Unexpected Microsoft Entra activity indicating service principal creation
Description
AlphaSOC detected the creation of a new service principal in Microsoft Entra ID
via the Add service principal audit action. Attackers who compromise an
account with application registration privileges may create a service principal
to establish persistent, credential-based access to the tenant without relying
on user accounts.
Impact
A malicious service principal can provide durable, hard-to-detect access to Azure and Microsoft 365 resources. Depending on the roles or permissions assigned, an attacker may be able to read sensitive data, call Graph API endpoints, or move laterally within the cloud environment. Unlike user accounts, service principals are not subject to traditional MFA challenges and may not be covered by user-focused Conditional Access policies, which makes them an attractive persistence mechanism for attackers.
Severity
| Severity | Condition |
|---|---|
| Informational | Service principal created with one unexpected property |
| Low | Service principal created with two unexpected properties |
| Medium | Service principal created with three unexpected properties |
Investigation and Remediation
Review the Entra audit logs for the Add service principal event. Identify the
creating user, the service principal's display name, and the associated
application registration. Check whether credentials (client secrets or
certificates) were added to the service principal and what permissions or roles
it holds. If unauthorized, remove any credentials, revoke assigned roles, and
delete the service principal. Investigate the creating account for signs of
compromise and review other actions taken during the same session.
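The triage steps above can be scripted against exported audit records. The following Python is an added example, not AlphaSOC code: it runs over constructed sample records whose field layout approximates the Microsoft Graph directoryAudit resource (an assumption), pulls out each "Add service principal" event, and reports the creating user, the service principal's display name, whether credentials were added to it afterwards, which app roles it was granted, and what else the same account did within a one-hour window (a stand-in for "the same session"). The activity names other than "Add service principal" are assumed for illustration.

```python
"""Triage 'Add service principal' Entra audit events (added example, not AlphaSOC's code)."""
from datetime import datetime, timedelta

# Constructed sample audit records. The layout approximates the Microsoft Graph
# directoryAudit resource (an assumption); activity names other than
# "Add service principal" are also assumed for illustration.
SAMPLE_AUDIT_LOG = [
    {"activityDateTime": "2024-05-01T10:01:00Z", "activityDisplayName": "Add service principal",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
     "targetResources": [{"id": "sp-001", "type": "ServicePrincipal", "displayName": "Data Sync"}]},
    {"activityDateTime": "2024-05-01T10:03:00Z", "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
     "targetResources": [{"id": "sp-001", "type": "ServicePrincipal", "displayName": "Data Sync",
                          "modifiedProperties": [{"displayName": "KeyDescription", "newValue": "client secret"}]}]},
    {"activityDateTime": "2024-05-01T10:05:00Z", "activityDisplayName": "Add app role assignment to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
     "targetResources": [{"id": "sp-001", "type": "ServicePrincipal", "displayName": "Data Sync",
                          "modifiedProperties": [{"displayName": "AppRole.Value", "newValue": "Directory.Read.All"}]}]},
    {"activityDateTime": "2024-05-01T10:20:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.test"}},
     "targetResources": [{"id": "u-042", "type": "User", "displayName": "carol@example.test"}]},
    {"activityDateTime": "2024-05-01T11:30:00Z", "activityDisplayName": "Add service principal",
     "initiatedBy": {"user": {"userPrincipalName": "bob@example.test"}},
     "targetResources": [{"id": "sp-002", "type": "ServicePrincipal", "displayName": "Contoso Reporting"}]},
]

# Follow-on activities worth surfacing for a newly created service principal (assumed names).
CREDENTIAL_EVENTS = {"Add service principal credentials"}
ROLE_EVENTS = {"Add app role assignment to service principal"}


def _when(event):
    return datetime.strptime(event["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    return event["initiatedBy"].get("user", {}).get("userPrincipalName", "<unknown>")


def _targets(event, resource_id):
    return any(t.get("id") == resource_id for t in event.get("targetResources", []))


def _new_values(event, property_name):
    """Collect newValue entries for a named modified property across all targets."""
    return [prop.get("newValue")
            for target in event.get("targetResources", [])
            for prop in target.get("modifiedProperties", [])
            if prop.get("displayName") == property_name]


def triage_service_principal_creations(events, session_window=timedelta(hours=1)):
    """Return one finding per 'Add service principal' event, oldest first.

    Each finding records who created the principal, what it was called, whether
    credentials were added to it within the window, which app roles it received,
    and every other activity the same account performed within the window.
    """
    events = sorted(events, key=_when)
    findings = []
    for ev in events:
        if ev["activityDisplayName"] != "Add service principal":
            continue
        sp = ev["targetResources"][0]
        created, actor = _when(ev), _actor(ev)
        # Later events that touch this specific service principal.
        follow_on = [e for e in events if e is not ev and _targets(e, sp["id"])
                     and created <= _when(e) <= created + session_window]
        roles = [v for e in follow_on if e["activityDisplayName"] in ROLE_EVENTS
                 for v in _new_values(e, "AppRole.Value")]
        credentials_added = any(e["activityDisplayName"] in CREDENTIAL_EVENTS for e in follow_on)
        # Everything else the creating account did around the same time.
        session_actions = sorted({e["activityDisplayName"] for e in events
                                  if e is not ev and _actor(e) == actor
                                  and abs(_when(e) - created) <= session_window})
        findings.append({
            "created_at": ev["activityDateTime"],
            "actor": actor,
            "service_principal": sp.get("displayName"),
            "service_principal_id": sp.get("id"),
            "credentials_added": credentials_added,
            "roles": roles,
            "session_actions": session_actions,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_service_principal_creations(SAMPLE_AUDIT_LOG):
        print(finding)
```

A principal that gains credentials and roles minutes after creation, from an account that is also touching user objects, is the pattern that should move straight to the remediation steps above; one with no follow-on activity is more likely to be a routine app registration, but the creating account still deserves a look.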