Microsoft Entra service principal owner added
Description
AlphaSOC detected a new owner being added to a Microsoft Entra ID service
principal via the Add owner to service principal audit action. An owner of a
service principal can modify its credentials and role assignments. Attackers may
add themselves as an owner of an existing service principal to gain persistent
access to its permissions and secrets without creating a new identity, making
the compromise harder to detect.
Impact
An unauthorized service principal owner can generate new credentials and authenticate as the service principal, inheriting all its assigned roles and permissions. This may provide access to Azure resources, Microsoft Graph API data, or other services. Because service principals bypass user-focused controls such as MFA and conditional access, this type of persistence can be difficult to detect and remediate.
Severity
| Severity | Condition |
|---|---|
| Low | New owner added to a service principal |
Investigation and Remediation
Review Entra audit logs for the Add owner to service principal event. Identify
the user who performed the action, the targeted service principal, and the
account that was added as owner. Determine whether the service principal holds
sensitive roles or permissions. Check for new credentials added to the service
principal after this event. If unauthorized, remove the added owner, rotate or
revoke any added credentials, and investigate the acting account for additional
malicious activity.
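The triage steps above, as an added example that is not AlphaSOC's code: it runs over constructed Entra audit records, pulls the actor, targeted service principal and added owner from each Add owner to service principal event, and lists credential additions on that principal within a following window. The records are a simplified form of the Graph directoryAudit shape, the "Add service principal credentials" activity name is an assumption, and every name and timestamp is invented.

```python
# Added example (not AlphaSOC's code): triage "Add owner to service principal"
# audit events and flag credential additions on the same service principal that
# follow within a window. Entries are a simplified, constructed form of Entra
# directoryAudit records; all names and timestamps are invented.
from datetime import datetime, timedelta, timezone

OWNER_ADDED = "Add owner to service principal"
CRED_ADDED = "Add service principal credentials"  # assumed follow-on activity name

# Constructed sample audit entries (Graph-style field names, invented values).
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-05-01T10:00:00Z", "activityDisplayName": OWNER_ADDED,
     "initiatedBy": "ops-admin@example.com",
     "targetResources": [{"type": "ServicePrincipal", "displayName": "billing-automation"},
                         {"type": "User", "displayName": "contractor@example.com"}]},
    {"activityDateTime": "2024-05-01T12:30:00Z", "activityDisplayName": CRED_ADDED,
     "initiatedBy": "contractor@example.com",
     "targetResources": [{"type": "ServicePrincipal", "displayName": "billing-automation"}]},
    {"activityDateTime": "2024-05-02T09:00:00Z", "activityDisplayName": CRED_ADDED,
     "initiatedBy": "ci-bot@example.com",
     "targetResources": [{"type": "ServicePrincipal", "displayName": "unrelated-app"}]},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _target(event, kind):
    # Display name of the first target resource of the given type, or None.
    return next((t["displayName"] for t in event["targetResources"] if t["type"] == kind), None)

def triage_owner_additions(events, window_hours=24):
    """One finding per owner addition: actor, target service principal, added
    owner, and credential additions on that principal within window_hours."""
    findings = []
    for ev in events:
        if ev["activityDisplayName"] != OWNER_ADDED:
            continue
        sp, start = _target(ev, "ServicePrincipal"), _ts(ev["activityDateTime"])
        end = start + timedelta(hours=window_hours)
        follow_on = [{"at": e["activityDateTime"], "by": e["initiatedBy"]}
                     for e in events
                     if e["activityDisplayName"] == CRED_ADDED
                     and _target(e, "ServicePrincipal") == sp
                     and start <= _ts(e["activityDateTime"]) <= end]
        findings.append({"actor": ev["initiatedBy"], "service_principal": sp,
                         "added_owner": _target(ev, "User"),
                         "credential_additions": follow_on})
    return findings
```

A finding whose added owner also appears as the actor of a follow-on credential addition is the pattern the Impact section describes and should be prioritised for removal and credential rotation.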