Interpreting SignIn Audit Records for Service Principals
Service Principal SignIn Audit Records Available for 30 Days
In August 2022, I wrote about the experience of developing and using Azure Automation runbooks. Fast forward to today, and one of the topics discussed in that article was raised again when I was asked if tenant sign-in logs capture details of access to enterprise apps from inside and outside the organization.
My response was “of course” because Entra ID captures all sign-ins for a tenant, including those for enterprise apps, or rather, the service principals that are the instantiation of enterprise apps within a tenant. Tenants keep sign-in records in audit logs for 30 days and those logs are available through the Entra Audit Logs Graph API, specifically the signIn resource type and the List signIns API. The Microsoft Graph PowerShell SDK implements the List signIns API with the Get-MgAuditLogSignIn cmdlet.
Beta API Supports Filtering SignIn Audit Records by Event Type
The ability to filter sign-in audit records by type is only available through the beta API. This was also true in August 2022 and it’s a little odd that Microsoft hasn’t upgraded the V1.0 API to support filtering to find sign-in records for non-interactive access, managed identities, or service principals. In any case, to filter by signInEventTypes, you need to access the beta endpoint or use the Get-MgBetaAuditLogSignIn cmdlet from the Microsoft Graph PowerShell SDK. For example, this command finds the last 5,000 sign-in audit logs generated for service principals:
[array]$AuditRecords = Get-MgBetaAuditLogSignIn -Filter "(signInEventTypes/any(t:t eq 'servicePrincipal'))" -Top 5000 -Sort "createdDateTime DESC"
Reviewing Service Principal SignIn Audit Records
Once the audit log records are extracted, the task is to interpret the service principal sign-ins. Things to look for include:
- Unexpected service principals. Attackers often exploit apps in their attempts to compromise tenants, so the appearance of an unexpected service principal is always worth investigation.
- Access to service principals for enterprise apps coming from outside the organization.
- Unexpected access to registered apps from both inside and outside the organization.
- Use of client secrets (app secrets) to authenticate. This is undesirable unless the app is being tested and isn’t yet in production. Any app that’s in production should use a more secure authentication method like an X.509 certificate.
To help answer these questions, I wrote a script (available from the Office 365 for IT Pros GitHub repository) to parse audit records. The output of the script is an Excel worksheet (or CSV file if the ImportExcel module is not installed on the workstation). Figure 1 shows some sample data from my tenant.
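As an added example (this is not the Office 365 for IT Pros script, nor Microsoft’s code), the following PowerShell takes the records returned by the Get-MgBetaAuditLogSignIn filter shown above and flags the four conditions listed: unknown service principals, access from outside the organization, client secret authentication, and failed attempts. Property names follow the beta signIn resource as surfaced by the Graph PowerShell SDK; the inference that a populated certificate thumbprint means certificate authentication while a populated credential key id without a thumbprint means a client secret, the $TrustedCountries list, and the sample records are assumptions made for this example so it runs offline.

```powershell
# Added example, not the page's script. Assumes the beta signIn property names
# exposed by Get-MgBetaAuditLogSignIn (ServicePrincipalCredentialKeyId,
# ServicePrincipalCredentialThumbprint, Location.CountryOrRegion, Status.ErrorCode).
function Get-ServicePrincipalSignInSummary {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        # Assumption: countries your organization normally operates from. Replace with your own.
        [string[]]$TrustedCountries = @('IE'),
        # Optional allowlist of service principal ids you expect to see; empty = do not check.
        [string[]]$KnownServicePrincipalIds = @()
    )
    foreach ($s in $SignIns) {
        # Assumption: thumbprint present => certificate; key id only => client secret.
        $thumb = $s.ServicePrincipalCredentialThumbprint
        $keyId = $s.ServicePrincipalCredentialKeyId
        $credType = if ($thumb) { 'Certificate' } elseif ($keyId) { 'ClientSecret' } else { 'Unknown' }

        $country = $s.Location.CountryOrRegion
        $flags = @()
        if ($credType -eq 'ClientSecret') { $flags += 'SecretUsed' }
        if ($country -and ($country -notin $TrustedCountries)) { $flags += 'OutsideOrg' }
        if ($KnownServicePrincipalIds.Count -gt 0 -and
            $s.ServicePrincipalId -notin $KnownServicePrincipalIds) { $flags += 'UnknownSP' }
        # ErrorCode 0 is success; anything else is a failed sign-in (e.g. expired secret).
        if ($s.Status -and $s.Status.ErrorCode -ne 0) { $flags += "Failed($($s.Status.ErrorCode))" }

        [PSCustomObject]@{
            Timestamp          = $s.CreatedDateTime
            ServicePrincipal   = $s.ServicePrincipalName
            ServicePrincipalId = $s.ServicePrincipalId
            Resource           = $s.ResourceDisplayName
            IPAddress          = $s.IPAddress
            Country            = $country
            Credential         = $credType
            Flags              = ($flags -join ';')
        }
    }
}

# Constructed sample records shaped like SDK output, so the example runs without a tenant.
$Sample = @(
    [PSCustomObject]@{ CreatedDateTime = [datetime]'2025-01-10T08:00:00Z'; ServicePrincipalName = 'Sample App A'
        ServicePrincipalId = '11111111-1111-1111-1111-111111111111'; ResourceDisplayName = 'Microsoft Graph'
        IPAddress = '203.0.113.10'; Location = [PSCustomObject]@{ CountryOrRegion = 'IE' }
        ServicePrincipalCredentialKeyId = '22222222-2222-2222-2222-222222222222'
        ServicePrincipalCredentialThumbprint = $null; Status = [PSCustomObject]@{ ErrorCode = 0 } },
    [PSCustomObject]@{ CreatedDateTime = [datetime]'2025-01-11T09:30:00Z'; ServicePrincipalName = 'Sample App B'
        ServicePrincipalId = '33333333-3333-3333-3333-333333333333'; ResourceDisplayName = 'Microsoft Graph'
        IPAddress = '198.51.100.7'; Location = [PSCustomObject]@{ CountryOrRegion = 'PL' }
        ServicePrincipalCredentialKeyId = '44444444-4444-4444-4444-444444444444'
        ServicePrincipalCredentialThumbprint = $null; Status = [PSCustomObject]@{ ErrorCode = 7000215 } },
    [PSCustomObject]@{ CreatedDateTime = [datetime]'2025-01-12T10:00:00Z'; ServicePrincipalName = 'Sample App C'
        ServicePrincipalId = '55555555-5555-5555-5555-555555555555'; ResourceDisplayName = 'Office 365 Exchange Online'
        IPAddress = '192.0.2.5'; Location = [PSCustomObject]@{ CountryOrRegion = 'IE' }
        ServicePrincipalCredentialKeyId = '66666666-6666-6666-6666-666666666666'
        ServicePrincipalCredentialThumbprint = 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'; Status = [PSCustomObject]@{ ErrorCode = 0 } }
)

# For live data, replace $Sample with the records from the tenant:
#   Connect-MgGraph -Scopes AuditLog.Read.All, Directory.Read.All
#   [array]$AuditRecords = Get-MgBetaAuditLogSignIn -Filter "(signInEventTypes/any(t:t eq 'servicePrincipal'))" -Top 5000 -Sort "createdDateTime DESC"
$Report = Get-ServicePrincipalSignInSummary -SignIns $Sample -TrustedCountries @('IE') `
    -KnownServicePrincipalIds @('11111111-1111-1111-1111-111111111111', '55555555-5555-5555-5555-555555555555')

# Show only the rows that raised a flag, then keep everything for offline review.
$Report | Where-Object Flags | Format-Table Timestamp, ServicePrincipal, Country, Credential, Flags -AutoSize
$Report | Export-Csv -Path .\ServicePrincipalSignIns.csv -NoTypeInformation
```

With the constructed data, Sample App A is flagged only for SecretUsed, Sample App B for SecretUsed, OutsideOrg, UnknownSP and Failed(7000215), and Sample App C (certificate) raises no flag. The allowlist of service principal ids is optional: when you have a baseline of expected apps from Get-MgServicePrincipal, pass it in and anything outside the list surfaces as UnknownSP, which is the kind of unexpected service principal the article says is always worth investigating.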

Reviewing the data, I found:
- Adobe still uses client secrets to access the Adobe Acrobat enterprise app.
- Some people still try to use old authentication details for apps that were inadvertently revealed in articles. I don’t consider this to be evidence of anything other than people running code that they’ve found to see what happens, but it does demonstrate how authentication information can be used. The audit records show that people in Warsaw, Frankfurt, and Bengaluru tried to access apps over the last 30 days only to find that the published app secret had either expired or been replaced.
- Running declarative Copilot agents created using Copilot Studio generates a service principal for an enterprise app. The one in my tenant is named 383b6826-fc95-4359-bef6-27680c152c33 (Power Virtual Agents). I assume that the app is used to enable single sign-on for agents, but I do not know if the same app is used in all tenants. The app is assigned the Cloud Application Administrator and Reports Reader roles but has no other permissions. The IP addresses used by the agents recorded in the audit records are all owned by Microsoft, indicating that the processing occurs within their datacenters (as you might expect). This is an example of a service principal that appears within a tenant without any notice.
The Worth of Service Principal SignIn Audit Reviews
I’m always relieved to answer a question. In this case, the exercise to prove how Entra ID audit log sign-in records capture information about internal and external access via service principals revealed some interesting information. It just goes to demonstrate that reviewing audit data is something that tenant administrators should do regularly.
Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.