Use the Microsoft Graph to Report Service Principal Sign-In Activity
Gain Insight from Service Principal Sign-in Activity
Before an app can be used in an Entra ID tenant, it must be registered and have a unique identifier. Apps can be owned by the tenant or created by third parties. In both cases, a service principal for the app is required to access tenant resources. The service principal is the security principal for the app and defines who can access the app and what resources the app can access. Managed identities also have service principals to allow them to access resources.
All Microsoft 365 tenants have many service principals created for apps, including many created for Microsoft first-party apps. To find out how many Microsoft apps are known within your tenant, you can run this code to find the service principals belonging to the tenant used by Microsoft to host its services.
# Fetch every service principal in the tenant (paged, 500 per call)
[array]$ServicePrincipals = Get-MgServicePrincipal -All -PageSize 500 | Sort-Object AppId
# Keep only those whose owning tenant is the Microsoft Services tenant
$MicrosoftApps = $ServicePrincipals | Where-Object {$_.AppOwnerOrganizationId -eq 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'}
$MicrosoftApps.count
563
This isn’t the full picture because Microsoft uses other tenants to host its apps, like 9188040d-6c67-4c5b-b112-36a304b66dad (Microsoft accounts). In any case, many apps owned by Microsoft show up in Microsoft 365 tenants. The more Microsoft services you consume, the more apps you’ll find.
The Entra Admin Preview Feature for Service Principal Sign-in Activity
A recent discussion on BlueSky (my account is @tonyredmond.bsky.social) alerted me to an Entra ID preview Usage & insights feature (Figure 1) to give administrators a view into service principal sign-in activity. This is important because if an attacker can compromise a privileged account in a tenant, they can create an app, give it permissions, and use the app to exfiltrate data. Keeping a wary eye on app activity is a good idea, as is reviewing the set of permissions held by apps (here’s a PowerShell script to report app permissions).
Whenever a feature turns up in the Entra admin center, there’s usually a Graph API (listServicePrincipalSignInActivities), and wherever there’s a Graph API, there might be a Microsoft Graph PowerShell SDK cmdlet (Get-MgBetaReportServicePrincipalSignInActivity), and with a cmdlet, we can retrieve and analyze data.
Writing a Script to Report Service Principals Sign-in Activity
The script I wrote (downloadable from GitHub) does the following:
- Runs Get-MgServicePrincipal to retrieve the set of service principals known in the tenant.
- Builds a hash table of application identifiers and display names (sign-in records for service principals don’t include the app name).
- Runs Get-MgBetaReportServicePrincipalSignInActivity to find sign-in activity for service principals when the last sign-in date is more than a year old.
- Creates a report about the service principals and exports the data to a CSV file.
- Generates some statistics such as the tenants that own apps, total service principals, etc.
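The five steps above, carried through as one added example. This is not the author's script from GitHub; it is a sketch that follows the same flow. It assumes the Microsoft.Graph and Microsoft.Graph.Beta.Reports modules are installed, that Application.Read.All and AuditLog.Read.All are the Graph permissions the two cmdlets need, that the beta sign-in activity record exposes the last sign-in timestamp as LastSignInActivity.LastSignInDateTime, and that the output file name ServicePrincipalSignIns.csv is a free choice. The three tenant names in the lookup table are the ones the article identifies; every other owner is shown by identifier only.

```powershell
# Added example for this article (not the script published on GitHub by the author).
# Assumes the Microsoft.Graph and Microsoft.Graph.Beta.Reports modules are installed.
# Graph permissions: Application.Read.All for service principals and AuditLog.Read.All
# for the sign-in activity report (assumed to be what the beta endpoint requires).
Connect-MgGraph -Scopes "Application.Read.All", "AuditLog.Read.All" -NoWelcome

$ReportPath = "ServicePrincipalSignIns.csv"   # output file name chosen for this example
$Cutoff     = (Get-Date).AddYears(-1)

# Step 1: every service principal in the tenant, keyed by application id
[array]$ServicePrincipals = Get-MgServicePrincipal -All -PageSize 500 `
    -Property Id, AppId, DisplayName, AppOwnerOrganizationId, ServicePrincipalType
$SPByAppId = @{}
foreach ($SP in $ServicePrincipals) { $SPByAppId[$SP.AppId] = $SP }

# Step 2: sign-in activity per service principal (beta endpoint), keyed by application id.
# Records carry the app id but not the display name, hence the hash table above.
# The property path LastSignInActivity.LastSignInDateTime follows the beta
# servicePrincipalSignInActivity resource (assumption).
[array]$Activity = Get-MgBetaReportServicePrincipalSignInActivity -All
$ActivityByAppId = @{}
foreach ($Record in $Activity) { $ActivityByAppId[$Record.AppId] = $Record }

# Step 3: one report row per service principal; a principal with no activity
# record at all is treated as "no sign-in in the last year"
$Report = @(foreach ($SP in $ServicePrincipals) {
    $LastSignIn = $null
    if ($ActivityByAppId.ContainsKey($SP.AppId)) {
        $LastSignIn = $ActivityByAppId[$SP.AppId].LastSignInActivity.LastSignInDateTime
    }
    [PSCustomObject]@{
        DisplayName      = $SP.DisplayName
        AppId            = $SP.AppId
        OwnerTenantId    = $SP.AppOwnerOrganizationId
        Type             = $SP.ServicePrincipalType
        LastSignIn       = $LastSignIn
        NoSignInLastYear = ($null -eq $LastSignIn) -or ($LastSignIn -lt $Cutoff)
    }
})
$Report | Sort-Object LastSignIn | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

# Step 4: activity records whose app no longer has a service principal in the tenant
$Orphans = @($Activity | Where-Object { -not $SPByAppId.ContainsKey($_.AppId) })

# Step 5: statistics. Names for the three well-known Microsoft tenants come from the
# article; Graph does not return the owning tenant's name with the service principal.
$KnownTenants = @{
    'f8cdef31-a31e-4b4a-93e4-5f571e91255a' = 'Microsoft Services'
    '9188040d-6c67-4c5b-b112-36a304b66dad' = 'Microsoft Accounts'
    '72f988bf-86f1-41af-91ab-2d7cd011db47' = 'Microsoft'
}
$ByTenant = $Report | Where-Object OwnerTenantId | Group-Object OwnerTenantId |
    Sort-Object Count -Descending | ForEach-Object {
        $Name = '(unknown)'
        if ($KnownTenants.ContainsKey($_.Name)) { $Name = $KnownTenants[$_.Name] }
        [PSCustomObject]@{
            'Tenant Name'    = $Name
            'Tenant ID'      = $_.Name
            'Number of Apps' = $_.Count
        }
    }

"Service Principals by owning tenant"
$ByTenant | Format-Table -AutoSize
"Total Service Principals                              {0}" -f $Report.Count
"Service Principals with no sign-ins in the last year  {0}" -f @($Report | Where-Object NoSignInLastYear).Count
"Service Principals with sign-ins in the last year     {0}" -f @($Report | Where-Object { -not $_.NoSignInLastYear }).Count
"Number of apps with no service principal              {0}" -f $Orphans.Count
"Report written to $ReportPath"
```

Two design points worth noting. Iterating over the service principals rather than the activity records means a principal that has never signed in still lands in the report, flagged as stale, instead of silently dropping out; that is the set an administrator most wants to review for removal. Counting the orphaned activity records separately (Step 4) surfaces the mismatch the article reports between activity data and current service principals without letting it distort the per-principal statistics.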
Here’s what I found in my tenant:
Some notes about service principals for the Office 365 for IT Pros tenant
-------------------------------------------------------------------------
Service Principals by owning tenant

Tenant Name                          Tenant ID                              Number of Apps
-----------                          ---------                              --------------
Microsoft Services                   f8cdef31-a31e-4b4a-93e4-5f571e91255a   563
Office 365 for IT Pros               a662313f-14fc-43a2-9a7a-d2e27f4f3478   58
Microsoft                            72f988bf-86f1-41af-91ab-2d7cd011db47   19
Microsoft Accounts                   9188040d-6c67-4c5b-b112-36a304b66dad   2
PRDTRS01                             cdc5aeea-15c5-4db6-b079-fcadd2505dc2   2
trustportal                          7579c9b7-9fa5-4860-b7ac-742d42053c54   2
Adobe Inc                            f889b897-fa4a-4d20-b6dd-182555a5b308   1
Apple Inc.                           e0fad04c-a04c-41ab-b35e-dc523af755a1   1
Office 365 Customer Success Center   d25014ba-ff6e-4f21-a7a7-698d6e524490   1
Microsoft Community & Event Tenant   b4c9f32e-da17-4ded-9c95-ce9da38f25d9   1
Microsoft                            0d2db716-b331-4d7b-aa37-7f1ac9d35dae   1
PnP                                  73da091f-a58d-405f-9015-9bd386425255   1
LinkedIn Production                  658728e7-1632-412a-9815-fe53f53ec58b   1
AdobeExternal                        55aa7ab7-a04b-4623-ba3b-04cda52e667f   1
Credly                               54e44946-b280-4ccf-b102-2224d7008f17   1
Merill                               10407d69-1ba5-4bec-8ebe-9af2f0b9e06a   1
eventpoint                           0e45e1a3-686e-44ec-8f47-5daa29692074   1
mspmecloud                           975f013f-7f24-47e8-a7d3-abc4752bf346   1
Adobe                                fa7b1b5a-7b34-4387-94ae-d2c178decee1   1

Total Service Principals                                668
Service Principals with no sign-ins in the last year    90
Service Principals with sign-ins in the last year       578
Number of apps with no service principal                46
The tenant names include Apple (used to reset authentication methods for Apple devices during the Exchange basic authentication retirement project) and several for Adobe (one of which is likely to connect SharePoint Online to the Adobe Cloud). The LinkedIn tenant likely hosts the app that connects LinkedIn data with the Microsoft 365 profile card. The PnP tenant is for the app used by the PnP PowerShell module, and the Merill tenant is home to many tools authored by Merill Fernando. This entry might be used to document conditional access policies in PowerPoint.
A total of 46 sign-in activity records for service principals could not be associated with a current service principal. This might be due to a bug in the preview feature, but it could also be due to the removal of apps by developers.
A list of the identifiers for Microsoft apps is available online. From the list I found a number of apps that are no longer in the set of service principals, including Office Online Client Microsoft Entra ID- Augmentation Loop (2abdc806-e091-4495-9b10-b04d93c3f040), OfficeShredderWacClient (4d5c2d63-cf83-4365-853c-925fd1a64357), Office Online Client Microsoft Entra ID- Loki (b23dd4db-9142-4734-867f-3577f640ad0c), and Microsoft Authentication Broker (29d9ed98-a469-4536-ade2-f981bc1d605e).
New Tools, New Insights
The nice thing about new tools is that they open up new opportunities to use data to gain additional insights into what happens in a tenant. Now that I can monitor and analyze service principal sign-in activity with PowerShell, I’ll be doing it regularly.
Need more help to write PowerShell for Microsoft 365? Get a copy of the Automating Microsoft 365 with PowerShell eBook, available standalone or as part of the Office 365 for IT Pros eBook bundle.