AZT502.2 - Account Creation: Service Principal Creation

An adversary may create an application & service principal in Azure Active Directory

Resource

Azure Active Directory

Actions

• microsoft.directory/servicePrincipals/create
• microsoft.directory/applications/create

Examples

Az PowerShellAzure CLIMicrosoft Graph APIAzure Portal

New-AzADServicePrincipal

az ad sp create

POST https://graph.microsoft.com/v1.0/servicePrincipals

Detections

Logs

Data Source	Operation Name	Action	Log Provider
Azure Active Directory	Add service principal	microsoft.directory/servicePrincipals/create	AuditLogs
Azure Active Directory	Add application	microsoft.directory/applications/create	AuditLogs
Azure Active Directory	Add owner to application	microsoft.directory/servicePrincipals/owners/update	AuditLogs

Queries

Platform	Query
Log Analytics	AuditLogs | where OperationName == 'Add service principal'

Azure Monitor Alert

Additional Resources

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals