
AZT502.2 - Account Creation: Service Principal Creation

An adversary may create an application registration and its service principal in Azure Active Directory (now Microsoft Entra ID). Once a credential (client secret or certificate) is attached to the application, the service principal is a non-interactive identity the adversary can authenticate as without any user account and without user MFA, which makes it a durable persistence mechanism and a place to park directory or subscription permissions outside the monitoring normally applied to user accounts. By default any member user can register applications unless the tenant setting "Users can register applications" has been set to No, so this action is not limited to privileged roles.

Resource

Azure Active Directory

Actions

  • microsoft.directory/servicePrincipals/create
  • microsoft.directory/applications/create

Examples

Detections

Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Azure Active Directory | Add service principal | microsoft.directory/servicePrincipals/create | AzureAD Audit Logs |
| Azure Active Directory | Add application | microsoft.directory/applications/create | AzureAD Audit Logs |
| Azure Active Directory | Add owner to application | microsoft.directory/applications/owners/update | AzureAD Audit Logs |
| Azure Active Directory | Add owner to service principal | microsoft.directory/servicePrincipals/owners/update | AzureAD Audit Logs |

Queries

AuditLogs
| where OperationName in ("Add service principal", "Add application", "Add owner to application", "Add owner to service principal")
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| project TimeGenerated, OperationName, Result, Actor, TargetResources, CorrelationId
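The query above is the whole detection, so the following is an added example, not code from the AzTRM page or from Microsoft: the same logic re-implemented in Python over a handful of constructed AuditLogs-shaped records so it can be exercised offline. Record keys mirror the Log Analytics AuditLogs columns (TimeGenerated, OperationName, Result, InitiatedBy, TargetResources); every tenant name, UPN, IP and app ID in the sample data is invented. Unlike the KQL it drops failed operations and adds two triage helpers (a per-actor count and an allow-list of identities expected to register applications), which is where an analyst's time actually goes once the raw hits come back.

```python
"""Added example (not from the AzTRM page): the page's AuditLogs detection
re-implemented over constructed, AuditLogs-shaped records."""
import json
from collections import Counter
from typing import Iterable

# Operation names and the directory actions behind them, from the page's Logs table.
# The last entry is the service-principal counterpart of "Add owner to application".
WATCHED_OPERATIONS = {
    "Add service principal": "microsoft.directory/servicePrincipals/create",
    "Add application": "microsoft.directory/applications/create",
    "Add owner to application": "microsoft.directory/applications/owners/update",
    "Add owner to service principal": "microsoft.directory/servicePrincipals/owners/update",
}

# Constructed sample records (not real tenant data); all names, UPNs, IPs and IDs are invented.
SAMPLE_AUDITLOGS = [
    {"TimeGenerated": "2024-05-01T09:00:01Z", "OperationName": "Add application", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7"}},
     "TargetResources": [{"type": "Application", "displayName": "Backup Sync Tool"}]},
    {"TimeGenerated": "2024-05-01T09:00:03Z", "OperationName": "Add service principal", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7"}},
     "TargetResources": [{"type": "ServicePrincipal", "displayName": "Backup Sync Tool"}]},
    {"TimeGenerated": "2024-05-01T09:05:00Z", "OperationName": "Update user", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.2"}},
     "TargetResources": [{"type": "User", "displayName": "Carol"}]},
    {"TimeGenerated": "2024-05-01T10:30:00Z", "OperationName": "Add service principal", "Result": "success",
     "InitiatedBy": {"app": {"displayName": "Deploy Pipeline", "appId": "00000000-0000-0000-0000-000000000001"}},
     "TargetResources": [{"type": "ServicePrincipal", "displayName": "Helper SP"}]},
    {"TimeGenerated": "2024-05-01T11:00:00Z", "OperationName": "Add owner to application", "Result": "failure",
     "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.2"}},
     "TargetResources": [{"type": "Application", "displayName": "Backup Sync Tool"}]},
]


def actor_of(record: dict) -> tuple[str, bool]:
    """InitiatedBy carries either a user or an app object; return (name, is_app)."""
    initiated_by = record.get("InitiatedBy") or {}
    user = initiated_by.get("user") or {}
    if user.get("userPrincipalName"):
        return user["userPrincipalName"], False
    app = initiated_by.get("app") or {}
    return app.get("displayName", "<unknown>"), True


def detect(records: Iterable[dict]) -> list[dict]:
    """Equivalent of the page's `where OperationName in (...)`, plus a Result == success filter."""
    hits = []
    for r in records:
        op = r.get("OperationName")
        if op not in WATCHED_OPERATIONS or r.get("Result") != "success":
            continue
        actor, is_app = actor_of(r)
        hits.append({
            "time": r["TimeGenerated"],
            "operation": op,
            "action": WATCHED_OPERATIONS[op],
            "actor": actor,
            "actor_is_app": is_app,  # app-initiated creation: one SP minting another
            "targets": [t.get("displayName") for t in r.get("TargetResources", [])],
        })
    return hits


def creations_per_actor(hits: list[dict]) -> dict[str, int]:
    """Count matching events per actor; a burst from a single identity stands out."""
    return dict(Counter(h["actor"] for h in hits))


def flag_new_actors(hits: list[dict], known_creators: set[str]) -> list[dict]:
    """Keep only hits whose actor is not on the allow-list of identities that are
    expected to register applications (e.g. a CI/CD pipeline's own service principal)."""
    return [h for h in hits if h["actor"] not in known_creators]


if __name__ == "__main__":
    hits = detect(SAMPLE_AUDITLOGS)
    print(creations_per_actor(hits))
    for h in flag_new_actors(hits, {"Deploy Pipeline"}):
        print(json.dumps(h))
```

On the sample data the rule returns three events: the two by alice (application, then its service principal, within seconds, which is exactly the pairing to look for) and one app-initiated creation by the pipeline identity, which the allow-list suppresses so only alice's activity is left for review.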