AZT502.2 - Account Creation: Service Principal Creation

An adversary may create an application & service principal in Azure Active Directory

Resource

Azure Active Directory

Actions

• microsoft.directory/servicePrincipals/create
• microsoft.directory/applications/create

Examples

Az PowerShellAzure CLIMicrosoft Graph APIAzure Portal

New-AzADServicePrincipal

az ad sp create

POST https://graph.microsoft.com/v1.0/servicePrincipals

Detections

Logs

Data Source	Operation Name	Action	Log Location
Azure Active Directory	Add service principal	microsoft.directory/servicePrincipals/create	AzureAD Audit Logs
Azure Active Directory	Add application	microsoft.directory/applications/create	AzureAD Audit Logs
Azure Active Directory	Add owner to application	microsoft.directory/servicePrincipals/owners/update	AzureAD Audit Logs

Queries

Log Analytics

AuditLogs 
|where OperationName =="Add service principal" or OperationName =="Add application" or OperationName =="Add owner to application"

Additional Resources

https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals