Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
When a new service principal appears in your tenant, you might want to understand why it was created and who or what initiated the process. The new audit log properties ServicePrincipalProvisioningType, SubscribedSkus, and AppOwnerOrganizationId help you quickly determine whether the service principal was provisioned by Microsoft, created by a user, or added by an external application. The following steps show you how to access these properties in the Microsoft Entra admin center to use them in your investigations. You can also leverage Microsoft Graph API and Log Analytics to access these new properties.
Prerequisites
To view and use these properties in Microsoft Entra audit logs, you need:
- Access to the Microsoft Entra admin center.
- One of the following roles (or a role with equivalent permissions): Security Administrator, Security Reader, or Reports Reader.
- Audit logging enabled for your tenant. For more information, see the Microsoft Entra audit logs overview.
View audit log properties to understand service principal details
To view audit log properties in the Microsoft Entra admin center:
- Sign in to the Microsoft Entra admin center.
- Browse to Monitoring & health > Audit logs.
- Set Category to ApplicationManagement and apply the filter.
- Filter Activity to Add service principal and apply the filter.
- Select an event and expand Additional details. Look for these properties
ServicePrincipalProvisioningType,SubscribedSkus, andAppOwnerOrganizationId.
If you send audit logs to Log Analytics, Microsoft Sentinel, or another destination, the same properties are available in the AuditLogs table under the AdditionalDetails JSON. You can parse these fields in your queries to group events by provisioning type, SKU, or owning tenant.
Investigate the new service principal
Once the new properties are available in your tenant, you can use them to streamline investigations into new service principals in Log Analytics and Microsoft Sentinel:
- Start with
ServicePrincipalProvisioningTypeto distinguish Microsoft-driven provisioning from direct user or app activity in your tenant. - When the value is subscription, review
SubscribedSkusto see which subscriptions or service plans in your tenant made the Microsoft service principal eligible for just-in-time provisioning. - Use
AppOwnerOrganizationIdto understand whether the app is homed in your tenant, in a Microsoft services tenant, or in another external tenant. - Combine these fields with existing audit log properties such as
initiatedByandtargetResourcesto get a full picture of who or what created the service principal, without relying on additional API calls.
Note
The AppOwnerOrganizationId property will only show for events where there is a backing application object. The SubscribedSkus property will only show for events when ServicePrincipalProvisioningType = Subscription.
These enhancements are designed to make it easier for you to interpret service principal creation events, quickly understand the meaning of different values, and plug that information into your own alerting and governance workflows. These alerts can categorize service principal creation events as "expected" versus "unexpected" based on your tenant security preferences.