Forum Discussion

djheyvoon's avatar
djheyvoon
Iron Contributor
Jun 17, 2020

[QUESTION] What is "ServicePrincipal_6387***" / Microsoft Substrate Management account?

Hello Everyone,

 

We have a situation where looking at Audit Logs in our Azure. I found an account that was created (User Adde) by something called "ServicePrincipal_6387c64b-9a8b-4bf1-92e8-******" and I can't seem to find anything relate to this account. No Applications, nothing. I googled "Microsoft Substrate Management" witch is related to the account mentioned. But nothing found. 

If anyone could give a light on how can I find why users are been added by this account I would appreciate. Thank you all in advance.

  • MPabon's avatar
    MPabon
    Copper Contributor

    djheyvoon 

    Did you ever find an answer to this? I'm seeing the same thing in our system. A random account being created by a "ServicePrincipal" account.

  • saafee's avatar
    saafee
    Copper Contributor

    djheyvoon 

    I had the same issue after searching around i found that one of my user without any admin role assigned to him used https://outlook.office365.com/ecp to create a distribution group. So I went into default user role assignment in the EOL and unchecked MyDistributionGroups box to avoid a future issue.

    As the user is not using Azure ad or Admin center I was seeing the Microsoft Substrate Management in audit logs.

  • Hi djheyvoon,

     

    can someone verify if there was a SaaS subscription to a product that use this account for "for example" impersonation for a certain service, the thig that came to my mind is that there is a service that taken authorization to create an account to be used by a SaaS application!!!

     

    try to see if there is any correlation with an application that was installed at the date the account appeared.

     

    Hope it helps! 

     

Resources