Forum Discussion
Unexpected Service Principal Additions After Purview Label Schema Migration
Hi everyone,
I recently migrated our Microsoft Purview label schema in our tenant and noticed some interesting audit log entries right after the migration. Specifically, Entra ID recorded Add service principal actions for:
- Microsoft Edge management service
- Purview Ecosystem (https://api.purview.microsoft.com)
Both events were logged under my admin account, with the User-Agent showing kiota-dotnet/1.16.4, which suggests an automated process or Microsoft Graph SDK interaction.
Here are some details:
- Operation: Add service principal
- Result: Success
- Tags: disableLegacyUserImpersonationClient, disableLegacyUserImpersonationResource, and for Purview: GitCreatedApp
- Triggered at: The exact time I completed the label schema migration.
My questions:
- Is this expected behavior when migrating Purview label schemas?
- Are these service principals required for Purview and Edge management integration?
- Any best practices to confirm these additions are legitimate and secure?
Thanks in advance for your insights!
Best regards
Stephan
2 Replies
- David_C06 (Copper Contributor)
Hello Stephan, sorry, but this is not clear to me.
- Did you import/migrate your sensitivity label structure from one M365 tenant to another, as in a merger and acquisition scenario?
- Are you talking about the migration of the sensitivity label schema to the new label scheme planned by Microsoft on group label usage, described in the article below?
https://learn.microsoft.com/en-us/purview/migrate-sensitivity-label-scheme
If you are talking about the migration to the new label scheme in the article link I added, I need on my side to size the risk impact of this migration on my existing M365 tenant with 22000 users... Hopefully I have a lab to validate it. Your feedback might interest me also. Are you using sublabels applying protection to specified recipients, or critical group-based labels like us, e.g. Secret/Finance or Secret/Legal?
- StephanGee (Iron Contributor)
The migration of sensitivity label schema to the new label scheme planned by Microsoft on group label usage described in article below?
Sorry for the long wait - I must not have seen the mail.