Unexpected Service Principal Additions After Purview Label Schema Migration
Hi everyone,
I recently migrated our Microsoft Purview label schema in our tenant and noticed some interesting audit log entries right after the migration. Specifically, Entra ID recorded Add service principal actions for:
- Microsoft Edge management service
- Purview Ecosystem (https://api.purview.microsoft.com)
Both events were logged under my admin account, with the User-Agent showing kiota-dotnet/1.16.4, which suggests an automated process or Microsoft Graph SDK interaction.
Here are some details:
- Operation: Add service principal
- Result: Success
- Tags: disableLegacyUserImpersonationClient, disableLegacyUserImpersonationResource, and for Purview: GitCreatedApp
- Triggered at: The exact time I completed the label schema migration.
My questions:
- Is this expected behavior when migrating Purview label schemas?
- Are these service principals required for Purview and Edge management integration?
- Any best practices to confirm these additions are legitimate and secure?
Thanks in advance for your insights!
Best regards
Stephan
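One way to approach the third question, as an added example that is not part of the original post or of any Microsoft tooling: correlate each "Add service principal" audit event with the time of the admin change, and check the owner tenant of the resulting service principal instead of trusting its display name. It assumes records shaped like Microsoft Graph `directoryAudit` and `servicePrincipal` objects; all sample records, IDs and timestamps are constructed, and the two owner tenant IDs are the ones commonly cited for Microsoft first-party apps and should be confirmed against current Microsoft documentation.

```python
from datetime import datetime, timedelta

# Assumption: owner tenant IDs commonly cited for Microsoft first-party apps.
MS_SERVICES = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
MICROSOFT_OWNER_TENANTS = {MS_SERVICES, "72f988bf-86f1-41af-91ab-2d7cd011db47"}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(audit_events, service_principals, change_time, window_minutes=10):
    """Return one finding per successful 'Add service principal' target."""
    by_id = {sp["id"]: sp for sp in service_principals}
    window = timedelta(minutes=window_minutes)
    findings = []
    for ev in audit_events:
        if ev["activityDisplayName"] != "Add service principal" or ev["result"] != "success":
            continue
        details = {d["key"]: d["value"] for d in ev.get("additionalDetails", [])}
        user = (ev["initiatedBy"].get("user") or {}).get("userPrincipalName")
        near = abs(_ts(ev["activityDateTime"]) - _ts(change_time)) <= window
        for target in ev["targetResources"]:
            sp = by_id.get(target["id"])  # None if the object no longer exists
            owner = sp.get("appOwnerOrganizationId") if sp else None
            trusted = owner in MICROSOFT_OWNER_TENANTS
            findings.append({
                "name": target["displayName"],  # display names can be imitated
                "initiated_by": user,
                "user_agent": details.get("User-Agent"),
                "near_change": near,
                "microsoft_owned": trusted,
                # Anything not Microsoft-owned or not tied to the change gets a human look.
                "needs_review": not (trusted and near),
            })
    return findings

def _event(sp_id, name, when):  # constructed sample record
    return {"activityDisplayName": "Add service principal", "result": "success",
            "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
            "additionalDetails": [{"key": "User-Agent", "value": "kiota-dotnet/1.16.4"}],
            "targetResources": [{"id": sp_id, "displayName": name}]}

SAMPLE_EVENTS = [
    _event("sp-1", "Microsoft Edge management service", "2025-01-15T09:30:05Z"),
    _event("sp-2", "Purview Ecosystem", "2025-01-15T09:30:07Z"),
    _event("sp-3", "Constructed Third-Party App", "2025-01-15T14:02:00Z"),
]
SAMPLE_SPS = [{"id": i, "appOwnerOrganizationId": o} for i, o in
              [("sp-1", MS_SERVICES), ("sp-2", MS_SERVICES),
               ("sp-3", "00000000-0000-0000-0000-000000000001")]]
```

A finding with `needs_review` set is a prompt to inspect that service principal's granted permissions and credentials, not a verdict on its own.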
1 Reply
- David_C06 (Copper Contributor)
Hello Stephan, sorry, but this is not clear to me.
- Did you import/migrate your sensitivity label structure from one M365 tenant to another, as in a merger and acquisition scenario?
- Are you talking about the migration of the sensitivity label schema to the new label scheme planned by Microsoft on group label usage, described in the article below?
https://learn.microsoft.com/en-us/purview/migrate-sensitivity-label-scheme
If you are talking about the migration to the new label scheme in the article link I added, I need, on my side, to size the risk impact of this migration on my existing M365 tenant with 22000 users... Hopefully I have a lab to validate it. Your feedback might interest me also. Are you using sublabels applying protection to specified recipients, or critical group-based labels like us, e.g. Secret/Finance or Secret/Legal?