[QUESTION] What is "ServicePrincipal_6387***" / Microsoft Substrate Management account?

Hello Everyone,

We have a situation where, looking at Audit Logs in our Azure, I found an account that was created (User Added) by something called "ServicePrincipal_6387c64b-9a8b-4bf1-92e8-******" and I can't seem to find anything related to this account. No Applications, nothing. I googled "Microsoft Substrate Management", which is related to the account mentioned, but found nothing.

If anyone could shed some light on how I can find out why users are being added by this account, I would appreciate it. Thank you all in advance.

10 Replies

@djheyvoon 

Did you ever find an answer to this? I'm seeing the same thing in our system. A random account being created by a "ServicePrincipal" account.

@MPabon Same here. No information yet on what caused it. 

No. I haven't found anything! This is very weird.
Nobody from M$ will say anything? Funny!

@djheyvoon 

I decided to search again and found this post from last week. https://www.jasonfritts.me/2020/08/04/what-is-microsoft-substrate-management-and-why-is-it-creating-...

What's weird is the account that "ServicePrincipal" account created was not an account that I have ever created. So this may explain it for others but my situation is still a bit of a mystery.

Same thing happened on our end, no news?

@djheyvoon In our tenancy, a user created a Bookings (https://outlook.office.com/bookings) entry that created a new user in AAD and an email forward to their mailbox.

@djheyvoon 

I had the same issue. After searching around, I found that one of my users, without any admin role assigned to him, used https://outlook.office365.com/ecp to create a distribution group. So I went into the default user role assignment in EOL and unchecked the MyDistributionGroups box to avoid a future issue.

As the user is not using Azure AD or Admin center, I was seeing the Microsoft Substrate Management in audit logs.

@djheyvoon We have seen these created using the Microsoft Booking Tool.

Hi @djheyvoon,

Can someone verify if there was a SaaS subscription to a product that uses this account for, for example, impersonation for a certain service? The thing that came to my mind is that there is a service that has taken authorization to create an account to be used by a SaaS application!!!

Try to see if there is any correlation with an application that was installed at the date the account appeared.

 

Hope it helps!
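
Added example, not part of the thread or any participant's code: one way to do the correlation suggested in the replies, listing objects whose creation was initiated by the "Microsoft Substrate Management" app and showing what else was logged around the same time. It assumes an audit log export shaped like Microsoft Graph `directoryAudit` records with the app name in `initiatedBy.app.displayName`; the sample records, tenant names, IDs and the 10-minute window are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample shaped like Microsoft Graph directoryAudit records
# (Azure AD audit log export). All names and IDs are placeholders.
SAMPLE = json.loads("""[
 {"activityDateTime": "2020-08-03T09:15:00Z", "activityDisplayName": "Add user",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"}]},
 {"activityDateTime": "2020-08-03T14:00:40Z", "activityDisplayName": "Consent to application",
  "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
  "targetResources": [{"type": "ServicePrincipal", "displayName": "Example SaaS App"}]},
 {"activityDateTime": "2020-08-03T14:02:11.4412345Z", "activityDisplayName": "Add user",
  "initiatedBy": {"app": {"displayName": "Microsoft Substrate Management",
                          "servicePrincipalId": "00000000-0000-0000-0000-000000000000"}},
  "targetResources": [{"type": "User", "userPrincipalName": "bookings-cal@contoso.example"}]},
 {"activityDateTime": "2020-08-03T16:30:05Z", "activityDisplayName": "Add group",
  "initiatedBy": {"app": {"displayName": "Microsoft Substrate Management"}},
  "targetResources": [{"type": "Group", "displayName": "Sales-DL"}]}
]""")

def ts(rec):
    # Graph timestamps may carry fractional seconds; compare at second precision.
    return datetime.strptime(rec["activityDateTime"][:19], "%Y-%m-%dT%H:%M:%S")

def actor(rec):
    by = rec.get("initiatedBy") or {}
    app, user = by.get("app") or {}, by.get("user") or {}
    return app.get("displayName") or user.get("userPrincipalName") or "unknown"

def created_by(records, app_name, activities=("Add user", "Add group")):
    """Objects whose creation was initiated by the named app, not by a user."""
    return [r for r in records
            if ((r.get("initiatedBy") or {}).get("app") or {}).get("displayName") == app_name
            and r.get("activityDisplayName") in activities]

def report(records, app_name="Microsoft Substrate Management", minutes=10):
    """For each such creation, list other audit events within +/- `minutes`."""
    window, out = timedelta(minutes=minutes), []
    for hit in created_by(records, app_name):
        near = [(r["activityDisplayName"], actor(r)) for r in records
                if r is not hit and abs(ts(r) - ts(hit)) <= window]
        targets = [t.get("userPrincipalName") or t.get("displayName")
                   for t in hit.get("targetResources") or []]
        out.append({"when": hit["activityDateTime"], "activity": hit["activityDisplayName"],
                    "targets": targets, "nearby": near})
    return out

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(json.dumps(row, indent=1))
```

An empty `nearby` list means nothing else in this log lines up in time; per the replies above, the triggering action may then be on the Exchange Online or Bookings side rather than in the Azure AD audit log.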