Jun 17 2020 02:46 AM
Hello Everyone,
We have a situation where looking at Audit Logs in our Azure. I found an account that was created (User Adde) by something called "ServicePrincipal_6387c64b-9a8b-4bf1-92e8-******" and I can't seem to find anything relate to this account. No Applications, nothing. I googled "Microsoft Substrate Management" witch is related to the account mentioned. But nothing found.
If anyone could give a light on how can I find why users are been added by this account I would appreciate. Thank you all in advance.
Jul 08 2020 07:03 AM
Did you ever find an answer to this? I'm seeing the same thing in our system. A random account being created by a "ServicePrincipal" account.
Jul 08 2020 08:05 AM
@MPabon Same here. No information yet on what caused it.
Aug 10 2020 06:45 AM
Aug 10 2020 06:45 AM
Aug 10 2020 01:15 PM
I decided to search again and found this post from last week. https://www.jasonfritts.me/2020/08/04/what-is-microsoft-substrate-management-and-why-is-it-creating-...
What's weird is the account that "ServicePrincipal" account created was not an account that I have ever created. So this may explain it for others but my situation is still a bit of a mystery.
Aug 18 2020 04:03 AM
Feb 16 2021 06:40 PM
@djheyvoonIn our tenancy, a user created a Bookings (https://outlook.office.com/bookings) entry that created a new user in AAD and an email forward to their mailbox.
Feb 22 2021 04:30 AM
I had the same issue after searching around i found that one of my user without any admin role assigned to him used https://outlook.office365.com/ecp to create a distribution group. So I went into default user role assignment in the EOL and unchecked MyDistributionGroups box to avoid a future issue.
As the user is not using Azure ad or Admin center I was seeing the Microsoft Substrate Management in audit logs.
Feb 24 2021 10:57 AM - edited Feb 24 2021 10:58 AM
Hi @djheyvoon,
can someone verify if there was a SaaS subscription to a product that use this account for "for example" impersonation for a certain service, the thig that came to my mind is that there is a service that taken authorization to create an account to be used by a SaaS application!!!
try to see if there is any correlation with an application that was installed at the date the account appeared.
Hope it helps!