[QUESTION] What is "ServicePrincipal_6387***" / Microsoft Substrate Management account?


Hello Everyone,

 

We have a situation where, looking at Audit Logs in our Azure, I found an account that was created (User Added) by something called "ServicePrincipal_6387c64b-9a8b-4bf1-92e8-******" and I can't seem to find anything related to this account. No Applications, nothing. I googled "Microsoft Substrate Management", which is related to the account mentioned, but found nothing.

If anyone could shed light on how I can find why users are being added by this account, I would appreciate it. Thank you all in advance.

10 Replies

@djheyvoon 

Did you ever find an answer to this? I'm seeing the same thing in our system. A random account being created by a "ServicePrincipal" account.

@MPabon Same here. No information yet on what caused it. 

No. I haven't found anything! This is very weird.

Nobody from M$ will say anything? Funny!

@djheyvoon 

I decided to search again and found this post from last week. https://www.jasonfritts.me/2020/08/04/what-is-microsoft-substrate-management-and-why-is-it-creating-...

 

What's weird is the account that "ServicePrincipal" account created was not an account that I have ever created. So this may explain it for others but my situation is still a bit of a mystery.

Same thing happened on our end, no news?

@djheyvoon In our tenancy, a user created a Bookings (https://outlook.office.com/bookings) entry that created a new user in AAD and an email forward to their mailbox.

@djheyvoon 

I had the same issue. After searching around, I found that one of my users without any admin role assigned to him used https://outlook.office365.com/ecp to create a distribution group. So I went into the default user role assignment in EOL and unchecked the MyDistributionGroups box to avoid a future issue.

As the user is not using Azure AD or the Admin center, I was seeing Microsoft Substrate Management in the audit logs.

@djheyvoon We have seen these created using the Microsoft Booking Tool. 

 

Hi @djheyvoon,

Can someone verify if there was a SaaS subscription to a product that uses this account for "for example" impersonation for a certain service? The thing that came to my mind is that there is a service that has taken authorization to create an account to be used by a SaaS application!!!

Try to see if there is any correlation with an application that was installed at the date the account appeared.

 

Hope it helps!
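
The triage the replies above describe, as an added example that is not part of any post in this thread: find "Add user" audit events initiated by an app or service principal, then list applications added around the same date. It assumes the audit log was exported with Microsoft Graph `directoryAudit` field names; every record, name and ID in the sample is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of Microsoft Graph directoryAudit
# entries (all names, IDs and dates are made up for this example).
def _rec(ts, activity, target, target_type, app=None, user=None):
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "initiatedBy": {"app": app, "user": user},
        "targetResources": [{"type": target_type, "displayName": target,
                             "userPrincipalName": target if "@" in target else None}],
    }

SUBSTRATE = {"displayName": "Microsoft Substrate Management",
             "servicePrincipalId": "00000000-0000-0000-0000-000000000001"}
ADMIN = {"userPrincipalName": "admin@contoso.example"}
SAMPLE = [
    _rec("2020-06-15T09:41:00Z", "Add user", "frontdesk@contoso.example", "User", app=SUBSTRATE),
    _rec("2020-06-15T10:02:00Z", "Add user", "alice@contoso.example", "User", user=ADMIN),
    _rec("2020-06-15T08:30:00Z", "Add service principal", "Example SaaS App", "ServicePrincipal", user=ADMIN),
    _rec("2020-06-01T12:00:00Z", "Add service principal", "Older App", "ServicePrincipal", user=ADMIN),
]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def app_created_users(records):
    """'Add user' events whose initiator is an app/service principal, not a person."""
    hits = []
    for r in records:
        app = (r.get("initiatedBy") or {}).get("app")
        if r.get("activityDisplayName") != "Add user" or not app:
            continue
        for t in r.get("targetResources") or []:
            hits.append({"when": r["activityDateTime"],
                         "created": t.get("userPrincipalName"),
                         "initiator": app.get("displayName"),
                         "servicePrincipalId": app.get("servicePrincipalId")})
    return hits

def apps_added_near(records, when, window=timedelta(days=1)):
    """Service principals added within `window` of `when` (the date correlation)."""
    return sorted(t["displayName"]
                  for r in records
                  if r.get("activityDisplayName") == "Add service principal"
                  and abs(_ts(r["activityDateTime"]) - _ts(when)) <= window
                  for t in r.get("targetResources") or [])

if __name__ == "__main__":
    for hit in app_created_users(SAMPLE):
        print(hit, "apps added nearby:", apps_added_near(SAMPLE, hit["when"]))
```

An empty nearby-apps list alongside a Microsoft Substrate Management initiator is consistent with the Bookings and distribution-group causes reported in the replies, since those are user self-service actions rather than new application installs.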