I have noticed an "Add service principal" operation in the Azure audit log. I asked my team about it, but they also don't know about this operation. In normal operations, we can find the actor in the "Initiated by" field. However, in this event, there is no "Initiated by" actor specified. Instead, the "Identity" field displays "Microsoft Azure AD Internal - Jit Provisioning." Is this automatically added by Azure?
Yes, this looks like it was part of Just-in-Time provisioning. It's the process by which Azure AD creates a user account in an application when a user from the directory signs into the application for the first time.
In this instance it looks like Azure AD has automatically created a Service Principal for an application. Service Principals are used in Azure to represent the identity of an application/service (as opposed to a user).
You have not gotten many responses here because this is the incorrect forum to ask such a question; this is more of a question about Entra ID/AAD internals, and not Azure Sentinel (despite you finding it there). Nevertheless, I hope this answers your question.
That said, don't take this as me telling you it is legitimate activity for your organisation; it will depend on your own investigation and internal processes.
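As a starting point for the investigation mentioned above, the following added example (not part of the original posts, and not Microsoft code) triages exported "Add service principal" audit events and, for the Jit Provisioning ones, lists users who signed in to the same application around that time. The field names are assumed to match Sentinel's AuditLogs and SigninLogs columns, matching on application display name is an assumption, and all records are constructed.

```python
from datetime import datetime, timedelta

JIT_IDENTITY = "Microsoft Azure AD Internal - Jit Provisioning"  # quoted in the question

# Constructed records. Field names follow Sentinel's AuditLogs and SigninLogs
# tables as an assumption; adjust them to your export.
AUDIT = [
    {"TimeGenerated": "2024-01-10T09:00:05Z", "OperationName": "Add service principal",
     "Identity": JIT_IDENTITY, "InitiatedBy": {},
     "TargetResources": [{"displayName": "ExampleApp"}]},
    {"TimeGenerated": "2024-01-10T11:30:00Z", "OperationName": "Add service principal",
     "Identity": "admin@example.com",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "TargetResources": [{"displayName": "OtherApp"}]},
    {"TimeGenerated": "2024-01-10T12:00:00Z", "OperationName": "Add service principal",
     "Identity": JIT_IDENTITY, "InitiatedBy": {},
     "TargetResources": [{"displayName": "QuietApp"}]},
]
SIGNINS = [
    {"TimeGenerated": "2024-01-10T09:00:03Z", "AppDisplayName": "ExampleApp",
     "UserPrincipalName": "alice@example.com"},
]

def ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def actor(rec):
    """Named initiator, or None when 'Initiated by' is empty."""
    by = rec.get("InitiatedBy") or {}
    return ((by.get("user") or {}).get("userPrincipalName")
            or (by.get("app") or {}).get("displayName"))

def triage(audit, signins, window=timedelta(minutes=5)):
    """Label each 'Add service principal' event; attach nearby sign-ins to JIT ones."""
    rows = []
    for rec in audit:
        if rec.get("OperationName") != "Add service principal":
            continue
        app = ((rec.get("TargetResources") or [{}])[0]).get("displayName")
        who = actor(rec)
        jit = rec.get("Identity") == JIT_IDENTITY and who in (None, JIT_IDENTITY)
        users = sorted({s["UserPrincipalName"] for s in signins
                        if jit and s["AppDisplayName"] == app
                        and abs(ts(s["TimeGenerated"]) - ts(rec["TimeGenerated"])) <= window})
        origin = "jit" if jit else ("actor" if who else "unattributed")
        rows.append({"app": app, "origin": origin, "actor": None if jit else who,
                     "signins": users})
    return rows
```

A JIT row with an empty `signins` list, like the constructed QuietApp record, gives no user to tie the event to, so it needs other evidence before it is closed.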