Forum Discussion
Dean_Gross
Dec 17, 2021 (Silver Contributor)
Unknown User - Azure AD Audit Log Workbook
Can anyone help me understand why the Azure AD Audit Log workbook would be showing an unknown user for Add service principal and Update service principal activities?
m_zorich
Dec 20, 2021 (Iron Contributor)
Hey Dean, looking at the query under the hood it looks like this
let data = AuditLogs
| where "{Result:lable}" == "All" or Result in ({Result})
| extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != "", tostring(InitiatedBy.user.userPrincipalName), "unknown")
So when a UserPrincipalName is found in the 'InitiatedBy' column you will see it, when it isn't there it comes back as unknown. If you go and look at the AuditLogs table manually for 'Add service principal' and 'Update service principal' activities, for the ones coming back as unknown I would guess that they are being created or updated by other means other than your users actually doing it manually. For instance if you add a managed identity to a virtual machine or a logic app, it will create a service principal for you, but you won't have a UserPrincipalName in the InitiatedBy field. Or if you use something like Terraform to create service principals you will have the same issue.
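An added example query (my own, not the workbook's query or m_zorich's) that separates app-initiated service principal changes from genuinely unknown ones instead of collapsing both into "unknown"; it assumes the standard AuditLogs columns InitiatedBy.app.displayName and InitiatedBy.app.servicePrincipalId alongside the InitiatedBy.user.userPrincipalName the workbook already uses.

```kusto
// Added example, not the Azure AD Audit Log workbook's own query.
// Assumes the standard AuditLogs schema: InitiatedBy.user.* for interactive
// users and InitiatedBy.app.* for applications, managed identities and
// automation (e.g. a Terraform service principal).
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName in ("Add service principal", "Update service principal")
| extend userUpn = tostring(InitiatedBy.user.userPrincipalName),
         appName = tostring(InitiatedBy.app.displayName),
         appSpId = tostring(InitiatedBy.app.servicePrincipalId)
// Classify the initiator before picking a display value, so that
// "unknown" is reserved for rows where neither a user nor an app is recorded.
| extend initiatorType = case(
        isnotempty(userUpn), "user",
        isnotempty(appName) or isnotempty(appSpId), "app",
        "unknown"),
    initiator = case(
        isnotempty(userUpn), userUpn,
        isnotempty(appName), appName,
        isnotempty(appSpId), appSpId,
        "unknown")
// First target resource is the service principal that was added or updated.
| extend target = tostring(TargetResources[0].displayName)
| summarize Count = count(),
            Targets = make_set(target, 20),
            LastSeen = max(TimeGenerated)
    by OperationName, initiatorType, initiator, Result
| order by initiatorType asc, Count desc
```

Rows classified as "app" are the managed-identity and automation cases described above; anything still "unknown" after this split has neither a user nor an app in InitiatedBy and is the subset worth reviewing by hand.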
Dean_Gross
Dec 20, 2021 (Silver Contributor)
Thanks for the detailed and accurate explanation. You pointed me in the right direction and reminded me of some good ways to investigate issues like this in the future.