Unknown User - Azure AD Audit Log Workbook

Respected Contributor

Can anyone help me understand why the Azure AD Audit Log workbook would be showing an unknow user for Add service principal and Update service principal activities?

2 Replies
best response confirmed by Dean Gross (Respected Contributor)

@Dean Gross 


Hey Dean, looking at the query under the hood it looks a like this


let data = AuditLogs
where "{Result:lable}" == "All" or Result in ({Result})
extend initiator = iif (tostring(InitiatedBy.user.userPrincipalName) != "", tostring(InitiatedBy.user.userPrincipalName), "unknown")
So when a UserPrincipalName is found in the 'InitiatedBy' column you will see it, when it isn't there it comes back as unknown. If you go an look at the AuditLogs table manually for 'Add service principal' and 'Update service principal' activities, for the ones coming back as unknown I would guess that they are being created or updated by other means other than your users actually doing it manually. For instance if you add a managed identity to a virtual machine or a logic app, it will create a service principal for you, but you won't have a UserPrincipalName in the InitiatedBy field. Or if you use something like Terraform to create service principals you will have the same issue.
Thanks for the detailed and accurate explanation. You pointed me in the right direction and reminded me of some good ways to investigate issues like this in the future.