Skip to content

Add Service Principal

Azure

Add Service Principal

service: Azure - Microsoft Entra ID
techniques:

Event

Creates a service principal in Entra ID, representing the identity instance of an application within a tenant.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
  • Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.

Log Source

Entra ID Audit Logs

Sample Event

Hermione registers the in-tenant Phoenix-Backup enterprise application; Entra creates the corresponding service principal in the home tenant. ServicePrincipalProvisioningType is Other (the documented bucket for delegated user-driven creation), SubscribedSkus is empty, and AppOwnerOrganizationId matches the tenantId.

{
"id": "Directory_90000000-0000-4000-8000-000000000100_5A1B7_55009912",
"category": "ApplicationManagement",
"correlationId": "90000000-0000-4000-8000-000000000100",
"result": "success",
"resultReason": "",
"activityDisplayName": "Add service principal",
"activityDateTime": "2026-04-15T16:11:53.4419006Z",
"loggedByService": "Core Directory",
"operationType": "Add",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-000000000001",
"displayName": "Hermione Granger",
"userPrincipalName": "hermione@fantasticlogs.cloud",
"ipAddress": "198.51.100.42",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "40000000-0000-4000-8000-000000000010",
"displayName": "Phoenix-Backup",
"type": "ServicePrincipal",
"userPrincipalName": null,
"groupType": null,
"modifiedProperties": [
{
"displayName": "AccountEnabled",
"oldValue": "[]",
"newValue": "[true]"
},
{
"displayName": "AppPrincipalId",
"oldValue": "[]",
"newValue": "[\"40000000-0000-4000-8000-000000000001\"]"
},
{
"displayName": "DisplayName",
"oldValue": "[]",
"newValue": "[\"Phoenix-Backup\"]"
},
{
"displayName": "ServicePrincipalNames",
"oldValue": "[]",
"newValue": "[\"40000000-0000-4000-8000-000000000001\"]"
},
{
"displayName": "ServicePrincipalType",
"oldValue": "[]",
"newValue": "[\"Application\"]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalNames, ServicePrincipalType\""
}
]
}
],
"additionalDetails": [
{
"key": "ServicePrincipalProvisioningType",
"value": "Other"
},
{
"key": "AppOwnerOrganizationId",
"value": "10000000-0000-4000-8000-000000000001"
},
{
"key": "SubscribedSkus",
"value": "[]"
},
{
"key": "User-Agent",
"value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
}
]
}

MITRE ATT&CK Mapping

Tactics: Persistence Privilege Escalation

Techniques:
  • T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...