Add Service Principal
Azure
Add Service Principal
Event
Creates a service principal in Entra ID, representing the identity instance of an application within a tenant.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
- Creating cloud accounts provides a durable backdoor that persists independently of any compromised user’s credentials.
Log Source
Entra ID Audit Logs
Sample Event
Hermione registers the in-tenant Phoenix-Backup enterprise application; Entra creates the corresponding service principal in the home tenant. ServicePrincipalProvisioningType is Other (the documented bucket for delegated user-driven creation), SubscribedSkus is empty, and AppOwnerOrganizationId matches the tenantId.
{ "id": "Directory_90000000-0000-4000-8000-000000000100_5A1B7_55009912", "category": "ApplicationManagement", "correlationId": "90000000-0000-4000-8000-000000000100", "result": "success", "resultReason": "", "activityDisplayName": "Add service principal", "activityDateTime": "2026-04-15T16:11:53.4419006Z", "loggedByService": "Core Directory", "operationType": "Add", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-000000000001", "displayName": "Hermione Granger", "userPrincipalName": "hermione@fantasticlogs.cloud", "ipAddress": "198.51.100.42", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "40000000-0000-4000-8000-000000000010", "displayName": "Phoenix-Backup", "type": "ServicePrincipal", "userPrincipalName": null, "groupType": null, "modifiedProperties": [ { "displayName": "AccountEnabled", "oldValue": "[]", "newValue": "[true]" }, { "displayName": "AppPrincipalId", "oldValue": "[]", "newValue": "[\"40000000-0000-4000-8000-000000000001\"]" }, { "displayName": "DisplayName", "oldValue": "[]", "newValue": "[\"Phoenix-Backup\"]" }, { "displayName": "ServicePrincipalNames", "oldValue": "[]", "newValue": "[\"40000000-0000-4000-8000-000000000001\"]" }, { "displayName": "ServicePrincipalType", "oldValue": "[]", "newValue": "[\"Application\"]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalNames, ServicePrincipalType\"" } ] } ], "additionalDetails": [ { "key": "ServicePrincipalProvisioningType", "value": "Other" }, { "key": "AppOwnerOrganizationId", "value": "10000000-0000-4000-8000-000000000001" }, { "key": "SubscribedSkus", "value": "[]" }, { "key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36" } ]}MITRE ATT&CK Mapping
Tactics: Persistence Privilege Escalation
Techniques:
- T1136.003 — Cloud Account — Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...