Sign In
In this module

EI1.3 Service Principal and Managed Identity Sign-Ins

60-80 minutes · Module 1 · Free
Operational Objective
Your tenant has 847 application registrations and 234 service principals. Every one of them authenticates to Entra ID using credentials that cannot use MFA. Their sign-ins are recorded in separate log tables that most organizations never review. An attacker who obtains a service principal's client secret can authenticate as that application and access every resource the application has permissions to — and because nobody is monitoring the service principal sign-in logs, the access can continue undetected for months.
Deliverable: The ability to query and interpret the AADServicePrincipalSignInLogs and AADManagedIdentitySignInLogs tables, establish baseline patterns for automated workloads, and detect anomalous service principal authentication that may indicate credential compromise.
⏱ Estimated completion: 18 minutes

The logs nobody monitors

The Entra admin center provides four sign-in log tabs: Interactive user sign-ins, Non-interactive user sign-ins, Service principal sign-ins, and Managed identity sign-ins. In most organizations, the security team monitors the first two and ignores the last two entirely. This is a critical blind spot.

Service principals authenticate to Entra ID using client secrets (essentially passwords for applications) or certificates. They do this without any user context — there is no interactive authentication, no MFA challenge, no conditional access evaluation (unless workload identity conditional access is configured, which most organizations have not done). The sign-in appears in the AADServicePrincipalSignInLogs table and nowhere else.

Expand for Deeper Context

Managed identities authenticate using Azure-managed credentials that are automatically rotated and never exposed to administrators. Their sign-ins appear in the AADManagedIdentitySignInLogs table. Because managed identities have no extractable credentials, they are generally lower risk than service principals with client secrets — but they still need monitoring because compromised Azure resources that use managed identities can access whatever the managed identity has permissions to.

The volume in these tables varies widely. A service principal used for a scheduled automation might generate one sign-in per hour. A service principal used for a real-time integration might generate thousands per day. Understanding the normal volume for each service principal is essential for detecting anomalies.

Service principal sign-in log fields

The AADServicePrincipalSignInLogs table shares many fields with the user sign-in logs but has important differences:

ServicePrincipalId is the unique identifier of the service principal that authenticated. This is the primary identity field — equivalent to UserPrincipalName in the user sign-in logs.

// EI1.3 — Service principal sign-in overview
// Shows all service principal authentication in the last 24 hours
// Most organizations have never run this query
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(24h)
| summarize 
    SignInCount = count(),
    DistinctIPs = dcount(IPAddress),
    LastSignIn = max(TimeGenerated),
    Resources = make_set(ResourceDisplayName, 5)
    by ServicePrincipalName, AppId
| order by SignInCount desc
// Review: Which service principals are most active?
// Which are signing in from multiple IPs?
// Do you recognize all of them?
Expand for Deeper Context

ServicePrincipalName is the display name of the service principal. Like UserDisplayName, this is human-readable but not unique — multiple service principals can share the same display name.

AppId identifies the application registration associated with the service principal.

ResourceDisplayName and ResourceId identify what the service principal was accessing — typically a Microsoft API (like "Microsoft Graph" or "Office 365 Exchange Online") or a custom API.

IPAddress is the IP address the authentication request came from. For service principals running in Azure (Functions, Logic Apps, VMs), this is an Azure datacenter IP. For service principals used by on-premises applications, this is the organization's public IP. For an attacker using a stolen client secret, this is the attacker's IP — which will differ from the normal IP pattern for that service principal.

ServicePrincipalCredentialKeyId identifies which credential was used for authentication — the specific client secret ID or certificate thumbprint. This is critical for investigation: if a service principal has multiple credentials and the sign-in used a credential you do not recognize, the attacker may have added their own credential to the service principal (the persistence mechanism described in EI0.6 Stage 3).

ConditionalAccessStatus — for most organizations, this will show "notApplied" because workload identity conditional access requires a separate license (Workload Identities Premium) and explicit configuration. If your organization has deployed conditional access for workload identities (covered in EI10), this field shows the evaluation result.

Run this query in your developer tenant. You may be surprised by how many service principals are active — even in a new tenant, Microsoft's internal services create service principals that authenticate regularly. The question for security is: do you recognize all of them, and is the activity pattern normal?

Detecting anomalous service principal behavior

The most important detection pattern for service principal sign-ins is: a service principal that normally signs in from a consistent IP range suddenly signs in from a new, unfamiliar IP address. This is the strongest indicator that a service principal's credentials have been compromised.

// EI1.3 — Detect service principal sign-ins from new IPs
// Compares last 24 hours against the previous 30 days baseline
let baselineWindow = 30d;
let detectionWindow = 24h;
let baselineIPs = AADServicePrincipalSignInLogs
| where TimeGenerated between (ago(baselineWindow) .. ago(detectionWindow))
| where ResultType == 0
| distinct ServicePrincipalName, IPAddress;
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(detectionWindow)
| where ResultType == 0
| join kind=leftanti baselineIPs 
    on ServicePrincipalName, IPAddress
| summarize 
    NewIPCount = dcount(IPAddress),
    NewIPs = make_set(IPAddress, 10),
    EventCount = count()
    by ServicePrincipalName, AppId
| where NewIPCount > 0
| order by EventCount desc
// Results: service principals signing in from IPs never seen in the 30-day baseline
// Investigate: is this a legitimate infrastructure change or credential compromise?

This query establishes a 30-day baseline of normal IPs for each service principal, then finds any sign-ins in the last 24 hours from IPs not in the baseline. The results require human triage — a legitimate infrastructure migration (moving a service to a new Azure region) will also produce new IPs. But combined with other signals (was the service principal's credentials recently modified? was there an unusual audit log event?), a new IP for a service principal is a strong investigation trigger.

Managed identity sign-ins

Managed identity sign-ins in AADManagedIdentitySignInLogs are generally lower risk because managed identities have no extractable credentials. An attacker cannot steal a managed identity's secret because no secret exists — Azure manages the credential internally and rotates it automatically.

However, managed identity sign-ins still warrant monitoring for two reasons. First, if the Azure resource using the managed identity is compromised (for example, an Azure VM is breached through an RDP vulnerability), the attacker inherits the managed identity's permissions. Monitoring the managed identity's sign-in patterns helps detect this scenario — a managed identity on a VM that normally accesses Azure Key Vault suddenly accessing Microsoft Graph to read user data is anomalous.

Second, managed identity sign-ins reveal the scope of your automated workloads' access. If a managed identity has been granted broader permissions than necessary (a common oversight during initial configuration), the sign-in logs show exactly which resources it is accessing — and which permissions could be reduced without affecting functionality.

// EI1.3 — Managed identity activity overview
AADManagedIdentitySignInLogs
| where TimeGenerated > ago(7d)
| summarize 
    SignInCount = count(),
    DistinctResources = dcount(ResourceDisplayName),
    Resources = make_set(ResourceDisplayName, 10)
    by ServicePrincipalName
| order by SignInCount desc
// Review: What are your managed identities accessing?
// Are any accessing resources they should not need?
FOUR SIGN-IN LOG TABLES SigninLogs Interactive user authentication User enters credentials + MFA Risk: initial access, credential theft Monitored by most orgs ✓ AADNonInteractive... Background token refresh Silent SSO, automatic renewal Risk: token replay, session hijacking Monitored by some orgs ~ AADServicePrincipal... App credentials (secret/cert) No user context, no MFA Risk: credential theft, SP abuse Monitored by almost nobody ✗ AADManagedIdentity... Azure-managed credentials No extractable secret Risk: compromised Azure resource Monitored by almost nobody ✗ Complete identity monitoring requires all four tables
Figure EI1.3 - Service Principal and Managed Identity Sign-Ins

The scale of the blind spot

To understand why service principal monitoring matters, consider the numbers. In a typical enterprise M365 tenant with 1,000 users, there may be 200-500 application registrations and corresponding service principals. Some were created years ago for projects that have ended. Some have credentials that have not been rotated. Some have permissions that were granted during initial setup and never reduced. Some have owners who have left the organization.

Each one of these service principals is a potential entry point. An attacker who obtains a client secret for a service principal with Mail.ReadWrite application permissions can read every user's email in the tenant — without generating a single entry in the user sign-in logs. The access appears only in AADServicePrincipalSignInLogs, which nobody is monitoring.

Expand for Deeper Context

The insider threat case study in EI0.8 (Case Study 3) exploited exactly this blind spot. The departing administrator added credentials to existing service principals, and the resulting access went undetected for four months because the organization did not monitor service principal sign-in logs.

EI9 (Application Registration Security) teaches you to govern the application registrations and service principals themselves. EI10 (Workload Identity Security) teaches you to replace client secrets with managed identities and workload identity federation. EI13 (Detection Engineering) builds the analytics rules that monitor service principal sign-in patterns. This subsection gives you the log fluency to read and query these tables — the foundation for all three.

Beyond this module

The IR course's IR11 (Entra ID and Azure AD Investigation) teaches you to investigate confirmed service principal compromise — tracing which credential was used, what resources were accessed, and what persistence mechanisms were established. This module teaches you to detect the anomalous sign-in pattern before it becomes an incident.

Try it yourself

Try It — Discover Your Service Principals

Environment: Your M365 developer tenant with Sentinel workspace.

Exercise: Run the service principal overview query from above. Answer these questions:

1. How many distinct service principals have signed in during the last 24 hours? 2. Which service principal has the highest sign-in count? Do you recognize it? 3. Are any service principals signing in from multiple IP addresses? 4. Run the managed identity overview query. Are any managed identities active?

For each unrecognized service principal, navigate to the Entra admin center → Identity → Applications → Enterprise applications and search for the AppId. Determine whether the application is a Microsoft first-party service, a third-party integration, or a custom application registered in your tenant. This exercise previews the application audit you will perform in EI9.

⚠ Compliance Myth: "Service principals are internal — they do not need the same monitoring as user accounts"

The myth: Service principals are used for internal automation. They are not exposed to external attackers. We do not need to monitor them like user accounts.

The reality: Service principal credentials (client secrets and certificates) can be stolen through the same vectors as user credentials — malware on a developer's workstation, leaked configuration files in code repositories, compromised CI/CD pipelines, or insider threat. Unlike user credentials, service principal credentials cannot be protected with MFA. A stolen client secret provides immediate, persistent access with no additional verification required. And because service principals often have broad application permissions (like Mail.ReadWrite for all mailboxes or Directory.ReadWrite.All for the entire directory), a compromised service principal can cause more damage than a compromised user account. EI10 covers how to eliminate client secrets through managed identities and workload identity federation. Until then, monitoring service principal sign-in logs is your primary detection mechanism.

📋 Investigation Artifact — Service Principal Monitoring Queries

Add these queries to your identity security query library:

Service Principal Monitoring — Core Queries

1. Daily activity summary:

AADServicePrincipalSignInLogs | where TimeGenerated > ago(24h) | summarize count() by ServicePrincipalName, AppId | order by count_ desc

2. Failed authentications (credential issues or blocks):

AADServicePrincipalSignInLogs | where TimeGenerated > ago(24h) | where ResultType != 0 | summarize count() by ServicePrincipalName, ResultType, ResultDescription

3. New IPs vs 30-day baseline (full query in subsection above)

4. Service principals accessing unusual resources:

AADServicePrincipalSignInLogs | where TimeGenerated > ago(24h) | summarize Resources = make_set(ResourceDisplayName) by ServicePrincipalName | where array_length(Resources) > 3

5. Credential key ID tracking:

AADServicePrincipalSignInLogs | where TimeGenerated > ago(24h) | summarize dcount(ServicePrincipalCredentialKeyId) by ServicePrincipalName | where dcount_ > 1

(Multiple credential IDs for one SP may indicate an attacker-added credential)

Compliance mapping: Service principal monitoring supports SOC 2 CC6.1 (Logical Access), ISO 27001 A.9.2.5 (Review of User Access Rights), and NIST CSF PR.AC-1 (Identities, Credentials, and Access Management).

Decision point

A sign-in log shows a successful authentication from an IP in a country where NE has no employees. MFA was satisfied by push notification. The user says they approved the MFA prompt while traveling. Do you accept this explanation?

Verify, do not accept at face value. Check: does the user have a travel request on file? Does the IP geo-location match the claimed travel destination? Does the device fingerprint match the user's enrolled device? Are there other sign-ins from NE's corporate IP in the same time window (which would indicate the user is NOT traveling)? An attacker who stole credentials and is bombarding the user with MFA prompts (MFA fatigue) gets the same 'I approved it' response from a confused user. The investigation confirms or refutes the travel explanation within 5 minutes.

A sign-in log shows: ResultType 0 (success), MfaDetail 'satisfied by claim', ConditionalAccessStatus 'success', IPAddress from a residential proxy in Nigeria. The user's normal sign-in pattern is UK corporate IPs only. What is the most likely explanation?
The user is traveling to Nigeria for business.
AiTM session token theft. The combination of MFA-by-claim (not interactive MFA challenge), residential proxy IP (not corporate), and successful CA evaluation (the token contains the MFA assertion) is the AiTM signature. The attacker captured the session token via an AiTM proxy, which includes the MFA claim. The token is then replayed from the attacker's infrastructure. Action: immediate session revocation, MFA method audit, and CA policy assessment (why did the compliant device policy not block this?).
The user's VPN is routing through a Nigerian exit node.
Identity Protection would have blocked this if it were truly malicious.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've mapped the identity threat landscape and learned to read sign-in logs.

EI0 established that every cloud attack starts with identity. EI1 took you through the signal that matters most — interactive, non-interactive, service principal, and managed identity sign-ins. Now you engineer the defences.

  • 17 engineering modules — authentication methods, conditional access architecture, Identity Protection, PIM, token protection, application governance, and detection rules
  • The Defense Design Method — the six-step framework applied to every identity control you'll build
  • EI18 Capstone — Identity Security Architecture Design — design complete identity architectures for three realistic organisations (SMB, mid-market, regulated enterprise)
  • Identity Security Toolkit lab pack — deployable conditional access policies, PIM configurations, and Identity Protection risk rules
  • Cross-domain detection (EI16) — email-to-identity correlation and the full phishing-to-inbox-rule attack chain
Unlock the full course with Premium See Full Syllabus
← Previous Next →