IT _Admin0723 (United States of America) asked:

Add Service Principal - Risk?

Hello experts,
Quick question, our security folks keep capturing the "add service principal" in the audit from the Security and Compliance center in Office 365. Is that something we need to be alerted on and raise it as a risk?

Also, in addition, do you have any recommendations (an article or blog) that our incident response team needs to look at?

Any input would be greatly appreciated.

Thank you!
btan:

I would say it is important as it helps to identify the identity designated to the application. More for auditability.

So in the audit logs you would be able to see what the activities by the principals are, and that may give hints to anomalous action.

This is useful when you need to audit Application admin activities, which will be logged when an admin adds or changes an application that's registered in Azure AD. Any application that relies on Azure AD for authentication must be registered in the directory, and activities based on the principal are logged.

Note service principal refers to application identity instead of the usual user principals.

For any access to resources secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This is true for both users (user principal) and applications (service principal).

The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. And this is where the log will help alert on telling signs of suspicious change actions taken.

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs

As for the IR team, it is good to track the IR blog of the products used in the organisation. And a few more:

https://www.microsoft.com/security/blog/2019/03/25/dart-the-microsoft-cybersecurity-team-we-hope-you-never-meet/

https://www.incidentresponse.com/blog/
https://www.incidentresponse.com/playbooks/

https://digital-forensics.sans.org/blog

https://www.us-cert.gov/ncas/current-activity
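As an added example, not part of btan's answer: a PowerShell triage of exported unified audit log records for the "Add service principal." and related Azure AD operations the audit log records. All sample records are constructed to approximate the AuditData JSON that the Security and Compliance Center export (or Search-UnifiedAuditLog) returns; the approved-actor list, the working-hours window, the consent window and the sample identities are assumptions chosen for illustration.

```powershell
# Added example (not from the original thread): triage exported unified audit
# log records for service-principal activity. Record shape approximates the
# AuditData JSON that Search-UnifiedAuditLog / the Security & Compliance
# Center export returns; all records below are constructed for illustration.

# Operations worth alerting on, beyond the bare "Add service principal." event
# (operation names as used by the Azure AD workload of the unified audit log).
$watchedOperations = @(
    'Add service principal.',
    'Add service principal credentials.',
    'Add app role assignment to service principal.',
    'Consent to application.'
)

# Constructed sample: five AuditData documents as one JSON array.
$sampleJson = @'
[
  {"CreationTime":"2019-10-01T09:12:44","Operation":"Add service principal.","ResultStatus":"Success",
   "Workload":"AzureActiveDirectory","UserId":"admin@contoso.example",
   "ObjectId":"ServicePrincipal_11111111-1111-1111-1111-111111111111","Target":[{"ID":"Contoso HR Sync","Type":1}]},
  {"CreationTime":"2019-10-01T10:05:19","Operation":"Add service principal credentials.","ResultStatus":"Success",
   "Workload":"AzureActiveDirectory","UserId":"admin@contoso.example",
   "ObjectId":"ServicePrincipal_11111111-1111-1111-1111-111111111111","Target":[{"ID":"Contoso HR Sync","Type":1}]},
  {"CreationTime":"2019-10-01T23:47:03","Operation":"Add service principal.","ResultStatus":"Success",
   "Workload":"AzureActiveDirectory","UserId":"jdoe@contoso.example",
   "ObjectId":"ServicePrincipal_22222222-2222-2222-2222-222222222222","Target":[{"ID":"Mailbox Helper","Type":1}]},
  {"CreationTime":"2019-10-01T23:48:10","Operation":"Consent to application.","ResultStatus":"Success",
   "Workload":"AzureActiveDirectory","UserId":"jdoe@contoso.example",
   "ObjectId":"ServicePrincipal_22222222-2222-2222-2222-222222222222","Target":[{"ID":"Mailbox Helper","Type":1}]},
  {"CreationTime":"2019-10-02T08:30:00","Operation":"Update user.","ResultStatus":"Success",
   "Workload":"AzureActiveDirectory","UserId":"admin@contoso.example","ObjectId":"someone@contoso.example"}
]
'@

function Get-ServicePrincipalAlerts {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string[]] $ApprovedActors = @(),      # identities expected to register apps (assumption)
        [int] $WorkdayStartHour = 7,           # working-hours window, tenant local time (assumption)
        [int] $WorkdayEndHour = 19,
        [int] $ConsentWindowMinutes = 15       # how soon after creation a consent looks self-serve
    )
    $adds = @($Records | Where-Object { $_.Operation -eq 'Add service principal.' })

    foreach ($r in $Records) {
        if ($r.Workload -ne 'AzureActiveDirectory') { continue }
        if ($watchedOperations -notcontains $r.Operation) { continue }

        $when    = [datetime]$r.CreationTime
        $appName = if ($r.Target) { $r.Target[0].ID } else { $r.ObjectId }
        $reasons = @()

        if ($ApprovedActors -notcontains $r.UserId) { $reasons += 'actor not on approved list' }
        if ($when.Hour -lt $WorkdayStartHour -or $when.Hour -ge $WorkdayEndHour) { $reasons += 'outside working hours' }

        # A consent that follows the same actor's own "Add service principal." within
        # a few minutes looks like a self-registered app being granted permissions.
        if ($r.Operation -eq 'Consent to application.') {
            $ownAdd = $adds | Where-Object {
                $_.UserId -eq $r.UserId -and $_.ObjectId -eq $r.ObjectId -and
                ($when - [datetime]$_.CreationTime).TotalMinutes -ge 0 -and
                ($when - [datetime]$_.CreationTime).TotalMinutes -le $ConsentWindowMinutes
            }
            if ($ownAdd) { $reasons += 'consent right after own service principal creation' }
        }

        [pscustomobject]@{
            Time      = $when
            Operation = $r.Operation
            Actor     = $r.UserId
            App       = $appName
            Result    = $r.ResultStatus
            Severity  = if ($reasons.Count -ge 2) { 'High' } elseif ($reasons.Count -eq 1) { 'Medium' } else { 'Info' }
            Reasons   = ($reasons -join '; ')
        }
    }
}

$records = ConvertFrom-Json -InputObject $sampleJson
Get-ServicePrincipalAlerts -Records $records -ApprovedActors 'admin@contoso.example' |
    Sort-Object Time | Format-Table Time, Severity, Operation, Actor, App, Reasons -AutoSize

# Live use (assumed wiring, Exchange Online PowerShell session):
#   $records = (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#                 -RecordType AzureActiveDirectory -Operations $watchedOperations -ResultSize 5000).AuditData |
#              ForEach-Object { ConvertFrom-Json -InputObject $_ }
```

With the constructed data the admin's daytime registration and credential addition come out as Info, while the late-night registration by a non-approved user followed a minute later by that user's own consent is rated High on both records, which is the pattern an alert rule should single out rather than every "Add service principal." event.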
Vasil Michev (MVP):

It's important, as applications corresponding to the security principal can have a wide range of permissions across the organization, including being able to modify all users, read their email and so on. Not only should you be monitoring the audit logs for any changes, but you might consider disabling the ability for users to consent to apps, as well as periodically running reports that enumerate any apps/security principals and their permissions. Here's a sample script I wrote a while back: https://gallery.technet.microsoft.com/Azure-AD-Integrated-44658ec2
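As an added example, not Vasil's script and not part of the original thread: a PowerShell report that ranks service principals by the permissions they hold, which is the periodic review he recommends. The grant rows are constructed; the high-risk permission list, the scoring weights, the trusted-publisher list and the comments on wiring this to the AzureAD and MSOnline modules are assumptions for illustration.

```powershell
# Added example (not the thread's own script): score the permissions held by
# each service principal so a periodic app/permission report has a ranking.
# Input rows are constructed; the comments at the end show one way to fill
# them from a live tenant (assumed wiring, not exercised here).

# Permissions that warrant review when held by a third-party app (starting list, adjust to taste).
$highRiskPermissions = @(
    'Directory.ReadWrite.All', 'User.ReadWrite.All', 'Application.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
    'Files.ReadWrite.All', 'full_access_as_app'
)

# Constructed grant rows, flattened to one row per (app, permission).
#   Kind 'Application' = app role assignment (runs without a signed-in user)
#   Kind 'Delegated'   = OAuth2 permission grant; ConsentType 'AllPrincipals' = admin consent
#                        for the whole tenant, 'Principal' = one user consented for themselves
$grants = @(
    [pscustomobject]@{ App='Contoso HR Sync'; AppId='11111111-1111-1111-1111-111111111111'; Publisher='Contoso IT'; Kind='Application'; ConsentType='AllPrincipals'; Resource='Microsoft Graph'; Permission='User.Read.All' }
    [pscustomobject]@{ App='Contoso HR Sync'; AppId='11111111-1111-1111-1111-111111111111'; Publisher='Contoso IT'; Kind='Application'; ConsentType='AllPrincipals'; Resource='Microsoft Graph'; Permission='Group.Read.All' }
    [pscustomobject]@{ App='Mailbox Helper';  AppId='22222222-2222-2222-2222-222222222222'; Publisher='Unknown';    Kind='Delegated';   ConsentType='Principal';     Resource='Microsoft Graph'; Permission='Mail.ReadWrite' }
    [pscustomobject]@{ App='Mailbox Helper';  AppId='22222222-2222-2222-2222-222222222222'; Publisher='Unknown';    Kind='Delegated';   ConsentType='Principal';     Resource='Microsoft Graph'; Permission='Mail.Send' }
    [pscustomobject]@{ App='Mailbox Helper';  AppId='22222222-2222-2222-2222-222222222222'; Publisher='Unknown';    Kind='Delegated';   ConsentType='Principal';     Resource='Microsoft Graph'; Permission='offline_access' }
    [pscustomobject]@{ App='Sales Dashboard'; AppId='33333333-3333-3333-3333-333333333333'; Publisher='Fabrikam';   Kind='Delegated';   ConsentType='AllPrincipals'; Resource='Microsoft Graph'; Permission='User.Read' }
)

function Get-ServicePrincipalRiskReport {
    param(
        [Parameter(Mandatory)] [object[]] $Grants,
        [string[]] $HighRiskPermissions = $highRiskPermissions,
        [string[]] $TrustedPublishers = @('Microsoft Services')   # assumption: first-party apps only
    )
    $Grants | Group-Object AppId | ForEach-Object {
        $rows          = $_.Group
        $first         = $rows[0]
        $risky         = @($rows | Where-Object { $HighRiskPermissions -contains $_.Permission })
        $appOnly       = @($rows | Where-Object { $_.Kind -eq 'Application' })
        $userConsented = @($rows | Where-Object { $_.Kind -eq 'Delegated' -and $_.ConsentType -eq 'Principal' })

        # Weights are illustrative: high-risk scopes dominate, app-only and
        # self-consented grants add a little, unknown publishers add a little.
        $score = $risky.Count * 3 + $appOnly.Count + $userConsented.Count
        if ($TrustedPublishers -notcontains $first.Publisher) { $score += 2 }

        [pscustomobject]@{
            App               = $first.App
            AppId             = $first.AppId
            Publisher         = $first.Publisher
            Permissions       = (@($rows.Permission) | Sort-Object -Unique) -join ' '
            HighRisk          = (@($risky.Permission) | Sort-Object -Unique) -join ' '
            AppOnlyGrants     = $appOnly.Count
            UserConsentGrants = $userConsented.Count
            Score             = $score
            Rating            = if ($score -ge 6) { 'Review now' } elseif ($score -ge 3) { 'Review' } else { 'OK' }
        }
    } | Sort-Object Score -Descending
}

Get-ServicePrincipalRiskReport -Grants $grants |
    Format-Table App, Publisher, Rating, Score, HighRisk, AppOnlyGrants, UserConsentGrants -AutoSize

# Live tenant (assumed wiring, AzureAD module; Microsoft Graph used as the example resource):
#   $graph = Get-AzureADServicePrincipal -Filter "displayName eq 'Microsoft Graph'"
#   Application permissions held against Graph:
#     Get-AzureADServiceAppRoleAssignment -ObjectId $graph.ObjectId -All $true
#     (each assignment's Id maps to ($graph.AppRoles | Where-Object Id -eq $_.Id).Value for the name)
#   Delegated grants per client service principal $sp:
#     Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId -All $true
#     (Scope is space-separated; split it into one row per permission)
# Tenant-wide user consent switch (MSOnline module), the setting the thread discusses disabling:
#   (Get-MsolCompanyInformation).UsersPermissionToUserConsentToAppEnabled
```

On the constructed rows the self-consented "Mailbox Helper" with mail read/write and send scopes lands at the top as "Review now", the first-party-looking HR sync with two app-only directory reads lands in "Review", and the single delegated User.Read app is "OK"; the point is that the report surfaces what a principal can do, not merely that it exists.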
IT _Admin0723 (asker):

Thank you all! Much appreciated, all the input!
@Vasil Michev - how would I go about disabling the ability for users to consent to apps? Is it by this -> https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/methods-for-removing-user-access
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP), Bulgaria

This solution is only available to members of Experts Exchange.