Provisioning ServicePrincipal Credential Added or Rotated
16 AAD Prov SP Credential Added
Query
let ProvisioningSPs =
AADProvisioningLogs
| where TimeGenerated > ago(14d)
| extend SPId = tostring(parse_json(ServicePrincipal).Id),
SPName = tostring(parse_json(ServicePrincipal).Name)
| summarize Events = count() by SPId, SPName
| where Events >= 10
| project SPId, SPName;
AuditLogs
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| invoke ExcludeAllowlistedIPs()
| where TimeGenerated > ago(1h)
| where OperationName has_any (
"Add service principal credentials",
"Update application - Certificates and secrets management",
"Update application",
"Add owner to service principal",
"Update service principal"
)
| mv-expand TargetResources
| extend TargetSPId = tostring(TargetResources.id),
TargetSPName = tostring(TargetResources.displayName)
| extend Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
tostring(InitiatedBy.app.displayName))
| extend SourceIP = tostring(InitiatedBy.user.ipAddress)
| extend ModProps = tostring(TargetResources.modifiedProperties)
| where ModProps has_any (
"KeyDescription","PasswordCredentials","KeyCredentials",
"keyDescription","passwordCredentials","keyCredentials"
)
| join kind=inner (ProvisioningSPs) on $left.TargetSPId == $right.SPId
| project TimeGenerated, OperationName, Actor, SourceIP,
TargetSPName, TargetSPId, ModProps, Result
| order by TimeGenerated descExplanation
This query is designed to detect when new credentials (like client certificates or secrets) are added or rotated for a service principal that has been actively involved in provisioning operations within the last 30 days. Here's a simplified breakdown:
-
Purpose: The query aims to identify potential security risks by monitoring changes to service principal credentials. This is important because attackers might exploit legitimate provisioning processes using credentials they control.
-
Data Sources: It uses data from Azure Active Directory's Audit Logs and Provisioning Logs.
-
Detection Logic:
- It first identifies service principals that have been involved in at least 10 provisioning events in the past 14 days.
- Then, it looks for audit events in the last hour where credentials were added or updated for these service principals.
- It excludes any events from allowlisted IP addresses to focus on potentially suspicious activities.
-
Alerting:
- If such an event is detected, it triggers an alert with a high severity level.
- The alert includes details like the operation name, the actor who initiated the change, the source IP address, and the target service principal's name and ID.
-
MITRE ATT&CK Mapping: The query is mapped to specific MITRE ATT&CK techniques related to account manipulation and the use of alternate authentication materials.
-
Incident Management: When an alert is triggered, it can create an incident, grouping related alerts to help streamline investigation.
In essence, this query helps security teams identify unauthorized or suspicious changes to service principal credentials, which could indicate a security breach or misuse of provisioning capabilities in a cloud environment.
Details

David Alonso
Released: June 1, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 14d