Query Details

Identity Service Principal Createdby Managed Identity

Query

//Detect when an Azure AD service principal is created for a managed identity

//Data connector required for this query - Azure Active Directory - Audit Logs

AuditLogs
| where OperationName == "Add service principal"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend ['Service Principal DisplayName'] = tostring(TargetResources[0].displayName)
| extend ['Service Principal Id'] = tostring(TargetResources[0].id)
| where Actor == "Managed Service Identity"
| project TimeGenerated, ['Service Principal DisplayName'], ['Service Principal Id']

Explanation

This query looks for instances where a service principal is created for a managed identity in Azure Active Directory. It uses the Audit Logs data connector and filters for the "Add service principal" operation. It reads the display name and ID of the new service principal from the first entry in TargetResources and takes the actor from the displayName of the application recorded in InitiatedBy.app; only events whose actor is "Managed Service Identity" are kept (events initiated by a user have no InitiatedBy.app value, so their actor is empty and they are dropped). The results include the timestamp, service principal display name, and service principal ID.
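As an added example, not part of the original query page or its author's work, the same filter re-implemented in Python over constructed rows shaped like Azure AD AuditLogs records. It is useful for checking the logic offline, in particular the behaviour of the Actor field when a user rather than an application initiates the operation. Every row, name and GUID below is constructed for illustration.

```python
"""Offline re-implementation of the 'service principal created by managed identity' KQL filter."""
import json
from typing import Any

# Constructed sample rows in the shape of Azure AD AuditLogs records (not real log data).
SAMPLE_AUDIT_LOGS: list[dict[str, Any]] = [
    {   # Managed identity creating a service principal: should match
        "TimeGenerated": "2022-06-17T10:00:00Z",
        "OperationName": "Add service principal",
        "InitiatedBy": {"app": {"displayName": "Managed Service Identity",
                                "appId": "00000000-0000-0000-0000-000000000001"}},
        "TargetResources": [{"displayName": "constructed-vm-identity",
                             "id": "11111111-1111-1111-1111-111111111111",
                             "type": "ServicePrincipal"}],
    },
    {   # Same operation initiated by a human admin: no InitiatedBy.app, so Actor is empty
        "TimeGenerated": "2022-06-17T10:05:00Z",
        "OperationName": "Add service principal",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
        "TargetResources": [{"displayName": "constructed-admin-app",
                             "id": "22222222-2222-2222-2222-222222222222"}],
    },
    {   # Managed identity actor but a different operation: filtered out by OperationName
        "TimeGenerated": "2022-06-17T10:10:00Z",
        "OperationName": "Update service principal",
        "InitiatedBy": {"app": {"displayName": "Managed Service Identity"}},
        "TargetResources": [{"displayName": "constructed-vm-identity",
                             "id": "11111111-1111-1111-1111-111111111111"}],
    },
    {   # Another (constructed) application registering a service principal: Actor differs
        "TimeGenerated": "2022-06-17T10:15:00Z",
        "OperationName": "Add service principal",
        "InitiatedBy": {"app": {"displayName": "Constructed Provisioning App"}},
        "TargetResources": [{"displayName": "constructed-sync-sp",
                             "id": "33333333-3333-3333-3333-333333333333"}],
    },
]


def actor_from_initiated_by(initiated_by: dict[str, Any]) -> str:
    """Mirror tostring(parse_json(tostring(InitiatedBy.app)).displayName).

    tostring() of a dynamic value serialises it and parse_json() turns it back
    into an object; when InitiatedBy.app is absent the KQL yields an empty string.
    """
    app = initiated_by.get("app")
    if app is None:
        return ""
    parsed = json.loads(json.dumps(app))
    return str(parsed.get("displayName") or "")


def detect_managed_identity_sp_creation(rows: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Apply the where/extend/project pipeline from the KQL query to a list of rows."""
    results: list[dict[str, str]] = []
    for row in rows:
        if row.get("OperationName") != "Add service principal":
            continue
        if actor_from_initiated_by(row.get("InitiatedBy") or {}) != "Managed Service Identity":
            continue
        targets = row.get("TargetResources") or []
        target = targets[0] if targets else {}   # TargetResources[0] in the query
        results.append({
            "TimeGenerated": str(row.get("TimeGenerated") or ""),
            "Service Principal DisplayName": str(target.get("displayName") or ""),
            "Service Principal Id": str(target.get("id") or ""),
        })
    return results


if __name__ == "__main__":
    for hit in detect_managed_identity_sp_creation(SAMPLE_AUDIT_LOGS):
        print(hit)
```

Only the first constructed row survives the pipeline: the admin-initiated row is dropped because its actor is empty, the third by operation name and the fourth by actor name, which is the same behaviour the KQL `where` clauses produce.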

Details


Matt Zorich

Released: June 17, 2022

Tables

AuditLogs

Keywords

AzureAD, AuditLogs, OperationName, Add service principal, Actor, InitiatedBy.app, displayName, TargetResources, Managed Service Identity, TimeGenerated

Operators

where, extend, tostring, parse_json, displayName, TargetResources[0], id, project
