Identity Service Principals Multiple Locations
Query
//Find Azure AD service principals that are logging on from multiple locations, this should be less common than with user accounts
//Data connector required for this query - Azure Active Directory - Service Principal Signin Logs
//Return the IP addresses used to sign in and see if you can build conditional access policies around them
//Microsoft Sentinel Query
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"
| where isnotempty(Location)
| summarize
['Count of Locations']=dcount(Location),
['List of Locations']=make_set(Location),
['Count of IP Addresses']=dcount(IPAddress),
['List of IP Addresses']=make_set(IPAddress)
by ServicePrincipalName, AppId
| where ['Count of Locations'] >= 2
//Advanced Hunting query
//Data connector required for this query - Advanced Hunting with Azure AD P2 License
AADSpnSignInEventsBeta
| where Timestamp > ago(30d)
| where ErrorCode == "0"
| where isnotempty(Country)
| summarize
['Count of Locations']=dcount(Country),
['List of Locations']=make_set(Country),
['Count of IP Addresses']=dcount(IPAddress),
['List of IP Addresses']=make_set(IPAddress)
by ServicePrincipalName, ApplicationId
| where ['Count of Locations'] >= 2Explanation
This query is used to find Azure AD service principals that are logging on from multiple locations. It retrieves the IP addresses used to sign in and provides a count and list of the locations and IP addresses. The query can be used to build conditional access policies based on these findings.
Details

Matt Zorich
Released: June 17, 2022
Tables
AADServicePrincipalSignInLogsAADSpnSignInEventsBeta
Keywords
Azure ADService PrincipalSignin LogsIP AddressesConditional Access PoliciesMicrosoft SentinelAdvanced HuntingAzure AD P2 LicenseCountry
Operators
whereTimeGeneratedagoResultTypeisnotemptysummarizedcountmake_setby['Count of Locations']['List of Locations']['Count of IP Addresses']['List of IP Addresses']ServicePrincipalNameAppIdTimestampErrorCodeApplicationId