Service Principal & App Registration Activity

m365-azureIdentity & DirectoryCloud Admin PortalSIEM / Log Aggregator

Location

Azure Portal > Entra ID > App registrations and Enterprise applications > Audit logs (or Microsoft Graph API)

Description

Audit trail for service principal and application registration changes including new app registrations, secret/certificate additions, API permission grants, redirect URI changes, and owner modifications.

Forensic Value

Service principal manipulation is a critical cloud persistence technique. Attackers add secrets or certificates to existing app registrations, creating backdoor credentials that survive password resets and MFA enforcement. New API permission grants (especially Microsoft Graph with Mail.Read, Files.ReadWrite.All) enable automated data access. Redirect URI changes can intercept OAuth flows. Monitoring for new credential additions on existing apps is essential because these changes do not require user interaction after initial compromise.

Tools Required

Azure PortalMicrosoft Graph APIPowerShell (AzureAD module)Azure CLIROADtools

Related Blockers

Legal Requesting Preservation Conflicts with Containment

Legal counsel has issued a preservation hold requiring that certain systems, mailboxes, or data stores remain untouched. This directly conflicts with containment actions like reimaging hosts, resetting accounts, or blocking network segments.

Unknown Scope of Credential Compromise

One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.

Attacker Using VPN/Tor -- Cannot Determine True Origin

The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.

Suspected Insider Still Has Access -- Investigation Must Be Covert

The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.

Regulatory Notification Deadline Approaching

A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.