Identifying Service principal-less authentication

Rather than go via the portal, and because I wanted an excuse to refresh my very basic KQL chops, I came up with query:

AADServicePrincipalSignInLogs
| where TimeGenerated > ago(30d)
| where ServicePrincipalId == "00000000-0000-0000-0000-000000000000"
| extend Result = iff(ResultSignature == "None" or ResultSignature == "FAILURE", "Failure", "Success")
| summarize Count=count() by ServicePrincipalName, AppId, ResourceDisplayName, Result

AADServicePrincipalSignInLogs

| where TimeGenerated > ago(30d)

| where ServicePrincipalId == "00000000-0000-0000-0000-000000000000"

| extend Result = iff(ResultSignature == "None" or ResultSignature == "FAILURE", "Failure", "Success")

| summarize Count=count() by ServicePrincipalName, AppId, ResourceDisplayName, Result

This will show all the service principal less sign-ins, along with the resource they are trying to access and whether it is currently failing or not.

I suppose one could just pipe this to PowerShell to create the service principal as needed. Like thus:

# subscription where my log analytics workspace is
$subscriptionId = 'XXX'
Set-AzContext -SubscriptionId $subscriptionId

# name of the log analytics workspace
$workspaceName = "xxxsentinel"

# name of the resource group
$workspaceRG = "xxxsentinel-rg"

$WorkspaceID = (Get-AzOperationalInsightsWorkspace -Name $workspaceName -ResourceGroupName $workspaceRG).CustomerID

$query = "AADServicePrincipalSignInLogs
| where TimeGenerated > ago(30d)
| where ServicePrincipalId == '00000000-0000-0000-0000-000000000000'
| extend Result = iff(ResultSignature == 'None' or ResultSignature == 'FAILURE', 'Failure', 'Success')
| summarize Count=count() by ServicePrincipalName, AppId, ResourceDisplayName, Result"

$kqlQuery = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $query

foreach ($result in $kqlQuery) {
    New-MgServicePrincipal -AppId $result.AppId
}

# subscription where my log analytics workspace is

$subscriptionId = 'XXX'

Set-AzContext -SubscriptionId $subscriptionId

# name of the log analytics workspace

$workspaceName = "xxxsentinel"

# name of the resource group

$workspaceRG = "xxxsentinel-rg"

$WorkspaceID = (Get-AzOperationalInsightsWorkspace -Name $workspaceName -ResourceGroupName $workspaceRG).CustomerID

$query = "AADServicePrincipalSignInLogs

| where TimeGenerated > ago(30d)

| where ServicePrincipalId == '00000000-0000-0000-0000-000000000000'

| extend Result = iff(ResultSignature == 'None' or ResultSignature == 'FAILURE', 'Failure', 'Success')

| summarize Count=count() by ServicePrincipalName, AppId, ResourceDisplayName, Result"

$kqlQuery = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceID -Query $query

foreach ($result in $kqlQuery) {

New-MgServicePrincipal -AppId $result.AppId

}

Of course, don’t do that! 😊 The article doesn’t state it explicitly, but the idea is to verify that the app in question is genuine, and then create the sevice principal. So ideally one would generate a report that sends over the failed authentications (e.g. a Logic App that runs the query, puts it into an HTML table, and sends an email), and after a review and confirmation that this is genuine, the service principal is created (manually or via some automated process that kicks in after the review).