Azure Sentinel — Monitoring Azure AD Service Principal
What is a service principal?
Any application registered with an Azure Active Directory tenant has:
- an application object: the globally unique instance of the app, which lives in the tenant where the app was registered
- an application (client) ID: the globally unique ID of your app
- a service principal: the identity object the app uses when it authenticates in a given tenant
There are three types of service principal:
- application
- managed identity
- legacy
From Microsoft docs:
“The application object is the global representation of your application for use across all tenants, and the service principal is the local representation for use in a specific tenant.”
“A service principal must be created in each tenant where the application is used, enabling it to establish an identity for sign-in and/or access to resources being secured by the tenant. A single-tenant application has only one service principal (in its home tenant), created and consented for use during application registration. A multi-tenant application also has a service principal created in each tenant where a user from that tenant has consented to its use.”
Ref: Apps & service principals in Azure AD — Microsoft identity platform | Microsoft Docs
How to get Service Principal info
Azure Active Directory provides the Sign-ins log for monitoring and understanding how resources are used by users. In addition, Azure AD has started to provide three additional sign-in logs (in preview at the time of writing):
- Non-interactive user sign-ins
- Service principal sign-ins
- Managed identities for Azure resources sign-ins
Service principal authentication does not appear in the interactive Sign-ins log at all, so without the second of these logs you have no visibility into how your applications authenticate.

Why monitor Service Principals
When an Azure AD application needs to authenticate to Azure Active Directory, it does so through its service principal, the identity object that represents the application in the tenant. Authentication with a service principal happens through the OAuth 2.0 protocol (typically the client credentials grant, using a client secret or a certificate).
To reduce the risk of applications registered in your Azure Active Directory tenant being misused, I think it is good practice to monitor service principal usage. A leaked client secret or certificate gives an attacker exactly the permissions of the application, and the resulting sign-ins look like normal application traffic unless you compare them with where the application is supposed to run from.
The basic idea is to work out how to be sure service principals are being used only by authorized sources and in the expected way.
View the service principal
- In the Azure portal, click Azure Active Directory and then click Enterprise applications.
- Under Application Type, choose All Applications and then click Apply.
- In the search filter box, type the name of the application (Test_App in my case).
- Open Properties. The Object ID shown there is the unique ID of the service principal associated with this application. Note that it is different from the Application (client) ID, which identifies the application object.

Monitoring Azure AD Service Principal leveraging Azure Sentinel
Ingesting service principal sign-in data
- Go to Azure Sentinel on https://portal.azure.com
- Data Connectors -> Azure Active Directory

- Click on “Open connector page” and select “Service principal sign-in logs (Preview)”

- Click on “Apply Changes”
- Check that ingestion is working by running the following Kusto query:
AADServicePrincipalSignInLogs | take 10

You should see service principal sign-in events. If the query returns nothing, keep in mind that the connector only forwards events generated after it was enabled, that the first events can take several minutes to show up, and that exporting Azure AD sign-in logs requires an Azure AD Premium (P1 or P2) license.
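Before writing alert rules it helps to know what normal looks like. The following query is an added example, not part of the original post: it builds a baseline of which IP addresses each service principal signs in from, how often, and with what outcome. The 14-day window is an assumption; pick whatever period covers your applications' normal activity.

```kusto
// Baseline: which IP addresses does each service principal sign in from?
// Run this over a representative period before writing an analytics rule,
// so that the allow-list in the rule reflects real usage.
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(14d)                 // assumption: two weeks is enough to see normal activity
| summarize
    SignIns   = count(),
    Failures  = countif(ResultType != "0"),      // ResultType "0" is a successful sign-in
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Resources = make_set(ResourceDisplayName, 10) // which APIs / resources the token was requested for
    by ServicePrincipalName, ServicePrincipalId, IPAddress
| order by ServicePrincipalName asc, SignIns desc
```

Anything in this list that you cannot explain (an IP address you do not own, a resource the application should never call, a burst of failures) is worth investigating before you tune it out of the alert rule. The query also gives you the ServicePrincipalId values to use in the rule, which are stable even if somebody renames the application.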
Analytic Rule setup
Let’s assume you have an Azure AD registered application running from a specific IP address. You would like to be notified if, for some reason, its service principal is used by a different resource coming from an unknown IP address.
Set up Azure Sentinel Analytics:
- Go to Azure Sentinel portal on https://portal.azure.com
- Click Analytics and then “Create Scheduled query rule”

- Fill Name, Description and other required fields.

- Add the analytic rule query (it’s simple, I’m just excluding my known IP address from the search; replace "app IP" with the address the application actually runs from):
AADServicePrincipalSignInLogs | where ServicePrincipalName == "Test_App" | where IPAddress != "app IP"

- Fill in “Entity Mapping” (map IPAddress to the IP entity and ServicePrincipalName to the Account entity, so the incident shows who used the service principal and from where)

- Create Rule
If you have the chance to run your app from a different IP address, you should get an Azure Sentinel incident like the following:


Tip: an advanced use case.
If your application runs inside Azure, you can go one step further and alert whenever its service principal is used from an IP address that is not an Azure public IP address. Microsoft publishes the Azure IP ranges and service tags as a downloadable JSON file, which you can turn into an allow-list for the rule.
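The following query is an added example (not the original post's rule) that combines the analytics rule set up above with this tip: it alerts on successful sign-ins of Test_App whose source IP is outside the application's known ranges, and can optionally also require the source to be an Azure public IP. The application name, the known ranges (RFC 5737 documentation addresses) and the Azure range are placeholders; replace the last one with the relevant prefixes from the published Azure IP ranges file.

```kusto
// Scheduled analytics rule: service principal used from an unexpected source.
// Assumptions (not from the original post): the app is Test_App, it runs from
// the two placeholder ranges in KnownAppRanges, and AzurePublicRanges holds a
// placeholder to be replaced with real prefixes from the Azure IP ranges file.
let MonitoredSPs      = dynamic(["Test_App"]);
let KnownAppRanges    = dynamic(["203.0.113.0/24", "198.51.100.10/32"]); // placeholder documentation ranges
let AzurePublicRanges = dynamic(["192.0.2.0/24"]);                       // placeholder, replace with Azure prefixes
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(1h)                       // keep equal to the rule's run frequency to avoid duplicate alerts
| where ServicePrincipalName in (MonitoredSPs)
| where ResultType == "0"                             // successful sign-ins only; failed attempts deserve their own rule
| extend FromKnownAppIP = ipv4_is_in_any_range(IPAddress, KnownAppRanges)
| extend FromAzure      = ipv4_is_in_any_range(IPAddress, AzurePublicRanges)
| where FromKnownAppIP == false                       // the basic rule: not one of the app's own addresses
// Uncomment the next line for the "must come from Azure" variant described in the tip:
// | where FromAzure == false
| summarize
    SignIns   = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Resources = make_set(ResourceDisplayName, 10)     // what the token was requested for
    by ServicePrincipalName, ServicePrincipalId, AppId, IPAddress, FromAzure
| project-reorder ServicePrincipalName, IPAddress, FromAzure, SignIns, FirstSeen, LastSeen
```

Map IPAddress to the IP entity and ServicePrincipalName to the Account entity in the rule's entity mapping. Filtering on ServicePrincipalName is convenient for a demo; in production prefer ServicePrincipalId or AppId, since a display name can be changed by anyone with enough rights to rename the application. If the application runs behind a NAT or an App Service outbound IP pool, put the whole pool in KnownAppRanges rather than a single address, otherwise the rule will fire on every outbound IP rotation.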
Happy cloud hunting!
:)
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer.
