
ServicePrincipal-Analyzer

Martin Willing edited this page Oct 21, 2025 · 6 revisions

TL;DR

ServicePrincipal-Analyzer.ps1 is a PowerShell script that simplifies the analysis of Microsoft Service Principal Sign-In Logs extracted with Microsoft-Extractor-Suite by Invictus-IR.

Unlike interactive and non-interactive user sign-ins, service principal sign-ins don't involve a user (App-Only Context).

Instead, they are sign-ins by any non-user account, such as apps or service principals (except managed identity sign-ins, which are included only in the managed identity sign-in log). In these sign-ins, the app or service provides its own credential, such as a certificate or app secret, to authenticate or access resources.

Microsoft Entra ID Protection can detect, investigate, and remediate risky workload identities, protecting applications and service principals in addition to user identities.

A workload identity is an identity that allows an application access to resources, sometimes in the context of a user. These workload identities differ from traditional user accounts as they:

  • Can’t perform multifactor authentication
  • Often have no formal lifecycle process
  • Need to store their credentials or secrets somewhere

These differences make workload identities harder to manage and put them at higher risk for compromise.


Note

Full risk details and risk-based access controls are available to Microsoft Entra Workload ID Premium customers; however, customers without the Microsoft Entra Workload ID Premium licenses still receive all detections with limited reporting details.

Fig 1: ServicePrincipal-Analyzer (screenshot)

Fig 2: Hunt.xlsx (Hunt view)

Fig 3: Successful Sign-Ins (Line Chart) for every single Enterprise Application

Fig 4: AppDisplayName / ApplicationType (Stats)

Fig 5: CredentialKeyId (Stats)

Fig 6: ServicePrincipalName (Stats)

Fig 7: ServicePrincipalName / CredentialKeyId (Stats) → Number of Credentials

Fig 8: MessageBox
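To show what the Hunt view and the Fig 3 / Fig 7 statistics are built from, here is an added PowerShell example (not the code of ServicePrincipal-Analyzer.ps1 itself) that derives daily successful sign-ins per application and the number of distinct CredentialKeyIds per service principal from a constructed set of sign-in records. The flat record layout (Microsoft Graph signIn property names, with Status.ErrorCode exposed as ErrorCode), the key IDs and the addresses are assumptions.

```powershell
# Added example, not ServicePrincipal-Analyzer.ps1 itself. Property names follow the Microsoft
# Graph signIn resource; the flat layout with Status.ErrorCode as ErrorCode is an assumption.
function New-SignIn($Time, $App, $KeyId, $Ip, $ErrorCode = 0) {
    [pscustomobject]@{ CreatedDateTime = [datetimeoffset]::Parse($Time).UtcDateTime; AppDisplayName = $App
                       ServicePrincipalName = $App; ServicePrincipalCredentialKeyId = $KeyId
                       IPAddress = $Ip; ErrorCode = $ErrorCode }   # ErrorCode 0 = successful sign-in
}
# Constructed sample: Backup-Sync starts using a second credential from an address its first never used.
$SignIns = @(
    New-SignIn '2025-10-01T08:00:00Z' 'Backup-Sync'    'key-aaaa-0001' '203.0.113.10'
    New-SignIn '2025-10-02T08:00:00Z' 'Backup-Sync'    'key-aaaa-0001' '203.0.113.10'
    New-SignIn '2025-10-03T02:15:00Z' 'Backup-Sync'    'key-bbbb-0002' '198.51.100.7'
    New-SignIn '2025-10-01T09:00:00Z' 'Mail-Connector' 'key-cccc-0003' '203.0.113.20'
    New-SignIn '2025-10-02T09:00:00Z' 'Mail-Connector' 'key-cccc-0003' '203.0.113.20' 7000215   # AADSTS7000215: invalid client secret
)
# Fig 3: successful sign-ins per enterprise application per day
$SuccessPerDay = $SignIns | Where-Object ErrorCode -eq 0 |
    Group-Object { '{0}|{1:yyyy-MM-dd}' -f $_.AppDisplayName, $_.CreatedDateTime } |
    ForEach-Object { $app, $day = $_.Name -split '\|'
        [pscustomobject]@{ AppDisplayName = $app; Day = $day; SuccessfulSignIns = $_.Count } } |
    Sort-Object AppDisplayName, Day
# Fig 7: distinct CredentialKeyIds per service principal, with first use and source addresses
$Credentials = $SignIns | Group-Object ServicePrincipalName | ForEach-Object {
    $keys = @($_.Group | Group-Object ServicePrincipalCredentialKeyId | ForEach-Object {
        [pscustomobject]@{
            KeyId     = $_.Name
            FirstSeen = ($_.Group | Sort-Object CreatedDateTime | Select-Object -First 1).CreatedDateTime
            SourceIPs = @($_.Group.IPAddress | Sort-Object -Unique)
        }
    })
    [pscustomobject]@{ ServicePrincipalName = $_.Name; Credentials = $keys.Count; Keys = $keys }
}
# Hunt: a credential whose source addresses never overlap with the principal's other credentials
$Review = foreach ($sp in @($Credentials | Where-Object Credentials -gt 1)) {
    foreach ($k in $sp.Keys) {
        $otherIPs = @($sp.Keys | Where-Object KeyId -ne $k.KeyId | ForEach-Object SourceIPs)
        [pscustomobject]@{
            ServicePrincipalName = $sp.ServicePrincipalName
            KeyId                = $k.KeyId
            FirstSeen            = $k.FirstSeen
            SourceIPs            = $k.SourceIPs -join ', '
            UnsharedSource       = @($k.SourceIPs | Where-Object { $_ -in $otherIPs }).Count -eq 0
        }
    }
}
$SuccessPerDay | Format-Table -AutoSize
$Credentials   | Select-Object ServicePrincipalName, Credentials | Format-Table -AutoSize
$Review        | Format-Table -AutoSize
```

On the sample, Backup-Sync is the only principal with two credentials, and the later key (first seen 2025-10-03) with its disjoint source address is the row an analyst would open first; the failed Mail-Connector sign-in is excluded from the Fig 3 counts by the ErrorCode filter.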

Links

What are service principal sign-ins in Microsoft Entra?
What are workload identities?
Securing workload identities
Frequently asked questions about Microsoft Entra Workload ID
Get-MgBetaAuditLogSignIn
Sign-In Resource Type (Properties)
