Can't create RiskyServicePrincipals and ServicePrincipalRiskEvents logs

Krzysztof Kwapisiewicz 20 Reputation points
2025-03-06T13:53:41.8833333+00:00

I am using Microsoft Entra ID P2 license and I am testing different log types generated by Entra ID.

My test setup is as follows:

  1. I have created a Resource Group with an Event Hub Namespace containing one Event Hub.
  2. I have created a Diagnostic Setting in Entra ID, with all the log types enabled and destination set to the mentioned Event Hub.

Now I am trying to generate some sample data for each of the log types. Now I want to generate some RiskyServicePrincipals and ServicePrincipalRiskEvents logs.

I have created an App Registration and generated a Client Secret for it, then I've tried the following:

  1. Log in with the Client Secret from different locations in a short span of time. I have switched locations using VPN and Tor.
  2. Do a lot of failed login attempts with the correct Tenant ID and Client ID.

The approach above worked great for RiskyUsers and UserRiskEvents, but does not work for RiskyServicePrincipals and ServicePrincipalRiskEvents.

My actions have generated some data in Entra ID Protection -> Risky Workload Identities, but no logs have been pushed to the Event Hub.

I can also see some data when querying:

My questions are:

  1. Should the same data be available via the API and the Event Hub? This is what I've observed for RiskyUsers and UserRiskEvents. Shouldn't it behave in a similar way for RiskyServicePrincipals and ServicePrincipalRiskEvents?
  2. Are servicePrincipalRiskDetections and ServicePrincipalRiskEvents the same, despite having slightly different names?
  3. Should something be enabled to receive RiskyServicePrincipals and ServicePrincipalRiskEvents logs?

Accepted answer
  1. Smaran Thoomu 21,325 Reputation points Microsoft External Staff
    2025-03-07T11:15:35.63+00:00

    Hi @Krzysztof Kwapisiewicz

    Thanks for your detailed question! Since you're already seeing RiskyServicePrincipals data in Microsoft Graph API, but not in Event Hub, it suggests that the logs are being generated in Entra ID but may not be flowing correctly to your Event Hub due to how Diagnostic Settings handle these specific log types.

    First, to answer your question about API vs. Event Hub logs, while most Entra ID logs should be available in both places, there can be a delay or difference in how certain log types are streamed. RiskyUsers and UserRiskEvents logs are typically more actively pushed via Diagnostic Settings, while RiskyServicePrincipals and ServicePrincipalRiskEvents might have different processing behaviors. Microsoft Entra ID continuously refines how workload identity risks are handled, and these logs may have additional requirements before they appear in Event Hub.

    Regarding the servicePrincipalRiskDetections vs. ServicePrincipalRiskEvents, they are related but not the same. servicePrincipalRiskDetections contains detailed risk detections for service principals, while ServicePrincipalRiskEvents is meant to log risk-related events in Entra ID. The former provides risk assessment details, while the latter records specific events tied to those risks.

    To ensure these logs are flowing to Event Hub, you may want to double-check your Diagnostic Settings in Entra ID:

    1. Go to Microsoft Entra ID → Monitoring → Diagnostic Settings
    2. Ensure that "Risky Service Principals" and "Service Principal Risk Events" are explicitly selected
    3. Confirm that the destination Event Hub is correctly configured and actively receiving other logs

    If everything is configured correctly and you're still not seeing the logs, try checking Azure Monitor Logs (Log Analytics Workspace) to see if the data appears there first. If it does, but still isn’t in Event Hub, it may indicate a delay or limitation in streaming those specific logs.

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    1 person found this answer helpful.
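
An added example, not part of the original thread and not Microsoft's code: one way to run the check from the answer's numbered steps, comparing which categories a diagnostic setting has enabled against what actually arrived in the Event Hub. It assumes the setting has been exported as JSON with a `properties.logs` list and that message bodies use the Azure Monitor `{"records": [...]}` envelope; the function names and the sample setting and messages are constructed for illustration.

```python
import json

# Category names as they appear in the question.
WATCHED = ("RiskyServicePrincipals", "ServicePrincipalRiskEvents")

def enabled_categories(setting):
    """Log categories (lower-cased) switched on in one exported diagnostic setting."""
    logs = setting.get("properties", {}).get("logs", [])
    return {e["category"].lower() for e in logs if e.get("enabled")}

def count_records(messages):
    """Tally records per category (lower-cased) across Event Hub message bodies."""
    counts = {}
    for body in messages:
        try:
            records = json.loads(body)["records"]
        except (ValueError, KeyError, TypeError):
            # Not JSON, or not the assumed {"records": [...]} envelope.
            counts["<unparseable>"] = counts.get("<unparseable>", 0) + 1
            continue
        for rec in records:
            cat = rec.get("category", "<missing>") if isinstance(rec, dict) else "<missing>"
            counts[str(cat).lower()] = counts.get(str(cat).lower(), 0) + 1
    return counts

def delivery_report(setting, messages, watched=WATCHED):
    """Classify each watched category: not_enabled, enabled_no_records or delivered."""
    enabled = enabled_categories(setting)
    seen = count_records(messages)
    report = {}
    for cat in watched:
        if cat.lower() not in enabled:
            report[cat] = "not_enabled"
        elif seen.get(cat.lower(), 0) == 0:
            report[cat] = "enabled_no_records"
        else:
            report[cat] = "delivered"
    return report

# Constructed sample input: one exported setting and two captured message bodies.
SAMPLE_SETTING = {"properties": {"logs": [
    {"category": "UserRiskEvents", "enabled": True},
    {"category": "RiskyServicePrincipals", "enabled": True},
    {"category": "ServicePrincipalRiskEvents", "enabled": False},
]}}
SAMPLE_MESSAGES = [
    '{"records": [{"category": "UserRiskEvents"}, {"category": "RiskyUsers"}]}',
    "not json",
]

if __name__ == "__main__":
    print(delivery_report(SAMPLE_SETTING, SAMPLE_MESSAGES))
```

A category reported as `enabled_no_records` while other categories show `delivered` matches the situation described in the question: the setting and the Event Hub work, but that log type is not arriving.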