Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,112 questions
Risky service principal log triggering
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 39%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAI%3C/text%3E%3C/svg%3E)
Aqil Isayev
0
Reputation points
I have enabled diagnostic settings for RiskyServicePrincipals and ServicePrincipalRiskEvents in Microsoft Entra ID and set up logs to flow both storage account and event hub. I want to have an example log for these types of logs, tried multiple ways ex:
- Flood of successful and failure requests using service principal.
- Sending requests from different IP's(very distant) in a short time period.
- Marking service principal as compromised and confirming/dismissing multiple times in https://entra.microsoft.com/
Which none of these generated either one of these logs. What could be other options to achieve this, any manual way or action to trigger it
Sign in to answer