Did you check the Azure AD audit logs? https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
Service Principal - find detailed information
Hello,
We have discovered a service principal was created and granted Global Admin rights in our Azure AD. No one seems to know what this account is used for and why it has GA rights.
How can I find out the details of this account, such as, when was it created, who created it, what it's tied to (apps??), is it even being used anywhere, etc?
I've done a CLI command (az ad sp show --id) and I only get this info below. The only thing that gives me any inclination at all is the password credentials section and it appears it has expired? Any insight is appreciated!
az ad sp show --id NUMBER
{
"accountEnabled": "True",
"addIns": [],
"alternativeNames": [],
"appDisplayName": null,
"appId": "NUMBER",
"appOwnerTenantId": null,
"appRoleAssignmentRequired": false,
"appRoles": [],
"applicationTemplateId": null,
"deletionTimestamp": null,
"displayName": "NAME",
"errorUrl": null,
"homepage": null,
"informationalUrls": null,
"keyCredentials": [],
"logoutUrl": null,
"notificationEmailAddresses": [],
"oauth2Permissions": [],
"objectId": "NUMBER",
"objectType": "ServicePrincipal",
"odata.metadata": "https://graph.windows.net/NUMBER/$metadata#directoryObjects/@Angie Jude ",
"odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
"passwordCredentials": [
{
"additionalProperties": null,
"customKeyIdentifier": null,
"endDate": "2015-12-30T17:50:06.145771+00:00",
"keyId": "NUMBER",
"startDate": "2014-12-30T17:50:06.145771+00:00",
"value": null
}
],
"preferredSingleSignOnMode": null,
"preferredTokenSigningKeyEndDateTime": null,
"preferredTokenSigningKeyThumbprint": null,
"publisherName": null,
"replyUrls": [],
"samlMetadataUrl": null,
"samlSingleSignOnSettings": null,
"servicePrincipalNames": [
"NUMBER",
"NAME"
],
"servicePrincipalType": "Legacy",
"signInAudience": null,
"tags": [],
"tokenEncryptionKeyId": null
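Added example, not part of the original post: a short Python triage of the `az ad sp show` JSON that answers the "has it expired?" question by checking whether any secret or certificate on the service principal object is valid right now. It assumes the timestamp format shown in the output above and only looks at credentials listed on the service principal itself; `triage` and `live_credentials` are hypothetical helper names, and the sample is constructed from the fields in the post.

```python
import json
from datetime import datetime, timezone

# Constructed sample: only the fields from the posted output that matter here.
# NUMBER and NAME are the post's own redaction placeholders.
SAMPLE = """{
  "accountEnabled": "True",
  "displayName": "NAME",
  "keyCredentials": [],
  "passwordCredentials": [
    {"endDate": "2015-12-30T17:50:06.145771+00:00", "keyId": "NUMBER",
     "startDate": "2014-12-30T17:50:06.145771+00:00"}
  ],
  "servicePrincipalType": "Legacy"
}"""


def live_credentials(sp, now):
    """Return (kind, keyId) for every secret or certificate valid at `now`."""
    live = []
    for kind in ("passwordCredentials", "keyCredentials"):
        for cred in sp.get(kind) or []:
            start = datetime.fromisoformat(cred["startDate"])
            end = datetime.fromisoformat(cred["endDate"])
            if start <= now <= end:
                live.append((kind, cred.get("keyId")))
    return live


def triage(sp, now=None):
    """Summarise whether the principal can still sign in with its own credentials."""
    now = now or datetime.now(timezone.utc)
    live = live_credentials(sp, now)
    # The old CLI prints accountEnabled as the string "True", newer ones as a bool.
    enabled = str(sp.get("accountEnabled")).lower() == "true"
    return {
        "enabled": enabled,
        "legacy": sp.get("servicePrincipalType") == "Legacy",
        "live_credentials": live,
        # No currently valid secret or certificate means no client-credential sign-in.
        "usable_with_own_credentials": enabled and bool(live),
    }


if __name__ == "__main__":
    print(triage(json.loads(SAMPLE)))
```

An empty `live_credentials` list only says the principal cannot sign in today; the audit and sign-in logs are still where to look for who created it and whether it was ever used.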