Where are Service Principals used?

Where are service principals (SPs) used? Everywhere! :) Okay, maybe not everywhere, but everybody limits users with Conditional Access, requires MFA, checks risky sign-ins, etc. But what about the service principals? Do you have any control over them? Do you know where they are used? Let’s see how you can find them with Kusto Query Language (KQL)!

KQL

The following KQL query helps you find the service principals that are used from different locations and IP addresses. You can modify the knownSubnets variable with your trusted subnets, so you can filter out known locations and cloud services.

let knownSubnets = dynamic([
   "40.74.28.0/23", //ADOS westeurope
   "20.166.41.0/24", //ADOS northeurope
   "1.2.3.0/24" //CompanyTrustedIPs
]);
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"
| where isnotempty(Location)
| where not(ipv4_is_in_any_range(IPAddress, knownSubnets))
| summarize
    ['Count of Locations']=dcount(Location),
    ['List of Locations']=make_set(Location),
    ['Count of IP Addresses']=dcount(IPAddress),
    ['List of IP Addresses']=make_set(IPAddress)
    by ServicePrincipalName, AppId

And the result will be something like this:

KQL result
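To show what the query's where clauses and summarize operator actually do to individual rows, here is the same logic re-implemented offline in Python over a handful of constructed sign-in records. This is an added example, not code from the post or from Microsoft; the service principal names, AppIds and IP addresses are made up (documentation ranges), and the knownSubnets list is copied from the query above. It also makes one caveat of the original query visible: ipv4_is_in_any_range() returns null for a non-IPv4 string, and `where not(null)` drops the row, so IPv6 sign-ins silently disappear from the result unless you handle them separately.

```python
"""Offline re-implementation of the KQL query above: keep successful service
principal sign-ins, drop known subnets, and summarize distinct locations and IPs
per (ServicePrincipalName, AppId). Added example, not the post's own code;
the log rows below are constructed, not real tenant data."""
import ipaddress
from collections import defaultdict
from typing import Optional

# Mirrors the knownSubnets dynamic() list in the query.
KNOWN_SUBNETS = [ipaddress.ip_network(c) for c in (
    "40.74.28.0/23",   # ADOS westeurope
    "20.166.41.0/24",  # ADOS northeurope
    "1.2.3.0/24",      # CompanyTrustedIPs (the post's placeholder range)
)]

# Constructed rows carrying only the AADServicePrincipalSignInLogs columns the
# query touches. ResultType "0" is a successful sign-in; anything else is a failure.
COLUMNS = ("ServicePrincipalName", "AppId", "ResultType", "Location", "IPAddress")
SAMPLE_LOGS = [
    ("build-agent", "app-1", "0",     "NL", "40.74.28.10"),   # known ADOS range: dropped
    ("build-agent", "app-1", "0",     "DE", "203.0.113.5"),
    ("build-agent", "app-1", "0",     "DE", "203.0.113.5"),   # duplicate: dcount/make_set dedupe
    ("build-agent", "app-1", "0",     "US", "198.51.100.7"),
    ("build-agent", "app-1", "50126", "BR", "192.0.2.9"),     # failed sign-in: dropped
    ("backup-job",  "app-2", "0",     "",   "198.51.100.7"),  # empty Location: dropped
    ("backup-job",  "app-2", "0",     "HU", "1.2.3.4"),       # trusted company range: dropped
    ("backup-job",  "app-2", "0",     "HU", "2001:db8::1"),   # IPv6: null in KQL, see below
]


def ipv4_is_in_any_range(ip: str, subnets) -> Optional[bool]:
    """Same contract as the KQL function: True/False for a parsable IPv4 address,
    None (KQL null) when the string is not IPv4. In the query, `where not(null)`
    evaluates to null and the row is silently discarded."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return None
    return any(addr in net for net in subnets)


def summarize_sp_signins(rows, subnets=KNOWN_SUBNETS, keep_unparsable_ips=False):
    """Apply the query's where clauses and summarize by (ServicePrincipalName, AppId).
    keep_unparsable_ips=False reproduces the KQL behaviour exactly (IPv6 rows vanish);
    True keeps those rows so they show up for review instead of being lost."""
    locations = defaultdict(set)
    ips = defaultdict(set)
    for row in rows:
        rec = dict(zip(COLUMNS, row))
        if rec["ResultType"] != "0":          # | where ResultType == "0"
            continue
        if not rec["Location"]:               # | where isnotempty(Location)
            continue
        in_known = ipv4_is_in_any_range(rec["IPAddress"], subnets)
        if in_known is None:                  # KQL null: dropped unless we opt in
            if not keep_unparsable_ips:
                continue
        elif in_known:                        # | where not(ipv4_is_in_any_range(...))
            continue
        key = (rec["ServicePrincipalName"], rec["AppId"])
        locations[key].add(rec["Location"])
        ips[key].add(rec["IPAddress"])
    # Same output columns as the summarize operator.
    return {
        key: {
            "Count of Locations": len(locations[key]),
            "List of Locations": sorted(locations[key]),
            "Count of IP Addresses": len(ips[key]),
            "List of IP Addresses": sorted(ips[key]),
        }
        for key in locations
    }


if __name__ == "__main__":
    for key, summary in summarize_sp_signins(SAMPLE_LOGS).items():
        print(key, summary)
```

With the default settings only build-agent survives (two locations, two IPs); backup-job has nothing left because its remaining row is IPv6. Run with keep_unparsable_ips=True and that row comes back, which is the behaviour you would want in the KQL too if your tenant sees IPv6 sign-ins (for example by keeping rows where the function returns null with an explicit isnull() check).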

Limit it

You now have the list of service principals and their associated IPs, but can we apply Conditional Access policies to them? Yes, we can! However, this requires an additional license: Microsoft Entra Workload ID, which costs approximately $3 per SP per month.

Pricing details:
Microsoft Entra Pricing

For implementation guidance, refer to:
Workload Identity Conditional Access
Microsoft Learn Documentation

This guide provides step-by-step instructions on creating policies for service principals, which is similar to setting policies for users. So, I won’t go into details here.

Base code comes from: Github

This post is licensed under CC BY 4.0 by the author.