Risky Service Principal Alert Feature

With the security reports in Microsoft Entra, you can gauge the probability that service principal (workload identity) accounts in your environment have been compromised. A service principal flagged for risk is an indicator of a service principal account that might have been compromised; the risk level represents the probability that the given service principal (workload identity) is compromised. These risks are calculated offline using Microsoft's internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.

Note
  • Before using the Risky Service Principal Alert feature, ensure that service principals are configured as accounts in the source. For more information, refer to Service Principal Accounts Management.

  • By default, this feature is not enabled for new connectors. If your Microsoft Entra instance requires support for the Risky Service Principal Alert feature, you must enable the feature by adding attributes to the Account Schema in the ISC user interface.

Supported Operations

This feature supports the following operations:

  • Account Aggregation (Service Principal Aggregation)

  • Get Object (Get Service Principal)

Prerequisites

The tenant must have a Microsoft Entra P2 license.

Administrator Permissions

To fetch risky service principal details using the MS Graph APIs, the following API permissions must be assigned:

OAuth2.0 Authentication                               | Type        | Permission                             | Purpose
------------------------------------------------------|-------------|----------------------------------------|--------------------------------------------------------------
Client Credentials                                    | Application | IdentityRiskEvent.Read.All             | Aggregate or get risky service principal related information
                                                      |             | IdentityRiskyServicePrincipal.Read.All |
Refresh Token / AuthCode, JWT Certificate Credentials | Delegated   | IdentityRiskEvent.Read.All             | Aggregate or get risky service principal related information
                                                      |             | IdentityRiskyServicePrincipal.Read.All |
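A pre-flight check for the permissions in the table above, as an added example (not SailPoint's connector code): it decodes an Entra access token locally and reports which of the two required permissions are missing. Application permissions appear in the token's `roles` claim and delegated permissions in its space-separated `scp` claim; the sample token is constructed and unsigned, and the decoder deliberately does not verify signatures, so it is for diagnosing a failed aggregation, not for trusting a token.

```python
import base64
import json

# Permissions required by the Risky Service Principal Alert feature (from the table above).
REQUIRED_PERMISSIONS = {
    "IdentityRiskEvent.Read.All",
    "IdentityRiskyServicePrincipal.Read.All",
}


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying the signature.
    Only suitable for inspecting claims during troubleshooting."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_risk_permissions(token: str, permission_type: str) -> set:
    """Return the required permissions absent from the token.
    permission_type is the 'Type' column: 'Application' (Client Credentials) reads
    the 'roles' claim, 'Delegated' reads the space-separated 'scp' claim."""
    claims = decode_jwt_payload(token)
    if permission_type == "Application":
        granted = set(claims.get("roles", []))
    elif permission_type == "Delegated":
        granted = set(claims.get("scp", "").split())
    else:
        raise ValueError(f"unknown permission type: {permission_type}")
    return REQUIRED_PERMISSIONS - granted


def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token for offline testing (constructed; not issued by Entra)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed delegated token that lacks one of the two required permissions.
    sample = make_sample_token({"scp": "IdentityRiskEvent.Read.All User.Read"})
    print("missing:", sorted(missing_risk_permissions(sample, "Delegated")))
```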

Supported Schema Attributes

To manage the risky service principal alert feature, ensure that the following attributes are present in the account schema:

Note
The account schema cannot be extended for other risk related attributes.