Azure Default Service Principals vs Customer Created

Written by Ravi Yadav

The other day, a customer asked me to provide the number of Service Principals (SP) in their Azure tenant. Well, that is pretty easy right? Head over to the Azure AD service within the Azure Portal and browse the App registrations (Service Principals) here… But wait, I now want to extract the list of SPs to a file. Great, I can use the following CLI or PowerShell query “az ad sp list” or “Get-AzADServicePrincipal” to retrieve that information. Wait a second… now why do I see nearly 700 SPs in PowerShell, yet when I take a look at the Portal, I can see there are maybe 100 Service Principals at best. This cannot be right! Why is PowerShell/CLI generating a list of nearly 700 Service Principals, whereas the portal only shows me ~100 SPs? Something is up… Let’s take a deeper dive here.

Well, after some research, I ran into the following blog post from fellow Microsoft MVP, Rick Van Rousselt you can find that post HERE. Learning Microsoft creates a handful, ~600 Service Principals that are needed for various Azure services, ie. Azure AD, Office 365, Azure Policy, etc. This ia default behaviour for any Azure tenant, and is common for any tenant.

After you execute the following query (“az ad sp list” or “Get-AzADServicePrincipal“) you can see that for some of these ~600 SPs the Tenant ID does not match my customers… The appOwnerTenantId belongs to a Microsoft/Azure tenant. Interesting….

So how do you figure out which Service Principals are customer created/owned, and how do we differentiate between the customer and Microsoft?

Below is what I did, and this should help you identify which Service Principals belong to you (as the customer) and which belong to Microsoft/Azure.

  $result = az ad sp list --query "[].{ServicePrincipalName:appDisplayName,AppID:appId,TenantID:appOwnerTenantId}" --output table --all -o json | ConvertFrom-Json 
  $result | export-csv -Path "C:\temp\ServicePrincipals.csv"  -NoTypeInformation

Now I can filter the Service Principals based on the appOwnerTenantId to differentiate between customer created versus Microsoft/Azure created.

I hope this helped, and now you know Microsoft/Azure creates hundreds of Service Principals in every Azure tenant that are needed for various services, and roles.

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.