
I've got a bunch of old app registrations/service principals that no one has any idea are being used or not. When I go into the app from the Enterprise Applications (All Applications) blade and look at Sign-ins under Activity, nothing shows up. Nothing in Audit Logs either.

I did the same thing for an app we ARE using regularly and there's still nothing in Sign-ins. I use that app to connect to our tenant from a PowerShell session; I don't even know if the Sign-ins activity log is supposed to keep track of every time you authenticate to AD using that service principal. I opened a support ticket with Microsoft and they just told me to check the Sign-ins logs, but there is nothing there. I do have diagnostic logging enabled for the entire AD, but nothing there either.

Is there any way to see whether an app is being used? How frequently? Please advise!

DivZ

2 Answers


Microsoft has implemented auditing for service principals. You can see the information in the Sign-in logs, on the "Service principal sign-ins" tab.

Sharbag
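The same "Service principal sign-ins" data the answer above points at is queryable from PowerShell, which is what you want when there are dozens of stale principals to triage. The script below is an added example, not code from the question or either answer. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller can consent to `AuditLog.Read.All` and `Directory.Read.All`, and that the app is identified by its application (client) ID; `$AppId` is a placeholder you supply. It uses the beta `auditLogs/signIns` endpoint because, to my knowledge, the `signInEventTypes` property that separates app-only sign-ins from user sign-ins is only exposed there.

```powershell
# Added example (not from the original post): list recent service principal
# (app-only) sign-ins for one application and summarise how often it is used.
# Assumptions: Microsoft.Graph module installed; caller holds AuditLog.Read.All
# and Directory.Read.All; $AppId is a placeholder for the app's client ID.
param(
    [Parameter(Mandatory)] [string] $AppId,
    [int] $Days = 30
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# App-only sign-ins are a distinct event type from user sign-ins; the
# signInEventTypes clause selects them. Without it the endpoint returns only
# interactive user sign-ins, which is why the portal's default view looks empty.
$filter = "createdDateTime ge $since and appId eq '$AppId' " +
          "and signInEventTypes/any(t: t eq 'servicePrincipal')"
$uri = "https://graph.microsoft.com/beta/auditLogs/signIns" +
       "?`$filter=$([uri]::EscapeDataString($filter))&`$top=100"

# Follow @odata.nextLink until the result set is exhausted.
$events = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    if ($page.value) { $events += @($page.value) }
    $uri = $page.'@odata.nextLink'
} while ($uri)

if (-not $events) {
    Write-Host "No service principal sign-ins for appId $AppId in the last $Days days."
    return
}

# Most recent events first: who used it, from where, against which resource,
# and whether the token request succeeded (errorCode 0) or failed.
$events |
    Sort-Object createdDateTime -Descending |
    Select-Object createdDateTime, servicePrincipalName, ipAddress,
        @{ n = 'resource'; e = { $_.resourceDisplayName } },
        @{ n = 'errorCode'; e = { $_.status.errorCode } } |
    Format-Table -AutoSize

# Frequency: sign-ins per UTC day, which answers the "how often" question.
$events |
    Group-Object { ([datetime]$_.createdDateTime).ToUniversalTime().ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{ n = 'day'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Two caveats when reading the output. The sign-in log only covers the retention window of the tenant's licence (30 days with a P1/P2 licence, 7 days on the free tier), so an empty result for a principal used quarterly proves nothing; stream the logs to a Log Analytics workspace or storage account with a diagnostic setting if you need a longer baseline. And a non-zero `errorCode` still means something is trying to use the principal, which is worth knowing before you disable it.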

Unfortunately, there is no way currently to know if an app's ServicePrincipal object is being used for app-only authentication.

If the app's ServicePrincipal object is taking part in user sign-in, then the sign-in activity report will include the fact that a user signed in. However, if the ServicePrincipal object is being used directly for app-only authentication, then it won't be included.

Philippe Signoret
  • Unfortunate...but thanks for the quick response. Guess only way is to remove the service principal object from the resource's access control (IAM) and wait till somebody complains. If nobody complains, it's good to remove! :/ – DivZ Dec 14 '18 at 22:49
  • You can also disable the ServicePrincipal object (`Set-AzureADServicePrincipal -ObjectId "{id}" -AccountEnabled $false`), to the same effect. – Philippe Signoret Dec 15 '18 at 01:14
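The "disable it and see who complains" approach from the comments is sound, but it is only safe if you can undo it quickly and you know what the principal was allowed to do. The script below is an added example, not code from the answer or the comments; it replaces the `Set-AzureADServicePrincipal` call with its Microsoft Graph PowerShell equivalent, since the AzureAD module is deprecated. It assumes the Microsoft.Graph and Az.Resources modules are installed, that the caller can consent to `Application.ReadWrite.All` and has Reader on the subscriptions being inventoried, and that `$AppId` is the placeholder client ID of the principal.

```powershell
# Added example (not from the original post): disable-first decommissioning
# of a service principal suspected to be unused. Records the principal's
# permissions and credentials to a JSON file, then disables it; -ReEnable
# reverses the change when someone complains.
# Assumptions: Microsoft.Graph and Az.Resources modules installed; caller holds
# Application.ReadWrite.All (Graph) and Reader on the relevant subscriptions;
# $AppId is a placeholder for the app's client ID.
param(
    [Parameter(Mandatory)] [string] $AppId,
    [switch] $ReEnable
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

if ($ReEnable) {
    # Re-enabling restores token issuance; nothing else was changed.
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter @{ accountEnabled = $true }
    Write-Host "Re-enabled $($sp.DisplayName) ($($sp.Id))"
    return
}

# Inventory what the principal can do before touching it, so the blast radius
# of disabling it is known and the change is fully reversible.
$appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
              ForEach-Object { "$($_.ResourceDisplayName):$($_.AppRoleId)" })
$azureRoles = @(Get-AzRoleAssignment -ObjectId $sp.Id |
                ForEach-Object { "$($_.RoleDefinitionName)@$($_.Scope)" })
$credentials = @(@($sp.PasswordCredentials) + @($sp.KeyCredentials) |
                 Where-Object { $_ } |
                 ForEach-Object { @{ keyId = $_.KeyId; expires = $_.EndDateTime } })

$inventory = [ordered]@{
    objectId    = $sp.Id
    appId       = $sp.AppId
    displayName = $sp.DisplayName
    disabledAt  = (Get-Date).ToUniversalTime().ToString('o')
    appRoleAssignments = $appRoles     # Graph/API permissions granted to it
    azureRoleAssignments = $azureRoles # RBAC roles on subscriptions/resources
    credentials = $credentials         # secrets and certs, with expiry
}
$path = "sp-$($sp.AppId).json"
$inventory | ConvertTo-Json -Depth 4 | Set-Content -Path $path

# Disabling blocks token issuance for the principal but leaves its object,
# credentials and role assignments intact, unlike removing it from IAM.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -BodyParameter @{ accountEnabled = $false }
Write-Host "Disabled $($sp.DisplayName) ($($sp.Id)); inventory saved to $path"
```

Disabling is preferable to pulling the principal out of the resource's IAM because a role assignment removed from a subscription has to be reconstructed by hand, whereas a disabled principal is one `-ReEnable` away from working again. Keep the inventory file with the change ticket: if nobody complains within your agreed window, the file also tells you which credentials and role assignments to clean up when you finally delete the object.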