Make SPN (non-interactive) login events logged and available
Currently in Azure AD, when using SPN (non-interactive) logins via code (.NET, PowerShell, etc.) for automated processes (server-to-server communication/API) that interact with Azure, there is no event in the Azure AD logs to show that this login has occurred. Please expose this in the logs in the same fashion that an interactive user login is logged. This is not only beneficial for troubleshooting, but more importantly from a security, compliance, and risk audit trail standpoint.
We are working on this but we don’t have a public ETA to share at this time. We will keep you updated as we get closer.
Lidvar Kornberg commented
Today the Sign-In Activity log in AAD contains end-user authentication events, but does not have any log events when an application authenticates with AAD using client_credential grants. This must be logged, or we are not able to trace successful or failed logon events for debugging; this is also a security concern, as we cannot trace and detect successful or failed logon events from unknown sources.
In order to provide a complete and holistic view of failed login attempts, it's imperative that we are able to consistently capture such events for users (as we can today) but also for service principals, given the enabling role they play in the identity sphere in Azure. Not being able to do so [other than via a support call] feels like a major flaw when trying to surface such events via a SIEM solution.
These logs need to be exposed or at the least available for extraction in order to detect and monitor any anomalous behaviour from a user entity behaviour analysis perspective.
Completely agree with this. Our security team has identified this as a risk: there simply isn't enough information being surfaced about activity on app registrations and Service Principals. If we only had some log of the success/failure of Service Principals we could provide our own mitigation, but it is not available. Nor is this omission documented to caution the owner. In this day of app-to-app interactions I can only think that this requirement will become more and more necessary.
Dhanyah Krishnamoorthy commented
We are looking to add this feature into our Sign-ins Activity logs in the near future. We will keep you posted.
Edmund C Soyza commented
Hello, was just wondering if there has been any new developments on this? I actually opened a case with Microsoft to inquire how to get this info myself before I found this page.
Yes, and this should be a dashboard widget with email alerts as well.
Any update on this? Having no login information is especially problematic for SPN logins since no conditional access can be applied to them.
We have received this feedback and are looking to add this information in our Sign-ins report. I will let you know as soon as I have an update.
Jon McCabe commented
As a PCI-compliant application, we need to capture logs of when a Service Principal is being used. This would include failed logins, successful logins, password changes, etc. We would then like these logs to go to OMS for reporting and alerting.