Forum Discussion
ArnaudDurand
Nov 08, 2024 | Copper Contributor
Audit user accessing enterprise App by SPN sign-in
I'm in a Hybrid Entra ID environment. Some users can use an "Enterprise Application" by utilizing IDs and a certificate. In the activity or sign-in logs, I can find the access entries, but I don't ha...
emadadel2008
Nov 08, 2024 | Brass Contributor
You're facing a common challenge in hybrid environments where service principal (SPN) or app registration-based access doesn't directly tie to a specific user identity in the sign-in logs. This is because these types of access often rely on machine or application identities rather than individual user accounts.
Potential Solutions to Identify Users Behind SPN/App Registration Access
While there's no direct way to map SPN/app registration access to a specific user in the traditional sign-in logs, you can explore the following strategies to gain more insights:
1. Leveraging Microsoft Purview Information Protection (PIP):
Track Sensitive Information: Configure PIP to track sensitive information accessed through your app registration.
Correlate with User Activity: By analyzing the access patterns of sensitive data and cross-referencing them with user activity logs, you might be able to infer which users are likely behind the SPN/app registration access.
Limitations: This approach may not provide a definitive answer, especially if the accessed data isn't highly sensitive or if multiple users have access to the same data.
2. Customizing Application Logging:
Enhance Application Logging: If you have control over the application's code, you can implement custom logging to capture additional details about the user or device making the request.
Correlate with Entra ID Logs: By capturing relevant information like user agent, IP address, or specific actions performed within the application, you can try to correlate this data with Entra ID logs to identify potential users.
3. Leveraging Conditional Access and Device Registration:
Enforce Conditional Access Policies: Implement Conditional Access policies that require multi-factor authentication (MFA) or device registration for access to sensitive resources.
Analyze Conditional Access Logs: By examining the devices and users that successfully authenticate, you might be able to identify the individuals behind the SPN/app registration access.
4. Consider Azure AD Privileged Identity Management (PIM):
Monitor Privileged Access: If your app registration requires elevated privileges, use PIM to track who activates these privileges and when.
Correlate with Access Logs: By analyzing PIM activity logs, you can identify potential users who might be using the app registration.
5. Consult with Microsoft Support:
Seek Expert Advice: Reach out to Microsoft support for tailored guidance based on your specific environment and requirements.
Explore Advanced Logging and Monitoring Options: Microsoft support engineers may be able to provide additional insights or recommend advanced logging and monitoring techniques.
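The correlation described under strategy 2 (matching service-principal sign-ins against interactive user sign-ins by source IP and time) as an added example, not code from either poster. It assumes records shaped like the Microsoft Graph signIn resource (createdDateTime, ipAddress, userPrincipalName, servicePrincipalId, appDisplayName); the log entries are constructed sample data.

```python
"""Correlate SPN sign-ins with interactive user sign-ins by source IP
within a time window. Added example; the records are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample data (field names follow the Graph signIn resource).
SP_SIGNINS = [
    {"createdDateTime": "2024-11-08T09:15:00Z", "appDisplayName": "ContosoApp",
     "servicePrincipalId": "sp-0001", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2024-11-08T09:40:00Z", "appDisplayName": "ContosoApp",
     "servicePrincipalId": "sp-0001", "ipAddress": "198.51.100.7"},
]
USER_SIGNINS = [
    {"createdDateTime": "2024-11-08T09:05:00Z",
     "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2024-11-08T08:00:00Z",
     "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2024-11-08T09:42:00Z",
     "userPrincipalName": "carol@contoso.example", "ipAddress": "192.0.2.5"},
]


def _ts(value: str) -> datetime:
    """Parse the UTC timestamp format Entra sign-in logs use."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(sp_signins, user_signins, window_minutes=30):
    """For each SPN sign-in, list users who signed in interactively from the
    same IP within +/- window_minutes. This is inference only: a shared NAT
    or proxy address yields several candidates, and an empty list means no
    user was seen from that IP, which is itself worth reviewing."""
    window = timedelta(minutes=window_minutes)
    results = []
    for sp in sp_signins:
        t = _ts(sp["createdDateTime"])
        candidates = sorted({
            u["userPrincipalName"] for u in user_signins
            if u["ipAddress"] == sp["ipAddress"]
            and abs(_ts(u["createdDateTime"]) - t) <= window
        })
        results.append({"time": sp["createdDateTime"], "app": sp["appDisplayName"],
                        "ip": sp["ipAddress"], "candidates": candidates})
    return results


if __name__ == "__main__":
    for row in correlate(SP_SIGNINS, USER_SIGNINS):
        print(row)
```

Real data would come from the Graph auditLogs/signIns endpoint (filtered on signInEventTypes) or from the SigninLogs and AADServicePrincipalSignInLogs tables in Log Analytics; the matching logic is the same.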