Bsure Documentation

Service Principals

Apps and service principals should be treated like user accounts and monitored closely.

When a third-party app offers single sign-on or other integration with your Entra ID, the vendor typically asks you to create a service principal for it. To get the integration running you provide the system or vendor with your tenant ID, application ID and a corresponding secret. The application then needs access to Entra ID for the integration to work as expected, so it is granted permissions in your environment.

Sign-ins from such an application are not governed by identity protection controls such as conditional access policies, which means the application ID and secret work from anywhere, at any time.

The Service Principal report shows the service principals in your environment, the permissions they have been granted and where they sign in from. Third-party vendors often ask for more permissions than they need, so review the report to confirm that both permissions and sign-ins are as expected.

We have classified permissions as critical, high, medium and low, but a read permission classified as low can still be business critical if exposed. For example, if a service principal has been granted `Mail.Read` and its secret is compromised, whoever holds that secret can read all of your company's e-mail.

Use the map and click on the dots to see which data you export to which country, and to whom.
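The review described above (tiering each granted permission, raising read scopes that are still business critical, and comparing sign-in countries against the ones you expect) as an added example that is not Bsure's code; the severity tiers, `role-000N` IDs, country list and sample service principals are all assumptions constructed for the example, shaped like Microsoft Graph `appRoleAssignment` and `signIn` objects.

```python
# Added example, not Bsure's code: review service-principal grants and sign-in
# countries over constructed data shaped like Graph appRoleAssignment/signIn objects.

# Assumed severity tiers (Bsure's own mapping is not published on this page).
SEVERITY = {"Directory.ReadWrite.All": "critical", "Mail.ReadWrite": "high",
            "Group.Read.All": "medium", "Mail.Read": "low", "User.Read.All": "low"}
# Read-only permissions that are still business critical if the secret leaks.
SENSITIVE_READ = {"Mail.Read", "Files.Read.All"}
# Countries your vendors are expected to sign in from (assumption).
ALLOWED_COUNTRIES = {"NO", "SE"}
# Constructed appRole ids; real ids come from the resource's appRoles list in Graph.
APP_ROLES = {"role-0001": "Mail.Read", "role-0002": "Directory.ReadWrite.All",
             "role-0003": "User.Read.All"}

# Constructed sample: two service principals, their grants and recent sign-ins.
SAMPLE = {
    "HR Sync Connector": {
        "assignments": [{"appRoleId": "role-0003"}],
        "signIns": [{"location": {"countryOrRegion": "NO"}}],
    },
    "Mail Archiver": {
        "assignments": [{"appRoleId": "role-0001"}, {"appRoleId": "role-0002"}],
        "signIns": [{"location": {"countryOrRegion": "SE"}},
                    {"location": {"countryOrRegion": "US"}}],
    },
}

def classify(permission):
    """Tier for one permission; 'low' read scopes on sensitive data are raised."""
    tier = SEVERITY.get(permission, "unclassified")
    if permission in SENSITIVE_READ and tier == "low":
        return "high (sensitive read)"
    return tier

def review(name, sp):
    """Resolve grants to named permissions with tiers and list unexpected countries."""
    perms = {APP_ROLES.get(a["appRoleId"], a["appRoleId"]) for a in sp["assignments"]}
    tiers = {p: classify(p) for p in sorted(perms)}
    countries = {s["location"]["countryOrRegion"] for s in sp["signIns"]}
    unexpected = sorted(countries - ALLOWED_COUNTRIES)
    flagged = {"critical", "high", "high (sensitive read)"}
    return {"name": name, "tiers": tiers, "unexpected_countries": unexpected,
            "needs_review": bool(unexpected) or bool(flagged & set(tiers.values()))}

def review_all(data=SAMPLE):
    """Run the review over every service principal; flagged ones need attention."""
    return [review(name, sp) for name, sp in data.items()]
```

Feeding the real `appRoles` list of the Graph resource and the service principal sign-in log into `APP_ROLES` and `SAMPLE` gives the same kind of findings the report's permissions and map views show.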


Last updated 1 year ago