Azure Active Directory: Threat Hunting - SPN Key Count


Azure service principals in your tenant should be reviewed periodically, just as app registration secrets and certificates should be (see https://www.cyber.engineer/azure-active-directory-threat-hunting-app-registration-key-count). The two reviews work hand in hand: a credential can be attached to the app registration or directly to the service principal object, so checking only one of them leaves a blind spot.

What is a service principal?

To access resources that are secured by an Azure AD tenant, the entity that requires access must be represented by a security principal. This requirement is true for both users (user principal) and applications (service principal). The security principal defines the access policy and permissions for the user/application in the Azure AD tenant. This enables core features such as authentication of the user/application during sign-in, and authorization during resource access.

Read more here:

Apps & service principals in Azure AD - Microsoft identity platform
Learn about the relationship between application and service principal objects in Azure Active Directory.

The following PowerShell script works in the same way as the app registration key count script (linked above), but it enumerates service principals and counts the password and key credentials attached to each.

# PowerShell script to count the password and key credentials configured on the tenant's service principals.
# Requires the AzureAD module; Connect-AzureAD prompts for an account with directory read permission.

Connect-AzureAD
$Spns = Get-AzureADServicePrincipal -All $True
foreach ($Spn in $Spns) {
    # Only report service principals that have at least one credential attached.
    if ($Spn.PasswordCredentials.Count -ne 0 -or $Spn.KeyCredentials.Count -ne 0) {
        Write-Host 'Service Principal Display Name:' $Spn.DisplayName
        Write-Host 'Service Principal Password Count:' $Spn.PasswordCredentials.Count
        Write-Host 'Service Principal Key Count:' $Spn.KeyCredentials.Count
        Write-Host ''
    }
}
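A bare count tells you which service principals carry credentials, but not whether those credentials are stale, unusually long-lived, or attached to an application that another tenant owns. The script below is an added example, not part of the original post: it reports one row per credential with its lifetime and a set of hunting flags, and separates the analysis from the collection step so it can be exercised offline against constructed data. It assumes the object shape returned by the AzureAD module (DisplayName, AppId, ServicePrincipalType, AppOwnerTenantId, and PasswordCredentials/KeyCredentials entries with KeyId, StartDate and EndDate); the tenant ID, thresholds and sample service principals are placeholders.

```powershell
# Added example: per-credential report over service principals, with hunting flags.
# Assumes AzureAD-module object shapes; the sample data and tenant ID below are constructed.

function Get-SpnCredentialReport {
    param(
        [Parameter(Mandatory)] [object[]] $Spns,
        [Parameter(Mandatory)] [string]   $HomeTenantId,        # your tenant's ID
        [int] $MaxLifetimeDays    = 365,                          # flag validity periods longer than this
        [int] $ExpiringWithinDays = 30                            # flag credentials about to expire
    )
    $now = (Get-Date).ToUniversalTime()
    foreach ($spn in $Spns) {
        # Merge both credential lists, remembering which kind each entry is.
        $creds = @()
        foreach ($c in $spn.PasswordCredentials) { $creds += [pscustomobject]@{ Kind = 'Password'; Cred = $c } }
        foreach ($c in $spn.KeyCredentials)      { $creds += [pscustomobject]@{ Kind = 'Key';      Cred = $c } }

        foreach ($entry in $creds) {
            $c        = $entry.Cred
            $lifetime = ($c.EndDate - $c.StartDate).TotalDays
            $flags    = @()
            if     ($c.EndDate -lt $now)                               { $flags += 'Expired' }
            elseif ($c.EndDate -lt $now.AddDays($ExpiringWithinDays))  { $flags += 'ExpiringSoon' }
            if     ($lifetime -gt $MaxLifetimeDays)                     { $flags += 'LongLived' }
            # A credential sitting on the service principal of an application owned by another
            # tenant is tenant-local: the owning tenant's app registration review will never see it.
            if ($spn.AppOwnerTenantId -and $spn.AppOwnerTenantId -ne $HomeTenantId) { $flags += 'ForeignOwnedApp' }

            [pscustomobject]@{
                DisplayName    = $spn.DisplayName
                AppId          = $spn.AppId
                SpnType        = $spn.ServicePrincipalType
                CredentialKind = $entry.Kind
                KeyId          = $c.KeyId
                StartDate      = $c.StartDate
                EndDate        = $c.EndDate
                LifetimeDays   = [math]::Round($lifetime)
                Flags          = ($flags -join ',')
            }
        }
    }
}

# Constructed sample data (placeholder IDs) so the report can be run without a tenant connection.
$homeTenant  = '11111111-1111-1111-1111-111111111111'
$otherTenant = '22222222-2222-2222-2222-222222222222'
$utcNow      = (Get-Date).ToUniversalTime()
$sampleSpns  = @(
    [pscustomobject]@{
        DisplayName = 'Internal Backup Job'; AppId = 'aaaaaaaa-0000-0000-0000-000000000001'
        ServicePrincipalType = 'Application'; AppOwnerTenantId = $homeTenant
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'k-0001'; StartDate = $utcNow.AddDays(-400); EndDate = $utcNow.AddDays(330) })
        KeyCredentials      = @()
    },
    [pscustomobject]@{
        DisplayName = 'Third-Party SaaS Connector'; AppId = 'aaaaaaaa-0000-0000-0000-000000000002'
        ServicePrincipalType = 'Application'; AppOwnerTenantId = $otherTenant
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'k-0002'; StartDate = $utcNow.AddDays(-3); EndDate = $utcNow.AddDays(725) })
        KeyCredentials      = @([pscustomobject]@{ KeyId = 'k-0003'; StartDate = $utcNow.AddDays(-800); EndDate = $utcNow.AddDays(-70) })
    }
)

$report = Get-SpnCredentialReport -Spns $sampleSpns -HomeTenantId $homeTenant
$report | Sort-Object Flags -Descending | Format-Table DisplayName, CredentialKind, KeyId, LifetimeDays, EndDate, Flags -AutoSize

# Against a live tenant, replace the sample data with the module's output:
#   Connect-AzureAD
#   $tenantId = (Get-AzureADTenantDetail).ObjectId
#   Get-SpnCredentialReport -Spns (Get-AzureADServicePrincipal -All $True) -HomeTenantId $tenantId |
#       Export-Csv -Path .\spn-credentials.csv -NoTypeInformation
```

Flags are deliberately additive, so a single row can read ExpiringSoon,ForeignOwnedApp; sort or filter on that column to triage. The ForeignOwnedApp check is the one worth watching most closely: a password added directly to a multi-tenant application's service principal in your tenant is invisible to the application owner's review and is a common way to keep access after the original foothold is gone.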