![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJT%3C/text%3E%3C/svg%3E)
25,081 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
To design a KQL query to find service principals that haven't had sign-ins in more than 90 days, you could look at the service principal sign-in logs and AAD audit logs and use a query like this:
AADServicePrincipalSignInLogs
| where TimeGenerated > ago (90d)
Doing some digging, I found a few KQL queries written by Matthew Zorich from the Sentinel team. These examples look pretty close to what you are looking for.
This sample finds any Azure AD service principals that have been granted any .All access in the last year that haven't signed in for 30 days.
And this example summarizes your Azure AD service principals by the last time they signed in, grouped by month:
//Data connector required for this query - Azure Active Directory - Service Principal Signin Logs
AADServicePrincipalSignInLogs
| project TimeGenerated, AppId, ResultType, ServicePrincipalName
| where TimeGenerated > ago (360d)
| where ResultType == 0
| summarize arg_max(TimeGenerated, *) by AppId
| summarize ['Application List']=make_set(ServicePrincipalName) by Month=startofmonth(TimeGenerated)
| sort by Month asc
-
Please Accept the answer if the information helped you. This will help us and other community members as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 96%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)