Entra Audit logs are periodically reporting "Add service principal failures"

song zhang 20 Reputation points
2025-01-07T06:44:45.25+00:00

Activity Type: Add service principal

Category: ApplicationManagement

Status: failure

Status reason: Microsoft.Online.Workflows.ValidationException

User Principal Name: Sync_XXXXXXXXX

The UPN belongs to an On-Premises Directory Synchronization Service Account.

Every time we run Microsoft Entra ID Connect, the sync process succeeds, but there is a failed audit log entry in Microsoft Entra ID.


Accepted answer
  1. Navya 20,180 Reputation points Microsoft External Staff Moderator
    2025-01-07T13:19:39.3333333+00:00

    Hi @song zhang

    Thank you for posting this in Microsoft Q&A.

    I understand that you are receiving Service Principal alerts in Microsoft Entra Domain Services.

    Based on the audit log screenshot, it appears that the AppId value 6bf85cfa-ac8e-4be5-b5de-425a0d0dc016 is not present in your Microsoft Entra directory. Therefore, you should add the required service principal to your directory.

    Before adding the service principal, please verify whether the application is present.

    1. In the Microsoft Entra admin center, search for and select Enterprise Applications.
    2. Search for the AppId value 6bf85cfa-ac8e-4be5-b5de-425a0d0dc016. If no existing application is found, follow the resolution steps to create the service principal.
    # Install the Microsoft Graph PowerShell SDK for the current user
    Install-Module Microsoft.Graph -Scope CurrentUser
    # Sign in with a scope that allows creating service principals
    Connect-MgGraph -Scopes "Directory.ReadWrite.All"
    # Create the service principal for the AppId from the audit entry
    New-MgServicePrincipal -AppId "6bf85cfa-ac8e-4be5-b5de-425a0d0dc016"
    

    The managed domain's health will automatically update within two hours, and the alert will be removed.

    For your reference: https://learn.microsoft.com/en-us/entra/identity/domain-services/alert-service-principal

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

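The check-then-create procedure from the accepted answer, as one runnable script. This is an added example, not code from the answer or from Microsoft's documentation. It assumes the Microsoft.Graph PowerShell SDK is installed, that the AppId is the one quoted in the answer (substitute the value from your own failing audit entry if it differs), and that the signed-in account can be granted Directory.ReadWrite.All and AuditLog.Read.All. Unlike the answer's three lines, it looks the AppId up first so the script is safe to re-run, and it reads the directory audit log afterwards so you can confirm the failures stop after the next sync cycle.

```powershell
# Added example: verify whether the service principal exists before creating it,
# then query the audit log for any further "Add service principal" failures.
# Assumptions: Microsoft.Graph SDK installed; $AppId is the value from your audit entry.

$AppId = '6bf85cfa-ac8e-4be5-b5de-425a0d0dc016'   # value quoted in the answer above

# Directory.ReadWrite.All covers creating the service principal;
# AuditLog.Read.All is needed to read the directory audit log afterwards.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'AuditLog.Read.All' -NoWelcome

# Step 1: look the AppId up instead of assuming it is missing.
# The filter is on the servicePrincipal appId property, not on the object id.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"

if ($sp) {
    Write-Host "Service principal already present: $($sp.DisplayName) ($($sp.Id))"
} else {
    # Step 2: create it. For a Microsoft first-party application only the AppId
    # is required; the display name is taken from the application object.
    $sp = New-MgServicePrincipal -AppId $AppId
    Write-Host "Created service principal: $($sp.DisplayName) ($($sp.Id))"
}

# Step 3: after the next Entra Connect sync, confirm the failure is no longer logged.
# Restrict to the last 24 hours so a clean run is easy to tell apart from history.
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "activityDisplayName eq 'Add service principal' and result eq 'failure' " +
          "and activityDateTime ge $since"
$failures = Get-MgAuditLogDirectoryAudit -All -Filter $filter

if (-not $failures) {
    Write-Host "No 'Add service principal' failures in the last 24 hours."
}

foreach ($f in $failures) {
    # InitiatedBy.User.UserPrincipalName is the Sync_ account from the question;
    # ResultReason carries the Microsoft.Online.Workflows.ValidationException text.
    [pscustomobject]@{
        Time      = $f.ActivityDateTime
        Initiator = $f.InitiatedBy.User.UserPrincipalName
        Reason    = $f.ResultReason
        Target    = ($f.TargetResources | Select-Object -First 1).DisplayName
    }
}
```

Run it once to create the missing service principal, then again after the next scheduled sync; if the final query still returns rows with the Sync_ account as initiator, the AppId in your own audit entry differs from the one assumed here and should be used instead.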

1 additional answer

  1. Pradeep Rao 0 Reputation points
    2025-01-07T08:09:58.5333333+00:00

    It seems like you're encountering a recurring issue with the "Add service principal" activity in your Microsoft Entra ID audit logs, specifically with the error Microsoft.Online.Workflows.ValidationException. This error typically indicates a problem with validating the service principal name (SPN) during the synchronization process.

    Here are some steps you can take to troubleshoot and resolve this issue:

    1. Check Credentials: Ensure that the credentials used for the synchronization process are correct. You might want to reset the credentials and try again.
    2. Verify Permissions: Make sure that the account used for synchronization has the necessary permissions to add service principals. You can check and adjust permissions in the Azure portal under the Azure Active Directory section.
    3. Review Logs: Look into the detailed logs in the Azure portal for any additional error messages or details that might help pinpoint the issue.
    4. SPN Conflicts: Ensure that the SPN being used is not already in use by another service principal. Conflicts can cause validation failures.

    If these steps don't resolve the issue, you might need to contact Microsoft support for more in-depth assistance. They can provide more specific guidance based on your environment and the exact error details.

    Feel free to ask if you have any other questions or need further assistance!

