Share via

Narada Notification Service in audit log

cbreitenstrom 5 Reputation points
2024-01-20T19:31:18.53+00:00

I have a strange entry in the Entra ID audit.log: -The entry does not have an "actor" specified -the message says that somebody (Narada Notification Service) installed successfully a Service Principal NaradaAuditLogDetails.png Google knows some similar cases but Microsoft did not answer it?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,150 questions

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Givary-MSFT 35,216 Reputation points Microsoft Employee
    2024-01-23T16:00:14.7166667+00:00

    @cb Thank you for reaching out to us, As I understand you are looking for details on Narada Notification Service in Entra ID audit logs.

    I have checked internally on this, this app is first party app, which is created by Microsoft.

    For more details on this app, would request you to open a support ticket with us, so that our team can investigate this further. Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    0 comments
  2. cbreitenstrom 5 Reputation points
    2024-01-25T10:02:57.7833333+00:00

    Thank you for this information, which seems to relate not only to UNeedSecurity but other customers as well. The reason, you mentioned "in order for the users to receive Microsoft emails" raises further questions: we got Microsoft emails previously- so what kind of additional emails do we get thanks to this new Service Principal? Looking at the grants, that the "Narada Application Service" Enterprise Application has: "Cloud Application Administrator" and "Reports Reader" roles. What exactly are you going to do with them? Please understand, we are a security company, we can't have there some undocumented leaks within our infrastructure. At the first step, I configured an "Role assignment alert" to the admin, in order to get involved, when these roles are assigned. But as the service principal got installed without asking us, will this alert be effective? Thank you for your time.

    0 comments
  3. Curtis L 25 Reputation points
    2024-01-25T18:32:36.13+00:00

    We also had this SPN randomly install itself in December 2023 under identical circumstances. @Givary-MSFT Is there somewhere security/auditors/and other Azure/Entra ID professionals can get updates on when/if Microsoft will be pushing 1st party service principals to our environments? Unfortunately this is not the first, second, or even 3rd time we've had a previously unknown 1st party Service Principal get installed in our environment without any warning. It would be nice if we could get some more visibility either from the audit log directly or advance notice of these changes. Thank you for your time.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.