Service Principals CloudConsoleGrapApi with Global Admin role

AH 25 Reputation points
2024-07-15T20:07:35.12+00:00

Hi,

I'm doing a review of Microsoft Entra and noticed several service principals named "CloudConsoleGrapApi" with the Global Administrator role. I looked at their activity but found nothing for months.

Any idea what these service principals are and how they ended up having the Global Admin role?

Thank you in advance.


3 answers

  1. Andy David - MVP 152.3K Reputation points MVP
    2024-07-15T20:28:05.65+00:00

  2. Luis Arias 7,856 Reputation points
    2024-07-15T20:53:45.5033333+00:00

    Hi AH,

    It looks like you have a third-party integration that is causing that service principal creation with that specific role. I suggest checking the activity log for the account that has the Global Administrator role, because only with that role can you assign that highly privileged role.

    References:

    If the information helped address your question, please Accept the answer.

    Luis


  3. Givary-MSFT 35,216 Reputation points Microsoft Employee
    2024-07-16T08:05:40.1133333+00:00

    @AH Thank you for reaching out to us. Adding to the above details:

    What was the created date for the service principal? If it's older than 1 month, unless you have audit logs stored, the Entra ID portal doesn't show logs older than 1 month.

    CloudConsoleGrapApi is not a core service created by Microsoft by default. As mentioned above, it seems like a third-party integration has created this service principal.

    Would recommend disabling them or removing the Global Admin privileges from the service principal immediately, then doing further investigation; if nothing is found, they can be deleted.

    Also, would suggest reviewing sign-in logs to find whether this service principal has been used recently or not.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

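The review steps suggested in the answers above, as an added example that is not part of the original thread or any poster's own code: it uses the Microsoft Graph PowerShell SDK to list every service principal holding Global Administrator, show which tenant registered the app, and pull the directory audit events still inside the retention window. The `$remediate` switch and the report field names are choices of this example.

```powershell
# Added example; requires the Microsoft.Graph PowerShell module.
$remediate = $false   # set to $true only after the findings have been reviewed
$scopes = 'RoleManagement.Read.Directory', 'Application.Read.All', 'AuditLog.Read.All'
if ($remediate) {
    $scopes = 'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All', 'AuditLog.Read.All'
}
Connect-MgGraph -Scopes $scopes

# Role template ID of Global Administrator; it is the same in every tenant.
$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -All `
    -Filter "roleDefinitionId eq '$globalAdminRoleId'"

$findings = foreach ($a in $assignments) {
    # The principal can be a user or a group; keep only service principals.
    $sp = Get-MgServicePrincipal -ServicePrincipalId $a.PrincipalId -ErrorAction SilentlyContinue
    if (-not $sp) { continue }

    # Audit events that targeted this object (creation, role changes, credential
    # updates). Only events still inside the log retention window are returned.
    $events = @(Get-MgAuditLogDirectoryAudit -All `
        -Filter "targetResources/any(t: t/id eq '$($sp.Id)')" |
        Sort-Object ActivityDateTime)
    $last = $events | Select-Object -Last 1

    [pscustomobject]@{
        DisplayName      = $sp.DisplayName
        ObjectId         = $sp.Id
        AppId            = $sp.AppId
        OwnerTenantId    = $sp.AppOwnerOrganizationId   # tenant that registered the app
        AccountEnabled   = $sp.AccountEnabled
        RoleAssignmentId = $a.Id
        AuditEventCount  = $events.Count
        LastActivity     = $last.ActivityDisplayName
        LastActivityTime = $last.ActivityDateTime
        LastInitiatedBy  = $last.InitiatedBy.User.UserPrincipalName
    }
}
$findings | Format-List

if ($remediate) {
    # Trim $findings to the principals confirmed as unwanted before running this.
    foreach ($f in $findings) {
        Update-MgServicePrincipal -ServicePrincipalId $f.ObjectId -AccountEnabled:$false
        Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $f.RoleAssignmentId
    }
}
```

This covers directory audit events only; service principal sign-in activity still has to be reviewed in the sign-in logs, as the last answer suggests.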
