Guidance Needed on Handling Microsoft Substrate Management-Created Identities in EntraID

Question

Guidance Needed on Handling Microsoft Substrate Management-Created Identities in EntraID

Danish Anwar 46

Hello everyone,

I'm seeking advice from those who have successfully implemented Microsoft's Zero Trust Conditional Access (CA) policy framework in environments where Exchange Online is also deployed.

Recently, I began classifying our Entra ID identities using Microsoft's recommended personas. So far, it's been effective — approximately 90% of identities have been successfully tagged. However, during this process, I discovered that the Microsoft first-party app "Microsoft Substrate Management" is being used by Exchange Online to perform CRUD operations on user objects when mailboxes are created.

MS defining this 1st party app under Unkwon actors here - https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/unknown-actors-in-audit-reports#unknown-actors & a third party blog - https://www.jasonfritts.me/2020/08/04/what-is-microsoft-substrate-management-and-why-is-it-creating-users-in-my-tenant/ Which suggests this as a nice effective action, but for Entra administrators it is creating an issue if MS zero trust CA policy framework needs to be implemented.

For example, when our helpdesk team requests a new mailbox (e.g., ******@help.com), the Exchange team provisions it, and this triggers a dual-write action. The "Microsoft Substrate Management" app then automatically creates a corresponding user object in Entra ID. I've found a significant number of these identities, but they don't seem to fit into any of the standard persona categories Microsoft defines.

To address this, I created a new persona called "EXO" to group these identities. However, I'm unclear about the best practices for applying Conditional Access policies to them — particularly whether they should be blocked from interactive sign-in, and if there are any potential risks or implications I should be aware of.

I’d really appreciate insights from anyone who has tackled this scenario. How did you classify these identities? What policies did you apply? Any lessons learned or gotchas would be incredibly helpful.

Thanks in advance!

Danish Anwar 46 Reputation points

2025-04-10T12:23:12.0833333+00:00

So I opened a case with MS and the comments I have is -

These are mailbox user accounts which are mandatory along with mailboxes but these account can be used by bad actors for login via password reset. Ideally at Exchange level these mailboxes should have the sign-in as not allowed - https://docs.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide#block-sign-in-for-the-shared-mailbox-account

So I can collected them in one persona and set the persona to Block via CA policies.

Or, If following zero trust I can block all users who doesn't belong to a persona will also safeguard. Main point MS confirm that blocking this will not affect mailboxes functionality.

Accepted answer

1 additional answer

Your answer

Danish Anwar 46 Reputation points

2025-04-10T12:23:12.0833333+00:00

So I opened a case with MS and the comments I have is -

These are mailbox user accounts which are mandatory along with mailboxes but these account can be used by bad actors for login via password reset. Ideally at Exchange level these mailboxes should have the sign-in as not allowed - https://docs.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide#block-sign-in-for-the-shared-mailbox-account

So I can collected them in one persona and set the persona to Block via CA policies.

Or, If following zero trust I can block all users who doesn't belong to a persona will also safeguard. Main point MS confirm that blocking this will not affect mailboxes functionality.

Answer 1

Hello Danish Anwar,

The article you referenced describes how to block sign-ins for shared mailbox accounts. This is a great first step to secure accounts that are not intended for direct user login.

additionally, you can do is apply the least privilege principle by ensuring that these accounts only have the minimum required permissions for the tasks they need to perform. If these accounts do not need any direct interaction with users, ensure they only have access to what’s absolutely necessary for the operation of Exchange and other related services.

You can block the sign-in of shared mailbox using CA policy in Entra ID. You can follow below instructions.

Login to Entra ID portal https://entra.microsoft.com/
Use Global admin credentials to login.
Go to Protection >> Conditional access
Click on Policies >> New policy
Name the new policy
Under user's section select users and groups and select the shared mailbox account.
Under Target resources select "All cloud apps"
Now go to Access controls >> Grant
Under grant you can select Block access.

Create a CA policy to block sign-ins for service accounts or shared mailbox accounts by targeting these objects based on their attributes in Entra ID (e.g., checking if they are part of a particular group).

As for other CA policies:

-Block legacy authentication (e.g., for Exchange or other non-modern protocols) could further secure these identities.

-Enforce compliance policies (e.g., device compliance or security baselines) if these accounts are tied to devices or need to access resources outside of Exchange Online.

blocking sign-ins via CA policies for non-interactive accounts (such as shared mailboxes, service accounts, etc.) should not have any major impact, provided these accounts are truly not used for login purposes. However, it's important to test these policies in a controlled environment (using a small subset of accounts or a test group) to confirm they behave as expected.

Refer this below document which can help you to create a CA policy with more requirements:

how-to-limit-access-to-a-shared-mailbox-by-device
block-legacy-authentication
list-shared-mailboxes-with-signin-enabled-and-then-block-signin-using-powershell

I hope this clarifies things.

Please remember to "Accept Answer", so that others in the community facing similar issues can easily find the answers.

Danish Anwar 46 Reputation points

2025-04-10T12:28:41.0366667+00:00

Thank you Sakshi,

Your response is somewhat similar to what I had from MS.

However, I am not clear with below statement -

"Create a CA policy to block sign-ins for service accounts or shared mailbox accounts by targeting these objects based on their attributes in Entra ID (e.g., checking if they are part of a particular group)."

What is confusion - I do not think MS supports creating dynamic user group based on user group membership example if they are part of any group as GA maybe something in preview but I have no idea. Only using user attributes like location, name, UPN, office, etc we can create dynamic query.
If you have any idea or references like how can a dynamic user group can be created for users who are part of a group please share the references.

But anyway thanks for the answer and to add blocking such users has no impact and ideally they should be blocked.
Rahul Gupta 235 Reputation points Microsoft Employee

2025-04-10T12:32:38.02+00:00

Hello Danish,

it is possible to create Nested Groups. that are dynamic in nature .

Kindly, have a look at this Microsoft article .

https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-rule-member-of

Regards

Rahul

Answer 2

Rahul Gupta 235 Microsoft Employee

Hello,

Thanks for reaching out Microsoft community

I will definitely try and clarify your query regards Microsoft Substrate Management-Created Identities in EntraID.

These Identities are created in Entra ID when an operations has been performed directly in exchange online and not in AD / Azure AD because in that case Exchange is the one that is syncing back the object to Azure AD. usually you would see in azure that it was created by Microsoft substrated management however if you want to know who created that object, first try and found out its corresponding exchange online object and then run new-unifiedauditlogserach operation on that exchange online object to find who was the actual actor who created that object.

i hope i was able to clarify your doubts. happy to discuss this in detail if required at all.

Regards

Rahul Gupta

Microsoft Customer Support

Danish Anwar 46 Reputation points

2025-04-09T09:28:40.9266667+00:00

Hello Rahul,
Thank you for your answer.
Indeed that is correct information. I also know via Exchange online that who created it and that is valid action I have no concerns in that.

My question is when in exchange online such objects created and via dual write functionality of Exchange using MS 1st part app Microsoft Substrate Management the objects are written into EntraID. These objects are just like any other user object and with right set of permission the password can be reset and used for logins also. So the questions here is while we have personas for all other identities like Guest, service accounts, developer, internal user, etc. we have no recommendation by MS on under which persona such identities should be collected and what CA policies are recommended. I assume one is blocking sign in using such accounts as mentioned in the article - https://docs.microsoft.com/en-us/microsoft-365/admin/email/create-a-shared-mailbox?view=o365-worldwide#block-sign-in-for-the-shared-mailbox-account

But I want to block them via CA policies in EntraID but not sure if that will cause impact. I assume no but I want to confirm this. And maybe what other CA policies as per best practices we can apply on these identities.

I hope I am better able to clarify my question.
Rahul Gupta 235 Reputation points Microsoft Employee

2025-04-09T11:23:27.29+00:00
Yes you can disable the accounts to block sign in via CA policy for sure. for an example. you can do that on a scheduling mailbox. this is usually created by end users however it creates an identity of this in Azure . i dont think blocking the signin is going to create a problem. however it does depend on case to case basis .

you can create CA policies such as below

Blocking an account

allowing an account to work in a specific region

account login via a specific type of device like hybrid Entra ID join device.

do let us know if that clarifies your question.

Regards

Rahul Gupta

Microsoft customer support

Share via

Guidance Needed on Handling Microsoft Substrate Management-Created Identities in EntraID

1 additional answer

Your answer