What happens to Service Principals created by users no longer in active in Azure Active Directory?

Question

Hi,

I'm trying to come up with a plan or procedure to handle Service Principals users when a user is no longer active in the companies Azure Active Directory.

For example:

• Ben creates a Service Principal on the Azure Active Directory.
• Bens colleague adds the Service Principal to the subscription as a "contributor".
• Ben uses the SP for some automation or normal use cases.
• Ben leaves the company.
• The company removes/disables Bens account in the companies Azure Active Directory.
• Ben never added another Owner to the SP.
• Ben is only one who knows the password or has the certificate.
• What happens at this point?
• Can Ben use that SP user and pass/certificate to continue to use the subscription(s) the SP is on?
• Is the Service Principal also deactivated when Bens account is deactivated/removed?
• Do we have to remove the SP manually from the Subscription?

Again there isn't a current Security threat or anything, I'm just gathering information in order to write a procedure on what happens should a user with a Service Principal added to a subscription leave the company.

Answer 1

@John Doyle , Thank you for reaching out and sharing a query. In this case, when a user creates a Service principal, he just gets added as an owner to that service principal. But having said that the Global Admin of the tenant can always override stuff and he can change/update the owner of that application whenever he wants.

Now comings to the points that you have listed:

• The company removes/disables Bens account in the companies Azure Active Directory. ---> Ben is no longer a part of your org or AAD tenant. hence no way he can log in from outside.
• Ben never added another Owner to the SP. --> No Problem, The Global Admin of the tenant can override and update the owner on the Service Principal.
• Ben is only one who knows the password or has the certificate. --> The Global Admin/Application Administrations in your tenant can update/change the password or attach a new certificate to the service Principal. It is always a good practice to that that immediately. Since Ben still holds the app secret or certificate, he can still login to your tenant using the service principal and using one of those as password. So best way, update the creds of the service principal immediately.
• Can Ben use that SP user and pass/certificate to continue to use the subscription(s) the SP is on? --> Yes, Ben still can use these password and certificate and login to your tenant as the service principal
• Is the Service Principal also deactivated when Bens account is deactivated/removed? --> No.
• Do we have to remove the SP manually from the Subscription? --> Yes, it has to be removed manually. The Global Admin/Application Administrator can do this job.
• Do we have to remove the SP manually from the Subscription? --> If the Service Prinicipal itself is deleted from your tenant, then no need to manually remove it from Subscription, as it would get removed automatically from there. But if the Service Principal still remains in the tenant, then yes from subscription it has to be removed manually.

Hope this helps.

Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.