From March 2026, Microsoft Entra ID will no longer support service principal-less authentication behavior. In this article, you'll learn how to prepare for the deprecation of service principal-less authentication. As a tenant administrator you'll verify access, create an enterprise application, and verify tokens.
Prerequisites
- An account in the resource tenant with at least the Application administrator or Cloud application administrator role assigned.
Transitioning from Service Principal-less authentication
Microsoft Entra ID will block authentication for multitenant applications that don't have an enterprise application (that is, a service principal) registered in the resource tenant. This scenario is known as service principal-less authentication. It has already been blocked for most resources; this change closes the few remaining exceptions. A service principal-less token is issued without any permissions and without a service principal object identifier (object ID), so the resource tenant has no object to govern or audit for that caller. The change is a preventive security measure.
This change makes a client service principal a requirement for all applications, in line with the "Security by default" principle (see authentication behaviors). Service principal-less authentication can be abused if a resource application (that is, an API) performs incomplete token validation, for example by accepting a token that carries no permission claims. Microsoft has verified that its own validations aren't vulnerable to service principal-less authentication. Requiring a service principal nonetheless minimizes the risk of this gap reappearing in future versions or being exploited in third-party resources outside Microsoft's control.
Additionally, by enforcing the requirement that applications must be registered in every tenant where they authenticate, we reinforce tenant administrator’s governance of all access, including the ability to write conditional access policies for these applications.
You must act before March 31, 2026, to avoid authentication failure of applications.
Traffic that was identified as using service principal-less authentication between February 11 and March 11, 2025, continues to work until March 2026. Traffic that wasn't detected during that window, and any new traffic starting after March 11, 2025, will be blocked starting April 2025.
Use sign-in logs to find service principal-less applications
First, verify that access by the named applications to the listed resources is necessary. The resource tenant's administrator can review the application's sign-in activity in the sign-in logs. A service principal-less authentication appears in the resource tenant's sign-in logs with a service principal ID of 00000000-0000-0000-0000-000000000000 (the all-zeros GUID).
- Navigate to the Microsoft Entra admin center.
- On the left navigation panel, go to Entra ID > Monitoring & health > Sign-in logs.
- Go to the Service principal sign-ins tab.
- Filter by Service principal ID, and enter 00000000-0000-0000-0000-000000000000 in the input field.
- Change the Date sorting to Custom time interval, and set it to Last 1 month.
- Select a log entry to view its details, and find the Application ID in the side panel. This is the Client Application ID you need for the next step.
Create enterprise application
Next, create an enterprise application in the resource tenant for each of the named applications. The resource tenant administrator registers each application using the Client Application ID found in the sign-in logs above. Creating the enterprise application creates the service principal object in the resource tenant, which is what subsequent tokens will reference.
Verify tokens
Finally, the resource tenant administrator should verify that the tokens issued to the application are no longer service principal-less. Check the sign-in logs again: the Service principal ID should now be the unique GUID of the newly created enterprise application (a value of the form aaaaaaaa-bbbb-cccc-1111-222222222222) rather than the all-zeros value.
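The three steps above (find the service principal-less sign-ins, create the missing enterprise application, verify the next tokens) can also be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example, not a script from this article or from Microsoft. The function names are mine; it assumes the Microsoft.Graph module is installed, that the signed-in account can read sign-in logs and create service principals, and that the beta /auditLogs/signIns endpoint exposes the servicePrincipalId and signInEventTypes properties (which is why the query targets beta rather than v1.0). Check those assumptions against your tenant before relying on it.

```powershell
# Added example (not from the article): Graph PowerShell version of the three steps.
# Assumes: Microsoft.Graph module installed; the beta signIns endpoint exposes
# servicePrincipalId and signInEventTypes; the account holds a role that can read
# sign-in logs and create service principals in the resource tenant.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Application.ReadWrite.All'

# The value the portal shows for a service principal-less sign-in.
$EmptyGuid = '00000000-0000-0000-0000-000000000000'

function Get-SignInPage {
    # Runs an OData $filter against the beta signIns endpoint and follows paging.
    param([Parameter(Mandatory)][string]$Filter)
    $uri = "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=$([uri]::EscapeDataString($Filter))&`$top=999"
    $rows = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $rows += $page.value
        $uri = $page.'@odata.nextLink'   # null on the last page
    }
    return $rows
}

function Get-SpLessSignIns {
    # Step 1: service principal sign-ins in the last N days whose service principal ID is all zeros.
    param([int]$Days = 30)
    $since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "signInEventTypes/any(t: t eq 'servicePrincipal') and servicePrincipalId eq '$EmptyGuid' and createdDateTime ge $since"
    # One row per client app / resource pair, so each application is reviewed once.
    Get-SignInPage -Filter $filter | Group-Object appId, resourceDisplayName | ForEach-Object {
        [pscustomobject]@{
            AppId    = $_.Group[0].appId            # the Client Application ID for step 2
            AppName  = $_.Group[0].appDisplayName
            Resource = $_.Group[0].resourceDisplayName
            SignIns  = $_.Count
            LastSeen = ($_.Group.createdDateTime | Sort-Object -Descending)[0]
        }
    }
}

function Register-EnterpriseApplication {
    # Step 2: create the enterprise application (service principal) for a client app ID, idempotently.
    param([Parameter(Mandatory)][string]$AppId)
    $existing = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if ($existing) {
        Write-Host "Enterprise application already present for $AppId (object ID $($existing.Id))"
        return $existing
    }
    # Creating the service principal is what registers the multitenant app in this tenant.
    New-MgServicePrincipal -AppId $AppId
}

function Test-SpLessResolved {
    # Step 3: after the app has signed in again, confirm no recent sign-in still shows the all-zeros ID.
    param([Parameter(Mandatory)][string]$AppId, [int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "signInEventTypes/any(t: t eq 'servicePrincipal') and appId eq '$AppId' and createdDateTime ge $since"
    $recent = @(Get-SignInPage -Filter $filter)
    $still  = @($recent | Where-Object { $_.servicePrincipalId -eq $EmptyGuid })
    [pscustomobject]@{
        AppId         = $AppId
        RecentSignIns = $recent.Count
        StillSpLess   = $still.Count
        # Resolved only when the app has signed in again AND every sign-in carries a real service principal ID.
        Resolved      = ($recent.Count -gt 0 -and $still.Count -eq 0)
    }
}

# Usage: review the findings, register each client app, then re-check on a later day.
$findings = Get-SpLessSignIns -Days 30
$findings | Format-Table -AutoSize
foreach ($appId in ($findings.AppId | Sort-Object -Unique)) {
    Register-EnterpriseApplication -AppId $appId | Out-Null
}
foreach ($appId in ($findings.AppId | Sort-Object -Unique)) {
    Test-SpLessResolved -AppId $appId
}
```

The lookback of 30 days matches the Last 1 month interval used in the portal steps, and the query filters on the same all-zeros service principal ID. Register-EnterpriseApplication checks for an existing service principal first, so rerunning the script is safe. Test-SpLessResolved only reports Resolved once the application has actually authenticated again after the enterprise application exists, so run that step after the application's next sign-in rather than immediately.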