Unknown Actors in Audit Reports
The following are common examples of Microsoft first-party service principal actors that may be found in Microsoft Entra audit logs, including a description of actions these actors may take on Microsoft Entra objects in your tenant.
For more commonly used first-party Microsoft applications, see Application IDs of commonly used Microsoft applications.
|Azure Credential Configuration Endpoint Service||Auth Methods Registration||Used when authentication methods are registered. It can be displayed as an actor in audit logs when enabling the combined registration.|
|email@example.com||CXP||This account is from our internal Microsoft Support tenant. It's used to facilitate the management and maintenance of customers' tenants. Microsoft Support is currently transitioning to a unified platform for customer support and case management. For the change in question, the account sets a flag on the tenant to initiate the migration of support cases to the unified platform. This change doesn't directly affect any settings on your tenant or impact your existing or future support cases.|
|DaRT Team||Partner Center||The Set Partnership operation means DAP is terminated by Microsoft. This scenario is expected to be part of the Microsoft-led DAP deprecation.|
|firstname.lastname@example.org||Self-Service Password Reset||Used to perform the Self Service Password Reset operation for end users.|
|Microsoft Approval Management||Self-Service Group Management Service||Used by self-service group management service (SSGM) for Microsoft Entra ID dynamic groups, and Office 365 Group expiration policy operations.|
|Microsoft Azure Management||ARM||If the directory doesn't already have an account for the Service Administrators, the "Windows Azure Service Management API" ARM service principal will send and redeem invitations to the Service Administrators of the Azure subscription list. This process ensures that the Service Administrator of the subscription can access and view the subscription in the portal.|
|Microsoft Entra Subscription Lifecycle Process||License Manager Service||Used by the license manager service to remove licenses and subscriptions from Microsoft Entra ID when a subscription has expired or when the subscription state changes.|
|Microsoft Exchange Online Protection||Security and Compliance Center||Used by Exchange Online Protection to write changes to Microsoft Entra ID. As an example, MIP labels can only be modified in Security and Compliance Center (SCC). SCC logs contain the user actor. SCC then pushes these labels to Microsoft Entra offline, so there's no user context.|
|Microsoft Managed Policy Manager||Microsoft Managed Conditional Access||Used to create and manage Microsoft-managed Conditional Access policies.|
|Microsoft Substrate Management||Exchange||Used by Exchange Online during dual write operations to Microsoft Entra ID. When an object in Exchange Online is written to Microsoft Entra ID, this principal will show up as the actor in Microsoft Entra audit logs. For more information about dual write operations, see Exchange Online Improvements to Accelerate Replication of Changes to Microsoft Entra ID.|
|MS-CE-CXG-MAC-AadShadowRoleWriter||License Manager Service, Purchase Service, Marketplace||Used by commerce platform to assign Microsoft 365 commerce role permissions to Microsoft Entra ID. An example of a role this service would add is Modern Commerce Administrator.
- Reference 1 - Microsoft Entra built-in roles
- Reference 2 - Who can buy through self-service purchase?
|Signup||Commerce Licensing (LMS)||Used by commerce licensing service during self-service subscription signup. For more information on self-service subscriptions, see Manage self-service sign-up subscriptions.|
|email@example.com||SharePoint Online||This account is used to create Azure Access Control Service (ACS) principles, which are required for the installation of the SharePoint app (add-in).|
|Windows Azure Service Management API||Azure Resource Manager||Used by the Azure Resource Manager (ARM) service. This service principal may be used for any Microsoft Entra operations needed to maintain proper access to your Azure subscription and resources, such as ensuring the subscription's Service Administrator has a Microsoft Entra account in your tenant. You can see this actor when a customer registers a resource provider in an Azure subscription in their tenant. For more information about how and why this actor appears, see resource providers and types. More than 1,000 App IDs are connected to resource providers, and new IDs are added regularly. The REST API can be used to return the App ID dynamically.|