Removing Service Principals for Discontinued Integrations
Overview
When you discontinue using Secureworks® Taegis™ XDR integrations with Microsoft services, it's important to clean up the associated service principals to maintain proper security hygiene in your Entra ID (formerly Azure AD) environment. Removing an integration from XDR causes XDR to stop polling for data and delete any stored credentials for the account; however, it does not remove any service principals from the tenant that was integrated.
What is a Service Principal?
A service principal is the security identity used by applications, services, and automation tools to access specific Azure resources. When you grant permissions to a Secureworks integration, a service principal is created in your tenant that represents that application and holds the permissions you've granted.
Service principals are directly related to application registrations:
- An application registration represents the global definition of an application
- A service principal is the local representation of that application in your specific tenant
Why Remove Service Principals?
Removing unused service principals:
- Eliminates unnecessary access to your tenant.
- Reduces potential security risks.
- Helps maintain a clean and manageable Entra ID environment.
- Revokes all permissions previously granted to the integration.
What Happens When You Remove a Service Principal?
- All permissions granted to the application in your tenant are revoked.
- The application can no longer access your Microsoft resources.
- Any integrations using this service principal will stop working.
- No data collected previously by Secureworks is deleted from Secureworks systems.
Service Principals to Remove
The following table lists the client IDs of the service principals for the applications controlled by Secureworks. If the integrations are no longer in use in XDR, then the corresponding service principals related to those integrations can be removed.
| Integration | Client ID | Environment |
|---|---|---|
| Graph Security API v1 | cc4b19d5-2bcf-48d0-9633-fc1725d4f484 | All |
| Legacy Azure Active Directory Activity Reports | e6f06a01-1202-4e41-86d4-6a0cb45011e3 | All |
| Legacy Office 365 | d020ee65-6aec-47ff-b18f-7424c8a631df | All |
| Azure Activity Logs | 4fdc73d3-9fdf-4b9a-95f0-0f2063ded53b | Charlie |
| Azure Activity Logs | 392cab40-8474-4fa9-a108-9ce447bf8c18 | Delta |
| Azure Activity Logs | 1f053f92-4e1d-4332-ba17-0f7d2ae322f3 | Echo |
| Azure Activity Logs | 7749a2e2-d528-4cef-89c6-6323db212509 | Foxtrot |
| Azure Active Directory Identity Protection - Risk Detection | c1eaf970-08e4-4164-910c-6ee255e0538a | Charlie |
| Azure Active Directory Identity Protection - Risk Detection | 2ddc63c3-0dea-4e41-92b5-848908d7298f | Delta |
| Azure Active Directory Identity Protection - Risk Detection | adcb356c-78a0-4d87-8399-e8d80605d54b | Echo |
| Azure Active Directory Identity Protection - Risk Detection | 8551492f-4cfe-4f08-973b-83eb93d1e90e | Foxtrot |
For integrations where the application registration is created in the local account to be integrated, you can view the client ID by selecting the Details tab on the integration from the Integrations > Cloud APIs > Integration Name page and viewing the value for MSClientId.
Remove a Service Principal
The following steps can be completed in the Microsoft Entra admin center.
- Log in to the Microsoft Entra admin center as a Global Administrator.
- Go to Enterprise applications.
- Find and select the service principal you want to remove. You can search for the client ID from the table above.
- Choose Delete from the application's overview page or by expanding the Actions menu.
- Confirm the deletion in the dialog box.
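The same lookup and removal can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the Secureworks documentation: it assumes the Microsoft.Graph module is installed and that the signed-in account can use the Application.ReadWrite.All scope, and the script name and its ClientId parameter are hypothetical. It prints each matching service principal and its application permissions before asking for confirmation to delete.

```powershell
# Added example (not Secureworks code). Save as Remove-StaleSecureworksSp.ps1 (hypothetical name).
# Preview without deleting:  .\Remove-StaleSecureworksSp.ps1 -ClientId <client-id> -WhatIf
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    # Client IDs of integrations you have discontinued: taken from the table above,
    # or from the MSClientId value on the integration's Details tab.
    [Parameter(Mandatory)]
    [guid[]] $ClientId
)

# Application.ReadWrite.All covers both reading and deleting service principals.
Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null

foreach ($id in $ClientId) {
    # A service principal's appId is the client ID of its application registration.
    $found = @(Get-MgServicePrincipal -Filter "appId eq '$id'" -All)
    if ($found.Count -eq 0) {
        Write-Host "$id : no service principal in this tenant"
        continue
    }

    foreach ($sp in $found) {
        # Record what the principal was granted before it is removed.
        $roles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
        Write-Host ("{0} : '{1}' enabled={2}, {3} application permission(s)" -f `
            $id, $sp.DisplayName, $sp.AccountEnabled, $roles.Count)
        foreach ($r in $roles) {
            Write-Host ("    resource='{0}' appRoleId={1}" -f $r.ResourceDisplayName, $r.AppRoleId)
        }

        # ConfirmImpact = 'High' prompts per principal; -WhatIf skips the delete entirely.
        if ($PSCmdlet.ShouldProcess("$($sp.DisplayName) ($id)", 'Delete service principal')) {
            Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
            Write-Host "    deleted (object ID $($sp.Id))"
        }
    }
}
```

Pass only the client IDs of integrations that are no longer in use in XDR, since any integration still relying on a deleted service principal stops working.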