Summary
This rule detects the creation of new service principal accounts within Office 365 (O365) tenants by monitoring the `o365_management_activity` dataset for the operations that create a service principal. This monitoring matters because an unauthorized service principal is a persistent identity in the tenant: an attacker who creates one can use legitimate APIs to carry out unauthorized operations, which may lead to data breaches or further internal compromise. The analytic counts occurrences and gathers context keyed on the user who created the service principal and the actions associated with the creation.
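The counting-and-context logic the summary describes, as an added example that is not the rule's own search: it parses constructed O365 Management Activity records and summarises service principal creations per creating user. The JSON shape, the `Add service principal.` operation string and every value are assumptions and should be checked against real tenant data.

```python
import json
from collections import defaultdict

# Constructed sample log lines shaped like O365 Management Activity
# (AzureActiveDirectory workload) records; every value here is made up.
SAMPLE_LOG_LINES = [
    '{"CreationTime":"2024-11-14T10:01:00","Workload":"AzureActiveDirectory",'
    '"Operation":"Add service principal.","ResultStatus":"Success",'
    '"UserId":"admin@example.onmicrosoft.com",'
    '"Target":[{"Type":1,"ID":"automation-app"}]}',
    '{"CreationTime":"2024-11-14T10:07:30","Workload":"AzureActiveDirectory",'
    '"Operation":"Add service principal.","ResultStatus":"Success",'
    '"UserId":"admin@example.onmicrosoft.com",'
    '"Target":[{"Type":1,"ID":"backup-sync"}]}',
    '{"CreationTime":"2024-11-14T10:09:00","Workload":"AzureActiveDirectory",'
    '"Operation":"Update service principal.","ResultStatus":"Success",'
    '"UserId":"helpdesk@example.onmicrosoft.com",'
    '"Target":[{"Type":1,"ID":"automation-app"}]}',
    '{"CreationTime":"2024-11-14T10:10:00","Workload":"Exchange",'
    '"Operation":"New-InboxRule","UserId":"user@example.onmicrosoft.com"}',
    'not json at all',
]

# Operation name(s) that create a service principal. The exact string is an
# assumption about the audit schema; verify it against your own tenant's logs.
SP_CREATE_OPERATIONS = {"Add service principal."}


def detect_new_service_principals(log_lines):
    """Count service principal creations per creating user, with context."""
    by_user = defaultdict(lambda: {"count": 0, "targets": [], "first": None, "last": None})
    for line in log_lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the whole search
        if ev.get("Workload") != "AzureActiveDirectory":
            continue  # only the Azure AD workload carries directory operations
        if ev.get("Operation") not in SP_CREATE_OPERATIONS:
            continue  # updates, deletions and unrelated operations are ignored
        hit = by_user[ev.get("UserId", "<unknown>")]
        hit["count"] += 1
        hit["targets"].extend(t["ID"] for t in ev.get("Target", []) if "ID" in t)
        ts = ev.get("CreationTime")
        if ts:  # ISO 8601 strings compare chronologically as plain strings
            hit["first"] = ts if hit["first"] is None else min(hit["first"], ts)
            hit["last"] = ts if hit["last"] is None else max(hit["last"], ts)
    return dict(by_user)
```

Calling `detect_new_service_principals(SAMPLE_LOG_LINES)` yields one entry for the admin user with two creations; the update, the Exchange event and the malformed line are all dropped.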
Categories
- Cloud
- Identity Management
- Application
Data Sources
- Pod
- Cloud Service
- Application Log
ATT&CK Techniques
- T1136.003
- T1136
Created: 2024-11-14