Azure Service Principal Created

Sigma Rules

Summary
This detection rule identifies the creation of Service Principals within Azure, a crucial component in Azure Active Directory (AD) used to allow applications to access Azure resources. The rule monitors Azure activity logs for specific messages indicating that a new service principal has been added. This activity may reflect administrative actions, or it could indicate malicious activity if unauthorized users are making changes. For governance and security compliance, it is vital to ensure that such creations are intentional and comply with established policies. The rule provides guidance on potential false positives, which can occur due to legitimate actions by system administrators. Administrators are encouraged to investigate unfamiliar user actions that result in service principal creations to mitigate risks associated with unauthorized access.
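The triage the summary describes, as an added example that is not the rule's own source: it matches constructed activity-log records on the message text and separates creations by known administrators from those by unfamiliar users. The record layout, the `properties.message` and `caller` fields, the `Add service principal` message value and the allowlist are assumptions; check them against the rule source and your own log schema.

```python
# Added example: record layout, field names and allowlist are assumptions.
MATCH_MESSAGE = "add service principal"  # assumed message text, compared case-insensitively
APPROVED_INITIATORS = {"iam-admin@example.com"}  # hypothetical allowlist of admins

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"time": "2021-09-02T10:00:00Z", "caller": "iam-admin@example.com",
     "properties": {"message": "Add service principal", "target": "ci-deployer"}},
    {"time": "2021-09-02T10:05:00Z", "caller": "J.Doe@example.com",
     "properties": {"message": "Add service principal", "target": "backup-sync"}},
    {"time": "2021-09-02T10:06:00Z", "caller": "j.doe@example.com",
     "properties": {"message": "Update user", "target": "j.doe"}},
    {"time": "2021-09-02T10:07:00Z", "caller": None,
     "properties": {"message": "add service principal", "target": "unnamed-app"}},
    {"time": "2021-09-02T10:08:00Z", "caller": "svc@example.com", "properties": None},
]


def is_sp_creation(event):
    """True when the record's message says a service principal was added."""
    props = event.get("properties")
    if not isinstance(props, dict):
        return False  # malformed or empty record: no match, no crash
    message = props.get("message")
    return isinstance(message, str) and message.strip().lower() == MATCH_MESSAGE


def triage(events, approved=APPROVED_INITIATORS):
    """Split matching records into (expected, needs_review) by initiator."""
    approved = {a.lower() for a in approved}
    expected, needs_review = [], []
    for event in events:
        if not is_sp_creation(event):
            continue
        caller = (event.get("caller") or "unknown").strip().lower()
        hit = {"time": event.get("time"), "caller": caller,
               "target": event["properties"].get("target")}
        # A missing or unlisted initiator is never treated as expected.
        (expected if caller in approved else needs_review).append(hit)
    return expected, needs_review


if __name__ == "__main__":
    ok, review = triage(SAMPLE_EVENTS)
    print(f"{len(ok)} expected, {len(review)} to review")
    for hit in review:
        print("REVIEW", hit["time"], hit["caller"], "->", hit["target"])
```

Keeping the allowlist short and reviewing it regularly matters here, since every entry on it suppresses review of that account's service principal creations.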
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
Created: 2021-09-02