
How to Find Entra ID Groups with Service Principals as Members

As service principals accumulate group memberships in Entra ID, they may inherit more permissions than intended. Without regular review, this can lead to non-compliance and over-permissioned accounts, which increase the risk of unauthorized privilege escalation. To prevent such issues, this guide shows you how to identify all groups that contain service principals as members so you can review them and maintain compliance.

Identify Groups with Service Principal Members Using Entra Admin Center

Microsoft permission required:
  • Security Reader (least privilege)
  • Global Administrator (most privilege)
  • Sign in to the Microsoft Entra admin center.
  • Navigate to Entra ID»Groups»Overview.
  • Click on the count associated with the Security groups under the Overview tab, since service principals can only be added as members of security groups.
  • Then, choose the group you want to review. Under Manage, open the Members tab.
  • In the Type column, if you see Service Principal, it means the group includes a service principal.
  • Note: In the Entra admin center, you can’t view all groups that have service principals as members in one place. You need to inspect each group individually, which makes the process tedious and time-consuming.

Track Groups with Service Principals as Members Using PowerShell

Microsoft 365 permission required:
  • Group.Read.All (least privilege)
  • Directory.ReadWrite.All (most privilege)
  • Connect to Microsoft Graph PowerShell using the following cmdlet.
     Connect-MgGraph -Scopes "Group.Read.All"
  • Execute the PowerShell script below to list all groups that have service principals added as members.
     Get-MgGroup -All | ForEach-Object {
        $group = $_
        # Keep only the members whose directory object type is servicePrincipal;
        # -All follows paging so groups with many members are fully enumerated.
        Get-MgBetaGroupMember -GroupId $group.Id -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.servicePrincipal" } |
        ForEach-Object {
            [PSCustomObject]@{
                GroupName             = $group.DisplayName
                GroupId               = $group.Id
                ServicePrincipalId    = $_.Id
                ServicePrincipalName  = $_.AdditionalProperties.displayName
                AccountEnabled        = $_.AdditionalProperties.accountEnabled
                CreatedDate           = $_.AdditionalProperties.createdDateTime
            }
        }
    } | Format-Table -AutoSize
  • The output displays details such as service principal Id, service principal name, group Id, group name, and more.
  • Note: Make sure you have installed the Microsoft Graph Beta module to run the above cmdlet successfully.
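The script below is an added example, not code from the original post or from AdminDroid. It extends the enumeration above from a defender's angle: it queries only security groups (the only kind that can hold service principals), reads the service principal members through the Graph v1.0 OData cast instead of the Beta module, flags role-assignable groups and disabled service principals for review, and writes the result to a CSV. It assumes an existing Connect-MgGraph session with Group.Read.All; the output path is a placeholder.

```powershell
# Added example: audit security groups for service principal members and flag
# the rows a reviewer should look at first. Assumes: Connect-MgGraph -Scopes "Group.Read.All"
$OutFile = ".\sp-group-members.csv"   # placeholder output path

# Only security groups can contain service principals, so filter them server-side and
# request isAssignableToRole, which marks groups that carry Entra directory roles.
$securityGroups = Get-MgGroup -All `
    -Filter "securityEnabled eq true and mailEnabled eq false" `
    -Property id,displayName,isAssignableToRole

$findings = foreach ($group in $securityGroups) {
    # The OData cast returns only members that are service principals. Follow
    # @odata.nextLink so groups with more than one page of members are not truncated.
    $uri = "https://graph.microsoft.com/v1.0/groups/$($group.Id)/members/microsoft.graph.servicePrincipal" +
           "?`$select=id,displayName,appId,accountEnabled,servicePrincipalType"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($sp in $page.value) {
            [PSCustomObject]@{
                GroupName            = $group.DisplayName
                GroupId              = $group.Id
                RoleAssignableGroup  = [bool]$group.IsAssignableToRole
                ServicePrincipalName = $sp.displayName
                ServicePrincipalId   = $sp.id
                AppId                = $sp.appId
                Type                 = $sp.servicePrincipalType
                AccountEnabled       = $sp.accountEnabled
                # A service principal in a role-assignable group inherits that directory role;
                # a disabled service principal that is still a member is stale access to clean up.
                ReviewFlag           = $(if ($group.IsAssignableToRole) { 'Inherits directory role' }
                                         elseif (-not $sp.accountEnabled) { 'Disabled SP still a member' }
                                         else { '' })
            }
        }
        $uri = $page.'@odata.nextLink'
    }
}

$findings | Export-Csv -Path $OutFile -NoTypeInformation
$findings | Sort-Object RoleAssignableGroup -Descending | Format-Table -AutoSize
Write-Host "$(@($findings).Count) service principal memberships written to $OutFile"
```

Rows with a non-empty ReviewFlag are the ones to take to the group owner; the remaining rows are the baseline to compare against on the next run.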

Gain Full Visibility into Entra ID Groups and Service Principal Membership

AdminDroid’s Microsoft 365 groups reporting tool provides complete visibility into groups with service principals, backed by advanced filtering, alerting, scheduling, etc., for proactive management. This tool also offers additional capabilities to help administrators identify unmanaged identities for enforcing consistent access controls in line with organizational policies.

Identify Ownerless Service Principals to Prevent Orphaned Access

Review service principals without owners to identify unmanaged identities and detect security blind spots, as they may hold broad permissions, bypass user-centric security controls, etc.

Track Group Membership Changes to Detect Privilege Misuse

Monitor group membership changes, including the addition or removal of service principals, to maintain proper access controls and ensure security compliance.

Get All Service Principals in Microsoft Entra ID

Identify all service principals in your Microsoft 365 environment and remove outdated or unwanted accounts to enhance security and maintain compliance across your organization.

Monitor Service Principal Sign-ins for Anomaly Detection

Track service principal sign-ins to spot unusual login patterns, thereby helping in the detection of compromised credentials or misuse of application identities.

Identify Service Principals Needing Role Assignments for Group Access

Track service principals that require role assignments and assign the appropriate roles to ensure they have the necessary access to perform their tasks without being over-provisioned.

Audit All Group Operations Handled by Service Principals

Leverage the Entra ID group operations report to identify all actions performed by service principals to ensure secure access and preserve a complete audit record.

Overall, the AdminDroid Entra ID management tool provides insights into all aspects of service principals and groups in Microsoft 365. Features such as managing directly from reports, performing bulk operations, automating workflows, etc., elevate Microsoft 365 management to the next level.


Important tips

Regularly retrieve Entra app registrations with expiring credentials to proactively manage service principals for ensuring uninterrupted app availability and minimizing potential vulnerabilities.

Apply app management policies and review group memberships regularly to ensure that only authorized service principals have access, thereby reducing exposure to threats.

Enable Continuous Access Evaluation to enforce Conditional Access, risk policies, and token revocation for workload identities like service principals or managed identities.

Common Errors and Resolution Steps

Below are common errors you may encounter while identifying Entra groups where a service principal is a member, along with the steps to resolve them.

Error Get-MgServicePrincipal_List: Authentication needed. Please call Connect-MgGraph.

This error occurs when the 'Get-MgServicePrincipal' cmdlet is executed without first connecting to the Microsoft Graph PowerShell module.

Fix Make sure you have connected to the Microsoft Graph PowerShell module by using the cmdlet below.
Connect-MgGraph -Scopes "Application.Read.All"

Error Get-MgServicePrincipalMemberOf_List: Resource '<ServicePrincipalID>' does not exist or one of its queried reference-property objects is not present.

This error occurs when you execute the 'Get-MgServicePrincipalMemberOf' cmdlet with a service principal ID that does not exist in your Microsoft Entra ID.

Fix Make sure the service principal exists in your Entra directory using the cmdlet below.
Get-MgServicePrincipal -ServicePrincipalId "<ServicePrincipalID>"

Error New-MgGroupMember_CreateExpanded: Directory object type: ServicePrincipal cannot be added to Unified Groups.

This error occurs when you try to add a service principal to a Microsoft 365 group (unified group). As service principals are not allowed in unified groups, they can only be added to security groups.

Fix Make sure the group in which you're trying to add a service principal as a member is a security group using the cmdlet below.
Get-MgGroup -GroupId "<GroupId>" | Select-Object Id, DisplayName, GroupTypes

Error New-MgGroupMember_CreateExpanded: Invalid object identifier '<GroupID>'.

This error occurs when you try to add a service principal to a group, but the group ID entered is invalid.

Fix Make sure you are using the correct group object ID by running the cmdlet below with the group name.
Get-MgGroup -Filter "displayName eq '<GroupName>'" | Select-Object Id, DisplayName, GroupTypes

Error New-MgGroupMember_CreateExpanded: One or more added object references already exist for the following modified properties: 'members'.

This error occurs when you attempt to add a service principal to a group where it is already a member.

Fix Before adding the service principal, check whether it’s already a member of the group by executing the cmdlet below.
Get-MgGroupMember -GroupId "<GroupId>" -All | Where-Object { $_.Id -eq "<ServicePrincipalId>" }

Error Remove-MgGroupMemberByRef_Delete: Resource “<ServicePrincipalId>” does not exist or one of its queried reference-property objects are not present.

This error occurs when you try to remove the service principal that is not a member of the group.

Fix Make sure the service principal is a member of the group using the cmdlet below.
Get-MgGroupMember -GroupId "<GroupId>" -All | Where-Object { $_.Id -eq "<ServicePrincipalId>" }

Frequently Asked Questions

Manage Service Principals in Microsoft Entra ID Groups

1. What are the benefits of adding the service principal to security groups in Microsoft 365?

Adding a service principal to a security group in Microsoft 365 helps streamline administration. Below are some key benefits.


  • Adding a service principal to a security group allows centralized permission management. Instead of assigning roles or access individually, you can manage permissions at the group level.
  • Apply permissions to large numbers of service principals easily to support rapid environment expansion without added complexity.
  • Reduce the risk of over-permissioned or unmanaged service principals that results from individual assignments or missing group membership.

2. How to add a service principal to the group in Microsoft Entra ID?

Some applications registered in Microsoft Entra ID use service principals to access resources. If the app requires permissions tied to a security group, you must add its service principal as a group member. Otherwise, the app won’t have the necessary access, and related tasks may fail.

Admins can use the methods outlined below, such as the Entra admin center or Microsoft Graph PowerShell, to add service principals to security groups based on their needs.

Add a service principal to a security group using the Entra admin center

  • Go to Microsoft Entra admin center»Groups»Overview, and select the count associated with the Security groups.
  • Open the desired security group. Then, under Manage, choose Members»Add members.
  • In the search box, enter the GUID or name of the service principal. You can also switch to the Enterprise Applications tab to narrow the search and locate the desired service principal.
  • Select all the service principals you want to add by checking their boxes, then click Select to add them to the group.

Assign a service principal to an Azure AD group using PowerShell

Use the following cmdlet to connect to the Microsoft Graph PowerShell module with the necessary permissions.

Connect-MgGraph -Scopes "Group.ReadWrite.All"

Then, run the following cmdlet to add the service principal to the desired security group by replacing <GroupObjectId> with the group ID and <ServicePrincipalObjectId> with the service principal ID.

New-MgGroupMember -GroupId "<GroupObjectId>" -DirectoryObjectId "<ServicePrincipalObjectId>"
  • If you want to add multiple service principals to a security group, prepare a CSV file with a column named ServicePrincipalId containing the IDs of the service principals.
  • Then run the following cmdlet, replacing <FilePath> with the path to your CSV file and <GroupId> with the actual group ID.
Import-Csv "<FilePath>" | ForEach-Object { New-MgGroupMember -GroupId "<GroupId>" -DirectoryObjectId $_.ServicePrincipalId }

Running the above script adds all the service principals listed in the CSV file to the specified group.
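The bulk add above can be wrapped in the pre-checks that correspond to the errors in the Common Errors section (invalid group ID, unified group, missing service principal, existing membership), so a CSV run fails early with a clear message instead of a Graph error mid-way. This is an added example, not the post's own code; it assumes a Connect-MgGraph session with Group.ReadWrite.All and Application.Read.All, and the function name, file path and group ID are placeholders.

```powershell
# Added example: add service principals to a security group only after validating
# the inputs. Assumes: Connect-MgGraph -Scopes "Group.ReadWrite.All", "Application.Read.All"
function Add-ServicePrincipalToSecurityGroup {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GroupId,
        [Parameter(Mandatory)] [string] $ServicePrincipalId
    )
    # "Invalid object identifier": fail early if the group cannot be resolved.
    try { $group = Get-MgGroup -GroupId $GroupId -Property id,displayName,groupTypes,securityEnabled -ErrorAction Stop }
    catch { throw "Group '$GroupId' was not found: $($_.Exception.Message)" }

    # "ServicePrincipal cannot be added to Unified Groups": only security groups qualify.
    if ($group.GroupTypes -contains 'Unified' -or -not $group.SecurityEnabled) {
        throw "Group '$($group.DisplayName)' is not a security group; service principals cannot be added."
    }
    # "Resource does not exist": confirm the service principal object is real.
    try { $sp = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId -Property id,displayName -ErrorAction Stop }
    catch { throw "Service principal '$ServicePrincipalId' was not found: $($_.Exception.Message)" }

    # "Object references already exist": skip when the membership is already present.
    $already = Get-MgGroupMember -GroupId $group.Id -All | Where-Object { $_.Id -eq $sp.Id }
    if ($already) {
        Write-Verbose "'$($sp.DisplayName)' is already a member of '$($group.DisplayName)'; skipping."
        return
    }
    # ShouldProcess makes -WhatIf and -Confirm work, so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess($group.DisplayName, "Add member '$($sp.DisplayName)'")) {
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $sp.Id
        Write-Host "Added '$($sp.DisplayName)' to '$($group.DisplayName)'."
    }
}

# Bulk run from the CSV (column: ServicePrincipalId); add -WhatIf to preview without changing anything.
Import-Csv "<FilePath>" | ForEach-Object {
    Add-ServicePrincipalToSecurityGroup -GroupId "<GroupId>" -ServicePrincipalId $_.ServicePrincipalId -Verbose
}
```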

3. How to find the list of Entra ID groups where a specific service principal is a member?

Sometimes, a service principal is added to multiple security groups to access SharePoint libraries, Teams channels, or OneDrive content. As an admin, you may need to identify the groups a service principal is a member of to troubleshoot access issues, validate permissions, or perform access reviews.

While the Microsoft Entra admin center allows you to view group membership for only one group at a time, you can use Microsoft Graph PowerShell to check multiple groups at once.

List all groups of which a specific service principal is a member

  • Connect to the Microsoft Graph PowerShell module using the cmdlet below.
    Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"
  • Execute the script below, replacing <ServicePrincipalID> with the actual service principal ID, to list all groups where a service principal is a member.
    $groups = Get-MgServicePrincipalMemberOf -ServicePrincipalId "<ServicePrincipalID>" -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.group" } |
        ForEach-Object {
            [PSCustomObject]@{
                Id             = $_.Id
                GroupName      = $_.AdditionalProperties.displayName
                Description    = $_.AdditionalProperties.description
                MailEnabled    = $_.AdditionalProperties.mailEnabled
                CreatedDate    = $_.AdditionalProperties.createdDateTime
            }
        }
    $groups | Format-Table -AutoSize
  • This displays all groups of which the service principal is a member, with details such as group ID, group name, group description, mail-enabled status, and creation date.

Note: You can get the service principal ID by using the cmdlet below. Replace <AppName> with the actual name of the enterprise application.

Get-MgServicePrincipal -Filter "displayName eq '<AppName>'" | Select-Object Id, DisplayName

Stop spending hours on manual checks! Leverage AdminDroid to get instant alerts when a service principal is added to a group.

  • In the All security groups report, set up alerts by configuring the property to 'Service Principal as Member' and the Alert to 'Count Increased by 1 Service Principal'.
  • This triggers alerts whenever a service principal is added to a group so that proper monitoring and control can be maintained.

4. How to remove a service principal from an Entra ID group in Microsoft 365?

A service principal may be added to an Entra ID group to allow an application to perform management actions within Microsoft 365. Once the application no longer requires this level of access, it should be removed from the group.

Admins should remove the service principal from the group to ensure that only active applications have access. Failure to revoke membership can create security and compliance risks. This can be done through the Entra admin center or Microsoft Graph PowerShell.

Remove a service principal from a security group using Entra admin center

  • In Microsoft Entra Admin Center, go to Groups»Overview»Security group count.
  • Select a specific group and select Members under Manage to view the service principals added as members.
  • Then, select all the service principals you want to remove, and click Remove.
  • When prompted for confirmation, click OK to remove the selected service principals from the group.

Revoke a service principal’s group membership using PowerShell

Connect to the Microsoft Graph PowerShell module using the cmdlet below.

Connect-MgGraph -Scopes "Group.ReadWrite.All"

Execute the cmdlet below after replacing <GroupObjectId> with the group ID and <ServicePrincipalObjectId> with the actual service principal ID. This will remove the service principal as a member from the specific security group.

Remove-MgGroupMemberByRef -GroupId "<GroupObjectId>" -DirectoryObjectId "<ServicePrincipalObjectId>"
  • To remove multiple service principals, create a CSV file with a column named ServicePrincipalId, and list the service principal IDs you wish to remove.
  • Then, execute the cmdlet below by replacing <FilePath> with the path to your CSV file and <GroupId> with the actual group ID to remove the service principals from the group.
Import-Csv "<FilePath>" | ForEach-Object { Remove-MgGroupMemberByRef -GroupId "<GroupId>" -DirectoryObjectId $_.ServicePrincipalId }
