How to trace creation of a user by a Service Principal and Microsoft Substrate Management?

Rob Coote 41 Reputation points
2024-02-22T20:38:10.4766667+00:00

Hello, We had a new user get created in our Entra tenant, and the audit logs show it was created by a Service Principal. Details in the audit log show the ID as "Microsoft Substrate Management" which I understand to be part of a write-back mechanism for Exchange Online, however I am trying to understand what prompted the creation of this user account. Was it a Meeting, Teams Group, etc?

Is there any way to trace what caused this user to be created?

[
  { "ID": "Microsoft Substrate Management", "Type": 1 },
  { "ID": "98db8bd6-0cc0-4e67-9de5-f187f1cd1b41", "Type": 2 },
  { "ID": "ServicePrincipal_0a82471e-81c7-4d45-99ee-a9d434bfe075", "Type": 2 },
  { "ID": "0a82471e-81c7-4d45-99ee-a9d434bfe075", "Type": 2 },
  { "ID": "ServicePrincipal", "Type": 2 }
]

Thank you. Rob


2 answers

  1. Wandi Ding -MSFT 2,975 Reputation points Microsoft External Staff
    2024-02-23T03:20:26.57+00:00

    Hello Rob,

    The "Microsoft Baseboard Management" service principal is indeed the first-party service principal used by Exchange Online during dual-write operations to Azure Active Directory (AAD). For example, this service principal may be used when creating mailboxes directly in Exchange Online, and it then appears in the audit log as the creator of the user account. These audit log entries refer to create/update/delete operations performed by EXO on AAD. These entries are informational in nature and require no action.

    To track the specific events that prompted the creation of this user account, you may need to search the Office 365 unified audit logs within the time range of the activity. This may provide a better understanding of the actors who initiated the request in Exchange Online. For more information, please refer to:

    https://www.jasonfritts.me/2020/08/04/what-is-microsoft-substrate-management-and-why-is-it-creating-users-in-my-tenant/ (Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.)

    https://learn.microsoft.com/en-us/answers/questions/489406/audit-logs-activities

    Hope the above information is helpful to you!


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in [our documentation] to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Techhelp Volunteer 230 Reputation points
    2025-03-25T15:30:45.47+00:00

    Here are several approaches to trace the root cause of this user creation:

    1. Examine Additional Audit Log Properties

    Look for these specific properties in the audit log entry:

    • InitiatedBy - May show which service initiated the action
    • AdditionalDetails - Might contain clues about the originating service
    • TargetResources - Check for any associated objects with the user creation

    Look for these event types that might be related:

    • Add member to group (if the user was added to a Teams team or group)
    • Create team or Create group events
    • Meeting-related events if it was a meeting room account

    3. Review Service Principal Activity

    Use PowerShell to examine the service principal's activity:

    # Show the service principal that appears as the actor in the audit log entry
    Get-AzureADServicePrincipal -ObjectId 0a82471e-81c7-4d45-99ee-a9d434bfe075

    # List the app role assignments granted to that service principal
    Get-AzureADServicePrincipalAppRoleAssignedTo -ObjectId 0a82471e-81c7-4d45-99ee-a9d434bfe075


    4. Check User Attributes

    Examine the attributes of the created user for clues:

    • UserType (Member or Guest)
    • CreationType (if populated)
    • MailNickname and other Exchange attributes
    • Department or other attributes that might indicate purpose

    5. Common Triggers for Automated User Creation

    This type of creation often happens when:

    • A new Teams team is created (creates underlying groups)
    • A shared mailbox is converted to a user account
    • A resource mailbox is created
    • A guest user is invited through a group-based process
    • An automated provisioning process runs

    6. Advanced Query with Unified Audit Log

    Try a more comprehensive audit log search around the time of creation:

    # -ObjectIds (plural) filters on the target object; pass the new user's UPN as a quoted string
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ObjectIds "<new-user-upn>" -Formatted


    Limitations

    Unfortunately, when actions are performed by backend services like Microsoft Substrate Management, the audit trail may not always provide complete visibility into the original triggering event. The service principal is often just the mechanism that performs the action, not the source of the request.

    If this was a one-time occurrence and you can't find the root cause, you might need to monitor for future occurrences with more detailed logging in place.

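As an added worked example, not part of either answer or of any Microsoft tooling, the following PowerShell script automates the correlation both answers point to: it locates the Entra "Add user" audit entry for the new account, reports whether a service principal performed it, and then lists unified audit log records from the minutes just before it that mention the new account's alias. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed; $Upn and $WindowMinutes are illustrative parameters.

```powershell
# Added example: correlate an Entra 'Add user' audit entry with unified audit log
# records in the minutes before it. Requires the Microsoft.Graph and
# ExchangeOnlineManagement modules. $Upn and $WindowMinutes are illustrative inputs.
param(
    [Parameter(Mandatory)] [string] $Upn,
    [int] $WindowMinutes = 15
)

Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Locate the Entra audit entry that created the user. The Graph filter is kept to
#    supported properties; matching on the UPN is done client-side.
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('o')
$created = Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq 'Add user' and activityDateTime ge $since" |
  Where-Object { $_.TargetResources.UserPrincipalName -contains $Upn } |
  Select-Object -First 1
if (-not $created) { throw "No 'Add user' entry for $Upn in the last 30 days." }

# 2. Identify the actor. For a first-party service such as Substrate Management,
#    InitiatedBy.App is populated and InitiatedBy.User is empty.
$app   = $created.InitiatedBy.App
$actor = if ($app.DisplayName) {
    "service principal '$($app.DisplayName)' ($($app.ServicePrincipalId))"
} else {
    "user $($created.InitiatedBy.User.UserPrincipalName)"
}
'{0:o}  {1} created by {2}' -f $created.ActivityDateTime, $Upn, $actor

# 3. Pull unified audit log records from the window ending at creation time and keep
#    those whose payload mentions the new user's mail nickname. This is a heuristic:
#    the Exchange or Teams operation that triggered the write-back (e.g. a mailbox or
#    group/team creation) usually names the alias, while the 'Add user.' record itself
#    is the effect we already know about and is skipped.
$end   = $created.ActivityDateTime
$start = $end.AddMinutes(-$WindowMinutes)
$nick  = ($Upn -split '@')[0]
Search-UnifiedAuditLog -StartDate $start -EndDate $end.AddMinutes(2) -ResultSize 5000 |
  ForEach-Object { $_.AuditData | ConvertFrom-Json } |
  Where-Object { $_.Operation -ne 'Add user.' -and
                 ($_ | ConvertTo-Json -Depth 5 -Compress) -match [regex]::Escape($nick) } |
  Sort-Object CreationTime |
  Format-Table CreationTime, Workload, Operation, UserId, ObjectId -AutoSize
```

Unified audit log records can lag the Entra entry, so if the window comes back empty, widen $WindowMinutes before concluding that the trigger is not visible.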
