Fady Samy

Identify Apps Using Service Principal-less Authentication

Big change coming March 31, 2026 — Microsoft Entra ID will stop allowing service principal-less authentication. If your apps use this method, they may suddenly stop working.
What’s Changing?
Some apps connect to your tenant without being properly registered. This is called service principal-less authentication, and it is a security risk: without a service principal object in your tenant, these apps have no proper identity, no assignable permissions, and no visibility for admins.
Microsoft is closing this gap. From March 2026, all apps must be registered as enterprise applications in your tenant to authenticate.

What You Need to Do

Step 1: Find the affected apps:
1. Navigate to the Microsoft Entra admin center.
2. On the left navigation panel, go to Identity > Show more… > Monitoring & health > Sign-in logs.
3. Go to the Service principal sign-ins tab.
4. Click Add filters, choose Service principal ID, enter 00000000-0000-0000-0000-000000000000 in the input field, and click Apply.
5. Change the Date filter to Last 1 month.
6. Click a log entry to open its details, then locate the Application ID in the side panel. This is the Client Application ID you will need for the next step.
Note:
If the application is owned by Microsoft — you don’t need to take any action.
The Microsoft Entra ID team has confirmed that they will handle the migration of all Microsoft first-party apps to ensure they comply with the upcoming service principal requirements.
Step 2: Register them
Create an enterprise application for each app using its client ID, or contact the third-party app owners to ask how they plan to handle the March 2026 change.
Step 3: Verify the fix
After registration, check the sign-in logs again. The app should now show a proper service principal ID (a unique GUID).
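The portal steps above can also be run as code, which helps when a tenant has many service principal sign-ins to sift through. The following Python is an added example, not code from the post or from Microsoft. It works on records shaped like Microsoft Graph `signIn` objects (fields `servicePrincipalId`, `appId`, `appDisplayName`, `createdDateTime`), but the records below are constructed samples with made-up GUIDs, and the Graph `$filter` string it builds is an assumed equivalent of the portal filter that you should confirm against the reference document before relying on it. `find_sp_less_apps` performs Step 1 (find every client application ID that signed in with the all-zeros service principal ID in the last month) and `is_registered` performs the Step 3 check (the app's recent sign-ins now carry a real service principal ID).

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Sentinel value Entra ID records for a sign-in that had no service principal.
SP_LESS_ID = "00000000-0000-0000-0000-000000000000"
LOOKBACK = timedelta(days=30)  # matches the "Last 1 month" portal filter

# Fixed "now" so the constructed sample is reproducible.
NOW = datetime(2025, 11, 30, tzinfo=timezone.utc)

# Constructed sample sign-in records (all GUIDs and names are made up).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-11-20T08:12:03Z", "servicePrincipalId": SP_LESS_ID,
     "appId": "11111111-aaaa-4aaa-8aaa-111111111111", "appDisplayName": "Contoso Sync Tool"},
    {"createdDateTime": "2025-11-22T09:40:11Z", "servicePrincipalId": SP_LESS_ID,
     "appId": "11111111-aaaa-4aaa-8aaa-111111111111", "appDisplayName": "Contoso Sync Tool"},
    {"createdDateTime": "2025-11-25T17:05:59Z", "servicePrincipalId": SP_LESS_ID,
     "appId": "22222222-bbbb-4bbb-8bbb-222222222222", "appDisplayName": "Legacy Reporting"},
    # Properly registered app: carries a real service principal ID, must not be flagged.
    {"createdDateTime": "2025-11-26T10:00:00Z",
     "servicePrincipalId": "33333333-cccc-4ccc-8ccc-333333333333",
     "appId": "44444444-dddd-4ddd-8ddd-444444444444", "appDisplayName": "Registered App"},
    # Service principal-less sign-in older than the look-back window: ignored.
    {"createdDateTime": "2025-08-01T00:00:00Z", "servicePrincipalId": SP_LESS_ID,
     "appId": "55555555-eeee-4eee-8eee-555555555555", "appDisplayName": "Stale App"},
]


def _parse_ts(ts):
    """Parse the ISO-8601 'Z' timestamps Graph returns into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_sp_less_apps(signins, now=NOW, lookback=LOOKBACK):
    """Step 1: map each client application ID that authenticated without a
    service principal inside the look-back window to its name, sign-in count
    and most recent sign-in time."""
    cutoff = now - lookback
    found = {}
    for rec in signins:
        ts = _parse_ts(rec["createdDateTime"])
        if rec.get("servicePrincipalId") != SP_LESS_ID or ts < cutoff:
            continue
        entry = found.setdefault(rec["appId"], {
            "appDisplayName": rec.get("appDisplayName", ""), "count": 0, "lastSeen": ts})
        entry["count"] += 1
        entry["lastSeen"] = max(entry["lastSeen"], ts)
    return found


def is_registered(signins, app_id, now=NOW, lookback=LOOKBACK):
    """Step 3: True only when the app has recent sign-ins and every one of them
    carries a real (non all-zeros) service principal ID."""
    cutoff = now - lookback
    recent = [r for r in signins
              if r["appId"] == app_id and _parse_ts(r["createdDateTime"]) >= cutoff]
    return bool(recent) and all(r.get("servicePrincipalId") != SP_LESS_ID for r in recent)


def graph_query_url(now=NOW, lookback=LOOKBACK):
    """Assumed Graph equivalent of the portal filter (beta signIns endpoint,
    service principal sign-ins only). Confirm the exact filter syntax against
    Microsoft's documentation before use."""
    since = (now - lookback).strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = ("signInEventTypes/any(t: t eq 'servicePrincipal') and "
           f"servicePrincipalId eq '{SP_LESS_ID}' and createdDateTime ge {since}")
    return "https://graph.microsoft.com/beta/auditLogs/signIns?$filter=" + quote(flt, safe="")


if __name__ == "__main__":
    print("Query:", graph_query_url())
    for app_id, info in find_sp_less_apps(SAMPLE_SIGNINS).items():
        print(f"{app_id}  {info['appDisplayName']!r}  sign-ins={info['count']}  "
              f"last={info['lastSeen']:%Y-%m-%d}  registered={is_registered(SAMPLE_SIGNINS, app_id)}")
```

Feed `find_sp_less_apps` the JSON `value` array returned by the Graph query (or an export of the Service principal sign-ins tab) in place of `SAMPLE_SIGNINS`; each key of the result is a Client Application ID to register in Step 2, and re-running `is_registered` on fresh logs after registration gives the Step 3 confirmation.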
Don’t wait until March 2026 — start updating your apps now to avoid unexpected outages.

Reference:
Service principal-less authentication mitigation
