Skip to content

Microsoft Intune service principal

Few weeks ago I decided to clean up my tenant, I noticed that I have lots of Azure AD service principals that are no longer needed, this is my oldest tenant and I have been testing for many stuff over past few years. My first plan was delete those what I have created, but there are lots of them. So I was thinking “how about I just delete all?

There are some service principals are for internal usage in Azure, example “Microsoft Graph”, we can’t delete those from Azure Portal nor by PowerShell, which means it should be very safe run this one liner PowerShell to delete service principals (Don’t do that!):

Get-AzureADServicePrincipal | ForEach-Object {Remove-AzureADServicePrincipal -ObjectId $_.ObjectId}

Azure Tenant Default service principals

When we create a new Azure Tenant, these 16 service principals are automatically created. The highlighted three service principals “Microsoft password reset service“, “O365 Demeter” and “Azure Portal” can be removed by PowerShell, rest of those are internet service principals, removal is not allowed.

Azure ESTS Service00000001-0000-0000-c000-000000000000
Windows Azure Active Directory00000002-0000-0000-c000-000000000000
Microsoft Graph00000003-0000-0000-c000-000000000000
Microsoft App Access Panel0000000c-0000-0000-c000-000000000000
Microsoft Graph Change Tracking0bf30f3b-4a52-48df-9a82-234910c4a086
Windows Azure Service Management API797f4846-ba00-4fd7-ba43-dac1f8f63013
IAM Supportabilitya57aca87-cbc0-4f3c-8b9e-dc095fdc8978
Office 365 Configureaa9ecb1e-fd53-4aaa-a8fe-7a54de2c1334
AAD Request Verification Service – PRODc728155f-7b2a-4502-a08b-b8af9b269319
MCAPI Authorization Prodd73f4b35-55c9-48c7-8b10-651f6f2acb2e
Microsoft password reset service 93625bc8-bfe2-437a-97e0-3d0060024faa
O365 Demeter 982bda36-4632-4165-a46a-9863b1bbcf7d
Azure Portalc44b4083-3bb0-49c1-b47d-974e53cbdf3c

How about “Microsoft Intune”

There is no Microsoft Intune service principal when create a new tenant without EMS or Intune licenses, this service principal is automatically created when we first time active EMS or Intune licenses, we can find this two application in MDM and MAM settings and from Enterprise Applications

What happened when delete Microsoft Intune service principal? Good question! I have tried it twice in two of my test tenants, so that I can confirm my results. After remove this service principal, I lost access to Intune blade, it behaved just like if I don’t have EMS or Intune license

So can we fix this by create the Microsoft Intune service principal using PowerShell?

New-AzureADServicePrincipal -AppId 0000000a-0000-0000-c000-000000000000

Bad news! Even though I recreated this Microsoft Intune service principal, and my licenses are assigned, I still don’t have access to Intune. I have tried deleted all my license subscriptions, bought new license, and let the new license recreate this service principal for me, but still no luck.

So what now? In this moment when I am writing this blog, I have support case opened with Microsoft for over three weeks, support engineer has been advise me create new service principal, active MDM authority from office portal, none of theses helped. They have now promised they will try reproduce this issue and discuss internally what is the next step. I will update this post if I gets any results.

What do I learn?

  • When create Azure Application, always assign owner, so that we know who owns this application, and no one delete your apps
  • Any Global Administrator, Application Administrator and Cloud Application Administrator can delete applications and service principals, so make sure they don’t accidently delete “Microsoft Intune”
  • Don’t delete anything that are allowed to delete
  • Don’t do it
  • Don’t do it
  • Don’t do it

2 thoughts on “Microsoft Intune service principal”

    1. Microsoft Support fixed my issue. Also, I have heard from another friend of mine that Microsoft has improved this, the issue will be automatically remediated and fixed.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.