@John Doyle, thank you for reaching out and sharing a query. In this case, when a user creates a Service Principal, he just gets added as an owner to that Service Principal. But having said that, the Global Admin of the tenant can always override stuff and he can change/update the owner of that application whenever he wants.
Now coming to the points that you have listed:
- The company removes/disables Ben's account in the company's Azure Active Directory. --> Ben is no longer a part of your org or AAD tenant, hence there is no way he can log in from outside.
- Ben never added another Owner to the SP. --> No problem, the Global Admin of the tenant can override and update the owner on the Service Principal.
- Ben is the only one who knows the password or has the certificate. --> The Global Admin/Application Administrators in your tenant can update/change the password or attach a new certificate to the Service Principal. It is always a good practice to do that immediately. Since Ben still holds the app secret or certificate, he can still log in to your tenant using the Service Principal and using one of those as password. So the best way is to update the creds of the Service Principal immediately.
- Can Ben use that SP user and pass/certificate to continue to use the subscription(s) the SP is on? --> Yes, Ben can still use this password and certificate and log in to your tenant as the Service Principal.
- Is the Service Principal also deactivated when Ben's account is deactivated/removed? --> No.
- Do we have to remove the SP manually from the Subscription? --> Yes, it has to be removed manually. The Global Admin/Application Administrator can do this job.
- Do we have to remove the SP manually from the Subscription? --> If the Service Principal itself is deleted from your tenant, then there is no need to manually remove it from the Subscription, as it would get removed automatically from there. But if the Service Principal still remains in the tenant, then yes, it has to be removed manually from the Subscription.
Hope this helps.
Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
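
An offboarding check for the situation discussed above, added here as an example and not part of the original answer: given an exported inventory, it lists each service principal the departed user owns and the follow-up each one needs (credential rotation, a new owner, role assignment review). The inventory is constructed sample data; its property names mirror Microsoft Graph and `az role assignment list` output, while the merged layout, the ids and `offboarding_findings` itself are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample inventory, not real tenant data. Property names mirror
# Microsoft Graph and `az role assignment list`; the merged layout is assumed.
USERS = {"u-ben": {"accountEnabled": False}, "u-amy": {"accountEnabled": True}}
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "deploy-pipeline", "owners": ["u-ben"],
     "passwordCredentials": [{"keyId": "k1", "endDateTime": "2031-01-01T00:00:00Z"}],
     "keyCredentials": []},
    {"id": "sp-2", "displayName": "reporting", "owners": ["u-ben", "u-amy"],
     "passwordCredentials": [{"keyId": "k2", "endDateTime": "2020-01-01T00:00:00Z"}],
     "keyCredentials": []},
    {"id": "sp-3", "displayName": "backup", "owners": ["u-amy"],
     "passwordCredentials": [],
     "keyCredentials": [{"keyId": "c1", "endDateTime": "2031-01-01T00:00:00Z"}]},
]
ROLE_ASSIGNMENTS = [
    {"principalId": "sp-1", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/<subscription-id>"},
]

def live_credentials(sp, now):
    """Return keyIds of secrets and certificates that have not expired yet."""
    creds = sp["passwordCredentials"] + sp["keyCredentials"]
    return [c["keyId"] for c in creds
            if datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00")) > now]

def offboarding_findings(departed_id, now):
    """List follow-up actions for every service principal the departed user owns."""
    findings = []
    for sp in SERVICE_PRINCIPALS:
        if departed_id not in sp["owners"]:
            continue
        actions = []
        live = live_credentials(sp, now)
        if live:  # disabling the user account does not invalidate these
            actions.append("rotate credentials: " + ", ".join(live))
        if not any(USERS.get(o, {}).get("accountEnabled") for o in sp["owners"]):
            actions.append("assign a new owner")
        for r in ROLE_ASSIGNMENTS:  # stays until removed or the SP is deleted
            if r["principalId"] == sp["id"]:
                actions.append(f"review role {r['roleDefinitionName']} on {r['scope']}")
        findings.append({"sp": sp["displayName"], "actions": actions})
    return findings

if __name__ == "__main__":
    for f in offboarding_findings("u-ben", datetime.now(timezone.utc)):
        print(f["sp"], "->", f["actions"] or ["no action needed"])
```

Ownership is only a proxy for who holds a secret, so a service principal whose credentials the departed user knew without owning it has to be added to the review by hand.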