Your company uses Microsoft Defender for Cloud to monitor Azure DevOps environments. You receive an alert that a service principal has excessive permissions. What is the first step you should take to investigate and remediate?
Audit logs provide details on permissions and usage.
Why this answer
Option B is correct because reviewing the Entra ID audit logs helps understand the scope of permissions and actions taken. Option A is wrong because resetting credentials immediately might lock out legitimate users without investigation. Option C is wrong because deleting the service principal could break dependencies.
Option D is wrong because you need to investigate before adjusting permissions.