
AZT501.2 - Account Manipulation: Service Principal Manipulation

An adversary may manipulate a service principal (for example by adding credentials to it, changing its owners, or re-enabling a disabled one) to maintain access to an Azure tenant.

Resource

Azure Active Directory

Actions

  • microsoft.directory/servicePrincipals/enable
  • microsoft.directory/servicePrincipals/credentials/update
  • microsoft.directory/servicePrincipals/owners/update

Detections

Logs

| Data Source | Operation Name | Action | Log Location |
|---|---|---|---|
| Azure Active Directory | Update application – Certificates and secrets management | microsoft.directory/servicePrincipals/credentials/update | AzureAD Audit Logs |
| Azure Active Directory | Update service principal | microsoft.directory/servicePrincipals/credentials/update | AzureAD Audit Logs |
| Azure Active Directory | Update user | microsoft.directory/users/password/update | AzureAD Audit Logs |

Queries

```kql
AuditLogs
| where OperationName in ("Update application – Certificates and secrets management", "Update service principal", "Update user")
```
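The same filter applied outside Log Analytics, as an added example that is not part of the AzTRM page: it walks audit records in the shape of `AuditLogs` rows (`OperationName`, `Result`, `InitiatedBy`, `TargetResources`), keeps the operation names from the table above, maps each to the directory action it records, and pulls out the actor, target and changed properties for triage. The records are constructed sample data, not real tenant logs, and the `modifiedProperties` names (`KeyDescription`, `AccountEnabled`) are assumptions about the log shape used for illustration.

```python
"""Flag Azure AD audit-log events that record service principal manipulation
(AZT501.2). Added example, not AzTRM's own code. SAMPLE_AUDIT_LOGS is
constructed sample data in the shape of Log Analytics AuditLogs rows; the
modifiedProperties names are assumptions for illustration."""

# Operation names and directory actions exactly as listed in the Logs table.
OPERATION_TO_ACTION = {
    "Update application – Certificates and secrets management":
        "microsoft.directory/servicePrincipals/credentials/update",
    "Update service principal":
        "microsoft.directory/servicePrincipals/credentials/update",
    "Update user":
        "microsoft.directory/users/password/update",
}

# Constructed sample records (not real tenant data).
SAMPLE_AUDIT_LOGS = [
    {   # a new client secret added to an app registration by a user
        "TimeGenerated": "2024-03-01T10:15:00Z",
        "OperationName": "Update application – Certificates and secrets management",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
        "TargetResources": [{
            "type": "Application", "displayName": "billing-api",
            "modifiedProperties": [{"displayName": "KeyDescription",
                                    "oldValue": "[]", "newValue": "[\"secret-2\"]"}],
        }],
    },
    {   # a disabled service principal re-enabled by another service principal
        "TimeGenerated": "2024-03-01T10:16:30Z",
        "OperationName": "Update service principal",
        "Result": "success",
        "InitiatedBy": {"app": {"displayName": "automation-sp"}},
        "TargetResources": [{
            "type": "ServicePrincipal", "displayName": "backup-sp",
            "modifiedProperties": [{"displayName": "AccountEnabled",
                                    "oldValue": "[false]", "newValue": "[true]"}],
        }],
    },
    {   # a failed attempt: still surfaced, the Result field carries the outcome
        "TimeGenerated": "2024-03-01T10:17:00Z",
        "OperationName": "Update service principal",
        "Result": "failure",
        "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
        "TargetResources": [{"type": "ServicePrincipal", "displayName": "backup-sp",
                             "modifiedProperties": []}],
    },
    {   # unrelated noise that must not match
        "TimeGenerated": "2024-03-01T10:18:00Z",
        "OperationName": "Add user",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
        "TargetResources": [{"type": "User", "displayName": "new.hire",
                             "modifiedProperties": []}],
    },
]


def actor_of(record):
    """Return who performed the operation: a user's UPN, or the calling app's
    display name when a service principal (not a user) made the change."""
    initiated = record.get("InitiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "<unknown>"


def find_sp_manipulation(records):
    """Keep records whose OperationName is in the page's table (the same test
    as the KQL `where OperationName ...` clause) and flatten each into a
    triage-ready finding with the directory action, actor, target and the
    names of the properties that changed."""
    findings = []
    for rec in records:
        op = rec.get("OperationName")
        if op not in OPERATION_TO_ACTION:
            continue
        target = (rec.get("TargetResources") or [{}])[0]
        findings.append({
            "time": rec.get("TimeGenerated"),
            "operation": op,
            "action": OPERATION_TO_ACTION[op],
            "result": rec.get("Result"),
            "actor": actor_of(rec),
            "target_type": target.get("type"),
            "target": target.get("displayName"),
            "changed": [p.get("displayName") for p in target.get("modifiedProperties") or []],
        })
    return findings


def summarize_by_actor(findings):
    """Count matching operations per actor; one identity touching the
    credentials or state of several service principals in a short window is
    the pattern worth chasing."""
    counts = {}
    for f in findings:
        counts[f["actor"]] = counts.get(f["actor"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_sp_manipulation(SAMPLE_AUDIT_LOGS)
    for f in hits:
        print(f"{f['time']} {f['result']:<8} {f['actor']:<24} {f['operation']} "
              f"-> {f['target_type']}:{f['target']} changed={f['changed']}")
    print(summarize_by_actor(hits))
```

Note that a match on operation name alone is only the first filter: the `actor` and `changed` fields are what separate routine secret rotation by a known pipeline identity from an unfamiliar user adding a credential to, or re-enabling, a service principal they have no business with.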