Skip to content

AZT404.2 - Principal Impersonation: Logic Application#

By utilizing a Logic Application configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.


Logic Application


  • Microsoft.Logic/workflows/write
  • Microsoft.Logic/workflows/run/action
  • Microsoft.Logic/operations/read



Data Source Operation Name Action Log Provider
Resource Gets workflow recommend operation groups Microsoft.Logic/locations/workflows/recommendOperationGroups/action AzureActivity
Resource List Trigger Callback URL Microsoft.Logic/workflows/triggers/listCallbackUrl/action AzureActivity
Resource Add or Update Connection Microsoft.Web/connections/write AzureActivity
Azure Active Directory Update website Microsoft.Web/sites/write AuditLogs
Azure Active Directory Start Web App Microsoft.Web/sites/start/action AuditLogs