AZT404.4 - Principal Impersonation: App Service#

By utilizing an App Service configured with a managed identity or other identity provider, an attacker can execute Azure operations on a given resource.

Resource

App Service

Actions

Microsoft.Web/sites/write

Examples

Az PowerShellAzure CLIAzure REST APIAzure Portal

Update-AzStaticWebApp

az staticwebapp update

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}?api-version=2021-02-01

appservice

Detections

Logs#

Data Source	Operation Name	Action	Log Location
Resource	Update website	Microsoft.Web/sites/write	Azure Activity Logs
Resource	Start Web App	Microsoft.Web/sites/start/action	Azure Activity Logs

Queries#

Log Analytics

AzureActivity 
 |where OperationNameValue=="Microsoft.Web/sites/write" or OperationNameValue=="Microsoft.Web/sites/start/action"

Additional Resources

https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp