AZT405.3 - Azure AD Application: Application Registration Owner
By compromising an account that is listed as an 'Owner' of an application registration whose service principal has been granted additional directory roles or API permissions, an attacker can escalate privileges: ownership alone allows adding a certificate or client secret to the application, after which the attacker authenticates as the service principal and inherits every role and permission assigned to it. The owner's own directory role is irrelevant; what matters is what the application's service principal can do.
Azure Active Directory
| Data Source | Operation Name | Category | Log Location |
| --- | --- | --- | --- |
| Azure AD | Update application – Certificates and secrets management | ApplicationManagement | AzureAD Audit Logs |
AuditLogs
| where OperationName == "Update application – Certificates and secrets management" and Category == "ApplicationManagement"
| project TimeGenerated, InitiatedBy, TargetResources
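The query above only tells you that an application's credentials changed; an analyst still has to open InitiatedBy and TargetResources to learn who acted and whether a credential was added rather than removed or rotated. The following is an added example, not code from the AzTRM page, that applies the same rule to a handful of constructed audit records and then diffs the KeyDescription property to report the added credential, its type (Password or AsymmetricX509Cert) and the initiating principal. The record layout (InitiatedBy.user.userPrincipalName, TargetResources[].modifiedProperties with displayName "KeyDescription" and JSON-encoded oldValue/newValue lists) mirrors the Azure AD audit-log schema as exported to Log Analytics, but every value below is made up.

```python
"""Flag credentials added to an Azure AD application registration.

Added example (not part of AzTRM). Field names mirror the Azure AD audit-log
schema in Log Analytics; all sample values are constructed for the demo.
"""
import json

OPERATION = "Update application – Certificates and secrets management"
CATEGORY = "ApplicationManagement"

# Shared credential entries used to build the constructed events below.
_PROD_CERT = {"KeyIdentifier": "aaaa-0001", "KeyType": "AsymmetricX509Cert",
              "KeyUsage": "Verify", "DisplayName": "CN=prod-cert"}
_NEW_SECRET = {"KeyIdentifier": "bbbb-0002", "KeyType": "Password",
               "KeyUsage": "Verify", "DisplayName": "added-by-owner"}


def _event(time, op, actor, app, old, new):
    """Build one constructed AuditLogs-style record."""
    return {
        "TimeGenerated": time,
        "OperationName": op,
        "Category": CATEGORY,
        "InitiatedBy": {"user": {"userPrincipalName": actor}},
        "TargetResources": [{
            "displayName": app,
            "id": "11111111-1111-1111-1111-111111111111",
            "modifiedProperties": [{
                "displayName": "KeyDescription",
                "oldValue": json.dumps(old),
                "newValue": json.dumps(new),
            }],
        }],
    }


# Constructed sample events: one secret addition, one removal, one unrelated op.
SAMPLE_EVENTS = [
    _event("2024-01-10T09:12:01Z", OPERATION, "owner@contoso.example",
           "payroll-connector", [_PROD_CERT], [_PROD_CERT, _NEW_SECRET]),
    _event("2024-01-10T10:30:45Z", OPERATION, "admin@contoso.example",
           "payroll-connector", [_PROD_CERT, _NEW_SECRET], [_PROD_CERT]),
    _event("2024-01-10T11:00:00Z", "Update application", "dev@contoso.example",
           "payroll-connector", [_PROD_CERT], [_PROD_CERT]),
]


def matches_rule(event):
    """The page's KQL predicate expressed over one record."""
    return (event.get("OperationName") == OPERATION
            and event.get("Category") == CATEGORY)


def initiator(event):
    """Return the UPN of the acting user, or the display name of an acting app."""
    by = event.get("InitiatedBy") or {}
    if by.get("user"):
        return by["user"].get("userPrincipalName")
    if by.get("app"):
        return by["app"].get("displayName")
    return None


def added_credentials(event):
    """Credentials present in KeyDescription.newValue but absent from oldValue.

    Keying on KeyIdentifier distinguishes a genuine addition from a removal or
    an unchanged entry. oldValue/newValue may be null in real logs, hence the
    `or "[]"` fallback.
    """
    added = []
    for target in event.get("TargetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") != "KeyDescription":
                continue
            old = {c["KeyIdentifier"] for c in json.loads(prop.get("oldValue") or "[]")}
            for cred in json.loads(prop.get("newValue") or "[]"):
                if cred["KeyIdentifier"] not in old:
                    added.append({
                        "app": target.get("displayName"),
                        "app_object_id": target.get("id"),
                        "key_id": cred["KeyIdentifier"],
                        "type": cred.get("KeyType"),
                        "name": cred.get("DisplayName"),
                    })
    return added


def find_credential_additions(events):
    """Run the rule over a list of records and return enriched findings."""
    findings = []
    for event in events:
        if not matches_rule(event):
            continue
        for cred in added_credentials(event):
            findings.append({"time": event.get("TimeGenerated"),
                             "actor": initiator(event), **cred})
    return findings


if __name__ == "__main__":
    for f in find_credential_additions(SAMPLE_EVENTS):
        print(f"{f['time']} {f['actor']} added {f['type']} '{f['name']}' "
              f"to {f['app']} ({f['app_object_id']})")
```

Triage tip: correlate the actor with the application's Owners list and with any subsequent sign-in by the application's service principal; a secret added by an owner who has never managed that app before, followed by a service principal sign-in from a new IP, is the pattern this technique produces.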