AZ_ADD_SECRET

Summary

FSProtect ACL Alias

AZ_ADD_SECRET

Entra ID (Azure AD) Alias

Add Secrets

Affected Object Types

App registrations & Service Principals

Exploitation Certainty

Certain

Graph Permission / Role

Ability to add credentials via Graph endpoints or Graph scopes (e.g., Application.ReadWrite.All, Directory.ReadWrite.All) and/or directory roles (e.g., Application Administrator, Cloud Application Administrator, Global Administrator) or explicit Owner on the Application / Service Principal

Description

AZ_ADD_SECRET represents the ability for a principal (user, service principal, or group) to add a new client secret / password credential to an App Registration (application) or a Service Principal.

Adding a secret gives an attacker or a controlled identity the ability to:

Exchange the application’s client id + secret for tokens and act as that application, using any privileges granted to the app (delegated or application permissions).
If the application has broad application permissions (for example Application.ReadWrite.All), an attacker can perform tenant-wide actions or escalate further.
If the service principal represents infrastructure, cloud resources, or role-assignable services, the new secret may be used to access production systems or pivot laterally.

Because secrets are persistent credentials that can be used from anywhere, the ability to add secrets is highly sensitive.

Identification

PowerShell

function Expand-GroupUsers {
    param([string]$GroupId)
    $seenGroups = New-Object System.Collections.Generic.HashSet[string]
    $seenUsers  = New-Object System.Collections.Generic.HashSet[string]
    $users = @()
    $q = New-Object System.Collections.Generic.Queue[object]
    $null = $seenGroups.Add($GroupId)
    $q.Enqueue($GroupId)
    while($q.Count -gt 0){
        $gid = $q.Dequeue()
        try{ $members = Get-AzureADGroupMember -All $true -ObjectId $gid }catch{ continue }
        foreach($m in $members){
            if($m.ObjectType -eq 'User'){
                if($seenUsers.Add($m.ObjectId)){ $users += $m }
            }elseif($m.ObjectType -eq 'Group'){
                if($seenGroups.Add($m.ObjectId)){ $q.Enqueue($m.ObjectId) }
            }
        }
    }
    $users
}

function Get-AddableUsersByRoles {
    $roles = @('Application Administrator','Cloud Application Administrator','Global Administrator')
    $activeRoles = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -in $roles }
    $roleUsers = @{}
    foreach($r in $activeRoles){
        $members = @(Get-AzureADDirectoryRoleMember -ObjectId $r.ObjectId)
        $u = @()
        foreach($m in $members){
            if($m.ObjectType -eq 'User'){
                $u += $m
            }elseif($m.ObjectType -eq 'Group'){
                $u += Expand-GroupUsers -GroupId $m.ObjectId
            }
        }
        $uniq = $u | Group-Object ObjectId | ForEach-Object { $_.Group[0] }
        $roleUsers[$r.DisplayName] = $uniq
    }

    $rows = @()
    foreach($rn in $roleUsers.Keys){
        foreach($u in $roleUsers[$rn]){
            $upn = if($u.PSObject.Properties.Name -contains 'UserPrincipalName'){ $u.UserPrincipalName } else { '' }
            $rows += [pscustomobject]@{
                Role = $rn
                UserDisplayName = $u.DisplayName
                UserPrincipalName = $upn
                UserId = $u.ObjectId
            }
        }
    }
    $rows
}

function Get-AllAppOwners {
    # Get all applications and service principals and list owners
    $apps = Get-AzureADApplication -All $true
    $rows = foreach($a in $apps){
        $owners = @(Get-AzureADApplicationOwner -ObjectId $a.ObjectId)
        foreach($o in $owners){
            [pscustomobject]@{
                AppDisplayName = $a.DisplayName
                AppId = $a.AppId
                OwnerDisplayName = $o.DisplayName
                OwnerObjectId = $o.ObjectId
                OwnerType = $o.ObjectType
            }
        }
    }
    $rows
}

$roleRows = Get-AddableUsersByRoles
$ownerRows = Get-AllAppOwners

"=== USERS WHO CAN ADD SECRETS (BY TENANT ROLES) ==="
$roleRows | Sort-Object Role,UserDisplayName | Format-Table -AutoSize

"=== APPLICATION OWNERS ==="
$ownerRows | Sort-Object AppDisplayName,OwnerDisplayName | Format-Table -AutoSize

Azure CLI

# Reset (replace) an application (App Registration) credential (creates a new password and replaces existing if you don't use --append)
az ad app credential reset --id <AppObjectIdOrAppId> --append

# Reset a service principal credential
az ad sp credential reset --id <ServicePrincipalObjectIdOrAppId> --append

Azure GUI

Application owners who can add client secrets

Open Microsoft Entra admin center → Applications → App registrations.
Select the target application (the App Registration you want to assess).
In the left menu of the application blade, go to Owners.
- Anyone listed as Owner can go to Certificates & secrets for this app and add new client secrets.

Directory roles whose members can add client secrets

In Microsoft Entra admin center, go to Roles & administrators.
Look for the following roles:
- Global Administrator (GA)
- Privileged Role Administrator (PRA)
- Application Administrator
- Cloud Application Administrator
Click each role → open Assignments.
- Any user or service principal assigned to one of these roles can add client secrets to App Registrations (including the target app), even if they are not listed as Owners.
- If a group is assigned to one of these roles, enumerate the group’s transitive members (including nested groups) to find all effective identities that can add secrets.

Exploitation

PowerShell

$appName     = "example"
$description = "My custom description"

$pc = New-Object Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Models.ApiV10.MicrosoftGraphPasswordCredential
$pc.DisplayName   = $description
$pc.StartDateTime = Get-Date
$pc.EndDateTime   = (Get-Date).AddYears(1)

$cred = New-AzADAppCredential `
  -ObjectId (Get-AzADApplication -DisplayName $appName).Id `
  -PasswordCredentials $pc

Write-Host ""
Write-Host "New client secret value:" $($cred.SecretText)
Write-Host "Description:" $description

Azure GUI

Open Microsoft Entra admin center → Applications → App registrations.
Select the target application you want to manage.
In the left menu of the application blade, go to Certificates & secrets.
Under Client secrets, click + New client secret.
Enter a Description for the secret.
Choose the Expiration period (e.g., 3 months, 6 months, 12 months, or custom).
Click Add.
A new secret value will appear under Value.
- Copy the secret immediately — you will not be able to see it again after leaving the page.

Mitigation

Limit application owners who can add client secrets

Open Microsoft Entra admin center → Applications → App registrations.
Select the target application.
In the left menu, go to Owners.
Review the list of Owners:
- Remove any identity that does not need to manage secrets for this app.
- To remove: select the owner → click Remove.
Keep the owner list as small as possible:
- Prefer a dedicated admin group (with tight membership) instead of many individual owners.
- Avoid adding regular users or broad groups as owners.

Limit directory roles whose members can add client secrets

In Microsoft Entra admin center, go to Roles & administrators.
For each of the following roles:
- Global Administrator (GA)
- Privileged Role Administrator (PRA)
- Application Administrator
- Cloud Application Administrator
Click the role → open Assignments.
Review all users, service principals, and groups assigned to the role:
- Remove any assignment that does not require the ability to manage application credentials (including secrets).
- To remove: select the assignment → click Remove assignment.
If a group is assigned to one of these roles:
- Ensure the group’s membership is strictly controlled (only admins who truly need app-management rights).
- Avoid large or generic groups (e.g., “All IT”, “Developers”) being assigned to these roles.

Detection

Use Entra Audit Logs to see who added a new client secret

Open Microsoft Entra admin center → Identity → Monitoring & health → Audit logs.

In the Audit logs view, set:
- Date filter to the time window you want to investigate.
- Service (if available) to Application management or similar.

Use Add filters → filter by:
- Category / Activity: look for activities such as
  - “Update application – Certificates and secrets management”
- Optionally filter by Target (the specific application) if you know the app.

Open the relevant audit event(s):
- Check the Initiated by field to see which identity added the secret (user, service principal, or group via app).
- Check the Target to confirm the App Registration / Service Principal that received a new secret.

PreviousAZ_ADD_OWNER NextAZ_APP_ADMIN

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell

hashtagAzure CLI

hashtagAzure GUI

hashtagApplication owners who can add client secrets

hashtagDirectory roles whose members can add client secrets

hashtagExploitation

hashtagPowerShell

hashtagAzure GUI

hashtagMitigation

hashtagLimit application owners who can add client secrets

hashtagLimit directory roles whose members can add client secrets

hashtagDetection

Summary

Description

Identification

PowerShell

Azure CLI

Azure GUI

Application owners who can add client secrets

Directory roles whose members can add client secrets

Exploitation

PowerShell

Azure GUI

Mitigation

Limit application owners who can add client secrets

Limit directory roles whose members can add client secrets

Detection