AZ_GET_CERTIFICATES

Summary

FSProtect ACL Alias

AZ_GET_CERTIFICATES

Azure Alias

Get Certificates (Key Vault Data Plane)

Affected Object Types

Key Vaults

Exploitation Certainty

Certain

Permission

Key Vault data-plane permission certificates/get, granted either through a Key Vault access policy or through the Azure RBAC roles Key Vault Certificates User or Key Vault Certificate User

Description

AZ_GET_CERTIFICATES represents the ability to read certificates from an Azure Key Vault. This is a data-plane permission that allows retrieval of certificate objects (and their associated private keys, if exportable) stored in the vault.

Key Vault certificates are used for:

  • Service principal authentication — certificates used as credentials for Entra ID applications.

  • TLS/SSL certificates — for web apps, API gateways, and other services.

  • Code signing certificates.

  • Encryption certificates — S/MIME, document encryption.

The most dangerous scenario is when certificates are used as service principal credentials. Exporting such a certificate allows an attacker to authenticate as the service principal and inherit all its permissions, including potentially privileged API permissions or Azure RBAC roles.

Identification

PowerShell (Az Module)

Azure GUI

  1. Open Azure Portal → navigate to the target Key Vault.

  2. Go to Access policies → review policies that include Get under Certificate permissions.

  3. Alternatively, go to Access control (IAM) → review assignments for certificate-related roles.
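The same check from PowerShell, as an added example that is not part of the original page: it lists every principal holding certificates/get on each Key Vault in the current subscription, covering both the access-policy and the RBAC model. It assumes the Az.Accounts, Az.KeyVault and Az.Resources modules and an existing Connect-AzAccount session; the role-name list is an assumption you may need to extend for your tenant.

```powershell
# Added example: enumerate who can read certificates from each Key Vault.
# Assumes Az.Accounts, Az.KeyVault, Az.Resources and a signed-in context.
# Role names are an assumption (page names plus two broader built-in roles).
$certRoles = @(
    'Key Vault Certificates User',
    'Key Vault Certificate User',
    'Key Vault Certificates Officer',
    'Key Vault Administrator'
)

foreach ($vault in Get-AzKeyVault) {
    # The list call returns summaries only; fetch the full vault object.
    $kv = Get-AzKeyVault -VaultName $vault.VaultName

    if ($kv.EnableRbacAuthorization) {
        # RBAC model: data-plane rights come from role assignments on the vault
        # scope, including ones inherited from resource group or subscription.
        Get-AzRoleAssignment -Scope $kv.ResourceId |
            Where-Object { $certRoles -contains $_.RoleDefinitionName } |
            Select-Object @{n='Vault'; e={ $kv.VaultName }},
                          @{n='Model'; e={ 'RBAC' }},
                          DisplayName, ObjectType, RoleDefinitionName, Scope
    }
    else {
        # Access-policy model: 'get' or 'all' under certificate permissions.
        $kv.AccessPolicies |
            Where-Object { $_.PermissionsToCertificates -match '^(get|all)$' } |
            Select-Object @{n='Vault'; e={ $kv.VaultName }},
                          @{n='Model'; e={ 'AccessPolicy' }},
                          DisplayName, ObjectId,
                          @{n='CertPerms'; e={ $_.PermissionsToCertificates -join ',' }}
    }
}
```

Pipe the output to Format-Table or Export-Csv to review which identities should lose the permission under the Mitigation steps below.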

Exploitation

Step 1 — Grant Yourself Certificate Access (as Key Vault Contributor)

Step 2 — Read and Export Certificates

Via PowerZure

  • Get-AzureKeyVaultContent

  • Export-AzureKeyVaultContent

Opsec Considerations

Azure records every certificate read on the Key Vault: each CertificateGet operation appears in the vault's diagnostic (AuditEvent) logs together with the caller identity and source IP address.

Mitigation

  1. Restrict certificate access policies

    • Go to Azure Portal → target Key Vault → Access policies.

    • Remove the Get certificate permission from any principal that does not need to read certificates.

  2. Mark certificates as non-exportable

    • When creating certificates, set the private key as not exportable to prevent extraction.

  3. Switch to Azure RBAC model

    • Use granular RBAC roles for certificate access control.

  4. Use managed identities instead of certificates

    • Prefer managed identities over certificate-based service principal authentication where possible.

  5. Enable diagnostic logging

    • Go to Key Vault → Diagnostic settings → enable AuditEvent logging.

Detection

Monitor certificate access in Key Vault diagnostic logs.

  • Enable AuditEvent logging on the Key Vault.

  • Alert on:

    • CertificateGet operations, especially on certificates used for service principal auth.

    • Bulk certificate access from unusual identities.

    • Certificate downloads outside of expected automation patterns.

Azure Monitor / Log Analytics (KQL)

References
