AZ_MG_ADD_SECRET
Summary
FSProtect ACL Alias
AZ_MG_ADD_SECRET
Entra ID (Azure AD) Alias
Add Secrets (Microsoft Graph)
Affected Object Types
App registrations & Service Principals
Exploitation Certainty
Certain
Graph Permission / Role
Ability to add password credentials via Microsoft Graph, granted by the application permission Application.ReadWrite.All and/or directory roles such as Application Administrator, Cloud Application Administrator or Global Administrator, or by explicit ownership (Owner) of the Application / Service Principal
Description
AZ_MG_ADD_SECRET represents the ability for a principal to add a new client secret / password credential via Microsoft Graph to an App Registration (application) or a Service Principal.
Adding a secret gives an attacker or a controlled identity the ability to:
Exchange the application’s client id + secret for tokens and act as that application, using any privileges granted to the app (delegated or application permissions).
If the application has broad application permissions, the attacker can perform tenant-wide actions or escalate further.
If the service principal represents infrastructure, cloud resources, or privileged automation, the new secret may be used to access production systems or pivot laterally.
Because secrets are persistent credentials that can be used from anywhere, the ability to add secrets is highly sensitive.
Identification
PowerShell (Microsoft Graph)
Enumerate service principals that have Microsoft Graph application permissions capable of adding secrets.
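The following enumeration script is an added example, not code from the original page or from FSProtect. It assumes the Microsoft.Graph PowerShell SDK is installed and uses only read permissions; the Microsoft Graph resource appId (00000003-0000-0000-c000-000000000000) is well known and the Application.ReadWrite.All app role is resolved by name rather than hard-coded.

```powershell
# Added example: list service principals that hold the Microsoft Graph application
# permission Application.ReadWrite.All (and therefore can add secrets tenant-wide),
# together with their owners, who inherit that capability by adding a secret to the holder.
Connect-MgGraph -Scopes "Application.Read.All"

# Well-known appId of the Microsoft Graph resource service principal.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Resolve the app role (application permission) by its value instead of hard-coding the role id.
$roleValue = 'Application.ReadWrite.All'
$role = $graphSp.AppRoles |
    Where-Object { $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains 'Application' }
if (-not $role) { throw "App role $roleValue not found on the Microsoft Graph service principal" }

# appRoleAssignedTo enumerates every principal granted an app role on this resource.
$holders = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $role.Id -and $_.PrincipalType -eq 'ServicePrincipal' }

$report = foreach ($h in $holders) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $h.PrincipalId

    # Owners are returned as directory objects; show the UPN when present, else the object id.
    $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All | ForEach-Object {
        if ($_.AdditionalProperties.ContainsKey('userPrincipalName')) {
            $_.AdditionalProperties['userPrincipalName']
        } else {
            $_.Id
        }
    }

    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        ObjectId    = $sp.Id
        Permission  = $roleValue
        Owners      = ($owners -join '; ')
    }
}

# Every row is a principal (plus its owners) that can add a secret to any app or SP in the tenant.
$report | Sort-Object DisplayName | Format-Table -AutoSize
```

Directory role holders (Application Administrator, Cloud Application Administrator, Global Administrator) are not covered by this query; see AZ_ADD_SECRET for those.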
Azure GUI
Enterprise applications (service principals) that can add secrets via Graph
Go to Enterprise applications -> select the application (service principal).
Open Permissions / API permissions.
Under Microsoft Graph -> review Application permissions for:
Application.ReadWrite.All
Note: For identification of directory roles (Application Administrator, Cloud Application Administrator, Global Administrator) and explicit owners that can add secrets, see AZ_ADD_SECRET.
Exploitation
An attacker with Application.ReadWrite.All permission or ownership of an application can add a client secret and then authenticate as that application to abuse its permissions.
PowerShell (Microsoft Graph)
Azure GUI
Go to Microsoft Entra admin center -> App registrations (or Enterprise applications).
Open the target object.
Go to Certificates & secrets.
Under Client secrets, create a new secret.
Copy the secret immediately and store it securely.
Mitigation
Minimize owners on applications and service principals.
Remove unnecessary Graph permissions from service principals:
Review and remove Application.ReadWrite.All when not required.
Prefer least-privilege patterns and narrow ownership boundaries.
Configure Application management policies to restrict credential operations:
Restrict or block password credential additions where possible.
Enforce maximum secret lifetimes.
Control exceptions with explicit scoping and approvals.
Use privileged access controls for admin roles (PIM where available).
Require change management for credential changes on production identities.
Regular access reviews:
Go to Identity Governance -> Access Reviews.
Review application owners and service principals with privileged permissions.
Detection
Monitor Entra Audit logs for secret additions.
Go to Microsoft Entra admin center -> Audit logs.
Filter by Category: ApplicationManagement.
Look for events:
Update application - Certificates and secrets management
Add service principal credentials
Review:
Initiated by (actor)
Target resources
Modified properties related to password credentials
Alert on:
Secret additions to applications with privileged Graph permissions.
Secret additions outside of change management windows.
Secret additions by unexpected actors.