# AZ\_MG\_ADD\_SECRET

## Summary

| | |
| --- | --- |
| **FSProtect ACL Alias** | AZ\_MG\_ADD\_SECRET |
| **Entra ID (Azure AD) Alias** | Add Secrets (Microsoft Graph) |
| **Affected Object Types** | App registrations & Service Principals |
| **Exploitation Certainty** | Certain |
| **Graph Permission / Role** | Ability to add password credentials via Microsoft Graph using the application permission `Application.ReadWrite.All` and/or directory roles such as **Application Administrator**, **Cloud Application Administrator**, **Global Administrator**, or explicit **Owner** on the Application / Service Principal |

## Description

`AZ_MG_ADD_SECRET` represents the ability for a principal to **add a new client secret / password credential via Microsoft Graph** to an App Registration (application) or a Service Principal.

Adding a secret gives an attacker, or any identity they control, the ability to:

* Exchange the application's client ID and the new secret for tokens and act as that application, with whatever privileges the app has been granted (delegated or application permissions).
* Perform tenant-wide actions or escalate further, if the application holds broad application permissions.
* Reach production systems or pivot laterally, if the service principal represents infrastructure, cloud resources, or privileged automation.

Because a client secret is a long-lived credential that can be used from any network location, the ability to add one is highly sensitive.

## Identification

### PowerShell (Microsoft Graph)

Enumerate service principals that have **Microsoft Graph application permissions** capable of adding secrets.

```powershell
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"

# Get Microsoft Graph service principal and target app role IDs
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" -Property Id,AppRoles
$targetPerms = @("Application.ReadWrite.All")
$targetRoleIds = $graphSp.AppRoles | Where-Object { $_.Value -in $targetPerms } | Select-Object -ExpandProperty Id

# Query app role assignments directly from Microsoft Graph SP
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

# Filter for target permissions and build results
$results = $assignments | Where-Object { $_.AppRoleId -in $targetRoleIds } | ForEach-Object {
    $appRoleId = $_.AppRoleId
    [PSCustomObject]@{
        ServicePrincipalName = $_.PrincipalDisplayName
        ServicePrincipalId   = $_.PrincipalId
        Permission           = ($graphSp.AppRoles | Where-Object { $_.Id -eq $appRoleId }).Value
    }
}

$results | Format-Table -AutoSize
```

### Azure GUI

1. **Enterprise applications (service principals) that can add secrets via Graph**
   * Go to **Enterprise applications** -> select the application (service principal).
   * Open **Permissions / API permissions**.
   * Under **Microsoft Graph** -> review **Application permissions** for:
     * `Application.ReadWrite.All`

> **Note:** For identification of directory roles (Application Administrator, Cloud Application Administrator, Global Administrator) and explicit owners that can add secrets, see [AZ\_ADD\_SECRET](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_ADD_SECRET/README.md).

## Exploitation

An attacker with `Application.ReadWrite.All` permission or ownership of an application can add a client secret and then authenticate as that application to abuse its permissions.

### PowerShell (Microsoft Graph)

```powershell
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$appName    = "Example App"
$secretName = "AddedSecret"
$validDays  = 180

$app = Get-MgApplication -Filter "displayName eq '$appName'" | Select-Object -First 1

$passwordCred = @{
    displayName = $secretName
    endDateTime = (Get-Date).ToUniversalTime().AddDays($validDays)
}

$resp = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential $passwordCred

[PSCustomObject]@{
    ApplicationName = $app.DisplayName
    AppId           = $app.AppId
    SecretText      = $resp.SecretText
    ExpiresUtc      = $resp.EndDateTime
} | Format-List
```

### Azure GUI

* Go to **Microsoft Entra admin center** -> **App registrations** (or **Enterprise applications**).
* Open the target object.
* Go to **Certificates & secrets**.
* Under **Client secrets**, create a new secret.
* Copy the secret immediately and store it securely.

## Mitigation

* **Minimize owners** on applications and service principals.
* **Remove unnecessary Graph permissions** from service principals:
  * Review and remove `Application.ReadWrite.All` when not required.
  * Prefer least-privilege patterns and narrow ownership boundaries.
* **Configure Application management policies** to restrict credential operations:
  * Restrict or block password credential additions where possible.
  * Enforce maximum secret lifetimes.
  * Control exceptions with explicit scoping and approvals.
* **Use privileged access controls** for admin roles (PIM where available).
* **Require change management** for credential changes on production identities.
* **Regular access reviews**:
  * Go to **Identity Governance** -> **Access Reviews**.
  * Review application owners and service principals with privileged permissions.
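The tenant-wide default app management policy is where the two credential controls above (blocking secret additions, capping secret lifetime) are set. The following is an added example, not code from the FSProtect page or from Microsoft; it assumes the `Policy.ReadWrite.ApplicationConfiguration` scope and uses a constructed cut-off date, since the restrictions only apply to apps created after that date (older apps and approved exceptions are handled with app-scoped policies).

```powershell
# Added example: block new password (secret) additions tenant-wide and cap the lifetime
# of any secret that is still allowed at 90 days, via the default app management policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"

# Constructed cut-off: only apps created after this date are affected, so pick a date
# that covers the apps you actually want to govern (an early date covers everything).
$restrictFrom = "2024-01-01T00:00:00Z"

$policy = @{
    isEnabled = $true
    applicationRestrictions = @{
        passwordCredentials = @(
            @{
                # No new client secrets may be added (certificates are still allowed)
                restrictionType                     = "passwordAddition"
                restrictForAppsCreatedAfterDateTime = $restrictFrom
            },
            @{
                # Any secret that is still permitted (e.g. via an exception policy) lives at most 90 days
                restrictionType                     = "passwordLifetime"
                maxLifetime                         = "P90D"
                restrictForAppsCreatedAfterDateTime = $restrictFrom
            }
        )
    }
}

Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy" `
    -Body $policy -ContentType "application/json"

# Read the policy back and show the effective restrictions
$current = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy"

[PSCustomObject]@{ Enabled = $current.isEnabled } | Format-List
$current.applicationRestrictions.passwordCredentials | ForEach-Object {
    [PSCustomObject]@{
        Restriction        = $_.restrictionType
        MaxLifetime        = $_.maxLifetime
        AppsCreatedAfter   = $_.restrictForAppsCreatedAfterDateTime
    }
} | Format-Table -AutoSize
```

Once enabled, `Add-MgApplicationPassword` on a covered app fails with a policy error, so validate in a test tenant first and give apps that legitimately need secrets an app-scoped `appManagementPolicy` rather than leaving the default disabled.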

## Detection

Monitor Entra **Audit logs** for secret additions.

* Go to **Microsoft Entra admin center** -> **Audit logs**.
* Filter by **Category: ApplicationManagement**.
* Look for events:
  * **Update application - Certificates and secrets management**
  * **Add service principal credentials**
* Review:
  * **Initiated by (actor)**
  * **Target resources**
  * Modified properties related to password credentials

Alert on:

* Secret additions to applications with privileged Graph permissions.
* Secret additions outside of change management windows.
* Secret additions by unexpected actors.
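The three alert conditions above can be evaluated directly against the audit log through Microsoft Graph. The following is an added example, not code from the FSProtect page; it assumes the `AuditLog.Read.All` and `Directory.Read.All` scopes and uses constructed placeholders for the privileged target IDs, the expected actors and the change window, which should be replaced with tenant-specific values (the target IDs can be taken from the Identification script's output).

```powershell
# Added example: pull the two secret-addition audit events for the last N days and
# flag those that match the alert conditions (privileged target, outside change
# window, unexpected actor).
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

$lookbackDays = 7
# Constructed inputs (placeholders): replace with your tenant's values
$privilegedTargetIds  = @("00000000-0000-0000-0000-000000000000")   # object IDs of privileged apps/SPs
$expectedActors       = @("secrets-rotation@contoso.example")       # accounts allowed to rotate secrets
$changeWindowUtcHours = 8..17                                       # approved change window (UTC)

# Filter on category and time server-side; match the activity names client-side with
# -like so the hyphen/dash variant in "Update application - Certificates and secrets
# management" does not matter
$since  = (Get-Date).ToUniversalTime().AddDays(-$lookbackDays).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "category eq 'ApplicationManagement' and activityDateTime ge $since"
$events = Get-MgAuditLogDirectoryAudit -Filter $filter -All | Where-Object {
    $_.ActivityDisplayName -like "Update application*Certificates and secrets management" -or
    $_.ActivityDisplayName -eq "Add service principal credentials"
}

$findings = foreach ($e in $events) {
    # The actor is either a user (UPN) or an application / service principal
    $actor = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
             else { "app:" + $e.InitiatedBy.App.DisplayName }
    $target  = $e.TargetResources | Select-Object -First 1
    $hourUtc = $e.ActivityDateTime.ToUniversalTime().Hour

    $reasons = @()
    if ($target.Id -in $privilegedTargetIds)     { $reasons += "privileged target" }
    if ($hourUtc -notin $changeWindowUtcHours)   { $reasons += "outside change window" }
    if ($actor -notin $expectedActors)           { $reasons += "unexpected actor" }

    [PSCustomObject]@{
        TimeUtc  = $e.ActivityDateTime.ToUniversalTime()
        Activity = $e.ActivityDisplayName
        Actor    = $actor
        Target   = "$($target.DisplayName) ($($target.Id))"
        Result   = $e.Result
        Alert    = $reasons -join "; "
    }
}

# Rows with a non-empty Alert column are alert candidates; the rest is audit context
$findings | Sort-Object TimeUtc -Descending | Format-Table -AutoSize
```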

## References

* [https://learn.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0)
* [https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0)
* [https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/add-mgapplicationpassword?view=graph-powershell-1.0](https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/add-mgapplicationpassword?view=graph-powershell-1.0)
* [https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/add-mgserviceprincipalpassword?view=graph-powershell-1.0](https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/add-mgserviceprincipalpassword?view=graph-powershell-1.0)
* [https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-app-management-policies](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-app-management-policies)
* [https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications](https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications)
* [https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs](https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.forestall.io/fsprotect/edges/azure/az_mg_add_secret.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
