AZ_MG_ADD_SECRET

Summary

FSProtect ACL Alias

AZ_MG_ADD_SECRET

Entra ID (Azure AD) Alias

Add Secrets (Microsoft Graph)

Affected Object Types

App registrations & Service Principals

Exploitation Certainty

Certain

Graph Permission / Role

Ability to add password credentials via Microsoft Graph using delegated scopes and/or application permissions such as: Application.ReadWrite.All, Directory.ReadWrite.All, Application.ReadWrite.OwnedBy and/or directory roles such as Application Administrator, Cloud Application Administrator, Privileged Role Administrator, Global Administrator or explicit Owner on the Application / Service Principal

Description

AZ_MG_ADD_SECRET represents the ability for a principal to add a new client secret / password credential via Microsoft Graph to an App Registration (application) or a Service Principal.

Adding a secret gives an attacker or a controlled identity the ability to:

Exchange the application’s client id + secret for tokens and act as that application, using any privileges granted to the app (delegated or application permissions).
If the application has broad application permissions, the attacker can perform tenant-wide actions or escalate further.
If the service principal represents infrastructure, cloud resources, or privileged automation, the new secret may be used to access production systems or pivot laterally.

Because secrets are persistent credentials that can be used from anywhere, the ability to add secrets is highly sensitive.

Identification

PowerShell (Microsoft Graph)

Identify service principals with Graph app permissions (PowerShell)

Install-Module Microsoft.Graph-Scope CurrentUser
Import-Module Microsoft.Graph

$ErrorActionPreference ='Stop'

# Read-only scopes to enumerate enterprise apps and their Graph app role assignments
Connect-MgGraph-Scopes"Application.Read.All","AppRoleAssignment.Read.All","Directory.Read.All"

# Microsoft Graph service principal
$msGraphAppId ="00000003-0000-0000-c000-000000000000"
$graphSp =Get-MgServicePrincipal-Filter"appId eq '$msGraphAppId'"-Property Id,AppRoles

$targetAppPerms =@(
"Application.ReadWrite.All",
"Directory.ReadWrite.All",
"Application.ReadWrite.OwnedBy"
)

# Map permission value -> AppRoleId
$roleMap =@{}
$graphSp.AppRoles |
Where-Object {$_.IsEnabled-and$_.Value-in$targetAppPerms } |
ForEach-Object {$roleMap[$_.Value] =$_.Id }

$results =@()

# Enumerate service principals and check their app role assignments to Microsoft Graph
$allSps =Get-MgServicePrincipal-All-Property Id,AppId,DisplayName
foreach ($spin$allSps) {
$assignments =$null
try {$assignments =Get-MgServicePrincipalAppRoleAssignment-ServicePrincipalId$sp.Id-All }
catch {continue }

$hits =$assignments |Where-Object {
$_.ResourceId-eq$graphSp.Id-and ($roleMap.Values-contains$_.AppRoleId)
  }

foreach ($hin$hits) {
$permName = ($roleMap.GetEnumerator() |Where-Object {$_.Value-eq$h.AppRoleId }).Key
$results += [pscustomobject]@{
      ServicePrincipalDisplayName =$sp.DisplayName
      ServicePrincipalId          =$sp.Id
      ServicePrincipalAppId       =$sp.AppId
      GraphApplicationPermission  =$permName
    }
  }
}

"=== SERVICE PRINCIPALS WITH GRAPH APP PERMISSIONS THAT CAN ADD SECRETS ==="
$results |
Sort-Object GraphApplicationPermission, ServicePrincipalDisplayName |
Format-Table-AutoSize

Azure GUI

Application owners who can add client secrets

Go to Microsoft Entra admin center → App registrations → select the target app.
Open Owners and list all identities shown there.
Review Certificates & secrets exposure and ownership model.

Enterprise applications (service principals) that can add secrets via Graph

Go to Enterprise applications → select the application (service principal).
Open Permissions / API permissions.
Under Microsoft Graph → review Application permissions for:
- Application.ReadWrite.All
- Directory.ReadWrite.All
- Application.ReadWrite.OwnedBy

Directory roles whose members can add secrets

Go to Roles & administrators.
Review memberships for:
- Global Administrator
- Privileged Role Administrator
- Application Administrator
- Cloud Application Administrator
If any role assignment is a group, enumerate transitive membership.

Exploitation

PowerShell (Microsoft Graph)

Add a client secret to an application (PowerShell)

$targetAppId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" 
$secretName  = "RotatedByGraphPS"
$validDays   = 180

$app = Get-MgApplication -Filter "appId eq '$targetAppId'"
if (-not $app) { throw "Application bulunamadı. appId=$targetAppId" }

$passwordCred = @{
  displayName = $secretName
  endDateTime = (Get-Date).ToUniversalTime().AddDays($validDays)
}

$resp = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential $passwordCred

[PSCustomObject]@{
  ApplicationDisplayName = $app.DisplayName
  ApplicationObjectId    = $app.Id
  KeyId                  = $resp.KeyId
  SecretText             = $resp.SecretText
  EndDateTimeUtc         = $resp.EndDateTime
} | Format-List

Azure GUI

Go to Microsoft Entra admin center → App registrations (or Enterprise applications).
Open the target object.
Go to Certificates & secrets.
Under Client secrets, create a new secret through your approved workflow.
Copy the secret immediately and store it securely.

Mitigation

Minimize Owners on applications and service principals.
Remove unnecessary Graph permissions from service principals:
- Prioritize removing Directory.ReadWrite.All and Application.ReadWrite.All when not required.
- Prefer least-privilege patterns and narrow ownership boundaries.
Configure Application management policies to restrict credential operations:
- Restrict or block password credential additions where possible.
- Enforce maximum secret lifetimes.
- Control exceptions with explicit scoping and approvals.
Use privileged access controls for admin roles (JIT / PIM where available).
Require change management for credential changes on production identities.

Detection

Use Entra Audit logs to see who added a new client secret.

Go to Microsoft Entra admin center → Audit logs.
Use Category that corresponds to Application management.
Look for events related to credentials, such as:
- Update application – Certificates and secrets management
Open the event and review:
- Initiated by
- Target resources
- Any modified properties related to password credentials

References

PreviousAZ_MG_ADD_OWNER NextAZ_MG_APPLICATION_READWRITE_ALL

Last updated 6 days ago

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagApplication owners who can add client secrets

hashtagEnterprise applications (service principals) that can add secrets via Graph

hashtagDirectory roles whose members can add secrets

hashtagExploitation

hashtagPowerShell (Microsoft Graph)

hashtagAzure GUI

hashtagMitigation

hashtagDetection

hashtagReferences

Summary

Description

Identification

PowerShell (Microsoft Graph)

Azure GUI

Application owners who can add client secrets

Enterprise applications (service principals) that can add secrets via Graph

Directory roles whose members can add secrets

Exploitation

PowerShell (Microsoft Graph)

Azure GUI

Mitigation

Detection

References