# AZ\_RUNS\_AS

## Summary

|                               |                                       |
| ----------------------------- | ------------------------------------- |
| **FSProtect ACL Alias**       | AZ\_RUNS\_AS                          |
| **Entra ID (Azure AD) Alias** | Runs As                               |
| **Affected Object Types**     | App Registration -> Service Principal |
| **Exploitation Certainty**    | Certain                               |

## Description

`AZ_RUNS_AS` represents the relationship where an Azure App Registration authenticates to the tenant using its associated Service Principal.

When an App Registration needs to authenticate to Microsoft Entra ID, it does so through its Service Principal: the credentials (secrets or certificates) live on the App object, but the token that is issued belongs to the Service Principal, and it is the Service Principal that carries permissions and role assignments. Anyone who can add a credential to the App can therefore sign in as that Service Principal, so control of an App Registration amounts to control of whatever the Service Principal it runs as is allowed to do.

This edge is critical for privilege escalation because:

* Controlling an App allows you to add credentials (secrets/certificates) to authenticate as its Service Principal.
* The Service Principal may have dangerous permissions (API permissions, Azure RBAC roles, or Entra directory roles).
* Apps often have more permissions than necessary due to over-provisioning.

## Identification

### PowerShell (Microsoft Graph)

List all App Registrations and their associated Service Principals:

```powershell
# Application.Read.All covers reading both applications and service principals.
Connect-MgGraph -Scopes "Application.Read.All"

# An App Registration and the Service Principal it runs as share the same appId,
# so the service principal is looked up by that value. An app that has never
# been consented to (or whose service principal was deleted) has no SP yet:
# its SP columns stay empty and no AZ_RUNS_AS edge exists for it.
Get-MgApplication -All | ForEach-Object {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($_.AppId)'" -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        AppName       = $_.DisplayName
        AppId         = $_.AppId          # application (client) ID, shared by both objects
        AppObjectId   = $_.Id             # object ID of the App Registration
        SPObjectId    = $sp.Id            # object ID of the Service Principal (Enterprise application)
        SPDisplayName = $sp.DisplayName
    }
} | Format-Table -AutoSize
```
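
The listing above only tells you that an edge exists; its value depends on what the Service Principal holds. The following is an added example, not FSProtect's own tooling, that enumerates the three kinds of privilege named in the Description for one Service Principal: application API permissions (app role assignments), Entra directory roles (including those inherited through role-assignable groups) and Azure RBAC role assignments. It assumes the Microsoft.Graph and Az.Resources modules are installed, that you are signed in to Azure with `Connect-AzAccount`, and the object ID is a placeholder taken from the `SPObjectId` column.

```powershell
# Added example. Assumptions: Microsoft.Graph and Az.Resources modules installed,
# Connect-AzAccount already run; $SpObjectId is a placeholder.
$SpObjectId = "<service principal object id>"

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# 1. Application (app-only) API permissions are app role assignments on the SP.
#    Each AppRoleId is resolved to its permission value via the resource's AppRoles.
$apiPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $SpObjectId -All |
    ForEach-Object {
        $assignment = $_
        $resource   = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role       = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [PSCustomObject]@{
            Kind     = "APIPermission"
            Resource = $resource.DisplayName      # e.g. Microsoft Graph
            Value    = $role.Value                # e.g. Directory.ReadWrite.All
        }
    }

# 2. Entra directory roles. Transitive membership is used so that roles granted
#    through a role-assignable group are included; eligible (PIM) assignments are not shown.
$dirRoles = Get-MgServicePrincipalTransitiveMemberOf -ServicePrincipalId $SpObjectId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object {
        [PSCustomObject]@{
            Kind     = "DirectoryRole"
            Resource = "Entra ID"
            Value    = $_.AdditionalProperties['displayName']
        }
    }

# 3. Azure RBAC role assignments held directly by the SP, at any scope.
$rbac = Get-AzRoleAssignment -ObjectId $SpObjectId |
    ForEach-Object {
        [PSCustomObject]@{
            Kind     = "AzureRBAC"
            Resource = $_.Scope
            Value    = $_.RoleDefinitionName
        }
    }

@($apiPerms) + @($dirRoles) + @($rbac) | Format-Table -AutoSize
```

Run it for every `SPObjectId` in the listing and sort by the `Value` column; an App whose Service Principal shows entries such as a Graph application permission on the directory, a privileged directory role, or Owner/Contributor on a subscription is where AZ_RUNS_AS turns into a privilege escalation path.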

### Azure GUI

1. Open **Microsoft Entra admin center** -> **App registrations**.
2. Select an application.
3. Note the **Application (client) ID**.
4. Navigate to **Enterprise applications** and search by the same App ID to find the Service Principal.

## Abuse Info

Consider this edge whenever you gain control of an App. Because an App authenticates to the tenant through its Service Principal, control of the App is only worth as much as the privileges of the Service Principal it runs as; this edge is what turns the right to add credentials to the App into those privileges.

To abuse this relationship, you need control over the App Registration through another edge (e.g., [AZ\_ADD\_SECRET](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_ADD_SECRET/README.md), [AZ\_ADD\_OWNER](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_ADD_OWNER/README.md), [AZ\_APP\_ADMIN](https://gitlab.com/forestall/fsprotect-knowledge-base/-/blob/main/edges/AZ_APP_ADMIN/README.md)). Once you have that control, you can add credentials to the App and authenticate as the Service Principal it runs as.
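
The step described above, as an added example rather than FSProtect's own tooling, using the Microsoft Graph PowerShell SDK: add a short-lived secret to the App, then sign in as the Service Principal it runs as with the client credentials flow. The tenant ID, application object ID and application (client) ID are placeholders, and the session that adds the secret is assumed to already control the App through one of the edges above (as an owner, or through a role such as Application Administrator).

```powershell
# Added example; all three identifiers are placeholders.
$TenantId    = "<tenant id>"
$AppObjectId = "<object id of the App Registration>"   # AppObjectId column in the Identification listing
$AppId       = "<application (client) id>"             # AppId column, shared with the Service Principal

# 1. As the principal that controls the App, add a new client secret.
#    Application.ReadWrite.All is the delegated scope the SDK asks for; the directory
#    still only lets the call succeed if the signed-in user owns the App or holds
#    an application-administration role.
Connect-MgGraph -Scopes "Application.ReadWrite.All"
$newSecret = Add-MgApplicationPassword -ApplicationId $AppObjectId -PasswordCredential @{
    DisplayName = "rotation"                # name that shows in the portal and in the audit log
    EndDateTime = (Get-Date).AddDays(1)     # keep the lifetime short
}
$secretText = $newSecret.SecretText         # returned once by this call; not retrievable later
Disconnect-MgGraph

# 2. Authenticate as the Service Principal the App runs as (client credentials flow).
$spCredential = [pscredential]::new(
    $AppId,
    (ConvertTo-SecureString $secretText -AsPlainText -Force)
)
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $spCredential

# 3. Confirm the session is app-only: from here on every call runs with the
#    Service Principal's permissions and role assignments, not the user's.
$ctx = Get-MgContext
"AuthType: $($ctx.AuthType)"    # expected: AppOnly
"ClientId: $($ctx.ClientId)"    # expected: the value of $AppId
```

If the tenant's app management policy blocks password addition, `Add-MgApplicationPassword` fails; the same control over the App still allows adding a certificate (`Add-MgApplicationKey`), which is why switching to certificates narrows leakage risk but does not remove this edge.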

## Mitigation

* Limit who can add credentials to App Registrations: App owners and holders of the Application Administrator and Cloud Application Administrator roles can all do it, so review owner lists as well as those role memberships.
* Use certificate-based authentication instead of secrets where possible. This reduces the impact of a leaked secret but does not close this edge: a principal who controls the App can add a certificate as easily as a secret.
* Apply least privilege to Service Principals, since the Service Principal's permissions and role assignments are exactly what this edge hands to whoever controls the App.
* Regularly review and rotate App credentials, and remove any credential you cannot attribute to a known change.
* Monitor for unexpected credential additions (see Detection below).

## Detection

Monitor the Entra **Audit logs** for credential changes on Applications, and the **Sign-in logs** (service principal sign-ins) for the authentications that follow.

* Alert on:
  * New credentials added to App Registrations (`Add application credentials`; in the portal this change also appears as `Update application – Certificates and secrets management`, category `ApplicationManagement`, so key rules on both names rather than on one exact string).
  * Service Principal sign-ins from unusual locations or IPs, in particular the first sign-in that uses a newly added credential.
  * Unexpected API calls by Service Principals.
* Investigate:
  * **Initiated by (actor)**: the user or app that added the credential, and whether it owns the target App or holds an application-administration role.
  * **Target application**: which App, and therefore which Service Principal and which privileges, the new credential unlocks.
  * Correlation with known change requests.
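
The triage the list above describes, as an added example that is not part of FSProtect: a function that takes audit records shaped like the objects `Get-MgAuditLogDirectoryAudit` returns, keeps only credential changes on Applications, and flags every one whose actor is not on an approved list for that App. The records and the approved-change table are constructed for the example; the comment at the end shows the live query to substitute.

```powershell
# Added example. Sample records are constructed to match the shape of
# Get-MgAuditLogDirectoryAudit output; they are not real tenant data.
function New-SampleAudit {
    param([string]$When, [string]$Activity, [string]$Actor, [string]$AppName, [string]$AppObjectId)
    [pscustomobject]@{
        ActivityDateTime    = [datetime]$When
        ActivityDisplayName = $Activity
        Category            = "ApplicationManagement"
        InitiatedBy         = [pscustomobject]@{
            User = [pscustomobject]@{ UserPrincipalName = $Actor }
            App  = $null
        }
        TargetResources     = @([pscustomobject]@{ DisplayName = $AppName; Id = $AppObjectId; Type = "Application" })
    }
}

$auditRecords = @(
    New-SampleAudit "2024-05-01T09:12:00Z" "Update application – Certificates and secrets management" `
        "alice@contoso.example"      "payroll-sync"  "11111111-1111-1111-1111-111111111111"
    New-SampleAudit "2024-05-01T23:47:00Z" "Add application credentials" `
        "contractor@contoso.example" "tenant-backup" "22222222-2222-2222-2222-222222222222"
    New-SampleAudit "2024-05-02T08:00:00Z" "Update application" `
        "alice@contoso.example"      "payroll-sync"  "11111111-1111-1111-1111-111111111111"
)

# Approved changes (constructed): App display name -> actors allowed to touch its credentials.
$approvedChanges = @{
    "payroll-sync" = @("alice@contoso.example")
}

function Find-UnexpectedCredentialAdditions {
    param(
        [Parameter(Mandatory)] [object[]]  $Records,
        [Parameter(Mandatory)] [hashtable] $Approved
    )
    $Records |
        Where-Object {
            # Both activity names the Detection section mentions are matched.
            $_.Category -eq "ApplicationManagement" -and
            $_.ActivityDisplayName -match 'credential|Certificates and secrets'
        } |
        ForEach-Object {
            $target = $_.TargetResources | Where-Object Type -eq "Application" | Select-Object -First 1
            # The actor is a user for interactive changes, an app for automated ones.
            $actor = if ($_.InitiatedBy.User) { $_.InitiatedBy.User.UserPrincipalName }
                     else                      { $_.InitiatedBy.App.DisplayName }
            $approved = $Approved[$target.DisplayName] -contains $actor
            $verdict  = if ($approved) { "approved" } else { "INVESTIGATE" }
            [pscustomobject]@{
                When        = $_.ActivityDateTime
                Activity    = $_.ActivityDisplayName
                Actor       = $actor
                TargetApp   = $target.DisplayName
                AppObjectId = $target.Id      # feed into the Identification listing to find the SP it runs as
                Verdict     = $verdict
            }
        } |
        Where-Object Verdict -eq "INVESTIGATE"
}

# On the constructed data only the contractor's change to "tenant-backup" is flagged:
# the plain "Update application" event is not a credential change and alice is approved for payroll-sync.
Find-UnexpectedCredentialAdditions -Records $auditRecords -Approved $approvedChanges | Format-Table -AutoSize

# Live use: replace $auditRecords with the tenant's audit log (needs AuditLog.Read.All), e.g.
#   Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'ApplicationManagement' and activityDateTime ge 2024-05-01T00:00:00Z"
```

Each flagged row carries the App object ID, which maps back to the Service Principal through the Identification listing; pair the finding with that Service Principal's sign-in log entries to see whether the new credential has already been used.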

## References

* <https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals>
* <https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal>
* <https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs>
