AZ_RUNS_AS
Summary
FSProtect ACL Alias: AZ_RUNS_AS
Entra ID (Azure AD) Alias: Runs As
Affected Object Types: App Registration -> Service Principal
Exploitation Certainty: Certain
Description
AZ_RUNS_AS represents the relationship where an Azure App Registration authenticates to the tenant using its associated Service Principal.
When an App Registration needs to authenticate to Microsoft Entra ID, it does so through its Service Principal. If you control an App Registration, what you effectively gain is that control plus every privilege assigned to the Service Principal the App runs as.
This edge is critical for privilege escalation because:
Controlling an App allows you to add credentials (secrets/certificates) to authenticate as its Service Principal.
The Service Principal may have dangerous permissions (API permissions, Azure RBAC roles, or Entra directory roles).
Apps often have more permissions than necessary due to over-provisioning.
Identification
PowerShell (Microsoft Graph)
List all App Registrations and their associated Service Principals:
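The listing referred to above is not reproduced on this page; the following is an added example (not the page's own script) that produces it with the Microsoft Graph PowerShell SDK, assuming the Microsoft.Graph module is installed and the signed-in account can consent to the read-only Application.Read.All scope. It also counts each App's credentials and the Service Principal's app-role grants so over-provisioned Apps stand out during review.

```powershell
# Added example (not from the original page): map each App Registration to the
# Service Principal it runs as (the AZ_RUNS_AS edge) and summarise its exposure.
# Assumption: Microsoft.Graph module installed; Application.Read.All is read-only.
Connect-MgGraph -Scopes "Application.Read.All"

$edges = foreach ($app in Get-MgApplication -All) {
    # The home-tenant Service Principal shares the App's Application (client) ID.
    # It is $null when the App has never been instantiated in this tenant.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"

    # App-role grants (application permissions) held by the Service Principal;
    # a high count is a hint that the SP is more privileged than it needs to be.
    $appRoleGrants = 0
    if ($sp) {
        $appRoleGrants = @(Get-MgServicePrincipalAppRoleAssignment `
            -ServicePrincipalId $sp.Id -All).Count
    }

    # Earliest secret expiry helps prioritise rotation reviews.
    $nextSecretExpiry = $null
    if ($app.PasswordCredentials) {
        $nextSecretExpiry = ($app.PasswordCredentials |
            Sort-Object EndDateTime | Select-Object -First 1).EndDateTime
    }

    [pscustomobject]@{
        AppDisplayName   = $app.DisplayName
        AppObjectId      = $app.Id
        AppId            = $app.AppId
        SPObjectId       = $sp.Id          # $null if no Service Principal yet
        SecretCount      = @($app.PasswordCredentials).Count
        CertCount        = @($app.KeyCredentials).Count
        AppRoleGrants    = $appRoleGrants
        NextSecretExpiry = $nextSecretExpiry
    }
}

# Apps with many grants or many credentials deserve a closer look first.
$edges | Sort-Object AppRoleGrants, SecretCount -Descending | Format-Table -AutoSize
```

The output only contains credential metadata (counts and expiry dates); Graph never returns secret values, so the report is safe to share with owners for review.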
Azure GUI
Open Microsoft Entra admin center -> App registrations.
Select an application.
Note the Application (client) ID.
Navigate to Enterprise applications and search by the same App ID to find the Service Principal.
Abuse Info
This edge should be taken into consideration when abusing control of an App. Apps authenticate to the tenant as their Service Principals, so if you have control of an App, what you are abusing is that control plus the fact that the App runs as a privileged Service Principal.
To abuse this relationship, you need control over the App Registration through another edge (e.g., AZ_ADD_SECRET, AZ_ADD_OWNER, AZ_APP_ADMIN). Once you have that control, you can add credentials to the App and authenticate as the Service Principal it runs as.
Mitigation
Limit who can add credentials to App Registrations.
Use certificate-based authentication instead of secrets where possible.
Apply least-privilege to Service Principals.
Regularly review and rotate App credentials.
Monitor for unexpected credential additions.
Detection
Monitor Entra Audit logs for credential changes and sign-in activity.
Alert on:
New credentials added to App Registrations (Add application credentials).
Service Principal sign-ins from unusual locations or IPs.
Unexpected API calls by Service Principals.
Investigate:
Initiated by (actor)
Target application
Correlation with known change requests