Skip to content

Add App Role Assignment To Service Principal

Azure

Add App Role Assignment To Service Principal

service: Azure - Microsoft Entra ID
techniques:

Event

Grants an application role to a service principal, allowing it to act with that role’s permissions within the application.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.

Log Source

Entra ID Audit Logs

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud grants the previously-registered BoggartImpersonator service principal the Microsoft Graph app role RoleManagement.ReadWrite.Directory (real Graph appRole id 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). This is a tenant-wide privilege-escalation primitive: any caller who can authenticate as BoggartImpersonator can now mint role assignments to any directory role. The targetResources[0] is the service principal that received the role; modifiedProperties reflects the appRoleAssignment that was created, and additionalDetails includes the granting principal’s UPN.

{
"id": "Directory_90000000-0000-4000-8000-000001100100_7C3D8_44528916",
"category": "ApplicationManagement",
"correlationId": "90000000-0000-4000-8000-000001100100",
"result": "success",
"resultReason": "",
"activityDisplayName": "Add app role assignment to service principal",
"activityDateTime": "2026-04-15T17:48:14.6720581Z",
"loggedByService": "Core Directory",
"operationType": "Assign",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "40000000-0000-4000-8000-000000000010",
"displayName": "BoggartImpersonator",
"type": "ServicePrincipal",
"userPrincipalName": null,
"groupType": null,
"modifiedProperties": [
{
"displayName": "AppRole.DisplayName",
"oldValue": "[]",
"newValue": "[\"RoleManagement.ReadWrite.Directory\"]"
},
{
"displayName": "AppRole.Id",
"oldValue": "[]",
"newValue": "[\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\"]"
},
{
"displayName": "AppRole.Value",
"oldValue": "[]",
"newValue": "[\"RoleManagement.ReadWrite.Directory\"]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"AppRole.DisplayName, AppRole.Id, AppRole.Value\""
}
]
}
],
"additionalDetails": [
{
"key": "User-Agent",
"value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)"
}
]
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...