Add App Role Assignment To Service Principal
Add App Role Assignment To Service Principal
Event
Grants an application role to a service principal, allowing it to act with that role’s permissions within the application.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud grants the previously-registered BoggartImpersonator service principal the Microsoft Graph app role RoleManagement.ReadWrite.Directory (real Graph appRole id 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). This is a tenant-wide privilege-escalation primitive: any caller who can authenticate as BoggartImpersonator can now mint role assignments to any directory role. The targetResources[0] is the service principal that received the role; modifiedProperties reflects the appRoleAssignment that was created, and additionalDetails includes the granting principal’s UPN.
{ "id": "Directory_90000000-0000-4000-8000-000001100100_7C3D8_44528916", "category": "ApplicationManagement", "correlationId": "90000000-0000-4000-8000-000001100100", "result": "success", "resultReason": "", "activityDisplayName": "Add app role assignment to service principal", "activityDateTime": "2026-04-15T17:48:14.6720581Z", "loggedByService": "Core Directory", "operationType": "Assign", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "40000000-0000-4000-8000-000000000010", "displayName": "BoggartImpersonator", "type": "ServicePrincipal", "userPrincipalName": null, "groupType": null, "modifiedProperties": [ { "displayName": "AppRole.DisplayName", "oldValue": "[]", "newValue": "[\"RoleManagement.ReadWrite.Directory\"]" }, { "displayName": "AppRole.Id", "oldValue": "[]", "newValue": "[\"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8\"]" }, { "displayName": "AppRole.Value", "oldValue": "[]", "newValue": "[\"RoleManagement.ReadWrite.Directory\"]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AppRole.DisplayName, AppRole.Id, AppRole.Value\"" } ] } ], "additionalDetails": [ { "key": "User-Agent", "value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)" } ]}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...