Add Federated Identity Credential
Event
Adds a federated identity credential to an application, enabling secretless persistent access via workload identity federation.
Security Context
- Federated identity credentials allow external identity providers to authenticate as the application without secrets, providing a stealthy persistence mechanism that bypasses credential rotation and monitoring of traditional client secrets.
- Adversaries add federated credentials pointing to attacker-controlled identity providers, enabling persistent access that does not generate the typical credential-based audit signals.
Log Source
Entra ID Audit Logs
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azu...
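Added example (not part of the original entry or of any vendor tooling): a triage check over exported Entra ID audit records that reports newly added federated credentials whose issuer is not on an allowlist. The record layout follows the Microsoft Graph directoryAudit shape; the FederatedIdentityCredentials property name, the JSON layout of its values, the sample events and the allowlist are constructed assumptions to verify against your tenant's logs.

```python
import json

# Assumption: modified-property name and value layout; verify in your tenant.
FIC_PROPERTY = "FederatedIdentityCredentials"

def parse_credentials(raw):
    """Decode a modifiedProperties value into a list of credential dicts."""
    try:
        value = json.loads(raw) if raw else []
    except (TypeError, ValueError):
        return []
    if isinstance(value, str):  # tolerate double-encoded JSON
        return parse_credentials(value)
    return [c for c in value if isinstance(c, dict)] if isinstance(value, list) else []

def untrusted_federated_credentials(events, trusted_issuers):
    """One finding per newly added credential whose issuer is not allowlisted."""
    trusted = {i.rstrip("/").lower() for i in trusted_issuers}
    findings = []
    for ev in events:
        actor = ((ev.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")
        for target in ev.get("targetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") != FIC_PROPERTY:
                    continue
                old = {(c.get("Issuer"), c.get("Subject"))
                       for c in parse_credentials(prop.get("oldValue"))}
                for cred in parse_credentials(prop.get("newValue")):
                    issuer = (cred.get("Issuer") or "").rstrip("/").lower()
                    if (cred.get("Issuer"), cred.get("Subject")) in old or issuer in trusted:
                        continue  # entry already existed, or issuer is expected
                    findings.append({"time": ev.get("activityDateTime"), "actor": actor,
                                     "application": target.get("displayName"),
                                     "issuer": cred.get("Issuer"), "subject": cred.get("Subject")})
    return findings

# Constructed sample data (not real tenant events).
GITHUB_CRED = {"Name": "ci", "Issuer": "https://token.actions.githubusercontent.com",
               "Subject": "repo:example-org/app:ref:refs/heads/main"}
EXTERNAL_CRED = {"Name": "sync", "Issuer": "https://idp.example.net", "Subject": "svc-1"}

def make_event(when, upn, old, new):
    return {"activityDateTime": when, "initiatedBy": {"user": {"userPrincipalName": upn}},
            "targetResources": [{"displayName": "payroll-api", "modifiedProperties": [
                {"displayName": FIC_PROPERTY, "oldValue": json.dumps(old), "newValue": json.dumps(new)}]}]}

SAMPLE_EVENTS = [make_event("2024-01-10T09:00:00Z", "devops@example.com", [], [GITHUB_CRED]),
                 make_event("2024-01-12T02:14:00Z", "helpdesk@example.com",
                            [GITHUB_CRED], [GITHUB_CRED, EXTERNAL_CRED])]
TRUSTED_ISSUERS = ["https://token.actions.githubusercontent.com/"]
print(untrusted_federated_credentials(SAMPLE_EVENTS, TRUSTED_ISSUERS))
```

An issuer shared by many tenants, such as the GitHub Actions issuer, identifies the caller only through the subject, so review the subject on allowlisted issuers as well.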