Skip to content

Add Federated Identity Credential

Azure

Add Federated Identity Credential

service: Azure - Microsoft Entra ID
tactics:
techniques:

Event

Adds a federated identity credential to an application, enabling secretless persistent access via workload identity federation.

Security Context

  • Federated identity credentials allow external identity providers to authenticate as the application without secrets, providing a stealthy persistence mechanism that bypasses credential rotation and monitoring of traditional client secrets.
  • Adversaries add federated credentials pointing to attacker-controlled identity providers, enabling persistent access that does not generate the typical credential-based audit signals.

Log Source

Entra ID Audit Logs

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud adds a federated identity credential to the previously-registered BoggartImpersonator application, with the issuer set to a public GitHub Actions OIDC endpoint and subject keyed to an attacker-controlled GitHub repo (repo:draco-org/persistence-runner:ref:refs/heads/main). Anyone who can produce a token from that GitHub workflow can now authenticate as the application — secretless, audit-light, and survives any rotation of the application’s actual client secret.

{
"id": "Directory_90000000-0000-4000-8000-000001100110_9D2C4_71832055",
"category": "ApplicationManagement",
"correlationId": "90000000-0000-4000-8000-000001100110",
"result": "success",
"resultReason": "",
"activityDisplayName": "Update application – Certificates and secrets management",
"activityDateTime": "2026-04-15T18:33:07.4419006Z",
"loggedByService": "Core Directory",
"operationType": "Update",
"tenantId": "10000000-0000-4000-8000-000000000001",
"initiatedBy": {
"app": null,
"user": {
"id": "30000000-0000-4000-8000-001010011010",
"displayName": "Draco Malfoy",
"userPrincipalName": "draco@fantasticlogs.cloud",
"ipAddress": "203.0.113.66",
"userType": "Member",
"homeTenantId": "10000000-0000-4000-8000-000000000001",
"homeTenantName": null
}
},
"targetResources": [
{
"id": "40000000-0000-4000-8000-001010011010",
"displayName": "BoggartImpersonator",
"type": "Application",
"userPrincipalName": null,
"groupType": null,
"modifiedProperties": [
{
"displayName": "FederatedIdentityCredentials",
"oldValue": "[]",
"newValue": "[{\"name\":\"github-persistence\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:draco-org/persistence-runner:ref:refs/heads/main\",\"audiences\":[\"api://AzureADTokenExchange\"],\"description\":\"GitHub Actions token exchange\"}]"
},
{
"displayName": "Included Updated Properties",
"oldValue": null,
"newValue": "\"FederatedIdentityCredentials\""
}
]
}
],
"additionalDetails": [
{
"key": "User-Agent",
"value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)"
}
]
}

MITRE ATT&CK Mapping

Tactics: Persistence

Techniques:
  • T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.