Add Federated Identity Credential
Azure
Add Federated Identity Credential
Event
Adds a federated identity credential to an application, enabling secretless persistent access via workload identity federation.
Security Context
- Federated identity credentials allow external identity providers to authenticate as the application without secrets, providing a stealthy persistence mechanism that bypasses credential rotation and monitoring of traditional client secrets.
- Adversaries add federated credentials pointing to attacker-controlled identity providers, enabling persistent access that does not generate the typical credential-based audit signals.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud adds a federated identity credential to the previously-registered BoggartImpersonator application, with the issuer set to a public GitHub Actions OIDC endpoint and subject keyed to an attacker-controlled GitHub repo (repo:draco-org/persistence-runner:ref:refs/heads/main). Anyone who can produce a token from that GitHub workflow can now authenticate as the application — secretless, audit-light, and survives any rotation of the application’s actual client secret.
{ "id": "Directory_90000000-0000-4000-8000-000001100110_9D2C4_71832055", "category": "ApplicationManagement", "correlationId": "90000000-0000-4000-8000-000001100110", "result": "success", "resultReason": "", "activityDisplayName": "Update application – Certificates and secrets management", "activityDateTime": "2026-04-15T18:33:07.4419006Z", "loggedByService": "Core Directory", "operationType": "Update", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "40000000-0000-4000-8000-001010011010", "displayName": "BoggartImpersonator", "type": "Application", "userPrincipalName": null, "groupType": null, "modifiedProperties": [ { "displayName": "FederatedIdentityCredentials", "oldValue": "[]", "newValue": "[{\"name\":\"github-persistence\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:draco-org/persistence-runner:ref:refs/heads/main\",\"audiences\":[\"api://AzureADTokenExchange\"],\"description\":\"GitHub Actions token exchange\"}]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"FederatedIdentityCredentials\"" } ] } ], "additionalDetails": [ { "key": "User-Agent", "value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)" } ]}MITRE ATT&CK Mapping
Tactics: Persistence
Techniques:
- T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.