Microsoft.Directory/servicePrincipals/credentials/update

Event

Adds or updates credentials (client secrets or certificates) for an Entra ID service principal.

Security Context

  • Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
  • Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
  • Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.

Log Source

Entra ID Audit Logs

Sample Event

MITRE ATT&CK Mapping

Tactics: Credential Access, Persistence, Privilege Escalation

Techniques:
  • T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azu...