Microsoft.Directory/servicePrincipals/credentials/update
Azure
Microsoft.Directory/servicePrincipals/credentials/update
Event
Adds or updates credentials (client secrets or certificates) for an Entra ID service principal.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
- Escalating privileges enables adversaries to access sensitive resources and perform administrative actions beyond their initial access level.
- Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.
Log Source
Entra ID Audit Logs
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud (now an owner of the Phoenix-Backup application via azure-add-owner-to-application) adds a new client secret named BackupRotation2026 to its service principal. The secret has a 2-year expiry, giving Draco a long-lived credential that authenticates as the SP — fully bypassing user-account auth. Maps to T1098.001 (additional cloud credentials).
{ "id": "Directory_90000000-0000-4000-8000-000011001100_5E2F8_91029384", "category": "ApplicationManagement", "correlationId": "90000000-0000-4000-8000-000011001100", "result": "success", "resultReason": "", "activityDisplayName": "Update application – Certificates and secrets management", "activityDateTime": "2026-04-15T19:18:32.7038714Z", "loggedByService": "Core Directory", "operationType": "Update", "tenantId": "10000000-0000-4000-8000-000000000001", "initiatedBy": { "app": null, "user": { "id": "30000000-0000-4000-8000-001010011010", "displayName": "Draco Malfoy", "userPrincipalName": "draco@fantasticlogs.cloud", "ipAddress": "203.0.113.66", "userType": "Member", "homeTenantId": "10000000-0000-4000-8000-000000000001", "homeTenantName": null } }, "targetResources": [ { "id": "40000000-0000-4000-8000-000000000001", "displayName": "Phoenix-Backup", "type": "Application", "userPrincipalName": null, "groupType": null, "modifiedProperties": [ { "displayName": "KeyDescription", "oldValue": "[]", "newValue": "[\"KeyIdentifier=60000000-0000-4000-8000-000011001101,KeyType=Password,KeyUsage=Verify,DisplayName=BackupRotation2026\"]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"KeyDescription\"" } ] } ], "additionalDetails": [ { "key": "User-Agent", "value": "python/3.11.6 (Linux-5.15.0-1052-aws-x86_64-with-glibc2.35) AZURECLI/2.56.0 (DEB)" } ]}MITRE ATT&CK Mapping
Tactics: Credential Access Persistence Privilege Escalation
Techniques:
- T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.