Unauthorized Federated Credential Added To Managed Identity
Query
let allowedRepos = dynamic(["REPLACE_WITH_YOUR_ALLOWED_REPOSITORIES"]);
AzureActivity
| where OperationNameValue =~ "MICROSOFT.MANAGEDIDENTITY/USERASSIGNEDIDENTITIES/FEDERATEDIDENTITYCREDENTIALS/WRITE"
| where ActivityStatusValue =~ "Success"
| extend UMIName = tostring(split(tostring(Properties_d.resource), '/')[0])
| extend FederatedCredentialName = tostring(split(tostring(Properties_d.resource), '/')[0])
| extend UniqueTokenIdentifier = tostring(parse_json(Claims).uti)
| project
TimeGenerated,
UMIName,
FederatedCredentialName,
Caller,
CallerIpAddress,
UniqueTokenIdentifier,
_ResourceId
| join kind=inner (AuditLogs
| where OperationName == "Update service principal"
| where TargetResources has "FederatedIdentityCredentials"
| mv-expand TargetResources to typeof(dynamic)
| extend UMIName = tostring(TargetResources.displayName)
| project UMIName, TargetResources)
on UMIName
| extend modifiedProperties = TargetResources.modifiedProperties
| mv-apply ModifiedProperty = modifiedProperties to typeof(dynamic) on (where ModifiedProperty.displayName == "FederatedIdentityCredentials")
| extend NewCredentials = todynamic(tostring(ModifiedProperty.newValue))
| mv-expand NewCredential = NewCredentials to typeof(dynamic)
// Extract the attacker organization name and repository name
| extend AttackerOrg = replace_regex(tostring(NewCredential.Subject), '^repo:(.*?)/.*$', @'\1')
| extend AttackerRepo = replace_regex(tostring(NewCredential.Subject), '^repo:(.*?)/(.*?):.*$', @'\2')
| where AttackerOrg !in (allowedRepos)
| project-away TargetResources, modifiedProperties, ModifiedProperty, NewCredentials, UMIName1Explanation
This query is designed to detect unauthorized additions of Federated Identity Credentials to User Assigned Managed Identities in Azure. Here's a simple breakdown of what it does:
-
Purpose: The query identifies when a Managed Identity is configured to trust an external repository or organization that is not on an approved list. This could potentially allow unauthorized access to Azure resources.
-
Potential Risks:
- Persistence: Unauthorized external workflows (like GitHub Actions) could obtain Azure Access Tokens.
- Privilege Escalation: External actors might gain permissions associated with the Managed Identity without needing a password or secret.
- Defense Evasion: Legitimate cloud federation protocols are used to bypass traditional credential monitoring.
-
Query Details:
- It checks for successful operations where Federated Identity Credentials are written to a Managed Identity.
- It joins this data with audit logs to find updates to service principals involving Federated Identity Credentials.
- The query extracts the organization and repository names from the new credentials.
- It filters out any credentials that are not from allowed repositories.
-
Alert Configuration:
- If unauthorized credentials are detected, an alert is generated.
- Alerts are grouped by IP, Account, and Azure Resource to manage incidents effectively.
-
Severity: The severity level of this detection is set to Medium, indicating a significant security concern that needs attention.
-
Frequency: The query runs every 10 minutes, checking activities from the past 14 minutes to ensure timely detection.
Overall, this query helps in identifying and alerting on potential security breaches involving unauthorized federated credentials in Azure environments.
Details

Fabian Bader
Released: February 5, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: 10m
Period: 14m