Query Details

Unauthorized Federated Credential Added To Managed Identity

Query

id: 6062fcdc-6377-4e24-8673-465a7910c404
name: Unauthorized Federated Credential Added to Managed Identity
version: 1.0.0
kind: Scheduled
description: |-
  Detected the addition of an unauthorized Federated Identity Credential to a User Assigned Managed Identity.

  The activity involved configuring a Managed Identity to trust a specific external repository or organization that was not on the approved allow-list.

  This configuration established a potential backdoor, allowing:
  * Persistence: External workflows (e.g., GitHub Actions) from the unauthorized organization (AttackerOrg) were authorized to exchange their OIDC tokens for valid Azure Access Tokens.
  * Privilege Escalation: An external actor effectively gained the permissions associated with the internal Managed Identity without requiring a password or secret.
  * Defense Evasion: The actor utilized legitimate cloud federation protocols to bypass traditional credential monitoring.
severity: Medium
queryFrequency: 10m
queryPeriod: 14m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- DefenseEvasion
- LateralMovement
relevantTechniques:
- T1098.001
- T1484.002
- T1550.001
- T1078.004
query: |-
  let allowedRepos = dynamic(["REPLACE_WITH_YOUR_ALLOWED_REPOSITORIES"]);
  AzureActivity
  | where OperationNameValue =~ "MICROSOFT.MANAGEDIDENTITY/USERASSIGNEDIDENTITIES/FEDERATEDIDENTITYCREDENTIALS/WRITE"
  | where ActivityStatusValue =~ "Success"
  | extend UMIName = tostring(split(tostring(Properties_d.resource), '/')[0])
  // Assumes the resource path layout <umiName>/federatedIdentityCredentials/<credentialName>, so the credential name is the third segment
  | extend FederatedCredentialName = tostring(split(tostring(Properties_d.resource), '/')[2])
  | extend UniqueTokenIdentifier = tostring(parse_json(Claims).uti)
  | project
      TimeGenerated,
      UMIName,
      FederatedCredentialName,
      Caller,
      CallerIpAddress,
      UniqueTokenIdentifier,
      _ResourceId
  | join kind=inner (AuditLogs
      | where OperationName == "Update service principal"
      | where TargetResources has "FederatedIdentityCredentials"
      | mv-expand TargetResources to typeof(dynamic)
      | extend UMIName = tostring(TargetResources.displayName)
      | project UMIName, TargetResources)
      on UMIName
  | extend modifiedProperties = TargetResources.modifiedProperties
  | mv-apply ModifiedProperty = modifiedProperties to typeof(dynamic) on (where ModifiedProperty.displayName == "FederatedIdentityCredentials")
  | extend NewCredentials = todynamic(tostring(ModifiedProperty.newValue))
  | mv-expand NewCredential = NewCredentials to typeof(dynamic)
  // Extract the attacker organization name and repository name
  | extend AttackerOrg = replace_regex(tostring(NewCredential.Subject), '^repo:(.*?)/.*$', @'\1')
  | extend AttackerRepo = replace_regex(tostring(NewCredential.Subject), '^repo:(.*?)/(.*?):.*$', @'\2')
  | where AttackerOrg !in (allowedRepos)
  | project-away TargetResources, modifiedProperties, ModifiedProperty, NewCredentials, UMIName1
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities:
    - IP
    - Account
    - AzureResource
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  AttackerOrg: AttackerOrg
  AttackerRepo: AttackerRepo
  uti: UniqueTokenIdentifier
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: CallerIpAddress
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Caller
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: _ResourceId
suppressionDuration: 5h

Explanation

This query is designed to detect unauthorized additions of Federated Identity Credentials to User Assigned Managed Identities in Azure. Here's a simple breakdown of what it does:

  1. Purpose: The query identifies when a Managed Identity is configured to trust an external repository or organization that is not on an approved list. This could potentially allow unauthorized access to Azure resources.

  2. Potential Risks:

    • Persistence: Unauthorized external workflows (like GitHub Actions) could obtain Azure Access Tokens.
    • Privilege Escalation: External actors might gain permissions associated with the Managed Identity without needing a password or secret.
    • Defense Evasion: Legitimate cloud federation protocols are used to bypass traditional credential monitoring.

  3. Query Details:

    • It checks for successful operations where Federated Identity Credentials are written to a Managed Identity.
    • It joins this data with audit logs to find updates to service principals involving Federated Identity Credentials.
    • The query extracts the organization and repository names from the subject of each new credential.
    • It keeps only credentials whose organization is not on the allow-list; those are the rows that get reported.

  4. Alert Configuration:

    • If unauthorized credentials are detected, an alert is generated.
    • Alerts are grouped by IP, Account, and Azure Resource to manage incidents effectively.

  5. Severity: The severity level of this detection is set to Medium, indicating a significant security concern that needs attention.

  6. Frequency: The query runs every 10 minutes, checking activities from the past 14 minutes to ensure timely detection.

Overall, this query helps in identifying and alerting on potential security breaches involving unauthorized federated credentials in Azure environments.
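The org/repo extraction and allow-list check that the query performs with replace_regex() and !in, reimplemented as an added Python example (not part of the original rule) so it can be run offline against the JSON found in modifiedProperties[].newValue. The sample payload, the credential names and the allowed org are constructed, and the example assumes the GitHub OIDC subject layout "repo:<org>/<repo>:<claim>..."; it also shows what happens when a subject from another issuer does not match that layout, and it compares org names case-insensitively, unlike KQL's !in, which is case-sensitive.

```python
import json
import re
from typing import Optional

# Same two patterns the query uses for AttackerOrg and AttackerRepo
ORG_RE = re.compile(r'^repo:(.*?)/.*$')
REPO_RE = re.compile(r'^repo:(.*?)/(.*?):.*$')


def parse_subject(subject: str) -> tuple[Optional[str], Optional[str]]:
    """Return (org, repo) from a GitHub OIDC subject claim, or (None, None)
    when the subject does not follow the repo:<org>/<repo>:... layout
    (e.g. a credential trusting a different issuer)."""
    m_org = ORG_RE.match(subject)
    m_repo = REPO_RE.match(subject)
    org = m_org.group(1) if m_org else None
    repo = m_repo.group(2) if m_repo else None
    return org, repo


def unauthorized_credentials(new_value: str, allowed_orgs: set[str]) -> list[dict]:
    """new_value is the JSON string from the FederatedIdentityCredentials
    modifiedProperties entry. Returns every credential whose org is not on the
    allow-list; unparseable subjects are reported too (fail closed)."""
    allowed = {o.lower() for o in allowed_orgs}
    findings = []
    for cred in json.loads(new_value):
        subject = cred.get("Subject", "")
        org, repo = parse_subject(subject)
        if org is None or org.lower() not in allowed:
            findings.append({"Name": cred.get("Name"), "Issuer": cred.get("Issuer"),
                             "AttackerOrg": org, "AttackerRepo": repo, "Subject": subject})
    return findings


# Constructed sample shaped like the AuditLogs newValue payload (not a real log)
SAMPLE_NEW_VALUE = json.dumps([
    {"Name": "prod-deploy", "Issuer": "https://token.actions.githubusercontent.com",
     "Subject": "repo:ContosoOrg/infra:ref:refs/heads/main", "Audiences": ["api://AzureADTokenExchange"]},
    {"Name": "ci-helper", "Issuer": "https://token.actions.githubusercontent.com",
     "Subject": "repo:AttackerOrg/tooling:environment:production", "Audiences": ["api://AzureADTokenExchange"]},
    {"Name": "other-issuer", "Issuer": "https://example-issuer.invalid",
     "Subject": "system:serviceaccount:ns:sa", "Audiences": ["api://AzureADTokenExchange"]},
])

if __name__ == "__main__":
    for finding in unauthorized_credentials(SAMPLE_NEW_VALUE, {"ContosoOrg"}):
        print(finding)
```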

Details

Fabian Bader

Released: February 5, 2026

Tables

AzureActivity, AuditLogs

Keywords

AzureActivity, AuditLogs, ManagedIdentity, UserAssignedIdentities, FederatedIdentityCredentials, ServicePrincipal, CallerIpAddress, UniqueTokenIdentifier, ResourceId, AttackerOrg, AttackerRepo

Operators

let, dynamic, =~, split, tostring, parse_json, project, join, kind=inner, mv-expand, to typeof, extend, replace_regex, !in, project-away, mv-apply, on, where