Entra ID Federated Identity Credential Issuer Modified
Modification of the issuer URL of a federated identity credential in Entra ID can allow an attacker to authenticate as the application's service principal, granting persistent access to Azure resources by pointing to an attacker-controlled identity provider and bypassing normal authentication.
This detection identifies modifications to the issuer URL within a federated identity credential on an Entra ID application. Federated identity credentials enable applications to authenticate using tokens from external identity providers (e.g., GitHub Actions, AWS) without managing secrets. An attacker can exploit this by changing the issuer to an attacker-controlled identity provider, enabling them to generate valid tokens and authenticate as the application’s service principal. This technique provides persistent access to Azure resources with the application’s permissions, effectively bypassing traditional secret-based authentication. The detection logic focuses on the “Update application” event within Entra ID audit logs, specifically targeting changes to the “FederatedIdentityCredentials” property. It is applicable to environments using Azure and Entra ID and is relevant for defenders aiming to prevent unauthorized access and maintain the integrity of their cloud infrastructure.
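As an added illustration of the detection logic described above (not the rule's own query or any vendor code), the following Python walks constructed audit events, keeps only "Update application" operations that touch the FederatedIdentityCredentials property, and reports each existing credential whose Issuer value differs between the old and new values. The event field names and the JSON-encoded credential layout are assumptions modelled on the Entra ID audit record, not copied from a real log.

```python
import json

# Constructed sample Entra ID audit events (not real logs). Layout loosely follows an "Update
# application" record: modified_properties[] holds old/new values as JSON strings; keys are assumptions.
GH_ISSUER = "https://token.actions.githubusercontent.com"
def _event(upn, ip, app, prop, old, new):
    return {"operation_name": "Update application",
            "initiated_by": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
            "target_resources": [{"display_name": app, "modified_properties": [
                {"display_name": prop, "old_value": old, "new_value": new}]}]}
def _fic(name, issuer, subject="repo:example/app:ref:refs/heads/main"):
    return json.dumps([{"Name": name, "Issuer": issuer, "Subject": subject,
                        "Audiences": ["api://AzureADTokenExchange"]}])

SAMPLE_EVENTS = [
    # issuer swapped from GitHub Actions to an unknown provider -> should produce a finding
    _event("alice@example.test", "203.0.113.10", "deploy-app", "FederatedIdentityCredentials",
           _fic("gh-main", GH_ISSUER), _fic("gh-main", "https://idp.example.invalid")),
    # same property touched, but only the subject changed -> no issuer finding
    _event("bob@example.test", "203.0.113.11", "deploy-app", "FederatedIdentityCredentials",
           _fic("gh-main", GH_ISSUER), _fic("gh-main", GH_ISSUER, "repo:example/app:ref:refs/heads/dev")),
    # unrelated application update -> ignored
    _event("bob@example.test", "203.0.113.11", "deploy-app", "DisplayName", '"old"', '"new"'),
]

def _credentials(raw):
    """Parse a JSON-encoded credential list keyed by Name; empty or malformed -> {}."""
    try:
        return {c.get("Name"): c for c in json.loads(raw or "[]")}
    except (ValueError, TypeError, AttributeError):
        return {}

def issuer_changes(events):
    """Return one finding per existing federated credential whose Issuer value changed."""
    findings = []
    for ev in events:
        if ev.get("operation_name") != "Update application":
            continue
        user = ev.get("initiated_by", {}).get("user", {})
        for res in ev.get("target_resources", []):
            for prop in res.get("modified_properties", []):
                if prop.get("display_name") != "FederatedIdentityCredentials":
                    continue
                old = _credentials(prop.get("old_value"))
                for name, cred in _credentials(prop.get("new_value")).items():
                    if name in old and old[name].get("Issuer") != cred.get("Issuer"):
                        findings.append({"app": res.get("display_name"), "credential": name,
                                         "old_issuer": old[name].get("Issuer"), "new_issuer": cred.get("Issuer"),
                                         "user": user.get("userPrincipalName"), "ip": user.get("ipAddress")})
    return findings
```

Each finding carries the initiating user principal name and IP address so the triage step of tracing who made the change can start from the alert itself.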
Attack Chain
- An attacker compromises an Entra ID account with sufficient privileges to modify application registrations.
- The attacker navigates to the Entra ID portal or uses PowerShell/Azure CLI to locate a target application with federated identity credentials configured.
- The attacker modifies the “Issuer” URL of an existing Federated Identity Credential within the application registration. They replace the legitimate issuer URL with a URL controlled by the attacker.
- The attacker configures their own identity provider to issue tokens that match the application’s expected audience and subject claims.
- The attacker crafts a malicious token from their identity provider, impersonating the legitimate service principal.
- The attacker uses the crafted token to authenticate to Azure resources, bypassing normal authentication controls.
- The attacker leverages the application’s permissions to access sensitive data, modify configurations, or deploy malicious code.
- The attacker maintains persistent access to the Azure environment by continuing to use the compromised federated identity configuration.
Impact
Successful exploitation allows an attacker to gain persistent access to Azure resources with the permissions of the compromised application. This could lead to data breaches, unauthorized modifications to critical infrastructure, and deployment of malicious code within the cloud environment. The impact is significant because it bypasses traditional authentication methods and relies on a trust relationship established with an external identity provider. The rule is rated high severity because it directly addresses a persistence and privilege escalation technique that can severely impact the confidentiality, integrity, and availability of cloud resources.
Recommendation
- Enable the Azure integration with Microsoft Entra ID Audit Logs data stream to ingest data in your Elastic Stack deployment, as required by the rule setup instructions.
- Deploy the provided Sigma rule to your SIEM to detect unauthorized modifications to federated identity credential issuers in Entra ID (Entra ID Federated Identity Credential Issuer Modified).
- Review the azure.auditlogs.properties.initiated_by.user.userPrincipalName and ipAddress fields of the audit logs to determine the source of detected changes, as recommended in the rule's triage notes.
- Implement conditional access policies and PIM (Privileged Identity Management) to protect application management operations within Entra ID, as suggested in the rule's response and remediation guidance.
Detection coverage (2 rules)
Entra ID Federated Identity Credential Issuer Modified (Sysmon)
Severity: high. Detects changes to the issuer URL of a federated identity credential based on process execution that makes the change.
Entra ID Federated Identity Credential Issuer Modified (Audit Logs)
Severity: medium. Detects modifications to the issuer URL of a federated identity credential in Entra ID using audit logs.