{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/federated_identity/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["azure","entra_id","federated_identity","persistence","privilege_escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies modifications to the issuer URL of a federated identity credential on an Entra ID application registration. Federated identity credentials (workload identity federation) let an application obtain Entra ID tokens by presenting a token from a trusted external identity provider (e.g., GitHub Actions, AWS) instead of a client secret or certificate: Entra ID checks the external token\u0026rsquo;s issuer, subject and audience against the credential and verifies its signature with keys fetched from the issuer\u0026rsquo;s OpenID Connect discovery metadata. An attacker who can edit the credential can therefore point the issuer at an identity provider they control, mint tokens that satisfy the subject and audience checks, and exchange them for Entra ID access tokens as the application\u0026rsquo;s service principal. Because no client secret or certificate is involved, this access survives secret rotation and is not surfaced by reviews that look only for newly added secrets or certificates. The detection logic focuses on the \u0026ldquo;Update application\u0026rdquo; event within Entra ID audit logs, specifically changes to the \u0026ldquo;FederatedIdentityCredentials\u0026rdquo; property. 
It is applicable to environments using Azure and Entra ID and is relevant for defenders aiming to prevent unauthorized access and maintain the integrity of their cloud infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an Entra ID identity with sufficient privileges to modify application registrations, such as an Application Administrator, a Cloud Application Administrator, or an owner of the target application.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the Entra admin center, Microsoft Graph, PowerShell or the Azure CLI to locate a target application with federated identity credentials configured.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026ldquo;Issuer\u0026rdquo; URL of an existing federated identity credential within the application registration, replacing the legitimate issuer with a URL they control, so that Entra ID now fetches signing keys from the attacker\u0026rsquo;s OpenID Connect discovery endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker configures their own identity provider to issue tokens whose subject and audience claims match the values configured on the credential.\u003c/li\u003e\n\u003cli\u003eThe attacker mints a token from that identity provider and presents it to the Entra ID token endpoint as a client assertion in the client credentials flow, receiving an access token for the application\u0026rsquo;s service principal.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the access token to authenticate to Azure resources (and to Microsoft Graph, if the application holds Graph permissions) without possessing any secret or certificate for the application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the application\u0026rsquo;s permissions to access sensitive data, modify configurations, or deploy malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the Azure environment by continuing to use the modified federated identity credential, which is unaffected by secret or certificate rotation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to gain persistent access to Azure resources with the permissions of the compromised application. 
This could lead to data breaches, unauthorized modifications to critical infrastructure, and deployment of malicious code within the cloud environment. The impact is significant because the access does not depend on any client secret or certificate and instead abuses a trust relationship with an external identity provider, so it is not disrupted by credential rotation. The rule is rated high severity because it directly addresses a persistence and privilege escalation technique that can severely impact the confidentiality, integrity, and availability of cloud resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the Azure integration with the Microsoft Entra ID Audit Logs data stream to ingest data into your Elastic Stack deployment, as required by the rule setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unauthorized modifications to federated identity credential issuers in Entra ID (\u003ccode\u003eEntra ID Federated Identity Credential Issuer Modified\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eazure.auditlogs.properties.initiated_by.user.userPrincipalName\u003c/code\u003e and \u003ccode\u003eipAddress\u003c/code\u003e to determine the source of detected changes, as recommended in the rule\u0026rsquo;s triage notes. Also compare the old and new issuer values in the event\u0026rsquo;s modified properties: a new issuer that is not one of the identity providers your organization knowingly federates with, or an issuer changed on an existing credential rather than added through change management, should be treated as malicious until proven otherwise.\u003c/li\u003e\n\u003cli\u003eIf the change is unauthorized, remove or restore the credential and review the application\u0026rsquo;s service principal sign-in logs for token requests that used it; access tokens already issued remain valid until they expire.\u003c/li\u003e\n\u003cli\u003eImplement conditional access policies and PIM (Privileged Identity Management) to protect application management operations within Entra ID, as suggested in the rule\u0026rsquo;s response and remediation guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-18T21:22:55Z","date_published":"2026-03-18T21:22:55Z","id":"/briefs/2026-03-entra-id-federated-issuer-modified/","summary":"Modification of the issuer URL of a federated identity credential in Entra ID can allow an attacker to authenticate as the application's service principal, granting persistent access to Azure resources by pointing to an 
attacker-controlled identity provider and bypassing normal authentication.","title":"Entra ID Federated Identity Credential Issuer Modified","url":"https://feed.craftedsignal.io/briefs/2026-03-entra-id-federated-issuer-modified/"}],"language":"en","title":"CraftedSignal Threat Feed — Federated_identity","version":"https://jsonfeed.org/version/1.1"}
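The detection logic the brief describes (the "Update application" audit event with a changed "FederatedIdentityCredentials" property), run over a few constructed audit records, as an added example that is not the feed's rule or any Microsoft code. It assumes the Azure Monitor / Microsoft Graph auditLogs record shape (operationName, initiatedBy, targetResources with modifiedProperties) and assumes the property's oldValue/newValue are JSON-encoded lists of credential objects with Name/Issuer/Subject/Audiences keys; KNOWN_ISSUERS, the application name and the actor details are assumptions for the sample.

```python
"""Entra ID audit-log check for federated identity credential issuer changes.

Added worked example, not the feed's detection rule or Microsoft code.
Assumed record shape: Azure Monitor / Microsoft Graph auditLogs
(operationName, initiatedBy, targetResources[].modifiedProperties[]), with
the FederatedIdentityCredentials old/new values JSON-encoded as lists of
credential objects carrying Name/Issuer/Subject/Audiences keys.
The sample events at the bottom are constructed, not real tenant data.
"""
import json

# Issuers the organisation knowingly federates with (assumed allowlist; tune per tenant).
KNOWN_ISSUERS = {
    "https://token.actions.githubusercontent.com",
}


def _get(obj, key):
    """Case-insensitive key lookup, since exported property casing varies."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None


def parse_credentials(value):
    """Decode a modifiedProperties old/new value into {credential name: credential}."""
    if not value:
        return {}
    try:
        creds = json.loads(value)
        if isinstance(creds, str):  # some exports double-encode the value
            creds = json.loads(creds)
    except (json.JSONDecodeError, TypeError):
        return {}
    if isinstance(creds, dict):
        creds = [creds]
    return {_get(c, "name"): c for c in creds if isinstance(c, dict)}


def issuer_findings(event):
    """Return one finding per federated credential whose issuer was added or changed."""
    if event.get("operationName") != "Update application":
        return []
    actor = event.get("initiatedBy", {}).get("user", {})
    findings = []
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") != "FederatedIdentityCredentials":
                continue
            old = parse_credentials(prop.get("oldValue"))
            new = parse_credentials(prop.get("newValue"))
            for name, cred in new.items():
                new_issuer = _get(cred, "issuer")
                old_issuer = _get(old.get(name, {}), "issuer")
                if new_issuer == old_issuer:
                    continue  # issuer untouched (e.g. only the subject changed)
                findings.append({
                    "app": target.get("displayName"),
                    "credential": name,
                    "old_issuer": old_issuer,
                    "new_issuer": new_issuer,
                    "change": "added" if old_issuer is None else "modified",
                    # An issuer outside the allowlist is the attack pattern in the brief.
                    "severity": "high" if new_issuer not in KNOWN_ISSUERS else "low",
                    "actor": actor.get("userPrincipalName"),  # triage fields from the brief
                    "ip": actor.get("ipAddress"),
                })
    return findings


def _event(old_creds, new_creds, upn="admin@contoso.example", ip="203.0.113.7"):
    """Build a constructed audit record in the assumed shape."""
    return {
        "operationName": "Update application",
        "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
        "targetResources": [{
            "displayName": "deploy-pipeline",
            "type": "Application",
            "modifiedProperties": [{
                "displayName": "FederatedIdentityCredentials",
                "oldValue": json.dumps(old_creds),
                "newValue": json.dumps(new_creds),
            }],
        }],
    }


GITHUB = {"Name": "gh-main", "Issuer": "https://token.actions.githubusercontent.com",
          "Subject": "repo:contoso/app:ref:refs/heads/main",
          "Audiences": ["api://AzureADTokenExchange"]}

SAMPLE_EVENTS = [  # constructed sample records
    # 1. Issuer swapped to an attacker-controlled IdP, subject and audience kept: the brief's scenario.
    _event([GITHUB], [dict(GITHUB, Issuer="https://idp.attacker.example")]),
    # 2. Only the subject changed: not an issuer modification.
    _event([GITHUB], [dict(GITHUB, Subject="repo:contoso/app:ref:refs/heads/release")]),
    # 3. Second credential added for a known issuer: reported, but low severity.
    _event([GITHUB], [GITHUB, dict(GITHUB, Name="gh-release", Subject="repo:contoso/app:environment:prod")]),
    # 4. Unrelated application update with no federated-credential change.
    {"operationName": "Update application", "initiatedBy": {"user": {}},
     "targetResources": [{"displayName": "deploy-pipeline", "modifiedProperties": [
         {"displayName": "DisplayName", "oldValue": "\"old\"", "newValue": "\"new\""}]}]},
]


def scan(events):
    """Run the check over a batch of audit records."""
    return [f for e in events for f in issuer_findings(e)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first and third records produce findings; the issuer swap is reported as a high-severity "modified" change with the actor's UPN and IP attached for triage, while the added credential for an allowlisted issuer is reported at low severity so it can still be reconciled against change management.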