Service Principal Adds Client Secret To Target Application
Query
AuditLogs
| where TimeGenerated > ago(20m)
| where OperationName has_all ("Update application", "Certificates and secrets management")
| where TargetResources has "KeyType=Password"
| extend InitiatedByServicePrincipalId = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)
| extend InitiatedByServicePrincipalDisplayName = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| where isnotempty(InitiatedByServicePrincipalId)
| mv-expand TargetResources to typeof(dynamic)
| extend TargetServicePrincipalName = tostring(TargetResources.displayName)
| extend TargetServicePrincipalId = tostring(TargetResources.id)
| extend modifiedProperties = TargetResources.modifiedProperties
| mv-apply ModifiedProperty = modifiedProperties to typeof(dynamic) on (where ModifiedProperty.displayName == "KeyDescription")
| extend NewCredentials = todynamic(tostring(ModifiedProperty.newValue))
| mv-expand NewCredential = NewCredentials to typeof(string)
| extend NewCredential = trim(@'[\[\]]', NewCredential)
| parse-kv NewCredential as (KeyIdentifier: string, KeyType: string, KeyUsage: string, KeyDisplayName: string) with (pair_delimiter=',', kv_delimiter='=')
| project-away NewCredentials, NewCredential, modifiedProperties, ModifiedProperty, KeyUsage
| project-reorder
TimeGenerated,
OperationName,
InitiatedByServicePrincipalDisplayName,
InitiatedByServicePrincipalId,
TargetServicePrincipalName,
TargetServicePrincipalId,
KeyType,
KeyIdentifierExplanation
This query is designed to detect when a non-human identity, specifically an Azure AD Service Principal, adds a new password credential (also known as a Client Secret) to an application or another Service Principal in Azure Active Directory. This action is monitored because it can be a legitimate operation, such as automated credential rotation by management tools, but it can also indicate a security threat. An attacker could exploit this capability to maintain access or escalate privileges by injecting a new secret into a highly privileged application.
Here's a simplified breakdown of the query:
- Purpose: To alert when a Service Principal creates or adds a new Client Secret to a target application.
- Frequency: The query runs every 10 minutes and looks back over the past 12 hours.
- Severity: The alert is classified as medium severity.
- Detection Logic:
- It examines audit logs for operations related to updating applications and managing certificates and secrets.
- It filters for actions where a password credential is involved.
- It extracts details about the Service Principal initiating the action and the target application.
- It identifies and processes the new credentials added.
- Alert Configuration:
- An incident is created for each detection.
- Incidents are grouped if they involve the same entities within a 5-hour window.
- Entity Mapping: The Service Principal's display name is mapped to an account entity for further analysis.
Overall, this query helps in identifying potentially unauthorized or suspicious credential changes that could compromise application security.
Details

Fabian Bader
Released: February 5, 2026
Tables
Keywords
Operators
Severity
MediumTactics
MITRE Techniques
Frequency: 10m
Period: 12h