Unauthorized actor has been added Federated Credential on User-Assigned Managed Identitiy
Unauthorized Actor Has Been Added Federated Credential On User Assigned Managed Identity
Query
let IncludeScope = dynamic(['36955ea9-c98e-4749-b603-ffefe652dd90/lab/lab-platform/lab-management/4d3e5b65-8a52-4b2f-b5cd-1670c700136b']);
let ExcludeActors = IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where GroupMembership has "<GroupOfAzureIdentityAdministrators>"
| project AccountObjectId;
let ExcludeActorsWithRole = dynamic(['Owner', 'User Access Administrator', 'Subscription Admin']);
let FilteredRiskLevel = "";
AzureActivity
| where OperationNameValue =~ "MICROSOFT.MANAGEDIDENTITY/USERASSIGNEDIDENTITIES/FEDERATEDIDENTITYCREDENTIALS/WRITE" and ActivityStatusValue == "Success"
| extend Hiearchy = parse_json(Properties).hierarchy
| where Hiearchy in~ (IncludeScope)
| extend CallerObjectId = Claims_d.["http://schemas.microsoft.com/identity/claims/objectidentifier"]
| where CallerObjectId !in~ (ExcludeActors)
| extend CallerRole = parse_json(tostring(Authorization_d.evidence)).role
| where CallerRole !in~ (ExcludeActorsWithRole)
| extend UniqueTokenIdentifier = tostring(parse_json(Claims).uti)
| join kind=leftouter (union SigninLogs, AADNonInteractiveUserSignInLogs
| summarize by UniqueTokenIdentifier, RiskLevel, RiskLevelDuringSignIn
)
on $left.UniqueTokenIdentifier == $right.UniqueTokenIdentifier
| where RiskLevel in (FilteredRiskLevel) or RiskLevelDuringSignIn in (FilteredRiskLevel)
| extend Severity = iff(RiskLevelDuringSignIn != "none", "High", "Medium")
| project
TimeGenerated,
Caller,
CallerIpAddress,
CorrelationId,
ResourceId = _ResourceId,
UniqueTokenIdentifier,
FederatedCredentialEntity = parse_json(Properties).entity,
Hierarchy,
RiskLevelDuringSignIn,
SeverityExplanation
This query is designed to detect and alert when an unauthorized actor is added as a federated credential to a user-assigned managed identity in Azure. Here's a simplified summary:
-
Scope and Exclusions:
- It includes specific Azure resources to monitor.
- Excludes certain actors based on their group membership or roles (like Owner, User Access Administrator, Subscription Admin).
-
Activity Monitoring:
- Monitors Azure activities specifically for successful operations where federated identity credentials are written to user-assigned managed identities.
-
Risk Assessment:
- Checks if the actor involved in the operation is not in the excluded list.
- Joins with sign-in logs to assess the risk level during sign-in.
- If any sign-in risk is detected, the severity of the incident is set to "High"; otherwise, it remains "Medium".
-
Incident Creation:
- If any unauthorized addition is detected, an incident is created.
- The incident includes details like the time of the event, caller information, IP address, resource ID, and risk level during sign-in.
-
Alert Configuration:
- Alerts are generated as single alerts without grouping.
- Custom details and entity mappings are provided for better context in the alert.
-
Suppression:
- Suppression is not enabled, meaning alerts will be generated immediately without delay.
In essence, this query helps in identifying and alerting on potential unauthorized access attempts by monitoring changes to federated credentials on user-assigned managed identities, ensuring that only authorized actors are making such changes.
Details

Thomas Naunheim
Released: August 2, 2024
Tables
AzureActivityIdentityInfoSigninLogsAADNonInteractiveUserSignInLogs
Keywords
DevicesUserAzureResourceAccountIP
Operators
letdynamicwheresummarizearg_maxbyhasprojectago=~andextendparse_jsonin~tostring!in~joinkindunionon==iniffor
Severity
MediumTactics
Persistence
Frequency: 1h
Period: 14d