Entra ID Federated Identity Credential Issuer Modified

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Entra ID Federated Identity Credential Issuer Modified

Detects when the issuer URL of a federated identity credential is changed on an Entra ID application. Adversaries may modify the issuer to point to an attacker-controlled identity provider, enabling them to authenticate as the application’s service principal and gain persistent access to Azure resources. This technique allows bypassing traditional authentication controls by federating trust with a malicious external identity provider.

Rule type: esql

Rule indices: None

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Cloud
Domain: Identity
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Audit Logs
Use Case: Identity and Access Audit
Tactic: Persistence
Tactic: Privilege Escalation
Resources: Investigation Guide

Version: 8

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Entra ID Federated Identity Credential Issuer Modified

This rule detects when the issuer URL within a federated identity credential is modified on an Entra ID application. Federated identity credentials allow applications to authenticate using tokens from external identity providers (like GitHub Actions, AWS, etc.) without managing secrets. Adversaries can abuse this by changing the issuer to an attacker-controlled identity provider, allowing them to generate valid tokens and authenticate as the application’s service principal.

This technique provides persistent access to Azure resources with the application’s permissions and bypasses secret-based authentication controls.

Possible investigation steps

Review azure.auditlogs.properties.initiated_by.user.userPrincipalName and ipAddress to identify who made the change and from where.
Examine the Esql.external_idp_old_issuer and Esql.external_idp_new_issuer fields to determine if the new issuer is expected or potentially malicious.
Check if the new issuer domain is controlled by the organization or if it’s an external/suspicious domain.
Review the application’s assigned roles and permissions to understand the scope of access gained.
Use azure.correlation_id to pivot to related changes in the same session.
Check for subsequent Azure sign-in activity using the modified federated credential.
Investigate if the application has been used to access sensitive resources after the change.

False positive analysis

Legitimate migrations from one identity provider to another (e.g., GitHub to GitLab) may trigger this detection.
DevOps teams may update issuer URLs as part of CI/CD pipeline changes.
Validate any changes with the application owner or DevOps team before taking action.

Response and remediation

If the change is unauthorized, immediately remove or revert the federated identity credential.
Rotate any secrets or certificates associated with the application.
Review Azure sign-in logs and audit logs for any unauthorized activity using the application’s identity.
Disable the application or service principal if compromise is confirmed.
Investigate how the unauthorized change occurred (e.g., compromised admin account, over-privileged service principal).
Implement conditional access policies and PIM (Privileged Identity Management) to protect application management operations.

Setup

edit

Microsft Entra ID Audit Logs

This rule requires the Azure integration with Microsoft Entra ID Audit Logs data stream ingesting in your Elastic Stack deployment. For more information, refer to the Microsoft Entra ID Audit Logs integration documentation.

Rule query

edit

from logs-azure.auditlogs-* metadata _id, _version, _index
| where event.action == "Update application"
| where `azure.auditlogs.properties.target_resources.0.modified_properties.0.display_name` == "FederatedIdentityCredentials"
| eval Esql.target_resources_old_value_clean = replace(`azure.auditlogs.properties.target_resources.0.modified_properties.0.old_value`, "\\\\", "")
| eval Esql.target_resources_new_value_clean = replace(`azure.auditlogs.properties.target_resources.0.modified_properties.0.new_value`, "\\\\", "")
| dissect Esql.target_resources_old_value_clean "%{}\"Issuer\":\"%{Esql.external_idp_old_issuer}\"%{}"
| dissect Esql.target_resources_new_value_clean "%{}\"Issuer\":\"%{Esql.external_idp_new_issuer}\"%{}"
| where Esql.external_idp_old_issuer is not null and Esql.external_idp_new_issuer is not null
| where Esql.external_idp_old_issuer != Esql.external_idp_new_issuer
| keep @timestamp, Esql.*, azure.*, event.*, cloud.*, related.*, tags, source.*, agent.*, client.*, _id, _version, _index, data_stream.namespace

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Account Manipulation
- ID: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Sub-technique:
- Name: Additional Cloud Credentials
- ID: T1098.001
- Reference URL: https://attack.mitre.org/techniques/T1098/001/
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Domain or Tenant Policy Modification
- ID: T1484
- Reference URL: https://attack.mitre.org/techniques/T1484/
Sub-technique:
- Name: Trust Modification
- ID: T1484.002
- Reference URL: https://attack.mitre.org/techniques/T1484/002/

« Entra ID External Guest User Invited Entra ID Global Administrator Role Assigned »