Leaked credentials for Workload identities

Azure AD Identity Protection [user identities]

Compromised credentials (e.g. via phishing mail(s) or website compromise via hacking like SQL injection, see example below) that are available publicly (e.g. on the dark web or other public resources) are gathered and verified by Microsoft against the actual Azure AD credentials.

If the username and the password hash is a match (requires Azure AD Connect password hash sync), an High risk alert is raised in Azure AD Identity Protection called Leaked Credentials.

If the User risk policy is configured: All users with user risk High and the access control Require password change.

The user is forced to change the password (and to verify their identity via multi factor authentication). The alert is automatically closed since the password hash changed for the Azure AD user which was compromised.

The current scope of leaked credentials is (was) User credentials.

Azure AD Identity Protection [workload identities]

Workload identities is the category of:

  • App Registrations (Applications)
  • Enterprise Applications (Service Principals)
  • Managed Identities

An App Registration is an application object (definition of the application) in the source Azure AD. Enterprise application is an instances of application in the (source and/or target) Azure AD.

A new feature / detection is leaked credentials for workload identities which gathers information from the dark web, paste (bin) sites and public GitHub (current preview) repositories.

If an object (Application) ID & Secret is found, an alert is raised.

Disclaimer: Microsoft triggered a backfill for the ‘old’ data (a procedure only required once) and all new (delta) detections are triggered upon Commit (detection can take some time, often within 24 hours from my own experience).

Let’s create an App registration where we use the following information

  • Application ID
  • Tenant ID
  • Secret

And let’s create a public Github repo with our Azure credentials like the Application ID (unique identifier) and App Secret (password).

If workload identity credentials are detected, the alert is presented in the following two sections:

Risky workload identities

The risky workload identities section provides an overview of all detected risks from the category workload identities.

Risk detections -> Workload identity detections

The risk detections sections provides an overview of all User detections and Workload identities detections.

The workload identities (offline) detections types are:

  • Azure AD Threat Intelligence
  • Leaked credentials
  • Suspicious sign-ins
  • Unusual addition of credentials to an OAuth app

See Holistic compromised identity signals from Microsoft — Microsoft Tech Community for more information on the other detections.

By selecting the leaked credentials alert, the details are presented

By selecting ‘Click here for more details’ the (public) location of the discovered credentials are shown.

The riskyServicePrincipals detection can also be used via the Graph API Explorer (use the beta endpoint at the time of writing and an account with required IdentityRiskyServicePrincipal.Read.All permissions).

Previously, Azure AD Identity Protection only supported user policies (user risk & sign-in risk). Now, with Azure AD Conditional Access a policy can be created to block access for single-tenant service principals with a high-risk state.

This will automatically prevent access if the service principal is compromised.

Leaked credentials is one of my favorite detections on users, which is now extended to workload identities (service principals)to provide more coverage and a safer world at the end.




Chief Technology Officer @ Nedscaper

Love podcasts or audiobooks? Learn on the go with our new app.

Reveal of Sentinel’s Implementation partner Exidio, and the importance of Exidio to the Sentinel…

On Sick Leave

Chetu Reviews: EMV POS Solutions to Reduce Fraudulent Liabilities

{UPDATE} Charlotte - Quiz Light Novel Hack Free Resources Generator

Hunting 0-days in Cisco DCNM with ShiftLeft Ocular

{UPDATE} Galaxy Trucker Pocket Hack Free Resources Generator

{UPDATE} ヤミカノ Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Derk van der Woude

Derk van der Woude

Chief Technology Officer @ Nedscaper

More from Medium

Bypassing Access Mask Auditing Strategies

Response Actions in Microsoft Defender for Identity

How to write detection rules using Kusto in Microsoft Sentinel (Part 1)

No logs No Crime — A beginners guide to Splunk in Security