Techniques
Sample rules
Entra ID Service Principal Federated Credential Authentication by Unusual Client
- source: elastic
- techniques:
- T1078
- T1550
Description
Identifies when a service principal authenticates using a federated identity credential for the first time in the historical window. A successful federated-credential sign-in means Entra ID accepted a JWT issued by an external OIDC identity provider (one whose issuer and subject match a federated credential configured on the application) and exchanged it for an access token. This is legitimate for CI/CD workloads such as GitHub Actions and Azure DevOps, but an adversary who can modify an application's federated credentials may register a rogue identity provider (bring your own IdP, BYOIDP) and authenticate as that application without holding any secret or certificate. First-time federated credential usage for a service principal therefore warrants investigation to confirm that the external identity provider is one the application is expected to trust.
Detection logic
event.dataset: "azure.signinlogs"
and azure.signinlogs.category: "ServicePrincipalSignInLogs"
and azure.signinlogs.properties.client_credential_type: "federatedIdentityCredential"
and azure.signinlogs.result_signature: "SUCCESS"
and azure.signinlogs.properties.app_id: *
and not azure.signinlogs.properties.app_owner_tenant_id: (
"f8cdef31-a31e-4b4a-93e4-5f571e91255a" or
"72f988bf-86f1-41af-91ab-2d7cd011db47"
)