Passwordless persistence: the app backdoor secret rotation cannot fix
A federated identity credential lets an app trust an external issuer with no stored secret. Added by an attacker, it is a backdoor that rotating the app's secrets does nothing to close.
Workload identity federation lets an app registration trust an external OIDC issuer, so a workload can authenticate by presenting that issuer's token instead of a client secret or certificate that has to be stored somewhere. That is convenient, and it is also a near-perfect backdoor.
How the attack works
An attacker who can manage an app registration adds a federated identity credential to it: an external issuer plus a subject claim they control. From an attacker-controlled workload they then request access tokens for the application from the token endpoint with a client assertion, a token from that issuer presented under the client credentials grant, with no client secret and no certificate involved. Those tokens carry the service principal's Microsoft Graph application permissions, so the attacker uses them to read mail and directory data. When a well-meaning operator rotates the app's secret in response to an alert, the token minting continues uninterrupted. This maps to T1098, Account Manipulation, and T1556, Modify Authentication Process.
Why it works
The federated credential is a separate, passwordless trust: the token endpoint matches the assertion against the credential's issuer, subject and audience, and no secret or certificate takes part in that check. Rotating a client secret only touches the secret-based path, so it never disturbs the federation. The attacker chose the one persistence method that the obvious cleanup does not reach.
How to fix it
Containment is to delete the rogue federated identity credential object from the application. Access tokens already issued to the service principal cannot be revoked and stay valid until they expire, typically about an hour, so if the exposure warrants it also disable the service principal or remove its Graph application role assignments until the cleanup is complete; that blocks new issuance and use, not just the assertion path. Secret rotation is irrelevant here, and disabling the creator or blocking one source address leaves the trust usable from anywhere. For the class of risk, inventory federated credentials across all app registrations, alert on creation or modification of one, and restrict who can manage application credentials. The audit log names who added the credential, and the service-principal sign-in log shows its use.
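The inventory-and-diff check described above, as an added example that is not the page's code or a GraphLattice artifact: it takes two snapshots of app registrations in the shape Graph returns them (both constructed here), reports every federated credential added or changed since the baseline, flags any whose issuer or subject falls outside a hypothetical tenant allowlist, and builds the Graph DELETE request that actually closes the trust. The ALLOWED policy, the GUIDs, the issuer hostnames and the subjects are all assumptions.

```python
"""Inventory federated identity credentials (FICs) across app registrations,
diff them against a previous snapshot, and flag any that do not match the
issuers and subjects this tenant expects.

Record shapes follow the Microsoft Graph `application` and
`federatedIdentityCredential` resources (appId, displayName; id, name, issuer,
subject, audiences). In practice BASELINE and CURRENT come from
GET /applications plus GET /applications/{id}/federatedIdentityCredentials per
app; here both snapshots are constructed sample data and ALLOWED is a
hypothetical tenant policy.
"""
from dataclasses import dataclass

# Hypothetical tenant policy: issuer -> subject prefix every legitimate FIC must carry.
ALLOWED = {
    "https://token.actions.githubusercontent.com": "repo:contoso/",
}


def fic(id_, name, issuer, subject):
    """Build one federatedIdentityCredential record with the default exchange audience."""
    return {"id": id_, "name": name, "issuer": issuer, "subject": subject,
            "audiences": ["api://AzureADTokenExchange"]}


# Constructed sample: the last known-good inventory.
BASELINE = [
    {"appId": "11111111-1111-4111-8111-111111111111", "displayName": "mail-reporter",
     "federatedIdentityCredentials": [
         fic("fic-1", "github-main", "https://token.actions.githubusercontent.com",
             "repo:contoso/mail-reporter:ref:refs/heads/main")]},
    {"appId": "22222222-2222-4222-8222-222222222222", "displayName": "hr-sync",
     "federatedIdentityCredentials": []},
]

# Constructed sample: the inventory now. fic-2 is a legitimate addition; fic-1 has been
# repointed at a subject outside the tenant's repos (trusted issuer, wrong subject);
# fic-9 trusts an issuer the tenant never federated with.
CURRENT = [
    {"appId": "11111111-1111-4111-8111-111111111111", "displayName": "mail-reporter",
     "federatedIdentityCredentials": [
         fic("fic-1", "github-main", "https://token.actions.githubusercontent.com",
             "repo:attacker-org/mail-reporter:ref:refs/heads/main"),
         fic("fic-2", "github-release", "https://token.actions.githubusercontent.com",
             "repo:contoso/mail-reporter:ref:refs/tags/v1.0")]},
    {"appId": "22222222-2222-4222-8222-222222222222", "displayName": "hr-sync",
     "federatedIdentityCredentials": [
         fic("fic-9", "deploy", "https://oidc.attacker-ci.example",
             "system:serviceaccount:ops:deployer")]},
]


@dataclass(frozen=True)
class Fic:
    app_id: str
    app_name: str
    fic_id: str
    name: str
    issuer: str
    subject: str
    audiences: tuple


def flatten(apps):
    """One Fic per (application, credential) pair, so snapshots can be keyed and compared."""
    return [Fic(a["appId"], a["displayName"], c["id"], c["name"], c["issuer"],
                c["subject"], tuple(c.get("audiences", [])))
            for a in apps for c in a.get("federatedIdentityCredentials", [])]


def diff_fics(baseline, current):
    """Added, changed (old, new) and removed FICs between two snapshots, keyed by (appId, FIC id)."""
    before = {(f.app_id, f.fic_id): f for f in flatten(baseline)}
    after = {(f.app_id, f.fic_id): f for f in flatten(current)}
    added = [after[k] for k in sorted(after.keys() - before.keys())]
    removed = [before[k] for k in sorted(before.keys() - after.keys())]
    changed = [(before[k], after[k]) for k in sorted(before.keys() & after.keys())
               if before[k] != after[k]]
    return added, changed, removed


def flag_untrusted(apps, allowed=ALLOWED):
    """FICs whose issuer is not allowlisted or whose subject is outside the expected prefix."""
    return [f for f in flatten(apps)
            if f.issuer not in allowed or not f.subject.startswith(allowed[f.issuer])]


def containment_request(f):
    """The Graph call that closes the trust: delete the FIC object itself (secret rotation never touches it)."""
    return ("DELETE",
            f"https://graph.microsoft.com/v1.0/applications(appId='{f.app_id}')"
            f"/federatedIdentityCredentials/{f.fic_id}")


if __name__ == "__main__":
    added, changed, removed = diff_fics(BASELINE, CURRENT)
    for f in added:
        print(f"ADDED     {f.app_name}/{f.name}: {f.issuer} sub={f.subject}")
    for old, new in changed:
        print(f"CHANGED   {new.app_name}/{new.name}: sub {old.subject} -> {new.subject}")
    for f in removed:
        print(f"REMOVED   {f.app_name}/{f.name}")
    for f in flag_untrusted(CURRENT):
        print("UNTRUSTED", f.app_name, f.name, *containment_request(f))
```

The diff and the allowlist catch different things: the diff surfaces every change for review, including the legitimate fic-2, while the allowlist is what separates the repointed fic-1 and the foreign-issuer fic-9 from the noise. Run the diff on a schedule against a stored baseline (the Azure CLI's `az ad app federated-credential list --id <appId>` is a quick way to pull the current list per app), and treat any untrusted hit as a containment action rather than a ticket.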
Practice it
We built this as a GraphLattice Range scenario so administrators can rehearse passwordless persistence and the cleanup that secret rotation cannot deliver.