Skip to main content
Applies to BloodHound Enterprise and CE Any principal that can obtain a token from the FIC’s trusted issuer matching its subject claim can authenticate as the App Registration, which in turn runs as its associated Service Principal via the AZRunsAs relationship.

Abuse Info

No additional abuse is necessary to traverse this edge. The abuse primitive is captured on the edge leading to this FIC. Once a token has been obtained from the FIC’s trusted issuer, it can be exchanged at the Microsoft identity platform token endpoint for an access token authenticating as the target App Registration. From there, follow the AZRunsAs edge to understand what Service Principal context, and associated permissions, the attacker gains.

Opsec Considerations

No opsec considerations apply to this edge.

References

Understanding Federated Identity Credentials: Simplifying Secure Access