> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# AZAuthenticatesTo

> The AZAuthenticatesTo edge indicates that a Federated Identity Credential (FIC) is configured on an Azure App Registration, allowing an external identity provider to authenticate as the application without a password or certificate.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

Any principal that can obtain a token from the FIC's trusted issuer matching its subject claim can authenticate as the App Registration, which in turn runs as its associated Service Principal via the AZRunsAs relationship.

## Abuse Info

No additional abuse is necessary to traverse this edge. The abuse primitive is captured on the edge leading to this FIC. Once a token has been obtained from the FIC's trusted issuer, it can be exchanged at the Microsoft identity platform token endpoint for an access token authenticating as the target App Registration.

From there, follow the AZRunsAs edge to understand what Service Principal context, and associated permissions, the attacker gains.

## Opsec Considerations

No opsec considerations apply to this edge.

## References

[Understanding Federated Identity Credentials: Simplifying Secure Access](https://medium.com/@zahmed333/understanding-federated-identity-credentials-simplifying-secure-access-6b67fa79475b)