> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# AZLogicAppContributor

> The Logic Contributor role grants full control of the target Logic App. This includes the ability to execute arbitrary commands on the Logic App.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Abuse Info

Currently you need access to the portal GUI to execute this abuse. The abuse involves adding or modifying an existing logic app to coerce the logic app into sending a JWT for its managed identity service principal to a web server you control.

You can see a full walkthrough for executing that abuse in this blog post: [Andy Robbins - Managed Identity Attack Paths, Part 2: Logic Apps](https://medium.com/p/52b29354fc54)

## Opsec Considerations

This will depend on which particular abuse you perform, but in general Azure will create a log event for each abuse.

## References

* [https://github.com/BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK)
* [https://medium.com/p/52b29354fc54](https://medium.com/p/52b29354fc54)
* [https://specterops.io/blog/2023/04/18/introducing-bloodhound-4-3-get-global-admin-more-often/](https://specterops.io/blog/2023/04/18/introducing-bloodhound-4-3-get-global-admin-more-often/)