Add secrets to app

If you have a access_token that is able to Get-AzADApplication:

It is possible to check if that access_token can set a secret on that app using a script: https://github.com/lutzenfried/OffensiveCloud/blob/main/Azure/Tools/Add-AzADAppSecret.ps1.

To abuse, you will need a access_token and the MicrosoftGraphToken!

Now, using these secret we can impersonate that application.

Last updated 22 hours ago