C-AZ-APP-PERSISTPersistence

Entra Application Persistence

Add a client secret to an existing app registration with privileged roles — survives user-password resets and MFA changes.

§ Where this technique fits

C-AZ-APP-PERSIST is catalogued under the Persistence tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 6 on average.

§ Dossiers chaining this technique

Entra app consent phishing → Global Admin equivalent
Phish a privileged user to consent to an OAuth app requesting Directory.ReadWrite.All + RoleManagement.ReadWrite.Directory — the app then grants itself Global Administrator.
step 6 / 6

§ Where this technique fits

§ Dossiers chaining this technique

Entra app consent phishing → Global Admin equivalent