services / Azure / Azure Automation connection asset
An Azure Automation Connection asset stores the authentication configuration runbooks use to connect to external services (e.g. service principal app/tenant IDs, certificate thumbprints, subscription bindings). Secret field values are stored encrypted and write-only.
Connection assets reference credential material, but the control plane does not return the encrypted secret field values in plaintext; they are resolved only at runbook runtime via Get-AutomationConnection.
Microsoft.Automation/automationAccounts/connections/write
Create/update access lets an attacker plant or alter the credential or service-principal material that runbooks authenticate with. This stages persistent attacker-controlled credentials and redirects automated jobs to authenticate as a modified identity (lateral movement).
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
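One way to monitor use of Microsoft.Automation/automationAccounts/connections/write, as an added example that is not part of the original page: it scans exported Azure Activity Log records for successful connection writes made by callers outside an approved set. The sample records, resource names, caller values and the approved-caller list are constructed assumptions.

```python
from collections import defaultdict

WRITE_OP = "Microsoft.Automation/automationAccounts/connections/write"
# Constructed resource ID prefix and records; field names follow the Activity Log event schema.
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"
        "/providers/Microsoft.Automation/automationAccounts/aa-prod")

def _ev(ts, caller, op, status, rid):
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": rid}

SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00Z", "deploy-sp-object-id", WRITE_OP, "Succeeded", BASE + "/connections/AzureRunAsConnection"),
    _ev("2024-05-02T03:13:58Z", "user@example.com", WRITE_OP, "Started", BASE + "/connections/AzureRunAsConnection"),
    _ev("2024-05-02T03:14:00Z", "user@example.com", WRITE_OP.upper(), "Succeeded", BASE + "/connections/AzureRunAsConnection"),
    _ev("2024-05-02T03:20:00Z", "user@example.com", "Microsoft.Automation/automationAccounts/runbooks/write", "Succeeded", BASE + "/runbooks/Nightly"),
    _ev("2024-05-03T11:00:00Z", "other@example.com", WRITE_OP, "Failed", BASE + "/connections/SqlConn"),
]

def parse_connection_id(resource_id):
    """Return (automation_account, connection_name), or None if the ID is not a connection."""
    parts = resource_id.strip("/").split("/")
    lower = [p.lower() for p in parts]
    try:
        return (parts[lower.index("automationaccounts") + 1],
                parts[lower.index("connections") + 1])
    except (ValueError, IndexError):
        return None

def find_unapproved_writes(events, approved_callers):
    """Map each connection to the sorted (timestamp, caller) pairs of unapproved successful writes."""
    approved = {c.lower() for c in approved_callers}
    findings = defaultdict(list)
    for ev in events:
        # Operation names can arrive in varying case, so compare case-insensitively.
        if ev.get("operationName", {}).get("value", "").lower() != WRITE_OP.lower():
            continue
        # Only completed changes matter; "Started" and "Failed" records did not alter the asset.
        if ev.get("status", {}).get("value") != "Succeeded":
            continue
        target = parse_connection_id(ev.get("resourceId", ""))
        caller = ev.get("caller", "")
        if target is None or caller.lower() in approved:
            continue
        findings[target].append((ev.get("eventTimestamp", ""), caller))
    return {conn: sorted(hits) for conn, hits in findings.items()}

if __name__ == "__main__":
    for conn, hits in find_unapproved_writes(SAMPLE_EVENTS, {"deploy-sp-object-id"}).items():
        print(conn, hits)
```

Because the control plane does not return secret field values, a finding here shows only that a connection was changed and by whom, not what it was changed to.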
Contributed by P0 Security