Azure Automation connection asset

An Azure Automation Connection asset stores the authentication configuration runbooks use to connect to external services (e.g. service principal app/tenant IDs, certificate thumbprints, subscription bindings). Secret field values are stored encrypted and write-only.

Connection assets reference credential material, but the control plane does not return the encrypted secret field values in plaintext; they are resolved only at runbook runtime via Get-AutomationConnection.

Microsoft.Automation/automationAccounts/connections/write

Create/update access lets an attacker plant or alter the credential or service-principal material that runbooks authenticate with, staging persistent attacker-controlled credentials and redirecting automated jobs to authenticate as a modified identity (lateral movement).
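Because the write operation name is recorded in the Azure Activity Log, the practical defender's control is to alert on it. The following Python is an added example, not part of the catalog entry or of any P0 Security tooling: it scans a few constructed Activity Log-style records (the subscription, resource group, account, caller and connection names are all made up) and reports every successful `Microsoft.Automation/automationAccounts/connections/write` that did not come from an allow-listed deployment identity. The field names (`operationName`, `caller`, `status`, `resourceId`) follow the Activity Log schema; the record shape is otherwise assumed.

```python
"""Flag Azure Activity Log events that create or modify Automation connection assets.

Added example (not from the IAM Privilege Catalog). SAMPLE_EVENTS is constructed
to resemble Activity Log records; every value in it is fictitious.
"""
from __future__ import annotations

import re
from typing import Iterable

# The operation documented on this page. Matched case-insensitively because
# provider casing in logged operation names is not guaranteed to be stable.
CONNECTION_WRITE_OP = "Microsoft.Automation/automationAccounts/connections/write"

# ARM resource ID shape for a connection asset (assumed from the ARM path convention).
_RESOURCE_RE = re.compile(
    r"/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Automation/automationAccounts/(?P<account>[^/]+)"
    r"/connections/(?P<connection>[^/]+)$",
    re.IGNORECASE,
)

_CONN_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-ops"
    "/providers/Microsoft.Automation/automationAccounts/aa-prod/connections/AzureRunAsConnection"
)

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {  # expected: pipeline identity rewriting the connection during a deployment
        "time": "2024-01-15T09:02:11Z",
        "operationName": CONNECTION_WRITE_OP,
        "caller": "deploy-pipeline@example.com",
        "status": "Succeeded",
        "resourceId": _CONN_ID,
    },
    {  # read-only operation: not interesting for this rule
        "time": "2024-01-15T09:10:40Z",
        "operationName": "Microsoft.Automation/automationAccounts/connections/read",
        "caller": "bob@example.com",
        "status": "Succeeded",
        "resourceId": _CONN_ID,
    },
    {  # interactive user replacing the service-principal binding: should be flagged
        "time": "2024-01-15T11:47:03Z",
        "operationName": CONNECTION_WRITE_OP,
        "caller": "alice@example.com",
        "status": "Succeeded",
        "resourceId": _CONN_ID,
    },
    {  # failed attempt (e.g. denied by RBAC): no asset was changed
        "time": "2024-01-15T12:00:00Z",
        "operationName": CONNECTION_WRITE_OP,
        "caller": "mallory@example.com",
        "status": "Failed",
        "resourceId": _CONN_ID,
    },
]


def parse_connection_resource(resource_id: str) -> dict[str, str] | None:
    """Split a connection-asset resource ID into its parts, or None if it is not one."""
    match = _RESOURCE_RE.match(resource_id)
    return match.groupdict() if match else None


def find_connection_writes(
    events: Iterable[dict], allowed_callers: frozenset[str] = frozenset()
) -> list[dict]:
    """Return one finding per successful connections/write not made by an allowed caller.

    Findings are sorted by time and carry the caller plus the account and
    connection name so an analyst can see which runbook identity was touched.
    """
    findings = []
    for event in events:
        if event.get("operationName", "").lower() != CONNECTION_WRITE_OP.lower():
            continue
        if event.get("status") != "Succeeded":
            continue  # only a completed write changes what runbooks authenticate with
        caller = event.get("caller", "<unknown>")
        if caller in allowed_callers:
            continue
        parts = parse_connection_resource(event.get("resourceId", "")) or {}
        findings.append(
            {
                "time": event.get("time"),
                "caller": caller,
                "account": parts.get("account", "<unparsed>"),
                "connection": parts.get("connection", "<unparsed>"),
            }
        )
    return sorted(findings, key=lambda f: f["time"] or "")


if __name__ == "__main__":
    pipeline_identities = frozenset({"deploy-pipeline@example.com"})
    for finding in find_connection_writes(SAMPLE_EVENTS, pipeline_identities):
        print(finding)
```

Keep the allow-list short and tied to the identities that legitimately deploy automation accounts; every other successful write to a connection asset is worth a ticket, since the change cannot be verified by reading the asset back (the secret fields are write-only) and only shows up when the next job runs.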

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Automation
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog