services / Azure / Automation project principal
An automation project principal is the identity/access-control binding that grants a security principal (a user, group, service principal, or managed identity) access to a single Logic Apps automation project. It behaves like an Azure role assignment scoped to that one project rather than to a subscription or tenant: the asset it protects is the access-control configuration of one integration workload, not the wider tenant.
Microsoft.Logic/automationProjects/principals/write
Creating or updating the principal binding grants an identity the caller controls access to the project (escalation:privilege); it can also bind to, or let the caller act through, the identities the automation runs as, which reach whatever those identities can reach (escalation:lateral); and it establishes a durable access grant that outlives the caller's own session (persistence:account). In effect it is a role-assignment write scoped to a single Logic Apps automation resource, so writes of this action deserve the same review as Microsoft.Authorization/roleAssignments/write, just at a narrower blast radius.
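The first thing a practitioner wants to know about an action like this is which roles actually grant it, which is not obvious by reading role names because Azure RBAC actions are matched with wildcards (`*` spans `/` segments, case-insensitively) and then filtered by NotActions. The following is an added example, not code from the original page or from P0 Security: it implements that matching over role definitions in the shape returned by `az role definition list`. The five role definitions embedded below are constructed and trimmed for the example (the built-in roles carry many more NotActions than shown), and the two custom roles are hypothetical.

```python
"""Which Azure RBAC roles grant a given control-plane action?

Azure evaluates a control-plane action against each permission block of a
role: the action is allowed if some entry in ``actions`` matches it and no
entry in ``notActions`` matches it. ``*`` is the only wildcard and it can
span ``/`` segments; comparison is case-insensitive. This file is an added
example; the role definitions are constructed, not real exports.
"""
import json
import re
import sys

ACTION = "Microsoft.Logic/automationProjects/principals/write"


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC-style match of one Actions/NotActions entry against an action."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_grants(role: dict, action: str) -> bool:
    """True if any permission block allows the action and does not exclude it."""
    for perm in role.get("permissions", []):
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def roles_granting(role_defs: list, action: str = ACTION) -> list:
    """Sorted roleNames whose definition grants the action."""
    return sorted(r["roleName"] for r in role_defs if role_grants(r, action))


# Constructed sample in the shape of `az role definition list` output (trimmed).
# The two custom roles ("Logic App Operator", "Integration Admin") are hypothetical.
SAMPLE_ROLE_DEFS = json.loads("""
[
  {"roleName": "Owner",
   "permissions": [{"actions": ["*"], "notActions": []}]},
  {"roleName": "Contributor",
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"]}]},
  {"roleName": "Reader",
   "permissions": [{"actions": ["*/read"], "notActions": []}]},
  {"roleName": "Logic App Operator",
   "permissions": [{"actions": ["Microsoft.Logic/*"],
                    "notActions": ["Microsoft.Logic/*/principals/write"]}]},
  {"roleName": "Integration Admin",
   "permissions": [{"actions": ["Microsoft.Logic/automationProjects/*"],
                    "notActions": []}]}
]
""")


if __name__ == "__main__":
    # Usage: python roles_for_action.py [role-definitions.json]
    # With no argument the constructed sample above is used.
    defs = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ROLE_DEFS
    for name in roles_granting(defs):
        print(name)
```

Note the "Logic App Operator" case: a broad `Microsoft.Logic/*` grant is neutralised for this one action by a NotActions entry, which is the pattern to use when you want an operator role that can run and edit workflows but cannot add principals to an automation project. Feed the script `az role definition list --output json` (or a tenant export) to see every built-in and custom role that reaches this action in your environment.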
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security