Automation project principal (Azure)

An automation project principal is the identity/access-control binding that grants a security principal (user, group, service principal, or managed identity) access to a Logic Apps automation project. It functions as a scoped RBAC-style binding on a single integration workload.

This is an access-control binding analogous to an Azure role assignment, but scoped to a single Logic Apps automation project rather than to a tenant or subscription; the asset at stake is the access-control configuration of one integration function.

Microsoft.Logic/automationProjects/principals/write

Creating or updating the principal binding grants a chosen identity access to the project (escalation:privilege), allows the holder to bind to or act through the identities the automation runs as (escalation:lateral), and establishes a durable access grant that survives until explicitly removed (persistence:account). It is analogous to a role-assignment write scoped to a single Logic Apps automation resource.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Logic
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog