services / Azure / Logic Apps workflow

An Azure Logic Apps workflow: a managed automation/integration resource that orchestrates triggers and actions across connected systems, often running under a managed identity with connections to downstream services.

Workflows commonly hold a managed identity and connection references granting broad downstream access; the control-plane definition reveals integration logic, while access keys/callback URLs are bearer credentials that can invoke the workflow.


Microsoft.Logic/workflows/listCallbackUrl/action

Returns the workflow's callback URL, which embeds a SAS signature and therefore acts as a bearer credential: anyone holding it can trigger the workflow out-of-band without any further Azure permissions, and the workflow then executes its actions under its managed identity (lateral movement into connected systems).

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Logic
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog