Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts

TL;DR: Azure CLI password spray attacks targeting service principals are spiking, exploiting misconfigured defaults and unmonitored IPv6. Triage now: audit service principal permissions, monitor failed CLI sign-ins, enforce certificate-based authentication.
[References at end]
Azure CLI Password Spray: Another Wake-Up Call for Identity Engineering
Another password spray campaign hit Azure. The technique isn’t new, but most teams still trip over the same flaws: overprivileged service principals, lax Conditional Access, and ignoring IPv6 traffic.
What to Do Right Now (Triage Checklist)
- List all service principals with permissions: Identify which have broad Contributor/Owner rights.
- Block legacy authentication and require MFA: Set Conditional Access policies to enforce strong auth, especially for privileged accounts.
- Monitor failed CLI sign-ins: Run detection queries for spikes—especially from IPv6 blocks.
Case Study: When Permissions Get Out of Control
In 2022, I audited a Fortune 500 Azure deployment after an anomalous sign-in storm. A service principal controlling CI/CD had Owner access across two subscriptions. No Conditional Access, password never rotated, token lifetime set to 90 days. Attackers sprayed passwords against the Azure CLI endpoint and eventually found a hit. Incident writeup: Azure Incident Response Case Study.
Symptoms:
- Authentication failures from rarely-seen IPv6 sources.
- Unusual CLI sign-ins outside business hours.
- Token replay from risky geos.
Lesson? “Best practices” don't mean anything if enforced only in documentation.
Detection: Find the Attack Before It Finds You
Quick triage: failed sign-ins
Sample KQL for Azure Sentinel (the CLI appears in sign-in logs under AppDisplayName "Microsoft Azure CLI", and ResultType "0" is a successful sign-in, so both filters are needed before the count is really a failure count):
SigninLogs
| where AppDisplayName == "Microsoft Azure CLI"
| where ResultType != "0"   // drop successes, otherwise FailureCount counts every sign-in
| where IPAddress matches regex @"^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}$"   // IPv6 only
| summarize FailureCount=count() by IPAddress, ServicePrincipalId
| where FailureCount > 10
// Service principal sign-ins are also recorded in AADServicePrincipalSignInLogs; run the same triage there.
Catch abnormal spikes—flag >50 failures/minute from same IP or username.
Forensic queries: Service principal token anomalies
SigninLogs
| where ServicePrincipalId in ("<high_priv_sp_guid_1>", "<high_priv_sp_guid_2>")   // your high-privilege service principal GUIDs
| where ResultType != "0"
| summarize Attempts=count() by bin(TimeGenerated, 1h), ServicePrincipalId   // bin(), not raw TimeGenerated, or every event becomes its own row
| order by TimeGenerated asc
Do not ignore low-frequency failures. Sprayers know to throttle.
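The two queries above, reimplemented in Python as an added example (not code from the original post) so the logic can be run offline against exported sign-in records, and extended with a check for the throttled sprayer the text warns about: an IP that stays under any per-minute threshold but still fails against many distinct service principals. Field names follow the SigninLogs schema (TimeGenerated, ResultType, IPAddress, ServicePrincipalId, AppDisplayName); the sample records, principal names and addresses are constructed.

```python
"""Offline triage of Entra sign-in records for Azure CLI password spraying.

Added example, not code from the original post. Field names follow the
SigninLogs schema; the records built at the bottom are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

AZURE_CLI_APP = "Microsoft Azure CLI"   # AppDisplayName Entra records for the CLI


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_ipv6(addr):
    """ipaddress handles compressed and IPv4-mapped forms that a hand-written regex misses."""
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def failed_signins(records, app=None):
    """ResultType "0" is success; anything else is a failure. Optionally restrict to one client app."""
    return [r for r in records
            if r["ResultType"] != "0" and (app is None or r["AppDisplayName"] == app)]


def ipv6_failure_sources(records):
    """Failed CLI sign-ins grouped by IPv6 source (the first KQL query)."""
    return Counter(r["IPAddress"] for r in failed_signins(records, AZURE_CLI_APP)
                   if is_ipv6(r["IPAddress"]))


def burst_sources(records, threshold=10, window=timedelta(minutes=1)):
    """IPs exceeding `threshold` failed CLI sign-ins inside any sliding window."""
    by_ip = defaultdict(list)
    for r in failed_signins(records, AZURE_CLI_APP):
        by_ip[r["IPAddress"]].append(parse_ts(r["TimeGenerated"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def low_and_slow_sources(records, min_principals=5):
    """IPs failing against many distinct principals: a throttled sprayer stays under
    per-minute thresholds but still spreads across targets."""
    targets = defaultdict(set)
    for r in failed_signins(records, AZURE_CLI_APP):
        targets[r["IPAddress"]].add(r["ServicePrincipalId"])
    return {ip: len(sps) for ip, sps in targets.items() if len(sps) >= min_principals}


def hourly_failures(records, watched_principals):
    """Failures per hour bucket for high-privilege principals (the second KQL query)."""
    counts = Counter()
    for r in failed_signins(records):
        if r["ServicePrincipalId"] in watched_principals:
            bucket = parse_ts(r["TimeGenerated"]).replace(minute=0, second=0, microsecond=0)
            counts[(bucket.isoformat(), r["ServicePrincipalId"])] += 1
    return counts


# --- constructed sample records (50126 is the "invalid username or password" result code) ---
def _rec(ts, ip, sp, result="50126", app=AZURE_CLI_APP):
    return {"TimeGenerated": ts.isoformat(), "IPAddress": ip,
            "ServicePrincipalId": sp, "ResultType": result, "AppDisplayName": app}


BASE = datetime(2024, 6, 1, 2, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = (
    # burst: 15 failures in under 30 seconds from one IPv6 source against the CI principal
    [_rec(BASE + timedelta(seconds=2 * i), "2001:db8::1", "sp-ci-pipeline") for i in range(15)]
    # low and slow: one failure every 10 minutes, each against a different principal
    + [_rec(BASE + timedelta(minutes=10 * i), "203.0.113.9", f"sp-{i:02d}") for i in range(6)]
    # benign noise: a successful CLI sign-in and a failed portal sign-in
    + [_rec(BASE, "198.51.100.5", "sp-ci-pipeline", result="0"),
       _rec(BASE, "2001:db8::2", "sp-ci-pipeline", app="Azure Portal")]
)

if __name__ == "__main__":
    print("IPv6 failure sources:", dict(ipv6_failure_sources(SAMPLE_RECORDS)))
    print("burst sources:", burst_sources(SAMPLE_RECORDS))
    print("low-and-slow sources:", low_and_slow_sources(SAMPLE_RECORDS))
    print("hourly failures:", dict(hourly_failures(SAMPLE_RECORDS, {"sp-ci-pipeline"})))
```

On the sample data the burst detector and the IPv6 filter both flag 2001:db8::1, but only the distinct-principal check catches 203.0.113.9, which never exceeds one failure per ten minutes; that is the case the per-minute thresholds above would miss.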

Remediation: Fix the Root Causes
Hotfixes
- Audit service principals and permissions:
az ad sp list --output table
az role assignment list --assignee <service_principal_id> --output table
- Revoke old credentials:
az ad sp credential list --id <service_principal_id>
az ad sp credential delete --id <service_principal_id> --key-id <key_id>
- Rotate tokens and enforce short lifetimes (via MS Graph): Official Guide
Long-term architecture fixes
- Enforce certificate-based auth for service principals:
  - Disable password secrets on app registrations.
  - Require certificates for all automation (Microsoft Docs)
- Tighten Conditional Access policies:
  - Require MFA for privileged roles.
  - Block sign-ins from unmanaged devices.
  - Block legacy authentication (see CA policy examples)
- Privileged Identity Management (PIM):
  - Assign just-in-time contributor/owner access (Azure AD PIM setup)
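An added example (not the post's own code) that turns the hotfix audit above (broad Contributor/Owner assignments, stale credentials) and the long-term certificate migration into one offline check. It assumes input in the shape the page's commands return as JSON: `az role assignment list --all -o json` records with principalType, roleDefinitionName and scope, and `az ad sp show -o json` objects with passwordCredentials and keyCredentials lists carrying keyId, startDateTime and endDateTime. The GUID-like ids, subscription names and dates are constructed placeholders.

```python
"""Audit service principal role assignments and credentials.

Added example, not the post's own code. Input shapes follow the JSON output of
`az role assignment list --all` and `az ad sp show`; all sample data is constructed.
"""
import re
from datetime import datetime, timezone

BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Scopes wider than one resource group: tenant root, a management group, or a whole subscription.
BROAD_SCOPE = re.compile(
    r"^(/|/subscriptions/[^/]+|/providers/Microsoft\.Management/managementGroups/[^/]+)$")


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def broad_assignments(assignments):
    """Service principals holding a broad role at subscription scope or wider."""
    return [a for a in assignments
            if a["principalType"] == "ServicePrincipal"
            and a["roleDefinitionName"] in BROAD_ROLES
            and BROAD_SCOPE.match(a["scope"])]


def credential_findings(sp, now, max_age_days=90):
    """Flag password secrets (migrate to certificates), credentials older than
    max_age_days (rotate) and expired credentials still registered (delete)."""
    findings = []
    creds = ([(c, "password") for c in sp.get("passwordCredentials", [])]
             + [(c, "certificate") for c in sp.get("keyCredentials", [])])
    for c, kind in creds:
        base = {"spId": sp["id"], "keyId": c["keyId"], "kind": kind}
        age_days = (now - parse_ts(c["startDateTime"])).days
        if kind == "password":
            findings.append({**base, "issue": "password secret; migrate to certificate"})
        if age_days > max_age_days:
            findings.append({**base, "issue": f"credential is {age_days} days old; rotate"})
        if parse_ts(c["endDateTime"]) < now:
            findings.append({**base, "issue": "expired credential still registered; delete"})
    return findings


def remediation_commands(findings):
    """The credential delete command from the hotfix list, one per flagged password
    secret. Run it only after a certificate credential is in place, or the automation
    that uses the secret breaks."""
    return sorted({f"az ad sp credential delete --id {f['spId']} --key-id {f['keyId']}"
                   for f in findings if f["kind"] == "password"})


def audit(assignments, principals, now):
    findings = [f for sp in principals for f in credential_findings(sp, now)]
    return {"broad_assignments": broad_assignments(assignments),
            "credential_findings": findings,
            "remediation": remediation_commands(findings)}


# --- constructed sample data (ids are placeholders, not real object ids) ---
SP_CI = "aaaaaaaa-0000-0000-0000-000000000001"      # CI/CD principal, Owner on two subscriptions
SP_DEPLOY = "aaaaaaaa-0000-0000-0000-000000000002"  # deploy principal scoped to one resource group
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_ASSIGNMENTS = [
    {"principalId": SP_CI, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-a"},
    {"principalId": SP_CI, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-b"},
    {"principalId": SP_DEPLOY, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-a/resourceGroups/rg-app"},
    {"principalId": "bbbbbbbb-0000-0000-0000-000000000001", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-a"},
]
SAMPLE_PRINCIPALS = [
    {"id": SP_CI, "displayName": "sp-ci-pipeline",
     "passwordCredentials": [{"keyId": "key-0001", "startDateTime": "2023-01-01T00:00:00Z",
                              "endDateTime": "2025-01-01T00:00:00Z"}],
     "keyCredentials": []},
    {"id": SP_DEPLOY, "displayName": "sp-deploy",
     "passwordCredentials": [],
     "keyCredentials": [{"keyId": "key-0002", "startDateTime": "2024-05-01T00:00:00Z",
                         "endDateTime": "2025-05-01T00:00:00Z"}]},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_ASSIGNMENTS, SAMPLE_PRINCIPALS, NOW), indent=2))
```

The scope regex is what separates the two Contributor/Owner cases: Owner on "/subscriptions/sub-a" is flagged, Contributor on a resource group inside it is not, and the user with Owner is skipped because the audit is about service principals.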
What This Means for Your Org
- Cloud Engineers: Own the audit. Validate every pipeline’s service principal permissions.
- SecOps: Monitor sign-in trends. Set detection rules for CLI and IPv6 anomalies.
- IAM Owners: Enforce certificate-based auth and Conditional Access. Push migration roadmap.
- CTO: Set clear policy for least privilege and credential rotation. Budget for periodic reviews.
Lessons That Will Hurt If Ignored
Attackers leverage simple gaps: permissive role assignments, weak auth flows, “security defaults” never customized. IPv6 isn’t exotic—it’s common, and most logging pipelines neglect it. If you aren't filtering, you're exposed. Next campaign won't be louder, but it will be more surgical.
Authentication is a live threat surface. Stop treating CLI tools as afterthoughts. When your supply chain pipeline is compromised, nobody's handing you a checklist. You build your own.
References & Further Reading
- Microsoft Security Advisory: Azure CLI Password Spray
- Azure Sign-in Logs Documentation
- OAuth2 Permissions and Service Principal Security
- Conditional Access Policy Guidance
- Mandiant Azure Password Attack Writeup
Author:
Brian K. Day, CSP (MS-500), Lead Identity Architect (8 years in DevSecOps). Former consultant for Fortune 500 cloud migrations. Presenter, Microsoft Ignite 2023 ("Service Principal Security Essentials") LinkedIn
Publish date: June 2024
Tags: Azure, Identity, Service Principal, Password spray, Security Incident