# Az - Logic Apps Post Exploitation

{{#include ../../../banners/hacktricks-training.md}}

## Logic Apps Database Post Exploitation
For more information about logic apps check:

{{#ref}}
../az-services/az-logic-apps.md
{{#endref}}

### `Microsoft.Logic/workflows/read`, `Microsoft.Logic/workflows/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
With these permissions, you can modify Logic App workflows and manage their identities. Specifically, you can assign or remove system-assigned and user-assigned managed identities to workflows, which allows the Logic App to authenticate and access other Azure resources without explicit credentials.

```bash
az logic workflow identity remove/assign \
  --name <workflow_name> \
  --resource-group <resource_group_name> \
  --system-assigned true \
  --user-assigned "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity_name>"
```

### `Microsoft.Web/sites/read`, `Microsoft.Web/sites/write`
With these permissions, you can create or update Logic Apps hosted on an App Service Plan. This includes modifying settings such as enabling or disabling HTTPS enforcement.

```bash
az logicapp update \
  --resource-group <resource_group_name> \
  --name <logic_app_name> \
  --set httpsOnly=false
```

### `Microsoft.Web/sites/stop/action`, `Microsoft.Web/sites/start/action` || `Microsoft.Web/sites/restart/action`
With this permission, you can start/stop/restart a web app, including Logic Apps hosted on an App Service Plan. This action ensures that a previously stopped app is brought online and resumes its functionality. This can disrupt workflows, trigger unintended operations, or cause downtime by starting, stopping, or restarting Logic Apps unexpectedly.

```bash
az webapp start/stop/restart \
  --name <logic_app_name> \
  --resource-group <resource_group_name>
```


### `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/read` && `Microsoft.Web/sites/config/write`

With this permission, you can configure or modify settings for web apps, including Logic Apps hosted on an App Service Plan. This allows changes to app settings, connection strings, authentication configurations, and more.

```bash
az logicapp config appsettings set \
  --name <logic_app_name> \
  --resource-group <resource_group_name> \
  --settings "<key>=<value>"
```

### `Microsoft.Logic/integrationAccounts/write`
With this permission, you can create, update, or delete Azure Logic Apps integration accounts. This includes managing integration account-level configurations like maps, schemas, partners, agreements, and more.

```bash
az logic integration-account create \
  --resource-group <resource_group_name> \
  --name <integration_account_name> \
  --location <location> \
  --sku <Standard|Free> \
  --state Enabled
```

### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/batchConfigurations/write`

With this permission, you can create or modify batch configurations within an Azure Logic Apps integration account. Batch configurations define how Logic Apps process and group incoming messages for batch processing.

```bash
az logic integration-account batch-configuration create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <batch_configuration_name> \
  --release-criteria '{
      "messageCount": 100,
      "batchSize": 1048576,
  }'
```

### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/maps/write`
With this permission, you can create or modify maps within an Azure Logic Apps integration account. Maps are used to transform data from one format to another, enabling seamless integration between different systems and applications.

```bash
az logic integration-account map create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <map_name> \
  --map-type <Xslt|Xslt20|Xslt30> \
  --content-type application/xml \
  --map-content map-content.xslt
```

### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/partners/write`
With this permission, you can create or modify partners in an Azure Logic Apps integration account. Partners represent entities or systems that participate in business-to-business (B2B) workflows.

```bash
az logic integration-account partner create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <partner_name> \
  --partner-type <partner-type> \
  --content '{
    "b2b": {
      "businessIdentities": [
        {
          "qualifier": "ZZ",
          "value": "TradingPartner1"
        }
      ]
    }
  }'
```

### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/sessions/write`
With this permission, you can create or modify sessions within an Azure Logic Apps integration account. Sessions are used in B2B workflows to group messages and track related transactions over a defined period.

```bash
az logic integration-account session create \
  --resource-group <resource_group_name> \
  --integration-account-name <integration_account_name> \
  --name <session_name> \
  --content '{
    "properties": {
      "sessionId": "session123",
      "data": {
        "key1": "value1",
        "key2": "value2"
      }
    }
  }'
```

### "*/delete"
With this permissions you can delete resources related to Azure Logic Apps



{{#include ../../../banners/hacktricks-training.md}}