Azure Penetration Testing - Part 1: Introduction

January 23, 2025
Tags: Azure Security, Azure, Security, Penetration Testing

πŸ›‘οΈ Azure Pentesting: Understanding the Foundations

Before we start compromising identities, abusing misconfigurations, or chaining privileges in an Azure cloud environment, we need to understand how Azure is built both from a governance and an identity perspective.

This section outlines two essential concepts every cloud pentester should grasp before targeting Azure environments:

  1. The different Azure cloud environments and how they affect tooling and API interaction.
  2. The Azure resource hierarchy, which determines how access and policy inheritance function.

🌐 Azure Clouds and Regions

To comply with regional laws, privacy regulations, and government requirements, Microsoft maintains separate Azure cloud instances, including:

  • Azure Public Cloud (azure.com)
  • Azure Government (azure.us)
  • Azure China (partner hosted by 21Vianet)
  • Azure Germany (legacy, not accepting new customers)

Although these clouds provide similar services, they operate in completely isolated environments with unique identity endpoints, portal domains, and service URLs.

⚠️ Pentest Implications

  • API endpoints differ: Your tools must be configured to authenticate and interact with the correct cloud (e.g., https://login.microsoftonline.us/ for Azure Gov).
  • Token scopes and audience claims in JWTs vary across clouds.
  • Geopolitical data residency requirements often influence architectural decisions; understanding this may help predict where sensitive data resides.

📌 Make sure to adjust Azure CLI, PowerShell, or SDK configurations accordingly when targeting non-public clouds.


πŸ—οΈ Azure Resource Management Hierarchy

Azure organizes its cloud resources in a multi-level hierarchy to allow for scalable governance, access control, and policy enforcement.

Understanding this hierarchy is critical for lateral movement, persistence, and privilege escalation.

πŸ” Access Inheritance Principle

Access assigned at a higher level (e.g., tenant or subscription) automatically cascades down to all child objects unless explicitly overridden. For attackers, this means a single privileged identity at a high level can control dozens or hundreds of downstream resources.

1. 🧬 Azure AD Tenant

  • The root identity platform that authenticates and authorizes all users, apps, and service principals.
  • All Azure subscriptions are tied to one and only one Azure Active Directory (AAD) tenant.
  • Acts as the identity provider for Azure resources and Microsoft 365.
  • Supports hybrid identity via tools like Azure AD Connect, syncing on-prem AD users to Azure.

🎯 Attack Surface

  • Misconfigured user roles or excessive privileges in Azure AD accounts.
  • Service principals or app registrations with overly permissive API permissions (e.g., Directory.Read.All, User.ReadWrite.All).
  • Password spray, token replay, OAuth abuse, and token impersonation.

πŸ› οΈ Use Get-AzADUser, Get-AzADServicePrincipal and az ad app list to enumerate identities.

2. 🌲 Root Management Group (Optional)

  • Top-level container for organizing all subscriptions in a tenant.
  • Disabled by default, but recommended by Microsoft for enterprise governance.
  • Enables centralized enforcement of Azure Policy, RBAC, and Blueprints.

🧨 Pentest Tip

  • Gaining control of a user with access to the Root Management Group can potentially give visibility and control over all child subscriptions.

3. 🧩 Child Management Groups

  • Nested under the root group.
  • Allow logical separation of environments (e.g., Dev, Prod, Finance) or business units.
  • Support up to six levels of nesting.

🧨 Pentest Tip

  • Attackers can pivot across subscriptions by abusing misconfigured RBAC or inherited permissions across sibling management groups.

4. 💳 Subscription

  • Logical boundary for billing and usage tracking.
  • Most common attack-scope target for red teamers; access here means the ability to provision, modify, or destroy cloud resources.
  • Subscriptions can be grouped under management groups, but operate independently by default.

Common Misconfigurations:

  • Over-permissioned users (e.g., Owner, Contributor roles).
  • Unused subscriptions still retaining active secrets or services.

✅ Tip for defenders: Use Privileged Identity Management (PIM) to enforce Just-in-Time access.

5. 📁 Resource Group (RG)

  • Logical container within a subscription.
  • Hosts resources that typically share the same lifecycle (e.g., a single application stack).
  • Access can be delegated at the RG level using Azure RBAC.

🧨 Pentest Tip

  • If you compromise a user with Contributor rights on an RG, you can deploy custom VMs, access storage accounts, or inject code into functions.

6. ⚙️ Resources

  • The lowest level in the hierarchy: individual services such as:
    • Virtual Machines (VMs)
    • Key Vaults
    • Azure Functions
    • Storage Accounts
    • Cosmos DB, etc.

🎯 Common Resource Targets

  • Azure Key Vaults: Often hold secrets, certificates, and tokens; if access policies are misconfigured, they are treasure troves.
  • Storage Accounts: Public blob containers or weak SAS tokens can lead to data exfiltration.
  • Managed Identities: Useful for pivoting and acquiring new access tokens.

🕵️‍♂️ Why Hierarchy Matters to Attackers

Each level of the hierarchy offers a distinct blast radius:

Level                         Attack Scope
-----                         ------------
Tenant                        Global: all subscriptions and identities
Root/Child Management Group   Multiple subscriptions
Subscription                  All resources within a subscription
Resource Group                Specific environment or service stack
Resource                      Single instance (e.g., VM, Storage)

An attacker with access at the Tenant or Root MG level can potentially compromise the entire cloud presence of an organization.


☁️ An Overview of Azure Services

With over 200 services available, Azure is one of the most comprehensive cloud platforms on the market. While this might seem overwhelming, these services can generally be categorized into five functional groups, which simplifies how we approach them from a penetration testing perspective.

πŸ—οΈ 1. Application Hosting Services

These services offer compute environments for deploying applications:

  • Azure App Service: PaaS offering for web and API hosting.
  • Azure Virtual Machines (VMs): IaaS compute instances.
  • Azure Kubernetes Service (AKS): Managed container orchestration using Kubernetes.

💡 Pentest Tip: Misconfigured VMs or AKS clusters can expose internal networks, secrets in disk images, or allow code execution.

💾 2. Data Storage Services

These store application and user data in various formats:

  • Azure Storage Accounts (Blob, File, Table, Queue)
  • Azure SQL Database
  • Azure Cosmos DB

💡 Common Misconfig: Public storage containers, weak Shared Access Signatures (SAS), or open SQL endpoints.

🔧 3. Application Creation Services

Services to build and orchestrate application logic:

  • Azure Logic Apps: Visual workflow automation.
  • Azure Functions: Serverless functions triggered by events.

💡 Abuse Case: An attacker can inject malicious payloads into Logic Apps or Functions if they have write access.

🧠 4. Application Enhancement Services

These add smart features to apps, typically via SaaS APIs:

  • Azure Cognitive Services (Vision, Language, etc.)

💡 Usage in Testing: Often used by internal dev teams. While less of a direct target, tokens to these services may provide access to sensitive inference models.

📈 5. Monitoring and Management Services

These manage and observe the health and behavior of Azure resources:

  • Azure Monitor, Application Insights, API Management
  • Azure Security Center, Microsoft Sentinel

💡 Recon Tip: These services are a goldmine for log data and event tracing. If accessible, they may leak operational secrets or incident response tooling.


πŸ” Understanding the Azure RBAC Structure

Azure RBAC (Role-Based Access Control) governs who can do what in the Azure ecosystem. It is central to securing cloud environments and, equally, central to most privilege escalation paths during pentests.

🧩 RBAC Components

RBAC is composed of three core elements:

  1. Security Principals: Who gets access (user, group, service principal, or managed identity)
  2. Role Definitions: What actions are allowed (e.g., Contributor, Reader)
  3. Role Assignments: Where those roles are applied (scope)

👥 Security Principals

These are the Azure AD objects that represent identities:

• User Accounts

  • Internal: Native or synced from on-prem AD.
  • External (Guests): Invited using B2B collaboration.
  • Format: username@domain.com or user_home#EXT#@tenant.onmicrosoft.com.

💡 Pentest Entry Point: These accounts are prime targets for phishing, password spray, or token theft.

• Service Principals

  • App identities used in automation or backend integrations.
  • Created during App Registration in Azure AD.
  • Authenticated via certificates, secrets, or federated credentials.
  • May have owner accounts who can manage their secrets and permissions.

💡 Red Team Tactic: Service principals with Contributor or Owner rights can be used for persistence or lateral movement.

• Managed Identities

  • System-assigned (linked to one resource) or user-assigned (can be reused).
  • Used to securely allow services to authenticate without credentials.

💡 Attack Vector: If you control a resource with a managed identity, you may impersonate it to get tokens via the Instance Metadata Service (IMDS).

• Groups

  • Contain users or other identities for bulk access control.
  • Types: Security Groups, Microsoft 365 Groups.
  • Memberships can be assigned or dynamic (based on rules).

💡 Escalation Trick: If a dynamic group rule can be matched by a low-privileged user, they may escalate privileges silently.

📜 Role Definitions

A role definition is a collection of permissions. Each role specifies:

  • actions: control plane permissions (e.g., start VM)
  • dataActions: data level access (e.g., read from blob)
  • notActions: excluded control plane permissions
  • notDataActions: excluded data access

πŸ” Example: Contributor Role

1{
2"roleName": "Contributor",
3"permissions": [
4  {
5    "actions": ["*"],
6    "notActions": [
7      "Microsoft.Authorization/*/Delete",
8      "Microsoft.Authorization/*/Write"
9    ]
10  }
11],
12"assignableScopes": ["/"]
13}

💡 Key Insight

Contributor can do almost everything except assign permissions, but that is often enough to escalate (e.g., deploy malicious VMs, inject scripts, extract secrets).

πŸ—ΊοΈ Role Assignment and Scope

RBAC roles can be applied at various scopes

  • Root Management Group
  • Child Management Groups
  • Subscription
  • Resource Group
  • Individual Resource

Access assigned at a higher level cascades downward. An Owner at the root management group can control everything in the tenant.

🚨 Attack Path: If you compromise a token with Owner rights at the subscription level, you can deploy payloads, exfiltrate data, create new users, or disable monitoring.
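The inheritance rule and the Contributor definition above can be checked mechanically. The evaluator below is an added example written for this article, not Microsoft's or the Azure SDK's code; the scopes, principals and assignments are constructed, and it models only control-plane actions/notActions with scope inheritance (no dataActions, deny assignments, or Azure AD roles).

```python
import fnmatch

# Simplified Azure RBAC evaluation written for this article (not Microsoft's
# code). Role definitions use the actions / notActions shape shown above;
# a '*' wildcard matches across '/' segments, as in Azure operation strings.
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write"],
    },
    "Owner": {"actions": ["*"], "notActions": []},
}

# Constructed scopes: a subscription, a resource group in it, a VM in that group.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/prod-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"

# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("alice@contoso.example", "Contributor", SUB),
    ("bob@contoso.example", "Reader", RG),
    ("ci-sp", "Owner", RG),
]

def _matches(patterns, operation):
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)

def role_allows(role_name, operation):
    """A role grants an operation if some action matches and no notAction does."""
    role = ROLES[role_name]
    return _matches(role["actions"], operation) and not _matches(role["notActions"], operation)

def scope_covers(assignment_scope, target_scope):
    """Inheritance: an assignment at a parent scope cascades to every child scope."""
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def effective_roles(assignments, principal, target_scope):
    """Roles a principal holds at a scope, inherited ones included."""
    return sorted(r for p, r, s in assignments if p == principal and scope_covers(s, target_scope))

def is_allowed(assignments, principal, operation, target_scope):
    """True if any assignment for the principal covers the scope and grants the operation."""
    return any(role_allows(r, operation) for r in effective_roles(assignments, principal, target_scope))

if __name__ == "__main__":
    # Contributor at subscription scope reaches the VM but cannot write role assignments;
    # Owner on the resource group cascades down to the VM but not up to the subscription.
    print(is_allowed(ASSIGNMENTS, "alice@contoso.example", "Microsoft.Authorization/roleAssignments/write", RG))  # False
    print(is_allowed(ASSIGNMENTS, "ci-sp", "Microsoft.Authorization/roleAssignments/write", VM))  # True
```

Running effective_roles for a principal against every scope in an exported assignment list is a quick way to see the real blast radius of one identity.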

🎯 Built-in Roles vs. Custom Roles

Most Common Built-in Roles

Role          Permissions Summary
----          -------------------
Reader        View only
Contributor   All actions except RBAC and policy assignments
Owner         Full access + RBAC rights

βš–οΈ Azure RBAC vs. Azure AD Roles

πŸ”„ These are separate systems.

  • Azure RBAC controls access to Azure resources.
  • Azure AD roles control access to identity-related features, like user management, MFA policies, etc.

Each system has its own set of built-in and custom roles. Currently:

  • ~60 Azure AD built-in roles
  • ~220 Azure RBAC built-in roles

🧠 Final Thoughts

RBAC is often misconfigured in real-world Azure environments. Attackers who understand the hierarchy and role inheritance can move from least-privileged users to full tenant control in a surprisingly short time.


🌐 Accessing the Azure Cloud

There are multiple ways to interact with an Azure tenant, and each interface offers specific advantages both for administrators and penetration testers. Understanding these access methods is crucial when enumerating services, executing commands, or abusing permissions.

🔹 Azure Portal

The Azure Portal is a web-based graphical interface used to manage Azure resources. It is accessible via:

  • 🔗 https://portal.azure.com for public cloud
  • Other domains exist for Azure China, Azure Government, and Azure Germany

After authentication through Azure AD, users gain access to dashboards, services, and subscriptions.

🧭 Key Features:

  • Left-hand "blades" for service navigation
  • Global search bar for quick access
  • Switch directory in the top-right to toggle between Azure AD tenants
  • Subscriptions > My Role shows your current RBAC level
  • IAM blade allows you to view all user permissions on a resource

πŸ” Pentester Note:

Misconfigured roles (e.g., users with unexpected Contributor or Owner roles) can often be spotted here during recon.

🖥️ Cloud Shell

Azure Cloud Shell is a browser-based shell available inside the portal and at:

  • 🔗 https://shell.azure.com

You can choose Bash or PowerShell environments; both come preloaded with tools like Azure CLI and kubectl.

⚠️ Security Insight: Cloud Shell runs in the context of the signed-in user. If hijacked, it can be used to escalate privileges or inject malicious commands.

💻 Azure CLI

The Azure CLI is a powerful cross-platform command-line tool that provides programmatic access to Azure services.

🔧 Installation:

Authentication:

az login

You’ll be redirected to a browser for Azure AD authentication. Once logged in, the CLI will list your subscriptions and tenants.

az resource list

🧪 Pentester Use Case

  • Scriptable environment for automation
  • Effective for enumeration, lateral movement, and token replay attacks

💡 Use --help to discover supported subcommands (e.g., az vm, az ad, az keyvault).

🧩 PowerShell + Az Module

PowerShell offers deep integration with Azure through the Az module, making it ideal for large-scale resource manipulation and scripting.

📦 Installation:

Install-Module -Name Az

Connect to Azure

Connect-AzAccount

This will open an Azure AD login window. Once authenticated, you're ready to issue Az commands.

🧰 Features:

  • Tab completion for cmdlets and parameters
  • Access to hundreds of submodules (e.g., Az.Compute, Az.KeyVault)
  • Ideal for complex filtering, reporting, and chaining via the pipeline

🧪 Red Team Insight

PowerShell provides access to tokens, metadata, service principals, and role enumeration, and is often used to build custom enumeration and escalation scripts.

👤 AzureAD Module

This module specializes in Azure Active Directory management and enumeration.

📦 Install and Connect

Install-Module -Name AzureAD
Connect-AzureAD

🧪 Offensive Use:

  • Enumerate users, groups, and app registrations
  • Query group membership
  • Check MFA and conditional access status

Useful for identity pivoting, privilege enumeration, and gathering target metadata.

πŸ” Azure REST APIs

Azure also exposes all of its services via RESTful APIs, enabling powerful low level interaction often used in automation, custom apps, and by penetration testers.

✅ Advantages

  • Native support for OAuth2 access tokens
  • REST endpoints mirror CLI and PowerShell functionality
  • Compatible with tools like:
    • curl
    • Postman
    • httpie

🧪 Pentest Usage:

  • Replay stolen tokens via API calls
  • Execute custom API requests outside monitored tooling
  • Abuse under-documented endpoints
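Because audience claims differ per cloud (see Azure Clouds and Regions above) and every REST call carries an OAuth2 access token, the first check on any token that turns up during an engagement or an investigation is which tenant, cloud and scopes it is bound to. The decoder below is an added example, not code from the original post or from Microsoft; the audience values for the public and US Government clouds are assumptions taken from their resource-manager endpoints, and the sample token is constructed and unsigned.

```python
import base64
import json
import time

# Added for this article (not Microsoft's code). Decodes an access token's
# claims WITHOUT verifying the signature, to see which tenant, cloud and
# audience it was issued for. The audience values below are assumptions for
# the public and US Government clouds (their resource-manager endpoints).
ARM_AUDIENCE = {
    "AzureCloud": "https://management.azure.com/",
    "AzureUSGovernment": "https://management.usgovcloudapi.net/",
}

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def jwt_claims(token):
    """Payload claims of a compact JWS token; the signature is not checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))

def summarize(token, now=None):
    """The fields a reviewer checks first: tenant, subject, audience, scopes, validity."""
    c = jwt_claims(token)
    now = time.time() if now is None else now
    aud = c.get("aud", "").rstrip("/")
    clouds = [name for name, a in ARM_AUDIENCE.items() if aud == a.rstrip("/")]
    return {
        "tenant": c.get("tid"),
        "subject": c.get("upn") or c.get("appid") or c.get("oid"),
        "audience": c.get("aud"),
        "scopes": (c.get("scp") or "").split(),
        "arm_cloud": clouds[0] if clouds else None,
        "expired": c.get("exp", 0) <= now,
    }

def make_sample_token(claims):
    """Constructed, unsigned token (alg 'none', dummy signature) for offline demos only."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(claims)}.x"

# Constructed claims resembling an ARM token issued in Azure Government.
SAMPLE = make_sample_token({
    "aud": "https://management.usgovcloudapi.net/",
    "tid": "11111111-1111-1111-1111-111111111111",
    "upn": "analyst@agency.example",
    "scp": "user_impersonation",
    "exp": 4102444800,  # 2100-01-01 UTC
})
```

Call summarize(SAMPLE) to see the fields; an aud that maps to no entry means the token was not issued for ARM in either of the listed clouds, and a CLI configured for the wrong cloud will not be able to use it.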

πŸ” Summary

Interface     Use Case                                 Offensive Utility
---------     --------                                 -----------------
Portal        Visual management of resources           Great for recon and misconfig analysis
Cloud Shell   In-browser scripting                     Token theft, command injection
Azure CLI     Scripting, enumeration, automation       Recon, lateral movement
PowerShell    Advanced scripting with rich features    Deep analysis, mass queries, automation
REST APIs     Programmatic access to all services      Token abuse, stealth API exploitation

🧠 Azure Resource Manager (ARM): The Control Plane Core

No matter how you're accessing the Azure cloud, whether through the Portal, CLI, PowerShell, or REST APIs, all operations are funneled through a single, unified backend: the Azure Resource Manager (ARM).

Think of ARM as the central control plane that coordinates and manages every action performed on Azure resources.


🔧 What Is Azure Resource Manager?

Azure Resource Manager (ARM) is the orchestration layer that processes, validates, and routes every request made to Azure services.

Whenever you:

  • Deploy a virtual machine
  • Update a key vault
  • Assign an RBAC role
  • Query the status of a resource group

...you're talking to ARM, even if you're using a completely different interface.

✅ Consistent access control: Regardless of interface, ARM ensures that authentication, authorization, and logging remain consistent across all tools and APIs.


πŸ—‚οΈ Resource Providers

ARM communicates with backend services known as resource providers to execute your requests.

Each provider is responsible for a specific category of Azure services:

Provider Namespace        Managed Resources
------------------        -----------------
Microsoft.Compute         Virtual Machines, Disks, Availability Sets
Microsoft.Network         VNETs, NICs, Load Balancers, NSGs
Microsoft.Storage         Storage Accounts, Blobs, Queues, Tables
Microsoft.KeyVault        Secrets, Keys, Certificates
Microsoft.Web             App Services, Function Apps, Logic Apps
Microsoft.Authorization   RBAC, Role Definitions, Role Assignments

You can list all registered providers in your subscription using the CLI:

az provider list --query "[].namespace"

🧪 Pentesting Context

  • ARM acts as a central attack surface. Any request that can be authenticated (using valid tokens, service principals, or managed identities) can be sent directly to ARM via REST APIs, bypassing the UI entirely.
  • Role assignments, deployments, and privilege escalation often involve abusing misconfigured permissions passed through ARM (e.g., Microsoft.Authorization/*/Write).
  • Access to ARM logs or requests (via Azure Monitor or Defender for Cloud) can also expose sensitive operational data.

💡 Red Team Tip: You don't need GUI access to attack Azure. With a valid token and a solid understanding of ARM's API endpoints, you can automate attacks, deploy payloads, or move laterally through services at scale.

🧭 Summary

ARM is the gatekeeper and traffic director of the Azure control plane. It provides:

  • Unified authentication/authorization
  • A consistent deployment model (ARM templates, Bicep, Terraform)
  • A central audit trail for cloud operations
  • A key attack vector during privilege escalation