# Azure

<figure><img src="/files/D3MFHCcox8RgA4x2jvBR" alt="" width="375"><figcaption></figcaption></figure>

## Contents

{% content-ref url="/pages/9Be8jHwkX1moQ8nywWY1" %}
[Architecture](/pentesting-notes/cloud/azure/architecture.md)
{% endcontent-ref %}

{% content-ref url="/pages/3WUMf3c1jJpeIsJOZjyS" %}
[Service Discovery, Recon, Enumeration and Initial Access Attacks](/pentesting-notes/cloud/azure/service-discovery-recon-enumeration-and-initial-access-attacks.md)
{% endcontent-ref %}

{% content-ref url="/pages/pJufUoZVutlamNexMvZ5" %}
[Authenticated Enumeration](/pentesting-notes/cloud/azure/authenticated-enumeration.md)
{% endcontent-ref %}

{% content-ref url="/pages/UI0YjpNDhgAOuBWXtFGf" %}
[Privilege Escalation](/pentesting-notes/cloud/azure/privilege-escalation.md)
{% endcontent-ref %}

{% content-ref url="/pages/0WFxtqYavEHN42mjgY6x" %}
[Lateral Movement](/pentesting-notes/cloud/azure/lateral-movement.md)
{% endcontent-ref %}

## Introduction

**Entra ID** is the new name for what was previously known as **Azure Active Directory (Azure AD)**, Microsoft's cloud-based identity and access management service. It is part of the **Microsoft Entra** product family, which focuses on securing and managing access across various digital environments, such as cloud, on-premises, and hybrid setups.

<figure><img src="/files/9bwvqmpZ22VxJUMtkMvs" alt=""><figcaption></figcaption></figure>

Microsoft Entra ID empowers organizations to manage and secure identities so people can access the applications and services they need. Microsoft Entra ID provides an identity solution that integrates broadly, from on-premises legacy apps to thousands of top software-as-a-service (SaaS) applications.

## Azure Kill Chain

<figure><img src="/files/zSXSnMKM6mDFt5eYLp6o" alt=""><figcaption></figcaption></figure>

* **Reconnaissance**\
  Attackers gather information about the target's Azure footprint, such as public-facing applications, IP ranges, the Entra ID (Azure AD) tenant configuration that Microsoft's public login endpoints reveal without authentication (tenant ID, whether a domain is managed or federated), and exposed APIs. This phase is largely passive; Azure CLI, PowerShell modules, or third-party scanners may be used to automate it.
* **Initial Access**\
  Attackers gain a foothold in the Azure tenant. This could involve exploiting weak credentials, phishing attacks to steal Entra ID credentials or tokens, exploiting exposed APIs, or compromising an application hosted in Azure.
* **Enumeration**\
  Enumeration is the active, usually authenticated, listing of resources, configurations, users, groups, applications and role assignments in the tenant and its subscriptions (for example through the Microsoft Graph and Azure Resource Manager APIs) to find misconfigurations or permissions that can be abused. It is deeper and more targeted than reconnaissance, which is mostly passive.
* **Privilege Escalation**\
  After gaining access, attackers aim to elevate privileges to obtain broader control over the tenant. They may abuse misconfigured Azure role-based access control (RBAC) assignments, Entra ID roles or application permissions, managed identities attached to compromised compute, or vulnerabilities in virtual machines or containers.
* **Persistence**\
  Attackers establish mechanisms to maintain long-term access. In Azure, this might involve creating malicious service principals or adding credentials to existing app registrations, altering configurations for continuous access, or deploying backdoors in virtual machines or serverless functions.
* **Lateral Movement**\
  Attackers navigate the Azure environment to find and access additional resources. This could involve moving between subscriptions, pivoting between Entra ID identities and Azure resources, or accessing storage accounts, databases, or other resources linked to Azure services.

## Permissions for white/greybox pentest

To start a white/greybox hardening review of one or more Entra ID tenants, ask for the **`Global Reader` directory role on each tenant**. To review the Azure subscriptions as well, you additionally need at least the **`Reader` Azure RBAC role over every subscription in scope**; assigning it once at the tenant root management group (or at the management group that contains the subscriptions) is simpler than per-subscription assignments, because RBAC assignments inherit downwards.

Note that if those roles aren't enough to access all the info you need (for example, `Reader` covers the control plane but not data-plane reads such as Key Vault secrets or storage blob contents), you can ask the client for additional roles carrying exactly the permissions you need. Just try to **minimize the amount of not read-only permissions you ask for!**
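Before starting the review it is worth checking that what was granted actually matches what was asked for. The script below is an added example (not part of the original notes) that consumes the JSON output of `az account list -o json`, `az role assignment list --all --assignee <object-id> -o json` and `az rest --method GET --url https://graph.microsoft.com/v1.0/me/memberOf`, and reports subscriptions without read coverage, any non-read-only rights that were granted, and whether Global Reader is active. The management-group ancestry map is assumed to be filled in by the operator (for example from `az account management-group show --name <root> --expand --recurse`); the subscriptions, assignments and Graph response embedded below are constructed sample data.

```python
"""Verify that the access granted for a white/greybox Azure review matches what
was asked for: Global Reader in Entra ID, at least Reader on every subscription
in scope, and as few non-read-only rights as possible.

Inputs are the JSON documents produced by
  az account list -o json
  az role assignment list --all --assignee <object-id> -o json
  az rest --method GET --url https://graph.microsoft.com/v1.0/me/memberOf
Assumption: MG_ANCESTORS (subscription ID -> management groups above it) is
filled in by the operator, because role assignments made at a management group
inherit down to the subscriptions beneath it.
The sample documents below are constructed, not taken from a real tenant.
"""
import json

READ_ROLES = {"Reader", "Contributor", "Owner"}          # roles that include full control-plane read
WRITE_ROLES = {"Contributor", "Owner", "User Access Administrator"}
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


def scope_covers_subscription(scope: str, sub_id: str, mg_ancestors: dict) -> bool:
    """True if an assignment at `scope` applies to the whole subscription."""
    scope = scope.rstrip("/")
    if scope == "":                                       # tenant root scope "/"
        return True
    if scope.lower() == f"/subscriptions/{sub_id}".lower():
        return True
    if scope.startswith(MG_PREFIX):                      # inherited from a management group
        return scope[len(MG_PREFIX):] in mg_ancestors.get(sub_id, set())
    return False                                          # resource-group or resource scope only


def subscriptions_missing_reader(subscriptions, assignments, mg_ancestors) -> list:
    """Names of subscriptions where no assignment grants subscription-wide read."""
    missing = []
    for sub in subscriptions:
        if not any(a["roleDefinitionName"] in READ_ROLES
                   and scope_covers_subscription(a["scope"], sub["id"], mg_ancestors)
                   for a in assignments):
            missing.append(sub["name"])
    return missing


def write_assignments(assignments) -> list:
    """Non-read-only RBAC rights, which a hardening review should not need."""
    return [(a["roleDefinitionName"], a["scope"]) for a in assignments
            if a["roleDefinitionName"] in WRITE_ROLES]


def has_directory_role(member_of: dict, role_name: str = "Global Reader") -> bool:
    # /me/memberOf lists active directory roles only; a PIM-eligible role must be
    # activated first or it will not show up here.
    return any(obj.get("@odata.type") == "#microsoft.graph.directoryRole"
               and obj.get("displayName") == role_name
               for obj in member_of.get("value", []))


def access_report(subscriptions, assignments, member_of, mg_ancestors) -> dict:
    return {
        "global_reader": has_directory_role(member_of),
        "subscriptions_without_reader": subscriptions_missing_reader(
            subscriptions, assignments, mg_ancestors),
        "write_rights_granted": write_assignments(assignments),
    }


# --- constructed sample data (hypothetical tenant) ---------------------------
SUB_PROD = "00000000-0000-0000-0000-00000000000a"
SUB_DEV = "00000000-0000-0000-0000-00000000000b"
SUB_SANDBOX = "00000000-0000-0000-0000-00000000000c"
SAMPLE_SUBSCRIPTIONS = [{"id": SUB_PROD, "name": "prod"},
                        {"id": SUB_DEV, "name": "dev"},
                        {"id": SUB_SANDBOX, "name": "sandbox"}]
SAMPLE_ASSIGNMENTS = [
    # Reader on the "corp" management group covers prod and dev, not sandbox.
    {"roleDefinitionName": "Reader", "scope": MG_PREFIX + "corp"},
    # Contributor on one resource group: more rights than needed, and still no
    # subscription-wide read on sandbox.
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/" + SUB_SANDBOX + "/resourceGroups/rg-web"},
]
SAMPLE_MEMBER_OF = {"value": [
    {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"},
    {"@odata.type": "#microsoft.graph.group", "displayName": "Pentest-Team"},
]}
MG_ANCESTORS = {SUB_PROD: {"corp"}, SUB_DEV: {"corp"}, SUB_SANDBOX: {"sandbox"}}

if __name__ == "__main__":
    print(json.dumps(access_report(SAMPLE_SUBSCRIPTIONS, SAMPLE_ASSIGNMENTS,
                                   SAMPLE_MEMBER_OF, MG_ANCESTORS), indent=2))
```

On the constructed data the report flags `sandbox` as lacking subscription-wide read and the resource-group `Contributor` as a write right that should be swapped for `Reader` at subscription scope. Replace the sample constants with the real `az` output (and the ancestry map with the client's management-group tree) to run the same check on an engagement.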

