improvements

src/pentesting-cloud/azure-security/README.md

@@ -175,23 +175,53 @@ You should start finding out the **permissions you have** over the resources. Fo
 
 The Az PoswerShell command **`Get-AzResource`** lets you **know the resources your current user has visibility over**.
 
-Moreover, you can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" or executing: `az rest --method GET --url "https://management.azure.com/subscriptions/<subscription-id>/resources?api-version=2021-04-01"`
+Moreover, you can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" or executing: 
+```bash
+az rest --method GET --url "https://management.azure.com/subscriptions/<subscription-id>/resources?api-version=2021-04-01"
+```
 
 2. **Find the permissions you have over the resources you have access to and find the roles assigned to you**:
 
 Note that you need the permission **`Microsoft.Authorization/roleAssignments/read`** to execute this action.
 
-Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in: **`Get-AzRoleAssignment -Scope /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4`**. 
+Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in:
+```bash
+Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4
+```
 
-It's also possible to get this information running **`az rest --method GET --uri "https://management.azure.com/<Scope>/providers/Microsoft.Authorization/roleAssignments?api-version=2020-08-01-preview" | jq ".value"`** like in:
+It's also possible to get this information running:
+```bash
+az rest --method GET --uri "https://management.azure.com/<Scope>/providers/Microsoft.Authorization/roleAssignments?api-version=2020-08-01-preview" | jq ".value"
+```
 
-- **`az rest --method GET --uri "https://management.azure.com//subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/vault-m3ww8ut4/providers/Microsoft.Authorization/roleAssignments?api-version=2020-08-01-preview" | jq ".value"`**
+like in:
 
-3. **Find the granular permissions of the roles attached to you **:
+```bash
+az rest --method GET --uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/vault-m3ww8ut4/providers/Microsoft.Authorization/roleAssignments?api-version=2020-08-01-preview" | jq ".value"
+```
+
+Another option is to get the roles attached to you in azure with:
+
+```bash
+az role assignment list --assignee "<email>" --all --output table
+```
+
+Or running the following (If the results are empty it might be because you don't have the permission to get them):
+
+```bash
+az rest --method GET --uri 'https://management.azure.com/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter=principalId eq '<user-id>'
+```
+
+
+3. **Find the granular permissions of the roles attached to you**:
 
 Then, to get the granular permission you could run **`(Get-AzRoleDefinition -Id "<RoleDefinitionId>").Actions`**.
 
-Or call the API directly with **`az rest --method GET --uri "https://management.azure.com//subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<RoleDefinitionId>?api-version=2020-08-01-preview" | jq ".properties"`**.
+Or call the API directly with
+
+```bash
+az rest --method GET --uri "https://management.azure.com//subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<RoleDefinitionId>?api-version=2020-08-01-preview" | jq ".properties"
+```
 
 
 In the following section you can find **information about the most common Azure services and how to enumerate them**:

src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md

@@ -12,6 +12,16 @@ Here are a couple of examples:
 1. **Sign-In Risk Policy**: This policy could be set to require multi-factor authentication (MFA) when a sign-in risk is detected. For example, if a user's login behavior is unusual compared to their regular pattern, such as logging in from a different country, the system can prompt for additional authentication.
 2. **Device Compliance Policy**: This policy can restrict access to Azure services only to devices that are compliant with the organization's security standards. For instance, access could be allowed only from devices that have up-to-date antivirus software or are running a certain operating system version.
 
+## Enumeration
+
+```bash
+# Get all the policies from Azure without needing any special permission with (idea from https://github.com/LuemmelSec/APEX/blob/main/APEX.ps1)
+az rest --method GET --uri 'https://graph.windows.net/<tenant-id>/policies?api-version=1.61-internal' | jq '.value[] | select(.policyType == 18) | {displayName, policyDetail: (.policyDetail[] | fromjson)}'
+
+# You need Policy.Read.ConditionalAccess or Policy.Read.All permission in Entra ID
+az rest --method get --uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies"
+```
+
 ## Conditional Acces Policies Bypasses
 
 It's possible that a conditional access policy is **checking some information that can be easily tampered allowing a bypass of the policy**. And if for example the policy was configuring MFA, the attacker will be able to bypass it.