gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-28 13:43:24 -08:00
Code Issues Packages Projects Releases Wiki Activity

comparison reader with security reader

Browse Source
This commit is contained in:
Carlos Polop
2025-01-26 18:53:24 +01:00
parent 626155bec1
commit ae6616b63b
2 changed files with 24 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md
View File

@@ -2,9 +2,30 @@
{{#include ../../banners/hacktricks-training.md}}
To start a white box hardening review of some Entra ID tenats you need to ask for **Global Reader role on each tenant**. Moreover, to perform a hardening review of different Azure subscriptions you would need at least the **Reader permissions over all the subscriptions**.
To start a white box hardening review of some Entra ID tenats you need to ask for **`Global Reader` role on each tenant**. Moreover, to perform a hardening review of different Azure subscriptions you would need at least the **`Reader`role over all the subscriptions**.
Note that if those roles aren't enough to access all the info you need, you could also ask the client for roles with the permissions you need. Just try to **minimize the amount of not read-only permissions you ask for!**
Another option is to ask for **`Security Reader` role** instead of `Reader` if the client complaints to reduce the granted privileges. However, this increases the possibility of the pentester asking for more read roles later as the `Reader` role grants `"*/read"` while the `Security Reader` role grants:
```json
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*/read",
"Microsoft.IoTSecurity/*/read",
"Microsoft.Support/*/read",
"Microsoft.Security/iotDefenderSettings/packageDownloads/action",
"Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
"Microsoft.Security/iotSensors/downloadResetPassword/action",
"Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
"Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
"Microsoft.Management/managementGroups/read"
]
```
{{#include ../../banners/hacktricks-training.md}}