diff --git a/src/pentesting-cloud/azure-security/az-basic-information/README.md b/src/pentesting-cloud/azure-security/az-basic-information/README.md
index 6aa5adc72..ceddaac34 100644
--- a/src/pentesting-cloud/azure-security/az-basic-information/README.md
+++ b/src/pentesting-cloud/azure-security/az-basic-information/README.md
@@ -259,8 +259,10 @@ This roles can **also be assigned over logic containers** (such as management gr
- A principal with a excluded permission won’t be able to use it even if the permissions is being granted elsewhere
- It’s possible to use wildcards
- The used format is a JSON
- - `actions` are for control actions over the resource
- - `dataActions` are permissions over the data within the object
+ - `actions` refer to permissions for management operations on resources, such as creating, updating, or deleting resource definitions and settings.
+ - `dataActions` are permissions for data operations within the resource, allowing you to read, write, or delete the actual data contained in the resource.
+ - `notActions` and `notDataActions` are used to exclude specific permissions from the role. However, **they don't deny them**, if a different role grants them, the principal will have them.
+ - `assignableScopes` is an array of scopes where the role can be assigned (like management groups, subscriptions, or resource groups).
Example of permissions JSON for a custom role:
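Review bot: the added `notActions`/`notDataActions` bullet contradicts the unchanged bullet at the top of this hunk, which still says a principal with an excluded permission "won't be able to use it even if the permissions is being granted elsewhere". The new bullet says the opposite: exclusions are not a deny, and another role can still grant the permission. Remove or rewrite the older bullet so the list gives one answer. Also split the comma splice in "**they don't deny them**, if a different role grants them" into two sentences.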
@@ -297,7 +299,7 @@ Example of permissions JSON for a custom role:
### Permissions order
- In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**.
-- An explicit **deny role assignment takes precedence** over the role granting the permission.
+- An explicit **deny assignment takes precedence** over the role granting the permission.
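Review bot: the reworded bullet now uses the term "deny assignment" but gives the reader no pointer to the "### Deny Assignments" section that this same patch adds further down the file. Link the term to that section here so the precedence rule and its explanation are connected.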
@@ -310,6 +312,12 @@ This elevation can be done at the end of the page: [https://portal.azure.com/#vi
+### Deny Assignments
+
+Just like role assignments, **deny assignments** are used to **control access to Azure resources**. However, **deny assignments** are used to **explicitly deny access** to a resource, even if a user has been granted access through a role assignment. **Deny assignments** take precedence over **role assignments**, meaning that if a user is granted access through a role assignment but is also explicitly denied access through a deny assignment, the deny assignment will take precedence.
+
+Just like role assignments, **deny assignments** are applied over some scope indicating the affected principals and the permissions that are being denied. Moreover, in the case of deny assignments, it's possible to **prevent the deny to be inherited** by children resources.
+
### Azure Policies
**Azure Policies** are rules that help organizations ensure their resources meet specific standards and compliance requirements. They allow you to **enforce or audit settings on resources in Azure**. For example, you can prevent the creation of virtual machines in an unauthorized region or ensure that all resources have specific tags for tracking.
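Review bot: the first paragraph of the new "Deny Assignments" section states the precedence rule twice ("**Deny assignments** take precedence over **role assignments**, meaning that ... the deny assignment will take precedence"); keep one statement and drop the restatement. In the second paragraph, "prevent the deny to be inherited by children resources" should read "prevent the deny from being inherited by child resources", and it would help to name the setting that controls this so readers can look for it when reviewing an assignment.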
diff --git a/src/pentesting-cloud/azure-security/az-services/az-azuread.md b/src/pentesting-cloud/azure-security/az-services/az-azuread.md
index 1cfedb5d7..161032346 100644
--- a/src/pentesting-cloud/azure-security/az-services/az-azuread.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-azuread.md
@@ -901,6 +901,10 @@ az role assignment list --all --query "[].{principalName:principalName,principal
az role assignment list --assignee "" --all --output table
# Get all the roles assigned to a user by filtering
az role assignment list --all --query "[?principalName=='admin@organizationadmin.onmicrosoft.com']" --output table
+# Get deny assignments
+az rest --method GET --uri "https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01"
+## Example scope of subscription
+az rest --method GET --uri "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01"
```
{{#endtab }}
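Review bot: the "Example scope of subscription" line hard-codes a concrete subscription GUID (`9291ff6e-...`) into the documentation. Use a placeholder such as `<subscription-id>` instead, so the example does not publish what looks like a real tenant identifier and matches the `{scope}` template on the line above. That template also writes `management.azure.com/{scope}` while the example scope has no leading slash; say explicitly that `{scope}` is given without the leading `/`, otherwise a pasted scope like `/subscriptions/...` produces a double slash in the URI.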
@@ -936,6 +940,13 @@ Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions//resourceGroups//providers/Microsoft.Compute/virtualMachines/
+# Get deny assignments
+Get-AzDenyAssignment # Get from current subscription
+Get-AzDenyAssignment -Scope '/subscriptions/96231a05-34ce-4eb4-aa6a-70759cbb5e83/resourcegroups/testRG/providers/Microsoft.Web/sites/site1'
+```
+
+{{#endtab }}
+{{#endtabs }}
```
{{#endtab }}
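Review bot: the added closing fence, `{{#endtab }}` and `{{#endtabs }}` lines sit directly above the existing closing fence and `{{#endtab }}` that remain as context, so after this change the PowerShell block is closed twice. The second fence opens a new, unterminated code block and the trailing `{{#endtab }}` has no matching tab. Drop the three added closing lines (or remove the old ones in the same hunk) so there is exactly one fence and one tab terminator. The `Get-AzDenyAssignment -Scope` example also embeds a concrete subscription GUID; replace it with a placeholder.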