azure basics

This commit is contained in:
Carlos Polop
2025-02-08 19:23:41 +01:00
parent 117bb933af
commit fd5fc9957a
2 changed files with 22 additions and 3 deletions

View File

@@ -259,8 +259,10 @@ This roles can **also be assigned over logic containers** (such as management gr
- A principal with a excluded permission wont be able to use it even if the permissions is being granted elsewhere
- Its possible to use wildcards
- The used format is a JSON
- `actions` are for control actions over the resource
- `dataActions` are permissions over the data within the object
- `actions` refer to permissions for management operations on resources, such as creating, updating, or deleting resource definitions and settings.
- `dataActions` are permissions for data operations within the resource, allowing you to read, write, or delete the actual data contained in the resource.
- `notActions` and `notDataActions` are used to exclude specific permissions from the role. However, **they don't deny them**, if a different role grants them, the principal will have them.
- `assignableScopes` is an array of scopes where the role can be assigned (like management groups, subscriptions, or resource groups).
Example of permissions JSON for a custom role:
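Review bot: the `actions` / `dataActions` bullets are defined twice in this hunk (the short pair "are for control actions over the resource" / "are permissions over the data within the object" and the longer pair that follows them); keep only the longer, more precise pair so the list doesn't contradict itself in wording. The hunk context also carries several grammar slips worth fixing in the same change: "This roles" → "These roles", "a excluded permission wont" → "an excluded permission won't", "the permissions is being granted" → "the permission is being granted", "Its possible" → "It's possible", "The used format is a JSON" → "The definition is written in JSON". The `notActions` / `notDataActions` bullet makes the important point correctly: they only subtract from the permissions of that same role definition and do not deny anything, so a reader should not confuse them with deny assignments; consider ending that bullet with a pointer to the Deny Assignments section added further down so the two mechanisms are clearly distinguished.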
@@ -297,7 +299,7 @@ Example of permissions JSON for a custom role:
### Permissions order
- In order for a **principal to have some access over a resource** he needs an explicit role being granted to him (anyhow) **granting him that permission**.
- An explicit **deny role assignment takes precedence** over the role granting the permission.
- An explicit **deny assignment takes precedence** over the role granting the permission.
<figure><img src="../../../images/image (191).png" alt=""><figcaption><p><a href="https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10">https://link.springer.com/chapter/10.1007/978-1-4842-7325-8_10</a></p></figcaption></figure>
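Review bot: the old bullet ("An explicit **deny role assignment takes precedence**") and the new one ("An explicit **deny assignment takes precedence**") both appear in the hunk; only the new wording should remain, since "deny assignment" is the actual Azure term and "deny role assignment" suggests a kind of role assignment, which it is not. The first bullet also needs a grammar pass: "he needs an explicit role being granted to him (anyhow)" reads better as "the principal needs a role assignment granting that permission, at any scope in the hierarchy (management group, subscription, resource group or resource)", which also replaces the vague "(anyhow)" with what it actually means.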
@@ -310,6 +312,12 @@ This elevation can be done at the end of the page: [https://portal.azure.com/#vi
<figure><img src="../../../images/image (349).png" alt=""><figcaption></figcaption></figure>
### Deny Assignments
Just like role assignments, **deny assignments** are used to **control access to Azure resources**. However, **deny assignments** are used to **explicitly deny access** to a resource, even if a user has been granted access through a role assignment. **Deny assignments** take precedence over **role assignments**, meaning that if a user is granted access through a role assignment but is also explicitly denied access through a deny assignment, the deny assignment will take precedence.
Just like role assignments, **deny assignments** are applied over some scope indicating the affected principals and the permissions that are being denied. Moreover, in the case of deny assignments, it's possible to **prevent the deny to be inherited** by children resources.
### Azure Policies
**Azure Policies** are rules that help organizations ensure their resources meet specific standards and compliance requirements. They allow you to **enforce or audit settings on resources in Azure**. For example, you can prevent the creation of virtual machines in an unauthorized region or ensure that all resources have specific tags for tracking.
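Review bot: the first paragraph of the new Deny Assignments section states the precedence rule three times in slightly different words; one sentence ("deny assignments take precedence over role assignments, so a permission granted by a role is still blocked if a deny assignment covers it") would carry the same content. In the second paragraph, "prevent the deny to be inherited by children resources" should be "prevent the deny assignment from being inherited by child resources". What the section does not yet say is how deny assignments come to exist: the commands added in the later hunks of this commit only list them (`az rest ... denyAssignments` and `Get-AzDenyAssignment`), and neither `az role assignment` nor `New-AzRoleAssignment` has a deny counterpart in the visible text, so a sentence noting that they are read here rather than created by the user, and where they come from, would save readers from looking for a create command that isn't shown.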

View File

@@ -901,6 +901,10 @@ az role assignment list --all --query "[].{principalName:principalName,principal
az role assignment list --assignee "<email>" --all --output table
# Get all the roles assigned to a user by filtering
az role assignment list --all --query "[?principalName=='admin@organizationadmin.onmicrosoft.com']" --output table
# Get deny assignments
az rest --method GET --uri "https://management.azure.com/{scope}/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01"
## Example scope of subscription
az rest --method GET --uri "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/providers/Microsoft.Authorization/denyAssignments?api-version=2022-04-01"
```
{{#endtab }}
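Review bot: the new `az rest` line uses `{scope}` as its placeholder while the surrounding lines use the angle-bracket style (`<email>`, `<subscription-id>`); switching to `<scope>` keeps the cheat sheet consistent and avoids the reader assuming `az rest` will substitute `{scope}` for them. The second example hard-codes a real-looking subscription GUID; since the line is only meant to show the scope shape, replacing it with `<subscription-id>` (as the PowerShell hunk already does) avoids copy-pasting an ID that belongs to nobody. A short comment saying that the call requires read permission on `Microsoft.Authorization/denyAssignments` at that scope would also help, because an empty result is otherwise ambiguous between "no deny assignments" and "not allowed to list them".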
@@ -936,6 +940,13 @@ Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
# Get deny assignments
Get-AzDenyAssignment # Get from current subscription
Get-AzDenyAssignment -Scope '/subscriptions/96231a05-34ce-4eb4-aa6a-70759cbb5e83/resourcegroups/testRG/providers/Microsoft.Web/sites/site1'
```
{{#endtab }}
{{#endtabs }}
```
{{#endtab }}
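Review bot: the `Get-AzDenyAssignment` lines mirror the `az` hunk well, but the same placeholder point applies: the scope example embeds a concrete subscription GUID, resource group and site name where `<subscription-id>`, `<res_group_name>` and `<site_name>` would match the `Get-AzRoleAssignment -Scope` line just above it. The trailing context is worth a second look as well: after the PowerShell block closes with ``` and `{{#endtab }}` / `{{#endtabs }}`, another ``` and `{{#endtab }}` follow, so either this tabs block is nested inside an outer tab (fine, but easy to break when inserting lines here) or there is a stray fence; rendering the page once after this change would confirm the tabs still close correctly.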