Az - Permissions for a Pentest

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

To start a white box hardening review of one or more Entra ID tenants you need to ask for the Global Reader role on each tenant. Moreover, to perform a hardening review of different Azure subscriptions you need at least the Reader role over all the subscriptions.

Note that if those roles aren't enough to access all the info you need, you can also ask the client for roles with the specific permissions you need. Just try to minimize the number of non-read-only permissions you ask for!

Another option is to ask for the Security Reader role instead of Reader if the client asks to reduce the granted privileges. However, this increases the chance of the pentester having to ask for more read roles later, because the Reader role grants "*/read" while the Security Reader role only grants:

```json
"actions": [
    "Microsoft.Authorization/*/read",
    "Microsoft.Insights/alertRules/read",
    "Microsoft.operationalInsights/workspaces/*/read",
    "Microsoft.Resources/deployments/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Security/*/read",
    "Microsoft.IoTSecurity/*/read",
    "Microsoft.Support/*/read",
    "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
    "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
    "Microsoft.Security/iotSensors/downloadResetPassword/action",
    "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
    "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
    "Microsoft.Management/managementGroups/read"
]
```
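To decide before the engagement whether Security Reader is enough or whether you will have to come back for Reader, it helps to check the actions you expect to need against each role's action list. The following is an added example (not from the page or from any Microsoft tool) that implements Azure RBAC action matching the way it is documented: action strings are compared case-insensitively and `*` matches any substring, including `/` separators, so `"*/read"` covers every read action. The Security Reader actions are the ones listed above; `NEEDED_FOR_REVIEW` is a constructed sample of read actions a subscription hardening review typically touches, and the `notActions` handling is included so the same check works for custom roles that carve permissions out.

```python
import re

# Action list copied from the role definition shown above.
SECURITY_READER = {
    "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*/read",
        "Microsoft.IoTSecurity/*/read",
        "Microsoft.Support/*/read",
        "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
        "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
        "Microsoft.Security/iotSensors/downloadResetPassword/action",
        "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
        "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
        "Microsoft.Management/managementGroups/read",
    ],
    "notActions": [],
}

# Built-in Reader: every read action, nothing excluded.
READER = {"actions": ["*/read"], "notActions": []}


def _pattern(action_glob):
    """Compile an RBAC action string: case-insensitive, '*' spans any characters (including '/')."""
    parts = [re.escape(p) for p in action_glob.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def action_allowed(action, role):
    """True if some entry in role['actions'] matches and no entry in role['notActions'] excludes it."""
    if any(_pattern(n).match(action) for n in role["notActions"]):
        return False
    return any(_pattern(a).match(action) for a in role["actions"])


def coverage(needed, role):
    """Split the needed actions into those the role grants and those it does not."""
    covered = [a for a in needed if action_allowed(a, role)]
    missing = [a for a in needed if not action_allowed(a, role)]
    return covered, missing


def pick_role(needed, candidates):
    """candidates: (name, role) pairs ordered from least to most privileged.
    Returns the name of the first role that covers every needed action, or None."""
    for name, role in candidates:
        if not coverage(needed, role)[1]:
            return name
    return None


# Constructed sample (assumption, not from the page): read actions a subscription
# hardening review is likely to need.
NEEDED_FOR_REVIEW = [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Security/pricings/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Storage/storageAccounts/read",
]

if __name__ == "__main__":
    candidates = [("Security Reader", SECURITY_READER), ("Reader", READER)]
    for name, role in candidates:
        _, missing = coverage(NEEDED_FOR_REVIEW, role)
        print(f"{name}: missing {missing or 'nothing'}")
    print("Least-privileged role that covers the list:", pick_role(NEEDED_FOR_REVIEW, candidates))
```

Running the script shows that Security Reader covers the authorization, Defender and resource group reads but not compute, network or storage, so for this sample list Reader is the least-privileged built-in role that works. The role definitions on the page can drift over time, so before relying on the hard-coded list pull the current one with `az role definition list --name "Security Reader"` and swap it in.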
