Azure Enumeration

Intermediate · 40 min · Writeup

Enumerating Azure environments

Learning Objectives

  • Enumerate Azure AD
  • Find exposed resources
  • Use Azure CLI/PowerShell
  • Enumerate blob storage

Azure enumeration is the process of discovering resources, identities, and attack surfaces in Microsoft's cloud platform. Unlike AWS, Azure is deeply integrated with Microsoft's ecosystem - Active Directory, Office 365, and Windows environments. This integration creates unique enumeration opportunities.

Azure enumeration often starts with unauthenticated discovery of Azure AD tenants, blob storage, and web apps. With credentials, you can map the entire Azure subscription: virtual machines, databases, key vaults, and more. Understanding Azure's structure is key to effective penetration testing.

Azure AD = Entra ID

Microsoft rebranded Azure AD to "Microsoft Entra ID" in 2023. Many tool names, cmdlets and API paths still say "Azure AD" (the AzureAD module, AADInternals, AzureHound, AAD error codes), so this page uses both names interchangeably.

Azure Structure

Azure Hierarchy:

Microsoft Entra ID (Azure AD) Tenant
├── Users, Groups, Service Principals, Managed Identities
└── Management Groups (optional organizational level)
    └── Subscriptions (billing and RBAC boundary)
        └── Resource Groups (logical containers)
            └── Resources (VMs, Storage, Databases, etc.)

Key Concepts:
─────────────────────────────────────────────────────────────────────
Tenant            │ Entra ID instance, contains all identities
                  │ Identified by tenant ID (GUID) or a verified domain name
─────────────────────────────────────────────────────────────────────
Subscription      │ Billing container for Azure resources
                  │ One tenant can have many subscriptions; each subscription trusts exactly one tenant
─────────────────────────────────────────────────────────────────────
Resource Group    │ Logical grouping of resources
                  │ Role assignments inherit downward: management group → subscription → RG → resource
─────────────────────────────────────────────────────────────────────
RBAC              │ Role-Based Access Control for resources (Owner, Contributor, Reader, ...)
                  │ Roles assigned at a scope (subscription/RG/resource); separate from Entra directory roles
─────────────────────────────────────────────────────────────────────
Service Principal │ Identity of an application in the tenant (closest AWS analogue: IAM role)
                  │ Used for automation and app access; authenticates with a client secret or certificate
─────────────────────────────────────────────────────────────────────
Managed Identity  │ Service principal that Azure creates and rotates for a resource (VM, App Service, Function)
                  │ No credentials to manage; the resource fetches tokens from the instance metadata service

Unauthenticated Enumeration

bash
# Finding Azure Resources Without Credentials

# Tenant Discovery
─────────────────────────────────────────────────────────────────────
# Check if company uses Azure AD (Entra ID)
curl -s https://login.microsoftonline.com/company.com/.well-known/openid-configuration
# Tenant exists: JSON with authorization/token endpoints
# No tenant: HTTP 400 with error AADSTS90002 ("Tenant ... not found")

# Get tenant ID
curl -s https://login.microsoftonline.com/company.com/v2.0/.well-known/openid-configuration | jq -r .issuer
# Returns: https://login.microsoftonline.com/{tenant-id}/v2.0

# Check if domain is federated (quote the URL: & is special to the shell)
curl -s "https://login.microsoftonline.com/getuserrealm.srf?login=test@company.com&xml=1"
# NameSpaceType tells you: Managed (cloud-only) vs Federated (on-prem AD/ADFS)
# For Federated, AuthURL is the federation server endpoint (often an ADFS host worth a look)


# Azure Blob Storage Discovery
─────────────────────────────────────────────────────────────────────
# Blob storage URLs:
# https://{account}.blob.core.windows.net/{container}/{blob}
# Account names are globally unique, 3-24 lowercase letters/digits

# Check if storage account exists
curl -I https://company.blob.core.windows.net
# 200/400 = exists, DNS resolution failure = doesn't exist
dig +short company.blob.core.windows.net      # same check, no HTTP request

# Try common container names
for c in public backup data files uploads '$web'; do
  echo "== $c"
  curl -s "https://company.blob.core.windows.net/$c?restype=container&comp=list"
done
# 200 with <EnumerationResults>      = anonymous listing allowed (container-level public access)
# 404 ContainerNotFound              = no such container
# 404 ResourceNotFound               = container exists but is not listable anonymously (private or blob-level access)
# 409 PublicAccessNotPermitted       = the account disallows public access entirely

# MicroBurst blob enumeration (PowerShell; brute-forces account and container names)
Import-Module .\MicroBurst.psm1
Invoke-EnumerateAzureBlobs -Base company


# Azure Web Apps Discovery
─────────────────────────────────────────────────────────────────────
# Web app URLs:
# https://{appname}.azurewebsites.net
# https://{appname}.scm.azurewebsites.net (Kudu management site)

# Check if app exists
curl -I https://company-app.azurewebsites.net

# Kudu console: normally answers 401 (Basic auth with the deployment credentials); worth noting, rarely open
curl -I https://company-app.scm.azurewebsites.net

# Azure Functions (HTTP-triggered functions, usually protected by a function key in ?code=):
# https://{functionapp}.azurewebsites.net/api/{function}


# DNS Enumeration for Azure
─────────────────────────────────────────────────────────────────────
# Common Azure subdomains
subfinder -d company.com | grep -E 'azure|microsoft|windows.net'

# Azure service DNS patterns:
*.blob.core.windows.net        # Blob storage
*.file.core.windows.net        # File storage
*.queue.core.windows.net       # Queue storage
*.table.core.windows.net       # Table storage
*.database.windows.net         # SQL Database
*.documents.azure.com          # Cosmos DB
*.vault.azure.net              # Key Vault
*.azurewebsites.net            # Web Apps / Functions
*.azurecr.io                   # Container Registry
*.azure-api.net                # API Management
*.cloudapp.azure.com           # Public IPs with a DNS label ({label}.{region}.cloudapp.azure.com)
*.azureedge.net                # CDN
*.trafficmanager.net           # Traffic Manager
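The container probing above can be scripted so the response codes are interpreted for you. The following is an added example for this page, not code from the original writeup or from MicroBurst: it sends the same `?restype=container&comp=list` request for a wordlist of container names, classifies each answer by HTTP status and the `<Code>` element in the storage service's XML error body, and parses blob names and sizes out of a successful listing. The storage account `company` and the XML bodies in `SAMPLE_*` are constructed so the parsers can be exercised offline.

```python
"""Anonymous Azure blob container probing and response interpretation (added example)."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# What the storage service tells an anonymous caller: (HTTP status, XML <Code>) -> meaning.
VERDICTS = {
    (404, "ContainerNotFound"): "no such container",
    (404, "ResourceNotFound"): "container exists but anonymous listing is off (private or blob-level access)",
    (409, "PublicAccessNotPermitted"): "account disallows public access entirely",
}


def _error_code(body: str) -> str:
    """Extract <Code> from an Azure storage error body; '' if the body is not XML."""
    try:
        return ET.fromstring(body).findtext("Code") or ""
    except ET.ParseError:
        return ""


def parse_blob_listing(body: str):
    """Return [(name, size_bytes)] from an <EnumerationResults> listing body."""
    root = ET.fromstring(body)
    blobs = []
    for blob in root.iter("Blob"):
        name = blob.findtext("Name") or ""
        size = blob.findtext("Properties/Content-Length") or "0"
        blobs.append((name, int(size)))
    return blobs


def classify_container_response(status: int, body: str):
    """Map (status, body) to a verdict string plus the blob list for public containers."""
    if status == 200 and "<EnumerationResults" in body:
        return "PUBLIC: anonymous listing allowed", parse_blob_listing(body)
    verdict = VERDICTS.get((status, _error_code(body)))
    return verdict or f"unexpected response {status} {_error_code(body)}".rstrip(), []


def probe(account: str, containers):
    """Probe each container name anonymously; yields (container, verdict, blobs)."""
    for c in containers:
        url = f"https://{account}.blob.core.windows.net/{c}?restype=container&comp=list"
        try:
            with urllib.request.urlopen(url, timeout=15) as resp:
                status, body = resp.status, resp.read().decode()
        except urllib.error.HTTPError as e:          # 404/409 arrive as exceptions
            status, body = e.code, e.read().decode()
        verdict, blobs = classify_container_response(status, body)
        yield c, verdict, blobs


# Constructed sample bodies (not captured from a real storage account).
SAMPLE_LISTING = (
    '<EnumerationResults ServiceEndpoint="https://company.blob.core.windows.net/" ContainerName="backup">'
    "<Blobs><Blob><Name>db-2024-01.bak</Name><Properties><Content-Length>52428800</Content-Length></Properties></Blob>"
    "<Blob><Name>secrets/.env</Name><Properties><Content-Length>412</Content-Length></Properties></Blob>"
    "</Blobs><NextMarker /></EnumerationResults>"
)
SAMPLE_NOT_FOUND = "<Error><Code>ContainerNotFound</Code><Message>The specified container does not exist.</Message></Error>"
SAMPLE_PRIVATE = "<Error><Code>ResourceNotFound</Code><Message>The specified resource does not exist.</Message></Error>"

if __name__ == "__main__":
    account = sys.argv[1] if len(sys.argv) > 1 else "company"
    names = sys.argv[2:] or ["public", "backup", "data", "files", "uploads", "$web"]
    for container, verdict, blobs in probe(account, names):
        print(f"{container:12} {verdict}")
        for name, size in blobs:
            print(f"    {size:>12} {name}")
```

Real listings are paged: when `<NextMarker>` is non-empty, repeat the request with `&marker=<value>` to get the rest. A 404 ResourceNotFound container may still serve individual blobs anonymously (blob-level public access), so a container that refuses listing is not necessarily closed; guessing blob names inside it is the next step.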
powershell
# PowerShell Unauthenticated Enumeration

# AADInternals - Azure AD reconnaissance
Install-Module AADInternals
Import-Module AADInternals

# Get tenant info
Get-AADIntTenantID -Domain company.com
Get-AADIntLoginInformation -Domain company.com

# Outsider recon: tenant ID, tenant brand name, every domain registered to the tenant,
# federation status per domain, Desktop SSO status
Invoke-AADIntReconAsOutsider -DomainName company.com

# AADInternals also wraps user enumeration:
Invoke-AADIntUserEnumerationAsOutsider -UserName "admin@company.com"


# User Enumeration (if enabled)
# Works unless the tenant blocks it; the endpoint is rate-limited, so watch ThrottleStatus
$users = @("admin@company.com", "hr@company.com", "it@company.com")
foreach ($user in $users) {
    $body = @{ Username = $user } | ConvertTo-Json
    $result = Invoke-RestMethod -Uri "https://login.microsoftonline.com/common/GetCredentialType" -Method POST -Body $body -ContentType "application/json"
    if ($result.ThrottleStatus -ne 0) { Write-Warning "Throttled while checking $user"; continue }
    # IfExistsResult: 0 or 6 = exists, 5 = exists but uses another identity provider, 1 = does not exist
    if (@(0, 5, 6) -contains $result.IfExistsResult) {
        Write-Output "EXISTS: $user"
    }
}

Authenticated Enumeration

bash
# Azure CLI Enumeration

# Login
az login                            # Interactive browser login
az login --use-device-code          # Device code flow (for headless)
az login --service-principal -u APP_ID -p SECRET --tenant TENANT_ID
az login --identity                 # From inside a VM: authenticate as its managed identity

# Get current account info
az account show
az account list --output table      # All accessible subscriptions
az account get-access-token --resource https://graph.microsoft.com   # Token to reuse in other tools

# Set subscription
az account set --subscription "Subscription Name"


# Resource Enumeration
─────────────────────────────────────────────────────────────────────
# List all resources in subscription
az resource list --output table

# List resource groups
az group list --output table

# List virtual machines (-d adds power state and IP addresses, which plain list lacks)
az vm list -d --output table
az vm list -d --query '[].{Name:name, RG:resourceGroup, IP:publicIps}' --output table

# List storage accounts, including whether anonymous blob access is allowed
az storage account list --query '[].{Name:name, RG:resourceGroup, PublicBlob:allowBlobPublicAccess}' --output table
# List containers in an account with your own identity (data-plane RBAC, e.g. Storage Blob Data Reader)
az storage container list --account-name ACCOUNT --auth-mode login --output table

# List web apps
az webapp list --output table

# List SQL databases
az sql server list --output table
az sql db list --server SERVER_NAME --resource-group RG --output table


# Network Enumeration
─────────────────────────────────────────────────────────────────────
# List virtual networks
az network vnet list --output table

# List network security groups
az network nsg list --output table

# Get NSG rules (look for inbound Allow rules whose source is *, Internet or 0.0.0.0/0)
az network nsg rule list --nsg-name NSG_NAME --resource-group RG --output table
az network nsg rule list --nsg-name NSG_NAME --resource-group RG \
  --query "[?direction=='Inbound' && access=='Allow' && (sourceAddressPrefix=='*' || sourceAddressPrefix=='Internet' || sourceAddressPrefix=='0.0.0.0/0')]" \
  --output table

# List public IPs
az network public-ip list --output table


# Key Vault Enumeration (secrets!)
─────────────────────────────────────────────────────────────────────
# List key vaults
az keyvault list --output table

# List secrets in vault (needs data-plane access: an access policy or a Key Vault Secrets User/Officer role)
az keyvault secret list --vault-name VAULT_NAME --output table

# Get secret value
az keyvault secret show --vault-name VAULT_NAME --name SECRET_NAME --query value --output tsv


# Role Assignments (who has access to what)
─────────────────────────────────────────────────────────────────────
az role assignment list --all --output table
az role assignment list --assignee user@company.com --all --output table
powershell
# PowerShell Azure Enumeration

# Az Module (Azure Resource Manager)
Install-Module Az
Connect-AzAccount
Connect-AzAccount -Identity          # From inside a VM: use its managed identity

# Get subscription info
Get-AzSubscription
Set-AzContext -Subscription "Subscription Name"

# Resource enumeration
Get-AzResource
Get-AzResourceGroup
Get-AzVM
Get-AzStorageAccount
Get-AzWebApp
Get-AzKeyVault

# Get role assignments (who has access to what)
Get-AzRoleAssignment
Get-AzRoleAssignment -SignInName user@company.com      # one principal
Get-AzRoleAssignment | Where-Object { $_.RoleDefinitionName -in "Owner", "User Access Administrator" }


# AzureAD Module (deprecated: retired by Microsoft in 2024, may still be installed in older environments)
Connect-AzureAD

# Users
Get-AzureADUser -All $true
Get-AzureADUser -SearchString "admin"

# Groups
Get-AzureADGroup -All $true
Get-AzureADGroupMember -ObjectId GROUP_ID

# Service Principals (applications)
Get-AzureADServicePrincipal -All $true

# App Registrations
Get-AzureADApplication -All $true


# Microsoft Graph PowerShell (the replacement for the AzureAD module)
Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All", "Application.Read.All", "RoleManagement.Read.Directory"

Get-MgUser -All
Get-MgGroup -All
Get-MgGroupMember -GroupId GROUP_ID
Get-MgApplication -All
Get-MgServicePrincipal -All

# Entra directory roles (Global Administrator etc.) are separate from Azure RBAC; list members of each activated role
Get-MgDirectoryRole | ForEach-Object {
    Write-Output "== $($_.DisplayName)"
    Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id
}

Check Role Assignments

After initial enumeration, always check Get-AzRoleAssignment (or `az role assignment list --all`). Understanding who has access to what reveals misconfigurations and potential privilege escalation paths. Keep in mind that Azure RBAC and Entra directory roles are two separate systems: a Global Administrator has no Azure RBAC rights by default, but can grant themselves User Access Administrator over every subscription in the tenant with a single elevation toggle, so enumerate both sides before deciding who really controls the resources.

Azure Enumeration Tools

bash
# Specialized Azure Security Tools

# AzureHound (BloodHound for Azure)
─────────────────────────────────────────────────────────────────────
# Collects Entra ID and Azure RM data for attack path analysis
azurehound list -u user@company.com -p password -t TENANT_ID -o output.json

# Or with a refresh token
azurehound list -r REFRESH_TOKEN -o output.json

# Import output.json into BloodHound for visualization


# ROADtools (Entra ID analysis)
─────────────────────────────────────────────────────────────────────
# Gather Entra ID data into a local database
roadrecon auth -u user@company.com -p password
roadrecon gather

# Launch GUI for analysis
roadrecon gui

# Shows: Users, groups, apps, service principals, devices, roles


# MicroBurst (PowerShell toolkit)
─────────────────────────────────────────────────────────────────────
Import-Module .\MicroBurst.psm1

# Blob enumeration (unauthenticated)
Invoke-EnumerateAzureBlobs -Base company

# Subscription enumeration (dumps resources, users, groups, role assignments to files)
Get-AzDomainInfo -folder output

# Credential dumping: Automation account RunAs credentials, Key Vault secrets, App Service config, storage keys
Get-AzPasswords
# (older MicroBurst versions named this Get-AzurePasswords)


# ScoutSuite (multi-cloud security auditing)
─────────────────────────────────────────────────────────────────────
scout azure --cli             # reuse the current az login session
scout azure --user-account    # or prompt for user credentials
# Generates HTML report with security findings


# PowerZure (Azure pentest toolkit)
─────────────────────────────────────────────────────────────────────
Import-Module .\PowerZure.psm1

# Enumeration
Get-AzureTargets
Get-AzureRunAsAccounts
Get-AzureKeyVaultContent

# Privilege escalation
Get-AzureRole
Invoke-AzureElevatedAccessReview

Azure Metadata Service

bash
# Azure Instance Metadata Service (IMDS)

# Same IP as AWS, but every request needs the "Metadata: true" header,
# must not go through a proxy (hence --noproxy), and only works from inside the VM
http://169.254.169.254/metadata/

# Get instance info
curl -s --noproxy "*" -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | jq .

# Response includes:
# - VM name, resource group, subscription ID
# - Network configuration
# - Tags


# Get Managed Identity Token (THE PRIZE!)
─────────────────────────────────────────────────────────────────────
# Token for Azure Resource Manager
curl -s --noproxy "*" -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

# Response:
{
  "access_token": "eyJ0eXAiOi...",
  "client_id": "xxx",
  "expires_on": "xxx",
  "resource": "https://management.azure.com/",
  "token_type": "Bearer"
}
# If the VM has no managed identity assigned, IMDS answers 400 with "Identity not found"

# Keep just the token for the calls below
TOKEN=$(curl -s --noproxy "*" -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" | jq -r .access_token)

# Token for other services (change the resource parameter)
# Graph API:
resource=https://graph.microsoft.com/

# Key Vault:
resource=https://vault.azure.net/

# Storage:
resource=https://storage.azure.com/


# Using the Token
─────────────────────────────────────────────────────────────────────
# List subscriptions
curl -s -H "Authorization: Bearer $TOKEN" "https://management.azure.com/subscriptions?api-version=2020-01-01"

# List resources in subscription
curl -s -H "Authorization: Bearer $TOKEN" "https://management.azure.com/subscriptions/SUB_ID/resources?api-version=2021-04-01"

# List Key Vault secrets (needs a token with resource=https://vault.azure.net/)
curl -s -H "Authorization: Bearer $KEYVAULT_TOKEN" "https://VAULT_NAME.vault.azure.net/secrets?api-version=7.3"

# Or hand the identity to the CLI and enumerate as usual
az login --identity

SSRF to Metadata

Azure IMDS requires the "Metadata: true" header and rejects requests that carry an X-Forwarded-For header, which defeats naive SSRF through redirect-following clients and most forward proxies. If you can inject headers, or the vulnerable code copies request headers into its own outbound call, metadata is still reachable. App Service and Azure Functions do not use 169.254.169.254 at all: their managed identity endpoint is published to the app through the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables, so on those platforms an environment or file disclosure is the equivalent target.

Azure Enumeration Methodology

Systematic Azure Enumeration

1. External Reconnaissance: Discover tenant ID, domain info, federated vs managed. Enumerate storage accounts, web apps, and other public resources.
2. User Enumeration: If not blocked, enumerate valid usernames via the GetCredentialType API. Look for patterns in naming conventions (first.last, flast) and confirm them against known addresses.
3. Authentication: Attempt access with found/guessed credentials. Try password spraying carefully (one password per round, spaced beyond the lockout window, in-scope accounts only). Look for OAuth misconfigurations.
4. Azure AD Enumeration: With access, enumerate users, groups, service principals, and applications. Use AzureHound for attack path mapping.
5. Resource Enumeration: List all subscriptions, resource groups, and resources. Check VMs, storage, databases, Key Vaults.
6. Permission Analysis: Review role assignments (Azure RBAC and Entra directory roles). Look for overprivileged identities, dangerous permissions, and escalation paths.

Knowledge Check


How can you check if a company uses Azure AD without authentication?

Challenges

Azure Tenant Reconnaissance

Challenge (intermediate)

Given a company domain (company.com), write commands to: 1) Check if they use Azure AD, 2) Get the tenant ID, 3) Determine if it's federated or managed, 4) Attempt user enumeration.


Key Takeaways

  • Azure structure: Tenant (identity) → Subscription (billing) → Resource Groups → Resources
  • Tenant info is publicly discoverable via OpenID configuration endpoints
  • Blob storage enumeration can find publicly accessible data
  • Azure metadata (169.254.169.254) requires the Metadata: true header and is only reachable from inside the VM; the token it returns is the VM's managed identity
  • Tools: AzureHound, ROADtools, MicroBurst, ScoutSuite for comprehensive enumeration
  • Always check role assignments to understand access and find misconfigurations