GITBOOK-716: No subject

SUMMARY.md

@@ -399,7 +399,7 @@
     * [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
     * [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
   * [Az - Services](pentesting-cloud/azure-security/az-services/README.md)
-    * [Az - Entra ID (formerly AzureAD - AAD)](pentesting-cloud/azure-security/az-services/az-azuread.md)
+    * [Az - Entra ID (formerly AzureAD - AAD) & IAM](pentesting-cloud/azure-security/az-services/az-azuread.md)
     * [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md)
     * [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md)
     * [Az - Application Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md)

pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md

@@ -133,7 +133,7 @@ az ad sp credential reset --id <sp-id> --append
 
 ### `microsoft.directory/servicePrincipals/owners/update`
 
-Similar to applications, owning a service principal allows control over its credentials and permissions.
+Similar to applications, this permission allows to add more owners to a service principal. Owning a service principal allows control over its credentials and permissions.
 
 ```bash
 # Add new owner
@@ -258,7 +258,7 @@ It might be possible for users to escalate privileges modifying their own proper
 
 ### `microsoft.directory/users/password/update`
 
-This permission allows to reset password to non-admin users, allowing a potential attacker to escalate privileges to other users.
+This permission allows to reset password to non-admin users, allowing a potential attacker to escalate privileges to other users. This permission cannot be assigned to custom roles.
 
 ```bash
 az ad user update --id <user-id> --password "kweoifuh.234"

pentesting-cloud/azure-security/az-services/az-azuread.md

@@ -1,4 +1,4 @@
-# Az - Entra ID (formerly AzureAD - AAD)
+# Az - Entra ID (formerly AzureAD - AAD) & IAM
 
 {% hint style="success" %}
 Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image (1) (1) (1).png" alt="" data-size="line">\
@@ -728,10 +728,11 @@ For more information about Azure roles check:
 
 {% tabs %}
 {% tab title="az cli" %}
+{% code overflow="wrap" %}
 ```bash
 # Get roles
 az role definition list
-# Get assigned roles
+# Get all assigned roles
 az role assignment list --all --query "[].roleDefinitionName"
 az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
 # Get info of 1 role
@@ -744,7 +745,12 @@ az role definition list --resource-group <resource_group>
 az role definition list --scope <scope>
 # Get all the principals a role is assigned to
 az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"
+# Get all the roles assigned to a user
+az role assignment list --assignee "<email>" --all --output table
+# Get all the roles assigned to a user by filtering
+az role assignment list --all --query "[?principalName=='carlos@carloshacktricks.onmicrosoft.com']" --output table
 ```
+{% endcode %}
 {% endtab %}
 
 {% tab title="Az PowerShell" %}
@@ -788,25 +794,47 @@ For more information about Azure roles check:
 {% tab title="az cli" %}
 {% code overflow="wrap" %}
 ```bash
-# List temaplte roles
+# List template Entra ID roles
 az rest --method GET \
   --uri "https://graph.microsoft.com/v1.0/directoryRoleTemplates"
 
-# List enabled built-in roles
+# List enabled built-in Entra ID roles
 az rest --method GET \
   --uri "https://graph.microsoft.com/v1.0/directoryRoles"
 
-# List all roles with their permissions (including custom roles)
+# List all Entra ID roles with their permissions (including custom roles)
 az rest --method GET \
   --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions"
 
-# List only custom roles
+# List only custom Entra ID roles
 az rest --method GET \
   --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)'
 
-# List members of a role
+# List all assigned Entra ID roles
+az rest --method GET \
+  --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"
+
+# List members of a Entra ID roles
 az rest --method GET \
   --uri "https://graph.microsoft.com/v1.0/directoryRoles/<role-id>/members"
+
+# List Entra ID roles assigned to a user
+az rest --method GET \
+  --uri "https://graph.microsoft.com/v1.0/users/<user-id>/memberOf/microsoft.graph.directoryRole" \
+  --query "value[]" \
+  --output json
+
+# List Entra ID roles assigned to a group
+az rest --method GET \
+  --uri "https://graph.microsoft.com/v1.0/groups/$GROUP_ID/memberOf/microsoft.graph.directoryRole" \
+  --query "value[]" \
+  --output json
+
+# List Entra ID roles assigned to a service principal
+az rest --method GET \
+  --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$SP_ID/memberOf/microsoft.graph.directoryRole" \
+  --query "value[]" \
+  --output json
 ```
 {% endcode %}
 {% endtab %}
@@ -921,6 +949,17 @@ Moreover, **PIM send emails** whenever a privileged role is being assigned to so
 
 <figure><img src="../../../.gitbook/assets/image (354).png" alt=""><figcaption></figcaption></figure>
 
+When PIM is enabled it's possible to configure each role with certain requirements like:
+
+* Maximum duration (hours) of activation
+* Require MFA on activation
+* Require Conditional Access acuthenticaiton context
+* Require justification on activation
+* Require ticket information on activation
+* Require approval to activate
+* Max time to expire the elegible assignments&#x20;
+* A lot more configuration on when and who to send notifications when certain actions happen with that role
+
 ### Conditional Access Policies <a href="#title-text" id="title-text"></a>
 
 Check: