comparison reader with security reader

Author: carlospolop

src/SUMMARY.md

@@ -398,8 +398,8 @@
   - [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md)
   - [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md)
     - [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md)
-    - [Az - Storage Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md)
-    - [Az - VMs Unath](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md)
+    - [Az - Storage Unauth](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md)
+    - [Az - VMs Unauth](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md)
     - [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md)
     - [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md)
   - [Az - Services](pentesting-cloud/azure-security/az-services/README.md)

src/pentesting-cloud/azure-security/az-permissions-for-a-pentest.md

@@ -2,9 +2,30 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-To start a white box hardening review of some Entra ID tenats you need to ask for **Global Reader role on each tenant**. Moreover, to perform a hardening review of different Azure subscriptions you would need at least the **Reader permissions over all the subscriptions**.
+To start a white box hardening review of some Entra ID tenats you need to ask for **`Global Reader` role on each tenant**. Moreover, to perform a hardening review of different Azure subscriptions you would need at least the **`Reader`role over all the subscriptions**.
 
 Note that if those roles aren't enough to access all the info you need, you could also ask the client for roles with the permissions you need. Just try to **minimize the amount of not read-only permissions you ask for!**
 
+Another option is to ask for **`Security Reader` role** instead of `Reader` if the client complaints to reduce the granted privileges. However, this increases the possibility of the pentester asking for more read roles later as the `Reader` role grants `"*/read"` while the `Security Reader` role grants:
+
+```json
+"actions": [
+    "Microsoft.Authorization/*/read",
+    "Microsoft.Insights/alertRules/read",
+    "Microsoft.operationalInsights/workspaces/*/read",
+    "Microsoft.Resources/deployments/*/read",
+    "Microsoft.Resources/subscriptions/resourceGroups/read",
+    "Microsoft.Security/*/read",
+    "Microsoft.IoTSecurity/*/read",
+    "Microsoft.Support/*/read",
+    "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
+    "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
+    "Microsoft.Security/iotSensors/downloadResetPassword/action",
+    "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
+    "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
+    "Microsoft.Management/managementGroups/read"
+]
+```
+
 {{#include ../../banners/hacktricks-training.md}}