Azure API vulnerability and roles misconfiguration compromise corporate networks
100 comments
·July 2, 2025
gwynforthewyn
filleokus
> It’s pretty clear if you check github that Azure’s services and documentation are written by distributed teams with little coordination.
I've come to the same conclusion after dealing with (and reporting) jankiness in both the Azure (ARM) API and especially the CLI. [0] is a nice issue I look at every once in a while. I think an installed az cli is now 700 MB+ of Python code and different bundled python versions...
gwynforthewyn
It’s legitimately fun to see people gaining hope something would happen about this and then losing hope, again and again. Thanks for the laugh.
This is how you can tell that people doing systems work aren’t running the sdk project. A gig dependency for a few python scripts is hard to swallow.
CamouflagedKiwi
Why do all these use Python? AWS, GCP, Azure, all three CLIs use Python; they're slow, bloated, heavy to install... what advantage does Python really offer here? You can't in any sensible way rely on it being installed (in your linked issue we see that they actually bundle it) so it's not even an 'easy' runtime.
ptx
Python takes up less than 16 MB on disk (python3.11-minimal + libpython3.11-stdlib on Debian) so whatever Microsoft did to make their Azure CLI package take up almost 700 MB, I don't think the language is the problem.
jlarocco
I don't understand the Python hate. What would they use instead?
Python is installed on most systems and easy to install when it's not. Only Azure is dumb enough to bundle it, and that was a complaint in the bug - there's no good reason to do so in this day and age.
The performance bottleneck in all three is usually the network communication - have you seen cases where the Python CLI app itself was using 100% of a CPU and slowing things down? I personally haven't.
Looking at the crazy way Azure packaged their CLI, it's hard to believe they weren't making it bloated on purpose.
jlarocco
> It’s pretty clear if you check github that Azure’s services and documentation are written by distributed teams with little coordination. We have a saying in-house that the info is all in their docs, but the sentences and paragraphs for even trivial things are split across ten or fifteen articles.
You can say that for the APIs themselves. It's like every API call has 80% of the info I want, but the other 20% that logically belongs with that 80% has to come from multiple other API calls.
The one that annoys me on a daily basis is fetching the logs for a pipeline run. The endpoint is `_apis/build/builds/<id>/logs` and it returns a list of pipeline log objects without the task name that generated them. You get an object with these fields: `{"lineCount", "createdOn", "lastChangedOn", "id", "type", "url"}` but no mention of the pipeline stage that generated it, whether it's the build step, test run, publishing stage, etc. And those ids change (for example if you re-run a failed job, the unit tests may have ID 4 from the first run, and ID 17 for the second try), so you can't just rely on that.
And the pipeline log viewer on the website is garbage. When you click the link to view the logs it doesn't show you the logs it's collected already but starts showing new logs from that point forward and even for that, sometimes it truncates output and will skip lines. Somehow they managed to make trawling through logs even worse than it would normally be.
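One way to get the task name back, as an added example that is not part of the comment above: join the logs list against the build's timeline endpoint (`_apis/build/builds/<id>/timeline`), whose records carry a name, a type, a parentId and a `log.id` that points at one of those log objects. The two payloads in the block are constructed sample data shaped like the responses, not real captures, and the short record ids stand in for the GUIDs the service uses.

```python
"""Label Azure Pipelines build logs with the stage/job/task that produced them.

Added example, not code from the thread. _apis/build/builds/<id>/logs returns
log records with no task name, but _apis/build/builds/<id>/timeline returns
records that carry a name, a type (Stage/Job/Task), a parentId and a log
reference whose id is that same log id. Joining on the id gives a stable
label even though the numeric log ids change between attempts, and lets you
look a log up by task name instead of by id. Both payloads are constructed
sample data shaped like the real responses, not captures.
"""

BASE = "https://dev.azure.com/org/proj/_apis/build/builds/42/logs/"

# Constructed: GET .../builds/42/logs after the "Build job" was re-run once.
# Logs 3-5 came from attempt 1, logs 15-17 from attempt 2.
LOGS_RESPONSE = {"count": 6, "value": [
    {"lineCount": 12,  "createdOn": "2025-07-01T10:00:00Z", "lastChangedOn": "2025-07-01T10:02:10Z", "id": 3,  "type": "Container", "url": BASE + "3"},
    {"lineCount": 95,  "createdOn": "2025-07-01T10:00:06Z", "lastChangedOn": "2025-07-01T10:01:00Z", "id": 4,  "type": "Container", "url": BASE + "4"},
    {"lineCount": 410, "createdOn": "2025-07-01T10:01:01Z", "lastChangedOn": "2025-07-01T10:02:10Z", "id": 5,  "type": "Container", "url": BASE + "5"},
    {"lineCount": 12,  "createdOn": "2025-07-01T11:30:00Z", "lastChangedOn": "2025-07-01T11:32:05Z", "id": 15, "type": "Container", "url": BASE + "15"},
    {"lineCount": 95,  "createdOn": "2025-07-01T11:30:06Z", "lastChangedOn": "2025-07-01T11:31:00Z", "id": 16, "type": "Container", "url": BASE + "16"},
    {"lineCount": 402, "createdOn": "2025-07-01T11:31:01Z", "lastChangedOn": "2025-07-01T11:32:05Z", "id": 17, "type": "Container", "url": BASE + "17"},
]}

# Constructed: GET .../builds/42/timeline. Only the current attempt's records are
# shown; real record ids are GUIDs, short strings are used here for readability.
TIMELINE_RESPONSE = {"records": [
    {"id": "s1", "parentId": None, "type": "Stage", "name": "Build",          "attempt": 2, "log": None},
    {"id": "j1", "parentId": "s1", "type": "Job",   "name": "Build job",      "attempt": 2, "log": {"id": 15, "type": "Container", "url": BASE + "15"}},
    {"id": "t1", "parentId": "j1", "type": "Task",  "name": "Compile",        "attempt": 2, "log": {"id": 16, "type": "Container", "url": BASE + "16"}},
    {"id": "t2", "parentId": "j1", "type": "Task",  "name": "Run unit tests", "attempt": 2, "log": {"id": 17, "type": "Container", "url": BASE + "17"}},
]}


def label_logs(logs_response, timeline_response):
    """Return {log_id: {"path": "Stage / Job / Task", "type", "attempt", "lineCount"}}.

    A log that no current-attempt record references (here: logs 3-5) gets
    path None; those belong to a previous attempt of the job.
    """
    records = timeline_response["records"]
    by_id = {r["id"]: r for r in records}
    owner_of_log = {r["log"]["id"]: r for r in records if r.get("log")}

    def path(record):
        # Walk parentId links upwards and print them root-first.
        parts = []
        while record is not None:
            parts.append(record["name"])
            record = by_id.get(record.get("parentId"))
        return " / ".join(reversed(parts))

    labelled = {}
    for log in logs_response["value"]:
        rec = owner_of_log.get(log["id"])
        labelled[log["id"]] = {
            "path": path(rec) if rec else None,
            "type": rec["type"] if rec else None,
            "attempt": rec["attempt"] if rec else None,
            "lineCount": log["lineCount"],
        }
    return labelled


def log_id_for(timeline_response, task_name):
    """Resolve a task name to the log id of its current attempt (None if absent)."""
    for r in timeline_response["records"]:
        if r["type"] == "Task" and r["name"] == task_name and r.get("log"):
            return r["log"]["id"]
    return None


if __name__ == "__main__":
    for log_id, info in label_logs(LOGS_RESPONSE, TIMELINE_RESPONSE).items():
        print(log_id, info["path"] or "(previous attempt, not in current timeline)")
    print("unit test log:", log_id_for(TIMELINE_RESPONSE, "Run unit tests"))
```

The point of resolving by task name is that the numeric log id is the thing that changes on a re-run; the timeline record's name does not, so a script that fetches "the unit test log" keeps working across attempts.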
0cf8612b2e1e
… it was written by an enthusiastic junior dev and released with little review
This feels true of so many Windows applications. Super rough POC that then gets released and locked into stone forever.
jiggawatts
The new Notepad would hang for minutes if you used it to open a large text file. It also stuttered when scrolling. It’s incredible to see something so low quality make it into a core operating system app release.
magicalhippo
> a junior who didn’t know better and was just trying to make progress
While totally plausible, that's kinda beside the point IMO. This shows regardless of how it happened, they don't have sufficient test coverage of these roles. Meaning built-in roles cannot be trusted.
coredog64
AWS documentation is similarly bad: I used to joke that it was all written down to remind the service team of something rather than as something that is useful for users to read in advance and understand the service.
rohan_
Anecdotally - working with Azure has been hell on earth for me. Insanely unintuitive and buggy interface. Many cryptic errors preventing me from doing anything.
lifty
Microsoft doesn’t really respect their users because most of the users don’t decide by themselves to use Azure. Someone else makes the decision for them. And it’s probably like that for many of their other products.
p_ing
How does this not apply to - insert any product - in an enterprise space? With rare exceptions, users don't decide which software they use.
dminvs
in the case of Azure, the users are the engineers tasked with implementing the infra
I'm not sure I've ever heard of a shop adopting Azure on pure engineering merit but my anecdata are hardly exhaustive. it tends to be forced for weird business reasons (retailers mistrusting Amazon, data residency requirements, sweetheart credit deal, CIO convinced by Azure rep over golf)
lifty
You’re right. It’s the embodiment of enterprise software sales. But somehow AWS and GCP do it a bit better.
aktuel
That probably explains why all enterprise software sucks.
comrade1234
Yes it sucks and the documentation sucks even more. I think azure and whatever you call the google cloud configuration site are both so complicated because they're best for giant corporations with thousands of employees and many many roles in the organization with different privileges. However if you're just a single developer setting up something simple it's hellish.
It would be nice if they provided a simple setup configuration option for simple setups.
Anon1096
Quite honestly a single person working at a micro scale is not the target market for the hyperscalers. You're better served not going for managed services (and buying unmanaged services on the big clouds also doesn't make sense without needing the entire ecosystem around it).
patmorgan23
Is AWS any better? (Genuine question)
programmertote
Not from my experience. I've worked with all three of them. If one can stick with the web UI to provision permissions and the permissions required are simple/straightforward, Google Cloud (again, this is my personal opinion, so please take it with a grain of salt) is the most usable among the three.
BUT all three of them (AWS, Azure and GCP) have pros and cons, so you just have to spend a good amount of time learning their quirks.
everfrustrated
AWS IAM is very very well designed. They clearly have some sort of internal security & architecture review process that works.
coredog64
There is a similar issue with AWS. AWS provides a "ReadOnlyAccess" managed policy that has additional privileges that you probably don't want folks to have (e.g. can read S3 bucket content, not just see bucket names/key names). They recognized this and created a more limited "ViewOnlyAccess" that doesn't have access to content.
There's another common fix, which is to apply a permission boundary to IAM roles. This allows the use of generic policies like "ReadOnlyAccess" but can then be further downscoped to resources by tag (or other similar ABAC schemes)
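How the boundary actually combines with a broad managed policy, as an added example that is not part of coredog64's comment and not AWS code: an evaluator for the subset of IAM semantics the comment relies on (identity policy AND boundary must both allow; an explicit Deny in either wins; `aws:ResourceTag` conditions). The three policy documents are constructed stand-ins that illustrate the ReadOnlyAccess/ViewOnlyAccess difference, not the real managed policies, and the tag check is a generic model of the condition.

```python
"""Effective permissions of an IAM role under a permission boundary.

Added example, not from the thread or from AWS. It models the part of IAM
evaluation the comment relies on: with a boundary attached, a request is
allowed only if the identity policy allows it AND the boundary allows it,
and an explicit Deny in either is final. Only Action/Resource wildcards and
a StringEquals condition on aws:ResourceTag/<key> are implemented. The
policies below are constructed stand-ins, not the real managed documents.
"""
from fnmatch import fnmatchcase


def _matches(patterns, value):
    """IAM Action/Resource may be a string or a list; '*' and '?' are wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, resource_tags):
    """Only StringEquals on aws:ResourceTag/<key> is modelled; other keys fail closed."""
    for key, want in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            return False
        if resource_tags.get(key.split("/", 1)[1]) != want:
            return False
    return True


def evaluate(policy, action, resource, resource_tags):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one policy document."""
    outcome = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny is final
        outcome = "Allow"
    return outcome


def is_allowed(identity_policy, boundary, action, resource, resource_tags=None):
    """Both the identity policy and the permission boundary must return Allow."""
    tags = resource_tags or {}   # tags of the target resource, supplied by the caller
    return (evaluate(identity_policy, action, resource, tags) == "Allow"
            and evaluate(boundary, action, resource, tags) == "Allow")


# Constructed stand-in for a broad read-only policy: content reads (s3:GetObject) are in scope.
READ_ONLY_LIKE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"], "Resource": "*"}]}

# Constructed stand-in for a view-only policy: names only, no object content.
VIEW_ONLY_LIKE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "ec2:Describe*"],
     "Resource": "*"}]}

# Constructed: the read-only grant plus an explicit Deny on one prefix; Deny wins over Allow.
READ_ONLY_WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::payments-data/pii/*"}]}

# Constructed boundary: whatever the identity policy grants is confined to resources
# tagged team=payments. Which services honour aws:ResourceTag for which operations
# must be checked in the service authorization reference; this is a generic model.
PAYMENTS_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/team": "payments"}}}]}

OBJECT = "arn:aws:s3:::payments-data/report.csv"
INSTANCE = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc12345"


if __name__ == "__main__":
    for label, pol, tags in [("read-only, payments bucket", READ_ONLY_LIKE, {"team": "payments"}),
                             ("read-only, hr bucket", READ_ONLY_LIKE, {"team": "hr"}),
                             ("view-only, payments bucket", VIEW_ONLY_LIKE, {"team": "payments"})]:
        print(label, "->", is_allowed(pol, PAYMENTS_BOUNDARY, "s3:GetObject", OBJECT, tags))
```

The boundary does not add permissions: `ec2:StartInstances` on a payments-tagged instance stays denied because the identity policy never granted it, while `s3:GetObject` on an hr-tagged bucket is cut off by the boundary even though the identity policy allows it. That intersection is what makes a generic "ReadOnlyAccess"-style policy usable when it is scoped by tag.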
felixgallo
(I used to work for AWS and am long Amazon stock. In no way do I speak for Amazon)
With Amazon, you are genuinely the customer. AWS may do many things in a bizarre or byzantine way, but it is constantly trying to be there for the developer in ways that many competitors in my opinion are not.
motorest
> Is AWS any better? (Genuine question)
It is, without any question. Even if you work at a Microsoft shop, the benefits you get from vertical integration aren't that clear. Azure requires a far greater cognitive load to handle and to make matters worse ultimately experiences far more outages.
p_ing
Coming from a Windows enterprise background, the UI for the most part makes sense and not something I find difficult to navigate (the original UI was awful). I know your sentiment is not uncommon, but I'm unable to share it.
I will agree, and this is a general Microsoft problem spanning back to the 90s, some error messages aren't useful whatsoever. Others are clear and concise. I figure this is due to the different PGs following their own set of rules.
motorest
> Anecdotally - working with Azure has been hell on earth for me. Insanely unintuitive and buggy interface. Many cryptic errors preventing me from doing anything.
What pisses me off the most about Azure is how they designed it as the 90's view of what a cloud provider is. With Azure you don't just provision a VM or God forbid a web service. No no no. You need to provision an app service plan first, where you have to provision what computational resources you allocate to it, and then assign services and even gasp function-as-a-service apps. And even with FaaS stuff you don't just provision a handler. No, that would make too much sense. First you need to provision a function app running on your service plan, and you provision whatever azure functions you need as part of the function app. How much accidental complexity is that? Can't I just deploy an app or God forbid a function?
The same thing applies to storage, but it's even worse. You get your storage account, and you need to provision a storage account to be able to provision one or more blob storage containers, azure tables, even simple queues. But wait, you need a storage account to store data in a nosql services, but if you opt for the other nosql service then that's an entirely different thing. For that you can simply go ahead and create an account. You can use the same SDK for both? That's nice. Wait, why do they have two nosql services?
Azure, man. It exists to make every single alternative look good.
p_ing
You can provision an Azure Web Service (PaaS web server running IIS or whatever the Linux version runs) which provisions the computational resource, Azure App Service, as part of the deployment steps.
You certainly can do it in the way you've specified but I only see that as useful if you're provisioning multiple Web Services to point to a single App Service.
But to answer your question, yes you can "just" provision a Function or Web Service, the wizard walks you through it. The App Service behind the scenes is just details and not something you must interact with post-Function creation.
motorest
> You can provision an Azure Web Service (...) which provisions the computational resource, Azure App Service, as part of the deployment steps.
That's not a solution because deployment steps aren't a problem. The brain-dead aspect of Azure is how it forces users to handle the complexity of having to deal with provisioning and budgeting what computational resources used to run a set of web apps. This doesn't even buy isolation. If I'm paying for cloud services, why on earth should I concern myself with how much RAM I need to share across N apps? It's absolutely brain dead.
SvenL
They have a Azure Function Serverless Offering called consumption plan: https://learn.microsoft.com/en-gb/azure/azure-functions/func...
Quote: „Default hosting plan that provides true serverless hosting“
This one doesn’t require an app service plan.
Actually I like that offering, depending on your requirements you have several options to host your functions. That’s pretty great.
If they would offer just one kind of function app or one kind of storage solution people would complain that their very important edge case is not supported. For those simple requirements you can use cloudflare, vercel etc…
motorest
> This one doesn’t require an app service plan.
It requires a plan. You need to know what a plan is and what plan your azure functions are running on. Is it a consumption plan? Or is it a flex consumption plan?
I mean, you can run multiple function apps on the same plan. As a developer, you are required to know which plan a particular function app is running on, and be aware of the implications.
You see how brain dead it is?
koakuma-chan
Yeah that, and in Azure OpenAI you have to create a separate deployment for each model you want to use.
mawax
You can just deploy a function.
You open vscode, install the Azure Functions extensions, walk through the wizard to pick your programming language and write the code. Then create and deploy it from vscode without ever leaving your IDE.
motorest
> You open vscode, install the Azure Functions extensions, walk through the wizard to pick your programming language and write the code. Then create and deploy it from vscode without ever leaving your IDE.
You are talking about something entirely different. Provisioning a function app is not the same as deploying the function app. How easy it is to upload a zip is immaterial to the discussion.
snupples
Which is exactly the opposite of how to effectively manage applications, code, and change at any scale beyond a home project.
tstrimple
> What pisses me off the most about Azure is now they designed it as the 90's view of what a cloud provider is. With Azure you don't just provision a VM or God forbid a web service. No no no. You need to provision an app service plan first
What's funny is you're completely backwards here. Microsoft has a much more modern view of the cloud than AWS where everything is a thin veneer over EC2. Azure started as PaaS first and AWS started as IaaS first and that fingerprint is still all over their products. Building everything in a VM is the most expensive and naive way to adopt the cloud. It's the main reason why complexity and costs blow up. You're building in the cloud wrong and somehow seemed to have missed that a consumption based Function app is the default option and doesn't require an App Service Plan.
motorest
> What's funny is you're completely backwards here. Microsoft has a much more modern view of the cloud than AWS where everything is a thin veneer over EC2. Azure started as PaaS first and AWS started as IaaS first and that fingerprint is still all over their products.
Irrelevant. I don't care about either history or revisionism. I care about deploying apps/functions. In AWS each lambda function is a standalone resource, whereas in Azure you need to 1) provision an app service plan, 2) deploy a function app on said service plan, 3) deploy the actual function. It's nuts.
Same goes for storage. While in AWS you just go ahead and create a S3 bucket, on Azure you have to provision storage accounts and then provision a blob storage container.
> Building everything in a VM is the most expensive and naive way to adopt the cloud.
Azure is more expensive, harder to manage, even more impossible to estimate costs. Making claims about cost as if it makes Azure look good sounds completely crazy.
everfrustrated
>Microsoft has a much more modern view of the cloud than AWS where everything is a thin veneer over EC2
You must be joking!
I was looking at various Container Registry products and looked up Azure's recently. It has the following limits (On the premium SKU!): 50Mbps upload, 100Mbps down
What sort of a cloud product has limits like this! What a clown show.
sofixa
This is par for the course for Azure. Their security posture is genuinely terrifyingly lackluster.
https://www.lastweekinaws.com/blog/azures_vulnerabilities_ar...
This is from a few years ago but nothing seems to have changed. A cursory search of the Wiz blog with "Azure" reveals so many horrific (cross tenant, trivial to exploit) security vulnerabilities it's hard to imagine many people at Azure care about security. And that's just from one group of security researchers, from Wiz, there are others such as OP.
idosh9
Bizarre vulnerability, unprofessional behavior from Microsoft to leave it open for so long and let Azure organization carry this out on the expense of security.
greenie_beans
Azure identity is so bad. It's like they tried to build it on the original 1998 implementation of LDAP or whatever. Roles fucking inherit??? Like are you kidding me?
motorest
> Azure identity is so bad. It's like they tried to build it on the original 1998 implementation of LDAP or whatever.
I think that Azure AD is literally built on top of Active Directory. That's what you need to do if your goal is to help your customers, who already used Active Directory, to seamlessly onboard onto their authentication system.
If you stop and think for a moment, you'd understand that it would be absurd not to do that. You have an army of institutional clients already using AD for everything. Are you going to force them to onboard onto another auth system after convincing them that AD suited all their needs?
Anyhow, they seem to try to distance themselves with their rebranding to Entra.
> Roles fucking inherit??? Like are you kidding me?
What do you think is wrong with that?
patmorgan23
It definitely is built on AD in some form on the backend, just like Exchange Online is built on Exchange, and I believe EXO has its own AD infrastructure for each tenant that you sometimes have to wait for things to replicate to.
greenie_beans
yes i know the history and excuse me for misnaming, but AD came out in 1998 IIRC whenever i hate-researched it. and it makes perfect sense for a business to do that but it is a terrible engineering platform because of that. what you said was my exact thought process the first time i encountered that tragedy, and that doesn't make it right or good. and now the enterprise businesses waste a lot of money in time spent paying engineers to work with the frankenstein.
raffraffraff
This. Also try managing Gitlab permissions across a large org with lots of teams and lots of projects. Inheritance might seem like a good idea but it pollutes the hell out of everything once you're 3 levels deep in an org. I wrote some python scripts to generate a JSON dump of the whole org and from digging into it, some people have 30 different Access paths for some projects. Try locking that down without special tools.
bongodongobob
"Roles inherit"? No idea what you're talking about.
greenie_beans
> Lower levels inherit role permissions from higher levels...When you assign a role at a parent scope, those permissions are inherited to the child scopes
from the docs: https://learn.microsoft.com/en-us/azure/role-based-access-co...
bongodongobob
I don't understand what's surprising about this.
high_na_euv
>Roles fucking inherit??
Wdym?
greenie_beans
i designed an extremely tightly scoped managed identity to do a job. my azure admin created the resources, and now that identity shows an inheritance chain that tracks all the way to that admin (aka a very privileged identity). which seems insane.
i tested the identity to make sure it couldn't do privilege escalation...still, wtf? it might be my own fault where i'm doing something wrong, but that shouldn't even be possible for somebody to create a managed identity that would inherit from other identities. i don't trust that it's ok and i shouldn't be spending time figuring out if it is, i expect tightly scoped identities to just work...
fuzzy2
What inheritance chain? I'd say I'm quite proficient with Azure RBAC and I cannot understand what you're describing.
gxt
I'll take this opportunity to remind anyone on Azure that if you enable service endpoints on a subnet without applying service endpoint policies, anyone with the resourceid of an affected subnet can silently backdoor your network. Your NSGs do not matter for service endpoints.
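A check for the condition gxt describes, as an added example that is not part of the comment: audit subnet JSON for service endpoints that have no service endpoint policy attached. The property names (`serviceEndpoints`, `serviceEndpointPolicies`, `serviceEndpointPolicyDefinitions`, `serviceResources`, `networkSecurityGroup`) are the real ARM ones; the subnet and policy records below are constructed, not from a real tenant, and the NSG id is recorded for context only, not used to decide.

```python
"""Flag subnets that enable service endpoints without a service endpoint policy.

Added example, not from the thread. It consumes subnet resources shaped like
the ARM API response (settings under "properties") or the flattened shape
`az network vnet subnet list -o json` prints. A subnet is reported when at
least one service endpoint is enabled and either no policy is attached or
the attached policies list no serviceResources, since such a policy
restricts nothing. Sample data is constructed, not a real tenant.
"""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VNET = SUB + "/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-prod"
POLICY_ID = SUB + "/resourceGroups/rg-net/providers/Microsoft.Network/serviceEndpointPolicies/sep-prod-storage"

# Constructed subnets: "app" has a Storage endpoint and an NSG but no policy;
# "data" has the same endpoint with a policy; "mgmt" has no endpoints at all.
SUBNETS = [
    {"id": VNET + "/subnets/app", "name": "app", "properties": {
        "addressPrefix": "10.0.1.0/24",
        "networkSecurityGroup": {"id": SUB + "/resourceGroups/rg-net/providers/Microsoft.Network/networkSecurityGroups/nsg-app"},
        "serviceEndpoints": [{"service": "Microsoft.Storage", "locations": ["westeurope"]}],
        "serviceEndpointPolicies": []}},
    {"id": VNET + "/subnets/data", "name": "data", "properties": {
        "addressPrefix": "10.0.2.0/24",
        "serviceEndpoints": [{"service": "Microsoft.Storage", "locations": ["westeurope"]}],
        "serviceEndpointPolicies": [{"id": POLICY_ID}]}},
    {"id": VNET + "/subnets/mgmt", "name": "mgmt", "properties": {
        "addressPrefix": "10.0.3.0/24", "serviceEndpoints": []}},
]

# Constructed policy: allows the endpoint to reach exactly one storage account.
# serviceResources may also name a resource group or subscription, which allows
# every account inside it; that is still a restriction, but a much wider one.
POLICIES = [
    {"id": POLICY_ID, "properties": {"serviceEndpointPolicyDefinitions": [
        {"name": "allow-prod-logs", "properties": {
            "service": "Microsoft.Storage",
            "serviceResources": [SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stprodlogs"]}}]}},
]


def _props(resource):
    """ARM GET nests settings under 'properties'; the az CLI flattens them."""
    return resource.get("properties", resource)


def find_unrestricted_endpoints(subnets, policies):
    """Return one finding per subnet whose service endpoints no policy constrains."""
    policy_by_id = {p["id"].lower(): p for p in policies}
    findings = []
    for subnet in subnets:
        props = _props(subnet)
        services = [e["service"] for e in props.get("serviceEndpoints") or []]
        if not services:
            continue
        attached = [ref["id"] for ref in props.get("serviceEndpointPolicies") or []]
        allowed = []
        for pid in attached:
            pol = policy_by_id.get(pid.lower())
            if pol is None:
                continue   # dangling reference: treated as restricting nothing
            for d in _props(pol).get("serviceEndpointPolicyDefinitions", []):
                allowed.extend(_props(d).get("serviceResources", []))
        if not attached or not allowed:
            nsg = props.get("networkSecurityGroup") or {}
            findings.append({
                "subnet": subnet["id"],
                "services": services,
                "policies": attached,
                "nsg": nsg.get("id"),
                "reason": "no policy attached" if not attached else "policy lists no serviceResources",
            })
    return findings


if __name__ == "__main__":
    for f in find_unrestricted_endpoints(SUBNETS, POLICIES):
        print(f["subnet"].rsplit("/", 1)[-1], f["services"], f["reason"], "nsg:", f["nsg"])
```

In a real audit the two inputs come from `az network vnet subnet list --vnet-name <vnet> -g <rg> -o json` and the service endpoint policy listing for the subscription. Service endpoint policies are not offered for every service that supports service endpoints (Storage is the canonical case), so a finding for another service may have no policy-based fix and needs a different control.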
guptadagger
Backdoor a private network how? Or do you just mean that an NSG won't apply like you might have expected?
yolo007
Azure complainers here clearly have not tried GCP lol.
amysho144
This is crazy. Using HTTP methods to enforce API permissions? Only Microsoft could do something this lazy. No wonder their own developers are getting confused...
whoamii
It’s a combination of scope, resource types/operations and action type (similar to HTTP method, but somewhat normalized). Not that different from most ACL based systems.
The main problem raised by the article is a governance failure.
I’ve worked with Azure for a few years now, AWS and classic data centres for 15 years before that.
It’s pretty clear if you check github that Azure’s services and documentation are written by distributed teams with little coordination. We have a saying in-house that the info is all in their docs, but the sentences and paragraphs for even trivial things are split across ten or fifteen articles.
I see a problem like granting */read in an innocuously named role and am left wondering if it was pragmatism, because figuring out least privilege was tough, or a junior who didn’t know better and was just trying to make progress.
I’m on a phone and can’t search git effectively, but I’d swear there was a comment or note on the golang implementation of msal saying that it used non-idiomatic go with no real support for many of the auth flows in v1 because it was written by an enthusiastic junior dev and released with little review. The modern version looks better, but I felt like I got a window into Azure back when I read that.
Building large services is hard, my hat is off that Microsoft is making it work, but sometimes we get to see that it’s just teams of developers doing it for them and those teams look a lot like the teams we work with every day. There’s no secret sauce, except that MS has the resources to iterate until the thing mostly works most of the time.
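Two points in this thread can be made concrete in one piece of code: the docs quote above that an assignment at a parent scope is inherited by every child scope, and the description of Azure RBAC as scope plus resource/operation patterns plus action type, with the `*/read`-in-an-innocuous-role problem. The block below is an added example, not code from the thread or from Azure. "Reader" with the single action `*/read` is the real built-in definition; "Monitoring Support" is a hypothetical custom role that grants `*/read` next to its alert permissions; the management-group tree, principal ids, scopes and the "Key Lister" role are constructed. Only control-plane Actions are modelled; DataActions are evaluated separately by Azure and are left out.

```python
"""Resolve effective Azure RBAC permissions through the scope hierarchy.

Added example, not code from the thread or from Azure. It reproduces two rules
the thread turns on: (1) a role assignment made at a scope applies at every
child scope (management group -> subscription -> resource group -> resource);
(2) a role definition is a list of Actions/NotActions patterns in which '*'
matches across '/' segments, so "*/read" covers every control-plane read of
every resource provider. "Reader" is the real built-in definition; the other
roles, scopes and principals are constructed. DataActions are not modelled.
"""
from fnmatch import fnmatchcase

# Constructed management-group tree: child scope -> parent scope.
MG_PARENT = {
    "/subscriptions/sub-1": "/providers/Microsoft.Management/managementGroups/corp",
    "/providers/Microsoft.Management/managementGroups/corp":
        "/providers/Microsoft.Management/managementGroups/root",
}

ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},                       # real built-in role
    "Monitoring Support": {"actions": ["Microsoft.Insights/alertRules/*", "*/read"],
                           "notActions": []},                                    # hypothetical custom role
    "Key Lister": {"actions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
                   "notActions": []},                                            # constructed
}

ASSIGNMENTS = [
    {"principal": "svc-monitor", "role": "Monitoring Support",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},
    {"principal": "svc-monitor", "role": "Key Lister",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-app"},
]


def ancestors(scope, mg_parent=MG_PARENT):
    """The scope itself followed by each parent scope up to the root management group."""
    chain = []
    parts = scope.strip("/").split("/")
    if parts[0].lower() == "subscriptions":
        sub = "/subscriptions/" + parts[1]
        if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
            rg = sub + "/resourceGroups/" + parts[3]
            if len(parts) > 4:
                chain.append(scope)       # a resource below the resource group
            chain.append(rg)
        chain.append(sub)
        node = sub
    else:
        chain.append(scope)               # a management group
        node = scope
    while node in mg_parent:              # subscriptions hang off management groups by mapping, not by prefix
        node = mg_parent[node]
        chain.append(node)
    return chain


def role_permits(role, operation):
    """Azure action matching is case-insensitive, '*' spans '/' segments, NotActions subtract."""
    op = operation.lower()
    allowed = any(fnmatchcase(op, p.lower()) for p in role["actions"])
    excluded = any(fnmatchcase(op, p.lower()) for p in role["notActions"])
    return allowed and not excluded


def grants_for(principal, operation, scope, roles=ROLES, assignments=ASSIGNMENTS, mg_parent=MG_PARENT):
    """Every (role, assignment scope) pair that lets `principal` do `operation` at `scope`."""
    chain = {s.lower() for s in ancestors(scope, mg_parent)}
    return [(a["role"], a["scope"]) for a in assignments
            if a["principal"] == principal
            and a["scope"].lower() in chain
            and role_permits(roles[a["role"]], operation)]


def broad_read_roles(roles=ROLES):
    """Roles whose Actions include a pattern that reads every provider ('*' or '*/read')."""
    return sorted(name for name, r in roles.items()
                  if any(p.lower() in ("*", "*/read") for p in r["actions"]))


if __name__ == "__main__":
    kv = "/subscriptions/sub-1/resourceGroups/rg-secrets/providers/Microsoft.KeyVault/vaults/kv1"
    print("scope chain:", ancestors(kv))
    print("vault read granted by:", grants_for("svc-monitor", "Microsoft.KeyVault/vaults/read", kv))
    print("roles with a wildcard read:", broad_read_roles())
```

The vault-read result is the inheritance case from the docs quote: the assignment sits two levels up at a management group and reaches a resource in a resource group nobody assigned anything on. `broad_read_roles` is the audit a practitioner wants after the `*/read` observation: run it over `az role definition list --custom-role-only true -o json` (mapping `permissions[].actions` into the shape above) to find custom roles whose name says one thing and whose Actions say "read everything".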