Azure: Application Registration credential abuse

In Microsoft Azure, applications use App Registrations to request permissions from Entra ID (Active Directory). During an audit, we analyze App Registration configurations. If a registration is configured with excessive permissions (such as Directory.ReadWrite.All) and its client secret is leaked in code, an attacker can hijack the credentials to modify user accounts or grant themselves admin rights:

// VULNERABLE Azure App Registration permissions setup
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "7b220e84-aa36-4d04-9e79-88017c664b38",
          "type": "Role" // Directory.ReadWrite.All role granted directly to the app
        }
      ]
    }
  ]
}

The Fix: Implement fine-grained, delegated permissions instead of directory-wide application roles. Rotate client secrets every 90 days and use federated identities (Managed Identities) on Azure Virtual Machines to prevent local key storage.

GCP: Service Account key leaks and role bindings

Google Cloud uses Service Accounts to authorize microservices. When developers generate static JSON key files for these accounts and commit them to repositories or environments, the account is exposed. We scan your configurations to ensure no service keys are local, and audit the Role-Based Access Control (RBAC) bindings for excessive scopes:

# Audit check using gcloud CLI to check IAM policy bindings on project level
gcloud projects get-iam-policy your-gcp-project-id

The Exploit: If a service account is bound to the roles/editor or roles/owner role, an attacker who obtains the key file gains complete control over all VMs, databases, and buckets in the project.

GCP: Public Storage buckets

Google Cloud Storage (GCS) buckets hold database logs and uploads. A common finding is misconfiguring bucket permissions, assigning roles like roles/storage.objectViewer to allUsers (anonymous internet users). We check your GCS bucket configurations to verify that public access is blocked:

# Enforce uniform bucket-level access policy using gcloud
gcloud storage buckets update gs://sensitive-data-bucket --uniform-bucket-level-access
Example finding

GCP Service Account key committed to private repo

During a penetration test of a fintech client, we discovered a GCP Service Account JSON key file inside a private git repository. The service account had the Owner role on the project. By using the key with the gcloud CLI, we accessed the database server VM, extracted the database credentials, and accessed the production customer transaction database. Fix priority: critical. Remediated by revoking the key and restricting the service account permissions using minimal IAM roles.

Deploying production systems on Azure or Google Cloud? Secure your tenant configurations.

Book an Azure / GCP Cloud Audit

Frequently asked questions

What is privilege escalation in Microsoft Azure?

Privilege escalation in Azure occurs when a user or service principal holds permissions that allow them to modify app registrations, assign role definitions, or exploit subscription-level contributor access to compromise the tenant.

How do you audit Google Cloud Storage bucket access?

We verify if uniform bucket-level access is enabled, audit IAM policies for public exposure roles (like allUsers or allAuthenticatedUsers), and check if object versioning and encryption with customer-managed keys (CMEK) are configured.

Why is Azure Active Directory (Entra ID) configuration targeted?

Azure AD acts as the directory server for all enterprise resources. If application registrations have excessive permission consents or if guest user privileges are not restricted, attackers can pivot from a single compromised guest account to internal corporate networks.

Related reading

Blog: AWS cloud security audits · Fintech cloud security · Secrets management

Services: Secure architecture review · Penetration testing