Azure is a widely used cloud platform, supporting critical infrastructure for major organizations globally. Its Role-Based Access Control (RBAC) model simplifies identity and permissions management by offering predefined, built-in roles. However, managing permissions at scale is complex, and even seemingly trustworthy built-in roles can introduce unexpected risks.
This session explores the Azure RBAC model and demonstrates the critical risks of over-privileged roles that grant permissions well beyond their intended scope, together with an Azure API vulnerability that attackers can exploit to leak secrets. We demonstrate how combining these issues can lead to cloud infrastructure breaches and on-premises network access, with catastrophic consequences for organizations.
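The over-privilege problem described above comes down to how Azure evaluates a role's Actions/NotActions and DataActions/NotDataActions, where a `*` wildcard matches any run of characters including `/`. The following Python script is an added example, not material from the session or from Azure itself: it applies those matching rules to a set of constructed, hypothetical role definitions (shaped like the output of `az role definition list`) and reports which roles can reach credential-yielding operations. The role names and permission sets are invented for illustration; the operation names are real Azure operation names, but the list is a small selection, not an inventory.

```python
import re

# Constructed role definitions in the shape returned by `az role definition list`
# (only the fields needed here). Role names and permission sets are hypothetical
# examples for this demonstration, not claims about any real built-in role.
ROLE_DEFINITIONS = [
    {
        "roleName": "Monitoring Reader (hypothetical)",
        "permissions": [{
            "actions": ["*/read"],
            "notActions": [],
            "dataActions": [],
            "notDataActions": [],
        }],
    },
    {
        "roleName": "App Operator (hypothetical)",
        "permissions": [{
            "actions": ["Microsoft.Web/sites/*", "Microsoft.Storage/storageAccounts/*"],
            "notActions": ["Microsoft.Web/sites/delete"],
            "dataActions": [],
            "notDataActions": [],
        }],
    },
    {
        # Named as if it only reads vault metadata, but its DataActions wildcard
        # reaches secret retrieval: the "beyond intended scope" pattern.
        "roleName": "Vault Metadata Viewer (hypothetical)",
        "permissions": [{
            "actions": ["Microsoft.KeyVault/vaults/read"],
            "notActions": [],
            "dataActions": ["Microsoft.KeyVault/vaults/*"],
            "notDataActions": ["Microsoft.KeyVault/vaults/keys/*"],
        }],
    },
]

# Operations whose success hands the caller a credential. These are real Azure
# operation names; the selection is illustrative, not exhaustive.
SENSITIVE_OPERATIONS = {
    "control": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Web/sites/config/list/action",
    ],
    "data": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
    ],
}


def _pattern_matches(pattern, operation):
    """Azure RBAC wildcard semantics: '*' matches any characters, including '/';
    operation names are compared case-insensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(operation, allow, deny):
    """Allowed iff some allow pattern matches and no Not* pattern matches."""
    if not any(_pattern_matches(p, operation) for p in allow):
        return False
    return not any(_pattern_matches(p, operation) for p in deny)


def sensitive_grants(role, sensitive=SENSITIVE_OPERATIONS):
    """Return the sorted list of sensitive operations this role definition permits."""
    grants = set()
    for perm in role["permissions"]:
        for op in sensitive["control"]:
            if is_allowed(op, perm.get("actions", []), perm.get("notActions", [])):
                grants.add(op)
        for op in sensitive["data"]:
            if is_allowed(op, perm.get("dataActions", []), perm.get("notDataActions", [])):
                grants.add(op)
    return sorted(grants)


def find_overprivileged(roles=ROLE_DEFINITIONS, sensitive=SENSITIVE_OPERATIONS):
    """Map role name -> sensitive operations it grants, for roles that grant any."""
    result = {}
    for role in roles:
        grants = sensitive_grants(role, sensitive)
        if grants:
            result[role["roleName"]] = grants
    return result


if __name__ == "__main__":
    for name, ops in find_overprivileged().items():
        print(f"{name}:")
        for op in ops:
            print(f"  can perform {op}")
```

Running the script flags the two hypothetical roles whose wildcards reach `listKeys`, app-settings listing, or `getSecret`, while the `*/read` role is not flagged: key and secret listing are modelled as POST-style `/action` operations precisely so that read-only wildcards do not reach them. The check covers role definitions only; whether a principal can actually perform an operation also depends on assignment scope, deny assignments, and, for Key Vault, whether the vault uses the RBAC permission model rather than access policies.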
The session concludes with actionable strategies to fortify identity security, ensuring that organizations can maintain robust control over their cloud identities while mitigating the risks that are often overlooked.