Azure is a widely used cloud platform, supporting critical infrastructure for major organizations globally. Its Role-Based Access Control (RBAC) model simplifies identity and permissions management by offering predefined, built-in roles. However, managing permissions at scale is complex, and even seemingly trusted, built-in roles can introduce unexpected risks.
This session explores the Azure RBAC model and demonstrates the critical risks of over-privileged built-in roles together with a VPN key leak vulnerability. We show how combining these issues leads from a cloud infrastructure breach to on-premises compromise, with catastrophic consequences for organizations.
Our research uncovered multiple over-privileged Azure built-in roles that grant permissions well beyond their intended scope, enabling attackers to enumerate cloud resources, map attack paths, leak exposed secrets, and access critical configurations. Alarmingly, we also identified a separate vulnerability that allows any identity with read permissions to leak Azure VPN keys, enabling unauthorized access to cloud infrastructure and on-premises networks. Combined, these flaws form a full attack chain, turning seemingly low-privilege roles into pathways to sensitive assets.
The session concludes with actionable strategies to fortify identity security, such as leveraging custom roles and refining scopes, ensuring that organizations can maintain robust control over their cloud identities while mitigating the risks that are often overlooked.
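As an added illustration of the two points above (over-broad built-in roles, and custom roles with refined scopes as the remedy), the following Python script is not part of the session material. It audits role definitions in the JSON shape returned by `az role definition list`, reports which roles effectively grant a watchlist of control-plane read actions, and emits a least-privilege custom role in the shape accepted by `az role definition create --role-definition`. The three role definitions and the watchlist are constructed for the example; the role names are hypothetical and none is claimed to be a real built-in role, and the script does not assert which action exposes the VPN key, since that is the talk's finding.

```python
"""Audit Azure role definitions for over-broad permissions and build a
narrowly scoped custom role. Added example; sample data is constructed."""
import fnmatch
import json

# Constructed sample in the shape `az role definition list --output json` returns.
# Role names are hypothetical; none is a real built-in role.
SAMPLE_ROLE_DEFINITIONS = [
    {
        "roleName": "Example Broad Reader",
        "roleType": "BuiltInRole",
        "assignableScopes": ["/"],
        "permissions": [{"actions": ["*/read"], "notActions": [],
                         "dataActions": [], "notDataActions": []}],
    },
    {
        "roleName": "Example Network Operator",
        "roleType": "BuiltInRole",
        "assignableScopes": ["/"],
        "permissions": [{"actions": ["Microsoft.Network/*"],
                         "notActions": ["Microsoft.Network/*/delete"],
                         "dataActions": [], "notDataActions": []}],
    },
    {
        "roleName": "Example VM Status Reader",
        "roleType": "CustomRole",
        "assignableScopes": [
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"],
        "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/read",
                                     "Microsoft.Compute/virtualMachines/instanceView/read"],
                         "notActions": [], "dataActions": [], "notDataActions": []}],
    },
]

# Watchlist of control-plane reads a reviewer might care about (assumption:
# which read exactly exposes VPN material is the talk's finding, not asserted here).
WATCHED_ACTIONS = [
    "Microsoft.Network/virtualNetworkGateways/read",
    "Microsoft.Network/connections/read",
    "Microsoft.KeyVault/vaults/secrets/read",
    "Microsoft.Compute/virtualMachines/read",
]


def _matches(pattern, action):
    # Azure action wildcards: '*' matches any run of characters, '/' included,
    # and comparison is case-insensitive. fnmatch's '*' has the same semantics.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants(role, action):
    """True if some permission block allows `action` via `actions` and does not
    exclude it via that block's `notActions` (blocks are unioned)."""
    for perm in role["permissions"]:
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        denied = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def audit_roles(roles, watched=WATCHED_ACTIONS):
    """Map role name -> sorted watched actions the role effectively grants.
    Roles granting nothing on the watchlist are omitted."""
    findings = {}
    for role in roles:
        hits = sorted(a for a in watched if grants(role, a))
        if hits:
            findings[role["roleName"]] = hits
    return findings


def is_broad(role):
    """Flag a role that carries a wildcard action and is assignable at root scope."""
    wildcard = any("*" in a for p in role["permissions"] for a in p.get("actions", []))
    return wildcard and "/" in role.get("assignableScopes", [])


def build_custom_role(name, actions, scope):
    """Least-privilege custom role: explicit actions only, one assignable scope.
    Output shape matches `az role definition create --role-definition`."""
    if any("*" in a for a in actions):
        raise ValueError("custom role must list explicit actions, not wildcards")
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Added example: narrowly scoped read-only role",
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }


if __name__ == "__main__":
    for role_name, hits in audit_roles(SAMPLE_ROLE_DEFINITIONS).items():
        print(f"{role_name}: {', '.join(hits)}")
    print(json.dumps(build_custom_role(
        "VM Status Reader (rg-app)",
        ["Microsoft.Compute/virtualMachines/read"],
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"),
        indent=2))
```

Against real data, replace `SAMPLE_ROLE_DEFINITIONS` with the parsed output of `az role definition list` and feed `audit_roles` the actions that matter in your tenant; the useful signal is a built-in role, assignable at `/`, whose effective permissions cover a read you did not expect it to have.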