Permissions
permissions is the fast triage command for powerful Azure identities.
Use it when you want to know which visible principals should be reviewed first because they hold the most operationally important RBAC access.
- Which principals have the strongest visible Azure roles?
- Which ones have the broadest scope?
- Which identities combine strong roles with repeated privilege signals?
```
azurefox permissions --output table
```

For a saved artifact you can sort or correlate later:

```
azurefox permissions --output json
```

| principal | type | high-impact roles | scopes | operator signal | next review |
|---|---|---|---|---|---|
| azurefox-lab-sp | ServicePrincipal | Owner | 1 | Direct control visible; current foothold. | Check privesc for the direct abuse or escalation path. |
| operator@lab.local | User | | 1 | Direct control not confirmed. | Check rbac for the exact assignment evidence. |
Run it:

- after Principals gives you the visible identity inventory
- when the environment has too many assignments to rank manually
- when you need the shortest path to the principals that matter most first

It surfaces:

- Owner, User Access Administrator, and other high-impact roles
- subscription-level or otherwise broad scopes
- principals with multiple strong assignments
- the current identity if it is also highly privileged
In most environments, only a small number of principals can significantly change the control story.
permissions puts those identities near the top so you do not have to read every RBAC row to
discover which service principal, user, or managed identity could actually take over or reshape the
environment.
Ranking priorities:

- Owner, User Access Administrator, and similar high-impact roles
- broader scopes before narrower ones
- principals with multiple impactful assignments
- the current identity when it is also privileged
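The ranking above, as an added example that is not azurefox's own code: a Python function that aggregates constructed RBAC assignment records per principal and orders them by strongest role, broadest scope, repeated strong assignments, and whether the row is the current identity. The record field names, the high-impact role set and the scope-breadth heuristic are assumptions for illustration, not azurefox's JSON schema.

```python
# Added example (not azurefox's own code): reference implementation of the triage ordering
# described on this page. Field names and the high-impact role set are assumptions.
from collections import defaultdict

HIGH_IMPACT_ROLES = {"Owner": 2, "User Access Administrator": 1}  # assumed set; extend as needed


def scope_breadth(scope: str) -> int:
    """Rank an ARM scope: management group (3) > subscription (2) > resource group (1) > resource (0)."""
    s = scope.lower()
    if "/providers/microsoft.management/managementgroups/" in s:
        return 3
    depth = len([p for p in s.split("/") if p])
    return {2: 2, 4: 1}.get(depth, 0)  # /subscriptions/<id> is 2 parts, .../resourcegroups/<rg> is 4


def triage(assignments, current_principal=None):
    """Aggregate assignments per principal and order them for review."""
    per = defaultdict(lambda: {"type": None, "roles": set(), "scopes": set(), "strong": 0, "breadth": 0})
    for a in assignments:
        p = per[a["principal"]]
        p["type"] = a["type"]
        p["roles"].add(a["role"])
        p["scopes"].add(a["scope"])
        if a["role"] in HIGH_IMPACT_ROLES:  # repeated strong assignments are a privilege signal
            p["strong"] += 1
            p["breadth"] = max(p["breadth"], scope_breadth(a["scope"]))
    ranked = []
    for name, p in per.items():
        row = {
            "principal": name, "type": p["type"],
            "high_impact_roles": sorted(r for r in p["roles"] if r in HIGH_IMPACT_ROLES),
            "scopes": len(p["scopes"]), "strong_assignments": p["strong"],
            "is_current_identity": name == current_principal,
        }
        strongest = max((HIGH_IMPACT_ROLES.get(r, 0) for r in p["roles"]), default=0)
        # Sort key mirrors the page's order: strongest role, broadest scope, repeat signals, current identity.
        key = (strongest, p["breadth"], p["strong"], row["is_current_identity"])
        ranked.append((key, row))
    ranked.sort(key=lambda kr: kr[0], reverse=True)
    return [row for _, row in ranked]


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed sample subscription id
SAMPLE_ASSIGNMENTS = [  # constructed records, not real tenant data
    {"principal": "azurefox-lab-sp", "type": "ServicePrincipal", "role": "Owner", "scope": f"{SUB}/resourceGroups/rg-lab"},
    {"principal": "operator@lab.local", "type": "User", "role": "Reader", "scope": SUB},
    {"principal": "build-mi", "type": "ManagedIdentity", "role": "User Access Administrator", "scope": SUB},
    {"principal": "build-mi", "type": "ManagedIdentity", "role": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-build/providers/Microsoft.Compute/virtualMachines/vm1"},
]
```

Calling `triage(SAMPLE_ASSIGNMENTS, current_principal="azurefox-lab-sp")` puts the Owner service principal first, the subscription-level User Access Administrator managed identity second, and the Reader user last.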
- If you see `is_current_identity=true` on a privileged row, go next to Privesc because it shows whether the current foothold already has a direct abuse or escalation path.
- If you see a privileged service principal or workload identity, go next to Managed-Identities and Role-Trusts because one shows where the identity runs and the other shows who can control it.
- If you see a high-impact role summary that looks surprising, go next to RBAC because it shows the exact assignment evidence and scope behind the summary row.
- Use RBAC to inspect the underlying role and scope evidence.
- Use Privesc when a privileged principal may also create a likely escalation path.
- Use Managed Identities if the powerful principal is workload-linked.
permissions is a principal-first triage command.
It should identify the powerful principals quickly. It is not meant to replace raw assignment evidence or model every effective permission in Azure.