Broken Access Control on Azure

Scan your API now

How Broken Access Control Manifests in Azure

Broken Access Control in Azure environments typically emerges through misconfigured identity and access management (IAM) policies, improper role assignments, and flawed authorization checks in application code. Azure's extensive service catalog creates multiple attack surfaces where privilege escalation can occur.

One common pattern involves Azure Key Vault access control. Developers often grant overly permissive identities to applications, allowing them to retrieve secrets they shouldn't access. For example:

const keyVault = new KeyVaultClient(credentials);
const secret = await keyVault.getSecret('https://myvault.vault.azure.net/secrets/SuperSecret');

If the managed identity attached to this code has broader Key Vault permissions than required, an attacker who compromises the application could access all secrets in the vault. This violates the principle of least privilege.

Another Azure-specific manifestation occurs in Azure Storage accounts. The following code demonstrates a BOLA (Broken Object Level Authorization) vulnerability:

app.get('/files/:filename', async (req, res) => {
  const filename = req.params.filename;
  const blobService = AzureStorage.createBlobService();
  const stream = blobService.createReadStream('mycontainer', filename);
  stream.pipe(res);
});

This endpoint allows any authenticated user to download any file from the container, regardless of whether they own it. The application fails to verify that the requesting user has permission to access the specific file.

Azure App Service role misconfigurations create another attack vector. Consider this code that checks user roles:

const isAdmin = user.roles.includes('Admin');
if (isAdmin) {
  return await getAllUserData();
}
return await getUserData(user.id);

If role assignment in Azure Active Directory is compromised or if the role checking logic has flaws, a regular user could escalate to admin privileges and access all user data.

Azure Functions also present unique BFLA (Broken Function Level Authorization) scenarios. A function with HTTP trigger might look like:

module.exports = async function (context, req) {
  const userId = req.query.userId;
  const userData = await getUserFromDatabase(userId);
  context.res = { body: userData };
  return context.res;
};

Without verifying that the caller is authorized to view the requested user's data, this function enables horizontal privilege escalation.

Azure API Management services can inadvertently expose internal APIs if backend authentication isn't properly configured. A misconfigured policy might allow unauthenticated access to protected endpoints:

<policies>
  <inbound>
    <authentication-managed-identity resource=
Scan your API now Free API security scan

Related Pages

Broken Access Control in APIsLearn about broken access control vulnerabilities in APIs, how attackers exploit authorization flaws, and concrete preveAzure API SecurityAPI security considerations for Azure platforms including App Service, Functions, and API Management. Learn Azure-specifBroken Access Control with Basic AuthLearn how Broken Access Control manifests in Basic Auth systems, how to detect it with automated scanning, and implementBroken Access Control with Api KeysLearn how broken access control manifests in API keys through IDOR vulnerabilities, missing authorization checks, and prBroken Access Control with Bearer TokensLearn how Broken Access Control vulnerabilities manifest in Bearer Token implementations, how to detect them with automaBroken Access Control with Hmac SignaturesLearn how broken access control manifests in HMAC signature systems, from timestamp manipulation to missing authorizatioBroken Access Control in CockroachdbLearn how Broken Access Control manifests in CockroachDB applications, how to detect it with black-box scanning, and impBroken Access Control in CassandraLearn how broken access control appears in Cassandra, how to detect it with middleBrick, and how to fix it using native Gdpr: Broken Access ControlLearn how GDPR violations stem from Broken Access Control in APIs, with detection methods and code-specific remediation Iso 27001: Broken Access ControlLearn how ISO 27001 applies to Broken Access Control, including attack patterns, detection methods, and code-level remedCis: Broken Access ControlLearn how Confidentiality, Integrity, and Availability (Cis) relate to Broken Access Control in APIs, with real attack pHipaa: Broken Access ControlLearn how HIPAA requirements intersect with Broken Access Control in healthcare APIs, including attack patterns, detecti