Azure Cloud Penetration Testing
Entra ID misconfigurations are the leading cause of Azure compromise. Our CREST-accredited testers exploit Conditional Access bypass paths, hybrid identity attack chains via AD Connect, Azure RBAC over-permissioning, and AKS workload identity abuse to show you what a real adversary would do in your Azure environment.
What we test.
How we exploit it.
Six Azure-specific attack domains. Every assessment covers the full chain from initial enumeration to cross-subscription privilege escalation.
Entra ID & Conditional Access
Conditional Access is the crown jewel of Azure identity security and the most commonly misconfigured control. We test every bypass path: legacy authentication via IMAP/SMTP/POP3, named location spoofing, compliant device exemptions, and guest account policy gaps. Hybrid identity attack chains via AD Connect are assessed end-to-end, including Password Hash Sync exposure and Seamless SSO token theft. Privileged Identity Management misconfiguration, standing global administrator assignments, and stale emergency access accounts are enumerated and validated.
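A defender-side check for the legacy-authentication gap described above, added here as an example rather than Precursor's own tooling: it evaluates Conditional Access policies in the shape Microsoft Graph returns them (`state`, `conditions.clientAppTypes`, `grantControls.builtInControls`) and reports why legacy clients are not blocked tenant-wide. The two sample policies are constructed.

```python
import json

# Graph clientAppTypes values that cover legacy/basic-auth clients (IMAP, POP3, SMTP AUTH, EAS)
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}

# Constructed sample tenant: MFA is enforced only for modern clients, and the policy
# that would block legacy clients is still in report-only mode.
SAMPLE_POLICIES = json.loads("""[
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                  "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
   "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-1"]},
                  "clientAppTypes": ["exchangeActiveSync", "other"]},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")


def targets_legacy_clients(policy):
    """True if the policy's client app condition covers both legacy client types."""
    return LEGACY_CLIENT_TYPES <= set(policy.get("conditions", {}).get("clientAppTypes", []))


def blocks_legacy_auth(policy):
    """True if the policy is enforced, applies to all users, and blocks legacy clients."""
    users = policy.get("conditions", {}).get("users", {})
    return (policy.get("state") == "enabled"
            and users.get("includeUsers") == ["All"]
            and targets_legacy_clients(policy)
            and "block" in policy.get("grantControls", {}).get("builtInControls", []))


def legacy_auth_findings(policies):
    """Return findings describing the gap; empty list when legacy auth is blocked tenant-wide."""
    blocking = [p for p in policies if blocks_legacy_auth(p)]
    if blocking:
        # Excluded users (often break-glass accounts) keep a residual MFA-bypass path.
        excluded = sorted({u for p in blocking for u in p["conditions"]["users"].get("excludeUsers", [])})
        return [f"legacy auth blocked except for excluded users: {excluded}"] if excluded else []
    findings = []
    for p in policies:
        if targets_legacy_clients(p) and p.get("state") != "enabled":
            findings.append(f"'{p['displayName']}' targets legacy clients but its state is {p['state']}")
        elif p.get("state") == "enabled" and not targets_legacy_clients(p):
            findings.append(f"'{p['displayName']}' is enforced but does not cover legacy clients")
    return findings or ["no Conditional Access policy targets legacy client app types"]
```

Run against a real export, the first branch matters most: a policy that is "enabled" but carries exclusions still leaves those identities able to authenticate without MFA over IMAP/POP3/SMTP.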
Azure RBAC & Management Groups
Over-permissioning at the management group scope is the fastest path to cross-subscription compromise. We enumerate every Owner and Contributor assignment at management group, subscription, and resource scope. Custom role definitions are reviewed for privilege escalation paths, including actions such as Microsoft.Authorization/*/write and deployment template injection vectors.
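The enumeration this paragraph describes, as an added example that is not the assessment tooling: it classifies each assignment's scope, flags Owner, Contributor and User Access Administrator at management group or subscription scope, and checks custom roles for effective Microsoft.Authorization write rights using Azure's wildcard matching (actions minus notActions). Input shapes follow `az role assignment list --all` and `az role definition list --custom-role-only true`; the sample data is constructed.

```python
import fnmatch

# Built-in roles carrying write or delegation rights over everything in scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Actions that let a principal grant itself more access; Microsoft.Authorization/*/write covers both.
ESCALATION_ACTIONS = ["Microsoft.Authorization/roleAssignments/write", "Microsoft.Authorization/roleDefinitions/write"]
BROAD_SCOPES = {"root", "managementGroup", "subscription"}

# Constructed sample data shaped like `az role assignment list --all` and
# `az role definition list --custom-role-only true` output (fields trimmed).
SAMPLE_ASSIGNMENTS = [
    {"principalName": "build-pipeline-sp", "roleDefinitionName": "Contributor",
     "scope": "/providers/Microsoft.Management/managementGroups/corp-root"},
    {"principalName": "auditor@example.test", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "app-team", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
]
SAMPLE_CUSTOM_ROLES = [
    {"roleName": "VM Operator", "permissions": [
        {"actions": ["Microsoft.Compute/*", "Microsoft.Authorization/*/write"],
         "notActions": ["Microsoft.Authorization/roleDefinitions/write"]}]},
]

def scope_level(scope):
    """Classify an RBAC scope string: root, managementGroup, subscription or narrower."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return "root"
    if parts[:2] == ["providers", "Microsoft.Management"]:
        return "managementGroup"
    return "subscription" if parts[0] == "subscriptions" and len(parts) == 2 else "narrower"

def role_allows(role_def, action):
    """True if the role's actions permit `action` and no notActions pattern removes it."""
    def matches(key):
        return any(fnmatch.fnmatchcase(action, pat) for p in role_def["permissions"] for pat in p.get(key, []))
    return matches("actions") and not matches("notActions")

def review_rbac(assignments, custom_roles):
    """Privileged built-in roles at broad scope, plus custom roles able to grant further rights."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and level in BROAD_SCOPES:
            findings.append(f"{a['principalName']}: {a['roleDefinitionName']} at {level} scope {a['scope']}")
    for r in custom_roles:
        escalations = [act for act in ESCALATION_ACTIONS if role_allows(r, act)]
        if escalations:
            findings.append(f"custom role '{r['roleName']}' permits {', '.join(escalations)}")
    return findings
```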
Blob Storage & Data Protection
Public blob access is still enabled by default in many Azure tenants. We test every storage account for anonymous read access, SAS token over-permissioning and expiry, shared key authentication versus Azure AD-based access, and whether customer-managed key (CMK) encryption is enforced where data classification requires it.
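A SAS token review as an added example (not the project's code): it parses the documented SAS query parameters (sp, se, srt, sip, spr) out of a URL and reports modifying permissions, excessive lifetime, account-wide scope, a missing source IP restriction and plain HTTP. The URL, its signature and the fixed "current time" are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Azure SAS permission letters that allow modification rather than read/list.
WRITE_PERMS = {"w": "write", "d": "delete", "a": "add", "c": "create", "u": "update"}
SAS_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

# Constructed account SAS URL with a fake signature: all services and resource types,
# write and delete permissions, a ten-year lifetime, HTTP allowed, no IP restriction.
SAMPLE_SAS = ("https://examplestorage.blob.core.windows.net/backups?sv=2022-11-02&ss=bfqt&srt=sco"
              "&sp=rwdlacu&st=2024-01-01T00:00:00Z&se=2035-01-01T00:00:00Z&spr=https,http&sig=FAKESIG")
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "current time" for the demo


def parse_sas_time(value):
    """Parse the st/se timestamp formats Azure accepts into an aware UTC datetime."""
    for fmt in SAS_TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value}")


def review_sas(url, now, max_lifetime_days=7):
    """Return a list of findings for a SAS URL; empty when nothing exceeds the thresholds."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    if "sig" not in params or "se" not in params:
        return ["not a SAS URL: missing sig or se parameter"]
    risky = [WRITE_PERMS[p] for p in params.get("sp", "") if p in WRITE_PERMS]
    if risky:
        findings.append("modifying permissions granted: " + ", ".join(risky))
    expiry = parse_sas_time(params["se"])
    if expiry <= now:
        findings.append(f"expired at {params['se']} (token no longer valid)")
    elif expiry - now > timedelta(days=max_lifetime_days):
        findings.append(f"lifetime exceeds {max_lifetime_days} days (expires {params['se']})")
    if "srt" in params and set("sco") <= set(params["srt"]):
        findings.append("account SAS covering service, container and object scope (srt=sco)")
    if "sip" not in params:
        findings.append("no source IP restriction (sip absent)")
    if "http" in params.get("spr", "https").split(","):
        findings.append("plain HTTP permitted (spr includes http)")
    return findings
```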
Azure Functions & Serverless
Managed identity is the right pattern for Azure Functions, but misconfigured bindings and secrets left in application settings expose the same attack surface as hard-coded credentials. We audit every Function App for WEBSITE_AUTH_ENCRYPTION_KEY and similar secrets, evaluate whether managed identities carry excessive RBAC permissions, and test input binding exploitation paths where external data is processed without sanitisation. Anonymous HTTP trigger exposure and function-level authentication bypass are also assessed.
AKS & Container Security
AKS clusters configured with --enable-aad still rely on Azure RBAC for cluster access, and misconfigured ClusterRole bindings enable lateral movement from compromised pods. We review Kubernetes RBAC configuration, pod security standards, workload identity federation, node pool access controls, and the attack surface presented by misconfigured admission controllers.
Defender for Cloud & Detection
A high Secure Score does not mean exploitable misconfigurations are absent. We contextualise your Defender for Cloud Secure Score against actual exploitability, identify NSG rules that permit lateral movement despite appearing restrictive, and flag alert coverage gaps where attack techniques used during the engagement generated no detections.
The Azure risk landscape.
Real-world Azure compromise statistics from industry sources. The numbers inform our testing priority and attack chain design.
Valid Account Abuse
of cloud breaches involved valid account compromise via stolen or leaked credentials. Entra ID is the primary target.
Source: CrowdStrike Global Threat Report
Conditional Access Gaps
of Azure tenants have at least one Conditional Access bypass path, typically via legacy authentication protocols left unblocked.
Source: Precursor Security client data
Industry Benchmark Mapping
Every finding in our report is mapped to industry standard security benchmark controls, enabling direct submission to auditors and compliance teams.
Included in all Azure assessment reports
Mapped Controls
Compliance frameworks
Industry Benchmarks
Full benchmark mapping
ISO 27001
Annex A.12.6, A.18.2
SOC 2 Type II
CC7.1, CC6.6
DORA
Article 25 resilience testing
What we find in Azure environments.
Anonymised findings from recent Azure penetration testing engagements. Both findings were confirmed exploitable in production.
Entra ID Service Principal Key Vault Access
An Entra ID service principal holding the Contributor role at subscription scope was accessible via a client secret exposed in a public repository. Cross-service-principal trust allowed read access to all Key Vault secrets across three Azure subscriptions.
Production secrets, API keys, and certificates exposed across the entire Azure estate.
Conditional Access Bypass via Legacy Authentication
Legacy authentication protocols (IMAP, SMTP, POP3) were not blocked by Conditional Access policies. An attacker with valid credentials could bypass MFA enforcement entirely using legacy mail clients, gaining full mailbox access and lateral movement capabilities.
Complete MFA bypass for any user with legacy authentication enabled, exposing email and OneDrive data.
Every Azure service. Covered.
Our Azure penetration testing covers the eight service areas most commonly exploited in real-world Azure compromise scenarios.
Entra ID
- Conditional Access bypass
- PIM misconfiguration
- AD Connect sync security
- Password Hash Sync exposure
- Seamless SSO token theft
Azure RBAC
- Management group scope assignments
- Custom role escalation paths
- Subscription-level over-permissioning
- Resource group access control
- Classic administrator roles
Blob Storage
- Public access configuration
- SAS token scope and expiry
- Access policy versus Azure AD
- CMK encryption enforcement
- Immutability policy review
Azure Functions
- Managed identity RBAC review
- Anonymous HTTP trigger exposure
- Secrets in application settings
- Binding exploitation surface
- Function-level auth bypass
AKS
- Kubernetes RBAC configuration
- Pod security standards
- Workload identity federation
- Node pool access controls
- Admission controller review
Defender for Cloud
- Secure Score contextualisation
- NSG effectiveness analysis
- Alert coverage gap mapping
- Policy compliance review
- Workload protection status
Key Vault
- Access policies versus RBAC mode
- CMK key management review
- Soft delete and purge protection
- Certificate lifecycle review
- Managed HSM configuration
Virtual Networks
- Private Endpoint configuration
- Azure Bastion access review
- VNet peering topology
- Network Security Groups
- Service endpoint policies
Is Azure penetration testing right for your organisation?
Six indicators that an Azure penetration test should be on your roadmap this quarter.
ISO 27001 or SOC 2 audit upcoming
Your auditor requires evidence of independent penetration testing for ISO 27001 Annex A.12.6 or SOC 2 CC7.1. Our report is structured for direct submission.
Recent Azure migration or expansion
You have migrated workloads to Azure or onboarded new subscriptions without a comprehensive security review. New tenant configurations carry inherited misconfigurations.
Hybrid identity environment
AD Connect synchronises your on-premises Active Directory to Entra ID. The AZUREADSSOACC account and Password Hash Sync add cloud attack surface to your on-premises estate.
Legacy applications using basic auth
You have applications or services using SMTP AUTH, IMAP, or POP3 that cannot be modernised immediately. These bypass Conditional Access MFA controls entirely, even with strong policies in place.
Defender for Cloud Secure Score below 80
Your Secure Score indicates misconfigurations are present. You need to understand which of those misconfigurations are actually exploitable and in what priority order to remediate them.
DORA or PCI DSS compliance requirement
DORA Article 25 mandates threat-led penetration testing for financial entities. PCI DSS v4.0 Requirement 11.4 requires penetration testing of CDE infrastructure, including cloud environments.
Audit-ready output.
Every report maps findings to the frameworks your auditors check. No manual cross-referencing required.
Framework coverage
Industry Standard Security Benchmarks
Full control mapping across all sections
ISO 27001:2022
Annex A.12.6 Technical Vulnerability Management, A.18.2
SOC 2 Type II
CC7.1 System Monitoring, CC6.6 Logical Access
DORA
Article 25 advanced threat-led penetration testing
NIST CSF v2.0
Identify, Protect, Detect subcategory alignment
Certifications
CREST Accredited
Penetration Testing firm accreditation
AZ-500
Microsoft Azure Security Technologies
DBS Checked
All consultants DBS-checked
Engagement Workflow
Four structured phases designed to minimise operational friction and maximise the depth of your Azure security assessment.
Scoping & Access
Define subscriptions in scope, provision Reader and Security Reader roles at subscription scope. Clarify hybrid identity topology and any production-sensitive resources requiring extra care.
Enumeration & Config Review
Entra ID tenant enumeration, RBAC assignment analysis, network topology review, storage account configuration, and Defender for Cloud Secure Score contextualisation.
Exploitation & Escalation
Active Conditional Access bypass testing, hybrid identity attack chain execution, cross-subscription privilege escalation pivots, and managed identity abuse. Critical findings reported immediately.
Report & Retest
PowerShell and Azure Portal remediation guidance, board-ready executive summary.
What you receive.
Every Azure penetration test engagement includes the following deliverables as standard.
Report deliverables
Executive Summary
Non-technical risk narrative for board and senior leadership, with risk-rated findings overview
Technical Report
CVSS v3.1 scored findings with reproduction steps, evidence screenshots, and attack chain diagrams
Industry Benchmark Mapping
Every finding cross-referenced against the full industry standard security benchmark control set
Remediation Guidance
Step-by-step fixes via PowerShell and Azure Portal
Compliance Mapping Annex
ISO 27001, SOC 2, DORA, and NIST CSF cross-reference table for auditor submission
Assessment Window Retesting
Free re-validation of remediated findings within the assessment window at no additional cost
Engagement SLAs
Fixed-price. From £3,750.
Single-subscription Azure environments. Multi-subscription quoted after scoping. No day-rate surprises.
Azure pentesting surfaces vulnerabilities.
Cloud MDR stops them from being exploited.
A penetration test shows you the attack paths. Our Cloud Security Monitoring service watches for those same paths being traversed in real time. One fixed engagement. Continuous protection.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
The best time to test your defences is now.
Join the high-growth companies relying on Precursor for continuous offensive and defensive security.
Frequently Asked Questions
Common questions about this service, methodologies, and deliverables.
Yes. Microsoft's penetration testing rules of engagement no longer require pre-approval for testing your own Azure resources. You are permitted to conduct penetration testing against Azure resources you own without notifying Microsoft, provided you comply with their Acceptable Use Policy and the testing does not target Microsoft's shared infrastructure. Certain activities remain prohibited, including denial-of-service attacks against Azure infrastructure and testing cross-tenant resources you do not own. We are familiar with all Microsoft penetration testing guidelines and structure every engagement to operate within them.
Our Azure penetration testing covers the full Azure estate typically present in enterprise environments: Entra ID (Conditional Access, Privileged Identity Management, AD Connect, Password Hash Sync, Seamless SSO), Azure RBAC (management group, subscription, resource group, and resource-level assignments), Blob Storage (access policies, SAS tokens, public access, CMK encryption), Azure Functions (managed identity, binding configuration, secrets in application settings), AKS (RBAC, pod security, workload identity, admission controllers), Defender for Cloud (Secure Score, NSG rules, alert coverage), Key Vault (access policies versus RBAC mode, CMK key management), and Virtual Networks (Private Endpoint configuration, Azure Bastion, peering topology).
We operate on a read-only access model. Our testers require the Reader and Security Reader roles at subscription scope. For Entra ID assessment, we require the Security Reader directory role. These roles provide read access to all resource configurations, RBAC assignments, and security settings without the ability to make changes. We never request Owner, Contributor, or any write-capable role. For hybrid identity assessment involving AD Connect, we may request read access to the on-premises Active Directory synchronisation configuration. All access is provisioned for the duration of the engagement and revoked upon report delivery.
Azure penetration testing starts from £3,750 for a single subscription environment with a standard Entra ID configuration. Multi-subscription environments or complex hybrid identity topologies (multiple AD Connect instances, federated identity providers, PIM extensively configured) typically cost £7,000 to £12,000. Pricing is fixed and confirmed after a scoping call. We do not charge by the day for cloud assessments; pricing reflects the scope of services, subscriptions, and identity configuration complexity.
Defender for Cloud is a continuous configuration monitoring tool. It scans your Azure environment against a set of known-good configuration benchmarks and flags deviations as recommendations. It tells you that a storage account has public access enabled. It does not tell you whether that storage account contains sensitive data, whether an attacker could chain that misconfiguration with an over-permissioned managed identity to pivot to another subscription, or whether the Conditional Access bypass path through legacy authentication provides a route to that same storage account. Azure penetration testing chains these misconfigurations into realistic attack paths, demonstrates actual exploitability, and produces evidence that satisfies compliance auditors. Defender for Cloud Secure Score is an input to our engagement, not a substitute for it.
Yes. Entra ID and hybrid identity assessment is the core of every Azure penetration test we conduct. Entra ID misconfigurations are the leading cause of Azure compromise. We test Conditional Access bypass paths including legacy authentication, named location spoofing, and device compliance exemptions. We assess AD Connect synchronisation security, Password Hash Sync exposure, and Seamless SSO token theft vectors. Privileged Identity Management configuration, standing global administrator assignments, and guest account proliferation are all enumerated and validated as part of the standard engagement scope.