Skip to content

Azure Cloud Pentest

The NodeZero Azure Cloud Pentest is an assumed-breach, black-box assessment that combines Azure API enumeration with an Internal Pentest — letting you assess both your cloud resources and the workloads running on Azure VMs in a single test. NodeZero is deployed into your Azure subscription using a managed identity, which eliminates the need to provide or inject Azure credentials, however you can still inject Entra users as necessary. This pentest is cloud-to-cloud, so no on-prem infrastructure is required.

NodeZero conducts this pentest in compliance with Microsoft's Penetration Testing guidelines and Security Testing Rules of Engagement.

Before getting started, make sure you are logged into the NodeZero Portal.

Prerequisites

To run an Azure Cloud Pentest, you'll need to set up a connection to your Azure tenant and subscriptions. To do so, you will also need:

  • An Entra ID administrator with the role of either Global Admin or Privileged Role Admin, to grant admin consent.
  • The role of either Owner or User Access Administrator on all subscriptions you want to authorize.
  • The subnet you select at launch must have outbound internet connectivity. NodeZero validates this before the test starts and will block the run if an NSG or private-subnet setting prevents outbound traffic.

Helpful guides to get you started:

How NodeZero Simulates an Assumed Breach

When NodeZero runs an Azure Cloud Pentest, it deploys a temporary Standard_D4s_v3 VM into the subnet you select and uses a managed identity to authenticate against Azure APIs.

NodeZero creates a resource group named H3-NodeZero-rg-[suffix] containing four resources: a virtual machine, an OS disk, a network interface, and a user-assigned managed identity. Credentials for deploying and cleaning up these resources are generated just-in-time on the Cloud Connector — no long-lived secrets are stored. All four resources are automatically removed when the pentest completes.

Azure resource group listing four H3-NodeZero resources: a network interface, disk, managed identity, and virtual machine.

The managed identity receives two IAM assignments:

  • Global Reader at the Entra ID (tenant) level — for directory and identity enumeration.

Entra ID Global Reader Assignments page showing the H3-NodeZero managed identity as a service principal with an active assignment.

  • The role you select at launch (such as Contributor, Reader, or VM Contributor) at the subscription level — this determines the Azure API attack surface for the test.

Azure subscription Access control page showing the H3-NodeZero managed identity assigned the Contributor role.

During setup, a PowerShell script creates the "Horizon3 Cloud Connector Custom Role" with 28 permissions across Microsoft.Authorization, Microsoft.Compute, Microsoft.ManagedIdentity, Microsoft.Network, and Microsoft.Resources. These are the minimum permissions NodeZero needs to deploy and tear down the test VM.

Azure custom role panel showing the Horizon3 Cloud Connector Custom Role with all 28 permissions listed.

Test Configuration at Launch

Keep in mind the consequences of these decisions you make when launching the test:

  • The subnet you pick at launch is where NodeZero deploys — not what it tests. The internal portion of the test follows your allow/blocklist just like a standard Internal Pentest, and NodeZero will traverse peering connections if the target IPs fall within your allowed scope.
  • The subscription you pick at launch is the only subscription NodeZero enumerates for Azure resources. Entra ID is at the tenant level and is always in scope.
  • The role you assign at launch determines the Azure API attack surface. Use Reader to audit a read-only IAM posture, Contributor for deeper gray-box testing, or a custom role to test specific permission sets.