DEV Community

lee-jasaispace


Building an Azure Misconfiguration Scanner: Starting Over

I am learning Azure security architecture, IAM, and policy-driven detection by completing a 90-day challenge to build an Azure Misconfiguration Scanner.

I'm breaking things, detecting misconfigurations, and building a tool to find them. Until I really broke something—my Azure account.


What Happened

At the end of July, I hit a wall working on day 8 tasks. What started out as a learning exercise quickly turned into an Azure tenant lockout.

After completing most of the tasks for day 8, my Azure account hit a critical issue. I attempted to clean up some identity settings in Entra ID, which led to me accidentally removing my access and changing the login identity. While I can log in to the account, I can no longer:

  • Assign permissions
  • Contact support through the portal
  • Disable or modify active, assigned policies

It feels like a ghost tenant.


Starting Over

Rather than waste time contacting support (which I will eventually have to do), I created a new Azure account with a new subscription and tenant. I rebuilt everything I had done in the first eight days in one focused sprint.

I have successfully:

  • Assigned Audit NICs with Public IPs policy and Audit Storage Public Network Access policy
  • Created Test Resource Groups with and without policy and a public storage account
  • Deployed a non-compliant NIC to validate detection
  • Verified results using 'az policy state list' and CLI filters
  • Detected and confirmed compliance using CLI output

# Assign a built-in policy definition at resource-group scope.
# Note: this definition ID and the listOfAllowedLocations parameter belong to the
# built-in "Allowed locations" policy, so the assignment name below does not
# describe what is actually being assigned.
az policy assignment create \
    --name "AuditStorage PublicAccess" \
    --policy "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" \
    --params "{ \"listOfAllowedLocations\": { \"value\": [\"eastus\"] } }" \
    --scope "/subscriptions/<new-sub-id>/resourceGroups/RG-SecureAccess"
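The verification step in the list above (reading `az policy state list` output to confirm the deliberately non-compliant NIC was flagged) can be scripted rather than eyeballed. The following is an added example, not the author's code: it filters a constructed sample of `az policy state list -g RG-SecureAccess -o json` output using the field names that command returns (complianceState, policyAssignmentName, resourceType, resourceId, and so on). The subscription ID, assignment names and resource IDs are made up for the sample.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of `az policy state list -g RG-SecureAccess -o json`.
# Field names are those of the policy-state records the CLI prints; the subscription ID,
# assignment names and resource IDs below are invented for this example.
SUB = "00000000-0000-0000-0000-000000000000"
RG = f"/subscriptions/{SUB}/resourceGroups/RG-SecureAccess"
NIC_PUBLIC = f"{RG}/providers/Microsoft.Network/networkInterfaces/nic-public-test"
NIC_PRIVATE = f"{RG}/providers/Microsoft.Network/networkInterfaces/nic-private"
ST_PUBLIC = f"{RG}/providers/Microsoft.Storage/storageAccounts/stpublictest"
ST_PRIVATE = f"{RG}/providers/Microsoft.Storage/storageAccounts/stprivate"


def _state(resource_id, resource_type, assignment, compliant):
    """Build one policy-state record as the CLI would print it."""
    return {
        "complianceState": "Compliant" if compliant else "NonCompliant",
        "isCompliant": compliant,
        "policyAssignmentName": assignment,
        "policyAssignmentScope": RG,
        "policyDefinitionAction": "audit",
        "resourceGroup": "RG-SecureAccess",
        "resourceId": resource_id,
        "resourceType": resource_type,
        "timestamp": "2025-08-01T12:00:00Z",
    }


SAMPLE_STATES = [
    _state(NIC_PUBLIC, "Microsoft.Network/networkInterfaces", "audit-nic-public-ip", False),
    _state(NIC_PRIVATE, "Microsoft.Network/networkInterfaces", "audit-nic-public-ip", True),
    _state(ST_PUBLIC, "Microsoft.Storage/storageAccounts", "audit-storage-public-access", False),
    _state(ST_PRIVATE, "Microsoft.Storage/storageAccounts", "audit-storage-public-access", True),
]
# Resources in an RG with no assignment (e.g. RG-PolicyExempt) produce no records at all,
# so they never appear here: absence is "not evaluated", not "compliant".


def noncompliant(states):
    """One (assignment, resourceType, resourceId) row per non-compliant record, sorted.

    CLI equivalent (not run here):
      az policy state list -g RG-SecureAccess --filter "ComplianceState eq 'NonCompliant'" \
        --query "[].{assignment:policyAssignmentName, type:resourceType, id:resourceId}" -o table
    """
    return sorted(
        (s["policyAssignmentName"], s["resourceType"], s["resourceId"])
        for s in states
        if s["complianceState"] == "NonCompliant"
    )


def summarize_by_assignment(states):
    """Per-assignment counts by compliance state, like the portal's Compliance blade."""
    summary = defaultdict(Counter)
    for s in states:
        summary[s["policyAssignmentName"]][s["complianceState"]] += 1
    return {name: dict(counts) for name, counts in summary.items()}


def confirm_detection(states, expected_resource_id, assignment):
    """True only if the deliberately misconfigured resource is flagged NonCompliant
    under the assignment that is supposed to catch it. Resource IDs are compared
    case-insensitively because Azure does not treat their case as significant."""
    want = expected_resource_id.lower()
    return any(
        s["resourceId"].lower() == want
        and s["policyAssignmentName"] == assignment
        and s["complianceState"] == "NonCompliant"
        for s in states
    )


if __name__ == "__main__":
    import sys

    # Pipe real output in: az policy state list -g RG-SecureAccess -o json | python3 check_compliance.py
    states = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_STATES
    for name, counts in summarize_by_assignment(states).items():
        print(f"{name}: {counts}")
    for assignment, rtype, rid in noncompliant(states):
        print(f"NonCompliant [{assignment}] {rtype} {rid}")
    print("NIC detected:", confirm_detection(states, NIC_PUBLIC, "audit-nic-public-ip"))
```

Policy evaluation is not instant after a deployment, so an empty result right after creating the NIC does not mean the policy missed it; `az policy state trigger-scan -g RG-SecureAccess` starts an on-demand evaluation, and the `timestamp` field on each record tells you how fresh the verdict is.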

Changes

I decided to make and stick to a few changes that will help this second time around. I am designating a review day after each full week is completed. I will not edit user principal names, and I now confirm Owner access on the correct subscription before making assignments. Lastly, I keep a dedicated RG-PolicyExempt group to simulate misconfigs freely. These changes exposed a few lessons I needed to learn about myself while working on this project, which include policy fatigue, avoiding lockouts, role clarity, and testing safely.
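A pre-flight check for the "confirm Owner access on the correct subscription before assignments" rule above. This is an added example, not the author's tooling: it takes the parsed JSON of `az role assignment list --all -o json` (the field names principalId, roleDefinitionName and scope are the CLI's; the principal, subscription and management-group values are constructed) and reports which role assignments actually cover the scope you are about to assign policy at. Owner on a different subscription, or on a sibling resource group, is deliberately not counted, since that is exactly the mix-up the check is meant to catch. It also treats Resource Policy Contributor as sufficient, because that built-in role carries the policy-assignment write permission.

```python
# Pre-flight: does the signed-in principal hold a role that can create policy
# assignments at the target scope? Input is the parsed JSON of
#   az role assignment list --all -o json
# and the principal ID comes from
#   az ad signed-in-user show --query id -o tsv
# Field names are the CLI's; the IDs and scopes below are constructed for the example.

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
# Built-in roles that include Microsoft.Authorization/policyAssignments/write.
ASSIGNING_ROLES = {"Owner", "Resource Policy Contributor"}

ME = "aaaaaaaa-1111-2222-3333-444444444444"           # constructed principal (object) ID
SOMEONE_ELSE = "bbbbbbbb-5555-6666-7777-888888888888"
OLD_SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"  # the locked-out tenant's sub
NEW_SUB = "/subscriptions/22222222-2222-2222-2222-222222222222"  # the rebuilt sub

SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalId": ME, "principalType": "User", "roleDefinitionName": "Owner", "scope": OLD_SUB},
    {"principalId": ME, "principalType": "User", "roleDefinitionName": "Reader", "scope": NEW_SUB},
    {"principalId": ME, "principalType": "User", "roleDefinitionName": "Resource Policy Contributor",
     "scope": NEW_SUB + "/resourceGroups/RG-SecureAccess"},
    {"principalId": SOMEONE_ELSE, "principalType": "User", "roleDefinitionName": "Owner", "scope": NEW_SUB},
    {"principalId": ME, "principalType": "User", "roleDefinitionName": "Owner", "scope": MG_PREFIX + "mg-lab"},
]


def _covers(assignment_scope, target_scope):
    """True if a role at assignment_scope is inherited by target_scope.
    Matches on whole path segments so /RG-SecureAccess does not cover /RG-SecureAccess2.
    Root scope "/" covers everything."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return a == "" or a == t or t.startswith(a + "/")


def assignment_rights(role_assignments, principal_id, target_scope):
    """Split the principal's policy-assigning roles into those that definitely cover
    target_scope and management-group-scoped ones whose ancestry cannot be read off
    the assignment alone (the MG may or may not contain the target subscription)."""
    covering, undetermined = [], []
    for ra in role_assignments:
        if ra["principalId"].lower() != principal_id.lower():
            continue
        if ra["roleDefinitionName"] not in ASSIGNING_ROLES:
            continue
        scope = ra["scope"]
        if scope.lower().startswith(MG_PREFIX.lower()):
            undetermined.append((ra["roleDefinitionName"], scope))
        elif _covers(scope, target_scope):
            covering.append((ra["roleDefinitionName"], scope))
    return covering, undetermined


def can_assign_policy(role_assignments, principal_id, target_scope):
    """True only when a covering assignment is proven; MG-scoped roles alone are not enough."""
    covering, _ = assignment_rights(role_assignments, principal_id, target_scope)
    return bool(covering)


if __name__ == "__main__":
    for target in (NEW_SUB, NEW_SUB + "/resourceGroups/RG-SecureAccess", OLD_SUB):
        covering, undetermined = assignment_rights(SAMPLE_ROLE_ASSIGNMENTS, ME, target)
        print(target)
        print("  can assign:", bool(covering), "via", covering)
        if undetermined:
            print("  check MG ancestry for:", undetermined)
```

Run it against the live listing before `az policy assignment create`; if the only hit is a management-group-scoped role, confirm that the target subscription actually sits under that management group before trusting it.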


Have you ever completely locked yourself out of a cloud environment? Or made any critical mistakes on a production level environment? Did it set you back or push you forward? Comment below.
