DEV Community

lee-jasaispace


Building an Azure Misconfiguration Scanner: Week 1 of My 90-Day Challenge

TL;DR

“I wanted to learn Azure security in a way that certifications alone couldn’t teach me—by breaking things, detecting misconfigurations, and building a tool to find them.”

  • Week 1 was baseline setup + first policy detection
  • Hit CLI/PowerShell quirks and Azure Policy delays
  • Repo + workflow started coming together
  • Next week → storage misconfigurations + tenant chaos

This is Week 1 of my 90-Day challenge to build an Azure Misconfiguration Scanner while deeply learning Azure security architecture, IAM, and policy-driven detection. With the help of James Lee's AZ-104 Course, Microsoft Learn, and ChatGPT, I am learning and building.

Azure security concepts often make sense on paper, but in practice, misconfigurations happen fast. So instead of passively studying, I:

  • Created an Azure security lab from scratch
  • Intentionally misconfigured resources
  • Detected those misconfigs with Azure Policy + automation
  • Built toward a custom misconfiguration scanner by Day 90

Week 1 Goals

  • Set up a baseline Azure environment
  • Understand Azure Policy basics
  • Trigger the first noncompliance detection
  • Start organizing everything in a GitHub repo

What I Accomplished

  • ✅ Created Resource Group RG-SecureAccess as my main test scope
  • ✅ Built test users, groups, and a custom insecure RBAC role
  • ✅ Learned how to assign built-in Azure Policies, e.g. “Network interfaces should not have public IPs”
  • ✅ Created a misconfigured NIC to test detection
  • ✅ Saw Azure Policy deny a VM creation (cool moment!)
  • ✅ Started repo scaffolding with queries/nics-with-public-ips.cli
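The check behind that first query file, written out here as an added example (this is my own version, not the contents of the repo's queries/nics-with-public-ips.cli). It assumes you are already logged in with az login and that RG-SecureAccess exists; the resource group name is the only input.

```powershell
# Added example: list NICs in the test resource group that have a public IP
# attached to any of their IP configurations. Assumes az login has been done
# and that RG-SecureAccess exists.
$rg = "RG-SecureAccess"

# JMESPath filter: keep a NIC only if its ipConfigurations contain at least one
# entry whose publicIPAddress is set. An empty inner result is falsy, so NICs
# with no public IP are dropped. The projection returns the public IP ids found.
$query = "[?ipConfigurations[?publicIPAddress]].{nic:name, rg:resourceGroup, publicIps:ipConfigurations[?publicIPAddress].publicIPAddress.id}"

# @( ) forces an array even when ConvertFrom-Json yields a single object (PS 5.1).
$findings = @(az network nic list --resource-group $rg --query $query -o json | ConvertFrom-Json)

if ($findings.Count -eq 0) {
    Write-Host "No NICs with public IPs in $rg"
} else {
    $findings | Format-Table -AutoSize
    # Non-zero exit code lets this act as a failing check in a pipeline.
    exit 1
}
```

The `-o json | ConvertFrom-Json` step is what makes the output usable as data rather than a table dump, which is the direction a scanner needs to go: every check returns findings that can be counted, filtered and fed into a report.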

Early Struggles

  • Azure CLI vs PowerShell quoting: Multi-line CLI commands and JSON parameters broke constantly until I learned to use JSON files for parameters.
  • Azure Policy evaluation delay: I expected instant results but policies take ~5-10 minutes to evaluate resources.
  • Tenant confusion (EXT# accounts): Guest vs. internal accounts behave differently for RBAC & CLI. I hit weird auth issues early on but didn’t know they’d come back to bite me harder in Week 2.
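The fix for the first two struggles, as an added example rather than code from the post: build the policy parameters as PowerShell objects, write them to a file, and pass the file path to `--params` so the JSON never has to survive PowerShell-to-CLI quoting, then request an on-demand compliance scan instead of waiting for the next evaluation cycle. It assumes RG-SecureAccess exists and that you are logged in; the assignment name and file name are constructed placeholders. The definition id and parameter name are the ones used later in this post.

```powershell
# Added example, not from the original post. Assumes RG-SecureAccess exists and
# az login has been done. Assignment name and file name are placeholders.
$rg = "RG-SecureAccess"
$paramsFile = Join-Path $PWD "allowed-locations.params.json"

# Build the parameter document as a hashtable and let ConvertTo-Json emit it.
# ASCII avoids a UTF-8 BOM in the file; the content is plain ASCII anyway.
@{
    listOfAllowedLocations = @{ value = @("eastus") }
} | ConvertTo-Json -Depth 5 | Set-Content -Path $paramsFile -Encoding ascii

# Derive the scope from the resource group instead of hard-coding a subscription id.
$scope = az group show --name $rg --query id -o tsv

# --params accepts a path to a JSON file as well as an inline JSON string.
az policy assignment create `
  --name "allowed-locations-rg" `
  --display-name "Allowed locations (RG-SecureAccess)" `
  --policy e56962a6-4747-49cd-b67b-bf8b01975c4c `
  --params $paramsFile `
  --scope $scope

# Policy evaluation is asynchronous (the ~5-10 minute wait). An on-demand scan
# starts it now; the command blocks until the scan finishes (add --no-wait to return immediately).
az policy state trigger-scan --resource-group $rg
```

Keeping parameter files in the repo next to the query files also gives you a reviewable record of exactly what each assignment was created with.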

Hands-On Example

Here’s the CLI command I used to create a policy that

# Run from PowerShell: the trailing backtick is PowerShell's line continuation.
# e56962a6-4747-49cd-b67b-bf8b01975c4c is the built-in "Allowed locations"
# definition, which is why the parameter is named listOfAllowedLocations.
# The \" escapes inside single quotes are the Windows PowerShell idiom for
# getting literal double quotes through to the az CLI.
az policy assignment create `
  --name "AuditStoragePublicAccess" `
  --display-name "Audit public network access on storage accounts" `
  --policy e56962a6-4747-49cd-b67b-bf8b01975c4c `
  --params '{\"listOfAllowedLocations\":{\"value\":[\"eastus\"]}}' `
  --scope "/subscriptions/5d4b8df0-f30a-4bc3-b350-1ace90d201b8/resourceGroups/RG-SecureAccess"

Then I had to create a storage account with public access enabled to trigger the policy violation:

# Get-Random appends up to four digits so the globally unique, lowercase
# storage account name does not collide (stays under the 24-character limit).
# The last two flags are the deliberate misconfiguration under test.
az storage account create `
  --name "publicstoragedemo$((Get-Random -Maximum 9999))" `
  --resource-group "RG-SecureAccess" `
  --location "eastus" `
  --sku "Standard_LRS" `
  --kind "StorageV2" `
  --allow-blob-public-access true `
  --public-network-access Enabled
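Two ways to confirm the account above is actually flagged, as an added example that is not part of the original post: first ask Azure Policy for its compliance records, then run a scanner-style direct check that does not depend on Policy's evaluation timing. It assumes the assignment and storage account from this post exist in RG-SecureAccess and that you are logged in.

```powershell
# Added example, not from the original post. Assumes az login has been done and
# that the policy assignment and storage account above exist in RG-SecureAccess.
$rg = "RG-SecureAccess"

# 1) What Azure Policy has recorded. Compliance records lag resource creation,
#    so an empty result right after creation means "not evaluated yet", not "compliant".
az policy state list `
  --resource-group $rg `
  --filter "complianceState eq 'NonCompliant'" `
  --query "[].{resource:resourceId, policy:policyDefinitionName, assignment:policyAssignmentName}" `
  -o table

# 2) Direct check of the resource properties: any account that allows anonymous
#    blob access or public network access. This is what a scanner evaluates itself.
$query = "[?allowBlobPublicAccess || publicNetworkAccess=='Enabled'].{name:name, rg:resourceGroup, blobPublic:allowBlobPublicAccess, network:publicNetworkAccess}"
$exposed = @(az storage account list --resource-group $rg --query $query -o json | ConvertFrom-Json)

foreach ($acct in $exposed) {
    Write-Warning ("{0}: allowBlobPublicAccess={1}, publicNetworkAccess={2}" -f `
        $acct.name, $acct.blobPublic, $acct.network)
}
```

Running both side by side is a useful habit: when the direct check finds something Policy has not reported yet, you are looking at evaluation delay; when Policy reports something the direct check misses, the scanner is missing a rule.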

Follow me here if you want to see how this experiment evolves weekly.

Series Index

  • Week 1: Baseline Setup & First Detection
  • Week 2: Learning Azure Security the Hard Way
  • (Week 3 coming soon: Key Vault misconfigurations)
