By Alon Klayman and Eliraz Levi, Team AXON

Azure Managed Identities (MIs)—a type of Azure's Non-Human Identities (NHIs)—streamline credential management for developers, significantly enhancing cloud security posture. However, despite these security advantages, MIs are increasingly becoming a critical attack vector exploited by threat actors.

As enterprises accelerate their adoption of cloud solutions, managing authentication and credential security has become paramount. Azure MIs, previously known as Managed Service Identities (MSI), aim to address the complexities associated with credential management by providing automated, secure authentication methods. These identities, while robust, are not immune to exploitation.

Our latest research uncovers how attackers can abuse MIs tied to common Azure services, such as Virtual Machines (VMs), to impact various components of Microsoft’s cloud infrastructure. This includes widely used services like Key Vault, Storage Accounts, Entra ID, and even Microsoft 365, highlighting the potentially significant blast radius of such abuse. In this research paper, you'll learn:

  • An in-depth overview of how Managed Identities work behind the scenes.
  • How attackers exploit System-Assigned (SAMI) and User-Assigned (UAMI) Managed Identities.
  • Real-world attack scenarios demonstrating how Managed Identities can be abused for privilege escalation, lateral movement, and unauthorized access to sensitive Azure resources (e.g., Key Vault), as well as Microsoft 365 services such as Exchange Online, and more.

Figure: The potential blast radius of a compromised Managed Identity

Understanding these threat vectors is essential for defenders to anticipate attacker movements and secure cloud infrastructure effectively.

Read the full technical breakdown on how attackers exploit Azure Managed Identities.

To stay updated on threat-hunting research, activities, and queries, follow Team Axon’s X/Twitter account (@team__axon).