Azure Cloud Security: 2 Real-World Fixes

Applied Zero-Trust: Two Real-World Security Challenges with CLI-Based Fixes


In this nugget, we cover two real-world Azure security issues that often go unnoticed and show how to fix them using native tools and scripting. If you’re managing identity or infrastructure in Azure, these walk-throughs could save your team from exposure.

Challenge #1: Over-Permissive Role Assignments


Scenario: A user was assigned the “Owner” role at the subscription level during an outage but was never downgraded. This violates least-privilege principles.

Risk: Owner includes every action on the subscription, including Microsoft.Authorization/* (writing role assignments), which Contributor explicitly excludes. A compromised or misused Owner account can therefore grant itself or any other principal any role, change or delete any resource, and read data across the whole subscription.



🔧 Fix: Identify and Remove Excessive Role Assignments

Step 1: Find All ‘Owner’ Assignments

az role assignment list --all --query "[?roleDefinitionName=='Owner']" --output table

--all also returns assignments made at resource-group and resource scope inside the current subscription, so nothing is hidden below the subscription level. Run the same query for 'User Access Administrator' as well: that role can write role assignments and so can hand Owner to anyone.

Step 2: Downgrade or Remove User

az role assignment delete \
  --assignee "user@domain.com" \
  --role "Owner" \
  --scope "/subscriptions/<sub-id>"

Recommended: Reassign only the RBAC role the task actually needs, at the narrowest scope that works. Reader is right for read-only work; Contributor still grants write access to every resource in the scope, so if write access is needed prefer a resource-group scope or the built-in role for the specific service. Example:

az role assignment create \
  --assignee "user@domain.com" \
  --role "Reader" \
  --scope "/subscriptions/<sub-id>"
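The two steps above can be turned into a repeatable audit. The following script is an added example, not code from the original post: it reads the JSON that `az role assignment list --all -o json` prints, flags Owner and User Access Administrator assignments at subscription scope or wider, and prints the matching `az role assignment delete` command for a human to review. The assignment list embedded below is constructed sample data, the set of roles treated as privileged is an assumption, and the `--live` switch that calls `az` is the only part that needs a logged-in CLI.

```python
"""Audit Azure role assignments for privileged roles at broad scopes.

Added example, not code from the original post. It works on the JSON that
`az role assignment list --all -o json` prints (fields used: principalName,
principalType, principalId, roleDefinitionName, scope) and prints, for each
hit, the `az role assignment delete` command for a human to review and run.
The SAMPLE list below is constructed data, not real output.
"""
import json
import re
import subprocess
import sys

# Assumption: the team treats these two built-in roles as privileged. Owner has
# every action; User Access Administrator can write role assignments and so
# can grant Owner to any principal. Extend the set to match your own policy.
PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}

# ARM scope patterns. Subscription scope and anything wider counts as "broad".
_MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I)
_SUB_RE = re.compile(r"^/subscriptions/[^/]+$", re.I)
_RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I)
BROAD_LEVELS = {"root", "managementGroup", "subscription"}


def scope_level(scope: str) -> str:
    """Classify a scope string as root, managementGroup, subscription, resourceGroup or resource."""
    if scope == "/":
        return "root"
    if _MG_RE.match(scope):
        return "managementGroup"
    if _SUB_RE.match(scope):
        return "subscription"
    if _RG_RE.match(scope):
        return "resourceGroup"
    return "resource"


def find_broad_privileged(assignments):
    """Return the assignments that grant a privileged role at subscription scope or wider."""
    return [
        a for a in assignments
        if a.get("roleDefinitionName") in PRIVILEGED_ROLES
        and scope_level(a.get("scope", "")) in BROAD_LEVELS
    ]


def removal_command(a) -> str:
    """Build (but do not run) the az command that removes one assignment.

    The object ID is used for --assignee so the CLI does not have to resolve a
    UPN or display name against the directory, which also avoids hitting the
    wrong principal when two have similar names.
    """
    return (
        f"az role assignment delete --assignee {a['principalId']} "
        f"--role \"{a['roleDefinitionName']}\" --scope \"{a['scope']}\""
    )


# Constructed sample in the shape of `az role assignment list --all -o json`,
# trimmed to the fields used here. GUIDs are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"principalName": "user@domain.com", "principalType": "User",
     "principalId": "11111111-1111-1111-1111-111111111111",
     "roleDefinitionName": "Owner", "scope": SUB},                       # outage Owner, never removed
    {"principalName": "sre-oncall", "principalType": "Group",
     "principalId": "22222222-2222-2222-2222-222222222222",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/prod-rg"},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "principalId": "33333333-3333-3333-3333-333333333333",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/providers/Microsoft.Management/managementGroups/corp"},  # can grant Owner tenant-wide
    {"principalName": "reader@domain.com", "principalType": "User",
     "principalId": "44444444-4444-4444-4444-444444444444",
     "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/sandbox-rg/providers/Microsoft.Storage/storageAccounts/st1"},
]


def load_assignments(source=None):
    """Return SAMPLE, the contents of a JSON file, or live data when source == '--live'."""
    if source == "--live":
        out = subprocess.run(["az", "role", "assignment", "list", "--all", "-o", "json"],
                             check=True, capture_output=True, text=True).stdout
        return json.loads(out)
    if source:
        with open(source) as fh:
            return json.load(fh)
    return SAMPLE


if __name__ == "__main__":
    for hit in find_broad_privileged(load_assignments(sys.argv[1] if len(sys.argv) > 1 else None)):
        print(f"# {hit['principalType']} {hit['principalName']}: {hit['roleDefinitionName']} "
              f"at {scope_level(hit['scope'])} scope")
        print(removal_command(hit))
```

Run it with no arguments to see the two sample hits (the leftover Owner at subscription scope and the service principal holding User Access Administrator on a management group); the Owner assignment on a single storage account is deliberately not flagged, because it is already narrowly scoped. With --live the same logic runs over the real output of the current subscription, and the printed delete commands are meant to be reviewed before anyone runs them.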

Challenge #2: Insecure Public IP Exposure on Virtual Machines


Scenario: Several Azure VMs in a production environment have public IPs and open RDP/SSH ports, discovered during a routine exposure audit.

Risk: Brute-force attacks and direct VM compromise due to exposed ports.



🔧 Fix: Audit and Lock Down Network Security Groups (NSGs)

Step 1: List NSG Rules Exposing Ports

This command lists the inbound Allow rules in the specified Network Security Group (NSG). Filtering on access and direction alone also returns rules restricted to private sources, so the query below additionally keeps only rules whose source is any address ('*', 'Internet' or 0.0.0.0/0), which are the ones that expose a VM to the public internet. Rules that use the plural sourceAddressPrefixes field are not matched by this query and need a separate look. By default only custom rules are listed, which is what you want here: the built-in DenyAllInBound rule is not the problem, custom Allow rules are. An NSG can be attached to the subnet or to the VM's NIC, so audit both.

az network nsg rule list \
  --nsg-name myNsg \
  --resource-group myRG \
  --query "[?access=='Allow' && direction=='Inbound' && (sourceAddressPrefix=='*' || sourceAddressPrefix=='Internet' || sourceAddressPrefix=='0.0.0.0/0')].{name:name, priority:priority, ports:destinationPortRange, source:sourceAddressPrefix}" \
  --output table

Step 2: Remove Public RDP/SSH Rule

This command deletes the rule named “Allow-RDP” from the given NSG. Once it is gone, inbound RDP from the internet falls through to the default DenyAllInBound rule (priority 65500) and is blocked, provided no other custom Allow rule still matches port 3389 and no second NSG on the VM's NIC or subnet allows it separately.

az network nsg rule delete \
  --name "Allow-RDP" \
  --nsg-name "myNsg" \
  --resource-group "myRG"

Best Practice: Replace public access with Azure Bastion (browser-based RDP/SSH over 443, with no public IP on the VM) or Just-in-Time (JIT) VM Access via Defender for Cloud, which opens the port only for an approved source and time window and closes it again afterwards.
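A single --query cannot tell that "3380-3390" or "*" covers RDP, or that a rule written with the plural destinationPortRanges field opens SSH. The following script is an added example, not code from the original post: it reads the JSON that `az network nsg rule list -o json` prints and reports every inbound Allow rule that opens 22 or 3389 to an internet-wide source, handling port ranges, wildcards, the plural list fields and non-TCP rules. The rule list embedded below is constructed sample data, and the set of source values treated as "the internet" is an assumption; passing an NSG name and resource group on the command line runs the same logic against the real rules.

```python
"""Find NSG rules that open RDP (3389) or SSH (22) to the internet.

Added example, not code from the original post. It works on the JSON that
`az network nsg rule list --nsg-name <nsg> -g <rg> -o json` prints (fields
used: name, priority, direction, access, protocol, sourceAddressPrefix,
sourceAddressPrefixes, destinationPortRange, destinationPortRanges) and
handles the cases a one-line --query misses: port ranges such as 3380-3390,
'*' for any port, the plural list fields, and non-TCP rules. The SAMPLE list
is constructed data, not real output.
"""
import json
import subprocess
import sys

# Assumption: these source values are the ones the team treats as "the whole
# internet". A public CIDR such as 203.0.113.0/24 is narrow and is not flagged.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}
MGMT_PORTS = {22: "SSH", 3389: "RDP"}


def _as_list(single, plural):
    """az emits either a singular field or a plural list (the other is null/empty); merge them."""
    return list(plural or []) + ([single] if single else [])


def port_range_covers(spec, port):
    """True if a destination port spec ('*', '22' or '3380-3390') includes the port."""
    spec = str(spec).strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def exposed_mgmt_ports(rule):
    """Return the set of management ports this rule opens to the internet (empty if none).

    Shadowing is not evaluated: a Deny rule with a lower priority number that
    matches the same traffic would override the Allow, so treat hits as leads.
    """
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return set()
    sources = _as_list(rule.get("sourceAddressPrefix"), rule.get("sourceAddressPrefixes"))
    if not any(str(s).lower() in INTERNET_SOURCES for s in sources):
        return set()
    # RDP and SSH are TCP; '*' covers TCP, a Udp- or Icmp-only rule does not.
    if str(rule.get("protocol", "*")).lower() not in ("*", "tcp"):
        return set()
    ports = _as_list(rule.get("destinationPortRange"), rule.get("destinationPortRanges"))
    return {p for p in MGMT_PORTS if any(port_range_covers(spec, p) for spec in ports)}


def find_exposed_rules(rules):
    """(priority, name, [ports]) for every exposing rule, lowest priority number first."""
    hits = []
    for rule in rules:
        ports = exposed_mgmt_ports(rule)
        if ports:
            hits.append((rule["priority"], rule["name"], sorted(ports)))
    return sorted(hits)


# Constructed sample in the shape of `az network nsg rule list -o json`.
SAMPLE = [
    {"name": "Allow-RDP", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "3389", "destinationPortRanges": []},
    {"name": "Allow-Mgmt-Range", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
     "destinationPortRange": None, "destinationPortRanges": ["20-25", "443"]},  # 20-25 covers SSH
    {"name": "Allow-SSH-From-Office", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "sourceAddressPrefixes": [],
     "destinationPortRange": "22", "destinationPortRanges": []},            # narrow source: fine
    {"name": "Allow-HTTPS", "priority": 330, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "443", "destinationPortRanges": []},           # not a management port
    {"name": "Allow-DNS-Udp", "priority": 340, "direction": "Inbound", "access": "Allow",
     "protocol": "Udp", "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
     "destinationPortRange": "*", "destinationPortRanges": []},             # any port, but UDP only
]


def load_rules(nsg=None, rg=None):
    """Return SAMPLE, or live rules for one NSG (defaults included, so built-in rules show too)."""
    if nsg and rg:
        out = subprocess.run(["az", "network", "nsg", "rule", "list", "--nsg-name", nsg,
                              "--resource-group", rg, "--include-default", "-o", "json"],
                             check=True, capture_output=True, text=True).stdout
        return json.loads(out)
    return SAMPLE


if __name__ == "__main__":
    nsg, rg = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else (None, None)
    for priority, name, ports in find_exposed_rules(load_rules(nsg, rg)):
        print(f"# priority {priority}: {name} opens {', '.join(MGMT_PORTS[p] for p in ports)} to the internet")
        print(f"az network nsg rule delete --name \"{name}\" --nsg-name \"{nsg or 'myNsg'}\" "
              f"--resource-group \"{rg or 'myRG'}\"")
```

On the sample data the script flags Allow-RDP and Allow-Mgmt-Range (whose 20-25 range quietly includes SSH) and prints the delete command for each, while the office-restricted SSH rule, the HTTPS rule and the UDP-only rule are left alone. Because the delete removes only the Allow rule, the default DenyAllInBound rule takes over; the script deliberately does not run the delete itself.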

✅ Final Thoughts

These two challenges, over-broad permissions and public exposure, show up frequently in Azure security audits. Using the CLI to find and fix them means the same checks can be scripted and run across many subscriptions at once instead of clicked through one portal blade at a time. To stop the issues from coming back, enforce the rules continuously with Azure Policy (for example, deny NSG rules that open management ports to the internet) and act on the Defender for Cloud recommendations and alerts that flag them.