Auth Policies
auth-policies gives tenant-level identity policy context.
Use it when you need to understand whether guest access, app registration, consent, or related tenant controls make later identity findings more dangerous than they first appear.
- Does the tenant look permissive or restrictive?
- Are guest entry, app creation, or consent-driven growth easier than they should be?
- Which tenant-wide rules change how you should interpret later identity findings?
```bash
azurefox auth-policies --output table
```

For a saved artifact:

```bash
azurefox auth-policies --output json
```

| policy | state | scope | operator signal |
|---|---|---|---|
| Security Defaults | disabled | tenant | Security defaults are disabled for the tenant. |
| Authorization Policy | configured | tenant | guest invites: everyone; users can register apps; self-service permission grant policies assigned |
| CA002: Block legacy auth | disabled | users:all, apps:all | state: disabled; grants: block |
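
The three rows above correspond to tenant settings that Microsoft Graph exposes. The following is an added example, not AzureFox's own code: it derives similar rows from constructed sample objects shaped like the Graph v1.0 `identitySecurityDefaultsEnforcementPolicy`, `authorizationPolicy`, and `conditionalAccessPolicy` resources. The function names and the `permissive` flag are assumptions made for illustration.

```python
# Constructed samples shaped like Graph v1.0 responses; helper names and "permissive" are illustrative.
SECURITY_DEFAULTS = {"isEnabled": False}
AUTHORIZATION_POLICY = {
    "allowInvitesFrom": "everyone",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"],
    },
}
CA_POLICIES = [{
    "displayName": "CA002: Block legacy auth",
    "state": "disabled",
    "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]}},
    "grantControls": {"builtInControls": ["block"]},
}]

def row(policy, state, scope, signal, permissive):
    return {"policy": policy, "state": state, "scope": scope,
            "signal": signal, "permissive": permissive}

def security_defaults_row(p):
    state = "enabled" if p.get("isEnabled") else "disabled"
    return row("Security Defaults", state, "tenant",
               f"Security defaults are {state} for the tenant.", state == "disabled")

def authorization_row(p):
    perms = p.get("defaultUserRolePermissions") or {}
    signals = []
    if p.get("allowInvitesFrom") == "everyone":
        signals.append("guest invites: everyone")
    if perms.get("allowedToCreateApps"):
        signals.append("users can register apps")
    if perms.get("permissionGrantPoliciesAssigned"):
        signals.append("self-service permission grant policies assigned")
    return row("Authorization Policy", "configured", "tenant",
               "; ".join(signals) or "no permissive defaults", bool(signals))

def conditional_access_row(p):
    cond = p.get("conditions") or {}
    users = ",".join((cond.get("users") or {}).get("includeUsers") or ["none"]).lower()
    apps = ",".join((cond.get("applications") or {}).get("includeApplications") or ["none"]).lower()
    grants = ",".join((p.get("grantControls") or {}).get("builtInControls") or ["none"])
    state = p.get("state", "unknown")
    # A disabled or report-only policy enforces nothing, so it counts as permissive here.
    return row(p.get("displayName", "unnamed"), state, f"users:{users}, apps:{apps}",
               f"state: {state}; grants: {grants}", state != "enabled")

def build_rows(defaults, authz, ca_policies):
    return ([security_defaults_row(defaults), authorization_row(authz)]
            + [conditional_access_row(p) for p in ca_policies])
```
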
- early in identity review when tenant-wide policy posture matters
- after a suspicious trust or app path appears
- when you need to know whether a small foothold could grow because policy is too permissive
- broad guest or external access posture
- permissive app-registration settings
- consent posture that makes app-based access easier to land or extend
- plain-language findings that explain impact without forcing you to decode policy names
Tenant-wide policy settings change the meaning of many later findings.
An environment with loose guest controls, broad app creation, or permissive consent may turn a
small identity foothold into a much larger problem. auth-policies helps you interpret the rest of
the identity surface in the right policy context.
- broad guest and external access posture
- permissive app-registration and consent settings
- findings explained in plain language instead of raw policy names
- the settings that most change outside access or tenant growth
- If you see findings like `Guest invitations are broadly allowed`, go next to Role-Trusts because outside access becomes more important when tenant policy is already permissive.
- If you see findings like `Users can register applications`, go next to Role-Trusts because it helps explain which application trust edges would matter most if that app-creation surface were abused.
- Use Role Trusts if permissive posture makes ownership or federation more important.
- Use Permissions if the policy posture makes a specific principal especially concerning.
- Treat weak tenant controls as context that raises the urgency of related identity findings.
auth-policies is a tenant-control context command.
It should explain which policy settings change identity risk. It is not a full Entra audit or a per-user sign-in review.