-
Notifications
You must be signed in to change notification settings - Fork 0
Role Trusts
Colby Farley edited this page Apr 7, 2026
·
4 revisions
role-trusts is the indirect-control command for identity review.
Use it when direct RBAC does not fully explain who really controls a principal, an application, or an access path.
- Which ownership, federation, or app-trust relationships matter here?
- Which identity can influence another one even without an obvious direct RBAC path?
- Which trust edge deserves immediate follow-up?
azurefox role-trusts --output tableFor deeper correlation:
azurefox role-trusts --output json| trust | source | target | confidence | operator signal | next review |
|---|---|---|---|---|---|
federated-credential |
build-app |
build-sp |
confirmed |
Trust expansion visible; privilege confirmation next. | Check permissions for Azure control on build-sp. |
service-principal-owner |
automation-runner |
build-sp |
confirmed |
Indirect control visible; ownership review next. | Review ownership around build-sp, then confirm Azure control in permissions. |
app-owner |
ci-admin@lab.local |
build-app |
confirmed |
Indirect control visible; ownership review next. | Review ownership around build-app. |
- when a principal looks important but raw RBAC does not explain why
- when app ownership or federated identity may be the real control path
- after Permissions or Privesc points to a principal that may be controlled indirectly
- app ownership that could let one identity influence a stronger app or principal
- federated trust relationships that cross an important boundary
- trust edges pointing toward already-privileged principals
- relationships that are easier to validate or act on than a noisier set of metadata links
Not all real control shows up as a direct Azure role assignment.
In many environments, the deciding question is not just "who has access?" but "who can influence
the identity that has access?" role-trusts helps you see those indirect control paths before they
get buried under raw directory detail.
- trust edges that point toward already-powerful principals
- relationships that cross important boundaries such as tenant, app, or workload ownership
- edges that look more direct or easier to abuse than lower-signal metadata relationships
- both sides of the trust edge clearly enough to understand the path quickly
- If you see a
graph-federated-credentialrow, go next to Permissions because it shows whether the target application or service principal already has Azure roles worth caring about. - If you see a
graph-owneredge into a service principal or application, go next to RBAC because it shows what Azure access that target identity actually has.
- Use RBAC if you need to pair the trust edge with direct assignment evidence.
- Use Auth Policies if tenant-wide policy posture may make the trust edge easier to abuse.
- Escalate the interesting side of the trust edge into targeted follow-up instead of treating every app relationship as equally important.
role-trusts should surface meaningful trust edges that change control.
It is not a generic directory graph dump or a replacement for broader cross-tenant analysis.
- Home
- Getting Started
- Platform Notes
- Running Against The Proof Lab
- Understanding Output
- Command Guides
Core
Identity
Config
Secrets
Storage
Resource
Compute
Orchestration
Chain Families
Grouped Sweeps
Investigations
- Axios - Post Exposure Azure Triage
- From EvilTokens to AzureFox: Why Token Theft Can Become Azure Control
- FAQ / Known Limits (coming soon)