Can I perform penetration tests from Azure resources?

Question

Can I perform penetration tests from Azure resources?

Ali Yahia-Cherif 20

Can I perform penetration tests from Azure resources? I want to test a tool named "Sn1per" [Penetration testing tool]. This means I install Sn1per on an Azure machine to test my websites that are not in the Azure cloud.

Accepted answer

1 additional answer

Your answer

Answer 1

Hello, @Ali Yahia-Cherif ! We received your feedback and want to make sure that your question is answered.

Can I perform penetration tests from Azure resources?

The Azure penetration testing documentation does not include testing on external resources from Azure resources as an allowed action which is the extent of an official answer to this question:

The Azure Universal License Terms does include an Acceptable Use Policy which prohibits using Azure:

in a way prohibited by law, regulation, governmental order or decree;
to violate the rights of others;
to try to gain unauthorized access to or disrupt any service, device, data, account or network, including by intentionally evading or disrupting restrictions in Metaprompts;
to spam or distribute malware;
in a way that could harm the Online Service or impair anyone else’s use of it;

This creates a problem because it would take a verification process to ensure that the owner of the external website (you in this case) authorizes the activity. It would also require some very specific and granular exceptions (authorized types of penetration tests from your Azure resource that is limited to a verified external site during a specific time window).

As a result, I would not perform penetration testing from Azure resources on non-Azure resources. I realize this is not a black and white answer but hopefully it has provided the clarity you need.

I hope this has been helpful! Your feedback is important so please take a moment to accept answers to verify that your question has been addressed. Thank you for helping to improve Microsoft Q&A!

User's image

Answer 2

Sam Cogan 10,812 Microsoft Employee Volunteer Moderator

You can perform penetration testing in Azure, but you must follow the guidance here.

Ali Yahia-Cherif 20 Reputation points

2024-02-16T15:59:36.7033333+00:00

I read the link, it talks about testing Azure infrastructure and not about using Azure infrastructure to test non-Azure infrastructure
Ali Yahia-Cherif 20 Reputation points

2024-02-16T16:04:16.4666667+00:00

I find Microsoft links talking about pentesting on machines belonging to Azure, however, I cannot find in Microsoft's laws if I am allowed to use my own Azure virtual machines to perform pentesting on my clients' sites.Because currently, I have Kali Linux on Windows in WSL and I would like to migrate this machine to the cloud and then use it on sites that are not hosted by Azure.I find Microsoft links talking about pentesting on machines belonging to Azure, however, I cannot find in Microsoft's laws if I am allowed to use my own Azure virtual machines to perform pentesting on my clients' sites.

Because currently, I have Kali Linux on Windows in WSL and I would like to migrate this machine to the cloud and then use it on sites that are not hosted by Azure.
Ali Yahia-Cherif 20 Reputation points

2024-02-16T16:04:54.2433333+00:00

Do you have a response, please?
Sam Cogan 10,812 Reputation points Microsoft Employee Volunteer Moderator

2024-02-17T21:56:11.1533333+00:00

This is not spelt out anywhere, but I would say it is risky and may get you into trouble. There is no way for MS to know that any Pen Testing you do is not an actual attack on that client, and they will likely see this and shut you down.

Share via

Can I perform penetration tests from Azure resources?

1 additional answer

Your answer