
arusso-aboutcloud/crosswise


Crosswise


Licensed under the Business Source License 1.1. Free for personal, development, testing, and internal use. Commercial hosting or reselling requires a separate license. Converts to Apache 2.0 on 2030-05-07. See LICENSE for full terms.

What is Crosswise?

Crosswise is a CLI tool that detects toxic permission combinations in Microsoft Entra ID and Azure RBAC. A toxic combination is a set of permissions that, held together by a single identity, enables an outcome no individual permission in the set enables alone — privilege escalation, credential exfiltration, tenant takeover, or persistence. Crosswise scans role and permission assignments in your tenant and subscriptions, evaluates them against a library of known-dangerous patterns, and produces a findings report. It is entirely read-only: no data leaves your machine.

Why this exists

Microsoft Entra ID and Azure RBAC are large, layered permission systems, and individual permissions look benign in isolation. Global Reader in Entra and Reader in Azure RBAC sound safe; Application Administrator sounds like routine administration. But Reader assigned at the Tenant Root Group, the top of the Azure management group hierarchy, is inherited by every subscription, resource group and resource beneath it, which makes it a reconnaissance platform for the whole Azure estate. Application Administrator, even when scoped to a single application, enables privilege escalation if that application's service principal holds sensitive permissions: the administrator adds a credential to the service principal and signs in as it, and no directory role assignment changes while that happens. Existing tools report what roles a principal holds; they do not evaluate what those roles mean in combination.

Crosswise is built specifically to detect combinations, and it also flags single roles whose effective power is far greater than their name suggests. Rule CW-003 flags Privileged Authentication Administrator, which reads like a scoped variant of Authentication Administrator but is in practice equivalent to Global Administrator: it can reset the password and authentication methods of any user, including users holding the Global Administrator role, so its holder can take over the tenant without any role assignment changing. Rule CW-004 flags Application Administrator scoped to a service principal that has admin consent on sensitive Microsoft Graph permissions: the assignment looks narrow, but the holder can add a client secret or certificate to that service principal, sign in as it, and exercise its Graph permissions, bypassing directory role checks entirely. These are the patterns Crosswise is built to find.

What it detects

Crosswise evaluates findings across four categories:

  • Entra-plane toxic configurations — directory roles, app registration permissions, and service principal assignments within Microsoft Entra ID
  • Azure RBAC toxic configurations — role assignments at management group, subscription, and resource scope
  • Cross-plane combinations — risks that arise from the interaction between Entra and Azure RBAC, where neither plane alone reveals the exposure
  • AI-agent-specific risks — Application Administrator and equivalent permissions on the service principals that back AI workloads, where an injected credential lets an attacker act as the agent or redirect its behaviour
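
Worked example, added here and not Crosswise's own code or data model: a toy evaluator in Go that applies the three kinds of check described above to a constructed tenant snapshot. CW-003 and CW-004 are the rule IDs the page uses. The model treats any holder of Application Administrator, tenant-wide or scoped, as able to inject a credential into a service principal, which generalizes the page's scoped case; the third check, labelled cross-plane, has no rule ID on the page and its name is assumed. The sensitive-permission and control-plane role lists are illustrative, and every identity in SampleTenant is made up.

```go
package main

import (
	"fmt"
	"strings"
)

// Principal is this example's simplified view of one identity across both planes
// (assumed field names; not Crosswise's data model).
type Principal struct {
	ID             string
	Kind           string            // "user" or "servicePrincipal"
	DirectoryRoles []string          // Entra directory roles held
	GraphAppRoles  []string          // admin-consented Microsoft Graph application permissions
	AzureRoles     map[string]string // Azure RBAC scope -> role name
}

// Finding is one detected toxic combination.
type Finding struct{ Rule, Principal, Detail string }

// Illustrative, not exhaustive: Graph application permissions that change roles or app
// credentials, and Azure roles that control a whole scope.
var sensitiveGraphAppRoles = map[string]bool{
	"RoleManagement.ReadWrite.Directory": true,
	"AppRoleAssignment.ReadWrite.All":    true,
	"Application.ReadWrite.All":          true,
}
var controlPlaneAzureRoles = map[string]bool{"Owner": true, "User Access Administrator": true}

func holds(roles []string, want string) bool {
	for _, r := range roles {
		if strings.EqualFold(r, want) {
			return true
		}
	}
	return false
}

// Evaluate applies three checks to a snapshot:
//   - CW-003: Privileged Authentication Administrator is takeover-equivalent by itself.
//   - CW-004: any Application Administrator can add a credential to a service principal, so
//     App Admin plus an SP holding a sensitive Graph app role is an escalation path that
//     never shows up as a role-assignment change.
//   - cross-plane (assumed name): the same injection path reaches Azure when the target SP
//     holds Owner or User Access Administrator on an Azure scope.
func Evaluate(principals []Principal) []Finding {
	var findings []Finding
	var appAdmins []string
	var targets []Principal // service principals an Application Administrator could take over
	for _, p := range principals {
		if holds(p.DirectoryRoles, "Privileged Authentication Administrator") {
			findings = append(findings, Finding{"CW-003", p.ID,
				"can reset credentials of any user, including Global Administrators"})
		}
		if holds(p.DirectoryRoles, "Application Administrator") {
			appAdmins = append(appAdmins, p.ID)
		}
		if p.Kind == "servicePrincipal" {
			targets = append(targets, p)
		}
	}
	if len(appAdmins) == 0 {
		return findings // no injector, so neither combination exists
	}
	injector := strings.Join(appAdmins, ",")
	for _, sp := range targets {
		for _, role := range sp.GraphAppRoles {
			if sensitiveGraphAppRoles[role] {
				findings = append(findings, Finding{"CW-004", sp.ID,
					fmt.Sprintf("%s can add a credential, sign in as this SP and use %s", injector, role)})
				break
			}
		}
		for scope, role := range sp.AzureRoles {
			if controlPlaneAzureRoles[role] {
				findings = append(findings, Finding{"cross-plane", sp.ID,
					fmt.Sprintf("credential injection by %s yields %s at %s", injector, role, scope)})
			}
		}
	}
	return findings
}

// SampleTenant is constructed data; every identifier is made up.
func SampleTenant() []Principal {
	return []Principal{
		{ID: "alice", Kind: "user", DirectoryRoles: []string{"Global Reader"}},
		{ID: "bob", Kind: "user", DirectoryRoles: []string{"Privileged Authentication Administrator"}},
		{ID: "carol", Kind: "user", DirectoryRoles: []string{"Application Administrator"}},
		{ID: "sp-automation", Kind: "servicePrincipal",
			GraphAppRoles: []string{"User.Read.All", "RoleManagement.ReadWrite.Directory"}},
		{ID: "sp-deploy", Kind: "servicePrincipal",
			AzureRoles: map[string]string{"/subscriptions/prod-0000": "Owner"}},
		{ID: "sp-reader", Kind: "servicePrincipal",
			AzureRoles: map[string]string{"/subscriptions/prod-0000": "Reader"}},
	}
}

func main() {
	for _, f := range Evaluate(SampleTenant()) {
		fmt.Printf("%-12s %-14s %s\n", f.Rule, f.Principal, f.Detail)
	}
}
```

The point of the sample is the last two findings: sp-automation and sp-deploy each look fine in their own plane, and an Azure-only RBAC review of sp-deploy shows an ordinary Owner assignment. Remove carol and both findings disappear, which is exactly what a combination rule is for; a per-role report would never have connected them.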

Authentication and security model

Crosswise uses Microsoft's device code flow. When you run crosswise scan, a one-time code and a short URL are printed to your terminal. You open the URL in any browser and authenticate with your normal Entra credentials. That authentication transaction happens directly between you and Microsoft; Crosswise has no visibility into it and never sees your password or MFA response. Crosswise receives only the access token Microsoft issues, which is held in memory for the duration of the command and discarded on exit. Because the token is delegated, it carries at most the permissions of the signed-in user, so the account you scan with needs read access to directory role assignments (for example Global Reader) and to the Azure scopes you want covered.

Crosswise requests three OAuth scopes: RoleManagement.Read.Directory, Directory.Read.All, and ARM user_impersonation. The two Microsoft Graph scopes are read-only by definition: RoleManagement.Read.Directory reads role definitions and assignments, and Directory.Read.All reads the identities referenced in those assignments (users, service principals, groups). ARM user_impersonation is different in kind: it is the delegated scope for the Azure Resource Manager API and lets the tool act as you with whatever Azure RBAC permissions you already hold, no more and no less. Crosswise uses it only to read the resource hierarchy and RBAC role assignments and issues no write calls, but that token is as powerful as your own Azure access, which is one more reason it is kept in memory and discarded on exit. Through the Graph scopes it holds, Crosswise cannot modify role assignments, create or delete users, change tenant configuration, or read mailboxes, files, or any Microsoft 365 content; on the Azure side, the read-only guarantee rests on the tool's behaviour rather than on the scope.
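
To confirm what a token actually carries, here is an added Go example (mine, not part of Crosswise) that decodes the payload of an access token without verifying its signature and compares the scp claim against the scopes listed above. The audience strings, and the allowance for the OpenID Connect scopes openid, profile, email and offline_access that ride along in delegated tokens, reflect how Entra ID issues tokens and are assumptions of this example; the tokens it decodes are constructed alg=none tokens, not real ones.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// The two Microsoft Graph delegated scopes the page lists, plus the OpenID Connect scopes
// a delegated token routinely carries alongside them.
var allowedGraphScopes = map[string]bool{
	"RoleManagement.Read.Directory": true, "Directory.Read.All": true,
	"openid": true, "profile": true, "email": true, "offline_access": true,
}

// Claims are the parts of an Entra ID access token this check looks at.
type Claims struct {
	Audience string
	Scopes   []string // from the space-separated "scp" claim of a delegated token
	Roles    []string // from the "roles" claim of an application (client-credentials) token
}

// DecodeClaims reads the payload of a compact JWT without verifying the signature. It is an
// inspection aid only: nothing here establishes that the token is genuine.
func DecodeClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("not a compact JWT (header.payload.signature)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, fmt.Errorf("decode payload: %w", err)
	}
	var body struct {
		Aud   string   `json:"aud"`
		Scp   string   `json:"scp"`
		Roles []string `json:"roles"`
	}
	if err := json.Unmarshal(payload, &body); err != nil {
		return Claims{}, fmt.Errorf("parse payload: %w", err)
	}
	return Claims{Audience: body.Aud, Scopes: strings.Fields(body.Scp), Roles: body.Roles}, nil
}

// Audit reports whether a Graph or ARM token carries only what the page says Crosswise needs.
// Audience strings are the ones Entra ID issues for these APIs (assumed; trailing slash ignored).
func Audit(token string) (string, error) {
	c, err := DecodeClaims(token)
	if err != nil {
		return "", err
	}
	var extra []string
	for _, r := range c.Roles { // application permissions would mean a client-credential token
		extra = append(extra, "roles:"+r)
	}
	switch strings.TrimSuffix(c.Audience, "/") {
	case "https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000":
		for _, s := range c.Scopes {
			if !allowedGraphScopes[s] {
				extra = append(extra, s)
			}
		}
		if len(extra) > 0 {
			return "graph: unexpected " + strings.Join(extra, " "), nil
		}
		return "graph: read-only scopes only", nil
	case "https://management.azure.com", "https://management.core.windows.net":
		if len(extra) > 0 || len(c.Scopes) != 1 || c.Scopes[0] != "user_impersonation" {
			return "arm: unexpected " + strings.Join(append(extra, c.Scopes...), " "), nil
		}
		// user_impersonation is not read-only by itself: it carries the caller's own RBAC.
		return "arm: delegated user_impersonation (caller's own RBAC applies)", nil
	}
	return "", fmt.Errorf("unexpected audience %q", c.Audience)
}

// UnsignedToken builds a constructed alg=none token for the example. Real Entra ID tokens are
// RS256-signed; this exists only so the example runs offline.
func UnsignedToken(payload map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."
}

func main() {
	for _, tok := range []string{
		UnsignedToken(map[string]interface{}{"aud": "https://graph.microsoft.com",
			"scp": "openid profile RoleManagement.Read.Directory Directory.Read.All"}),
		UnsignedToken(map[string]interface{}{"aud": "https://graph.microsoft.com",
			"scp": "Directory.Read.All Directory.ReadWrite.All"}),
		UnsignedToken(map[string]interface{}{"aud": "https://management.azure.com/", "scp": "user_impersonation"}),
	} {
		verdict, err := Audit(tok)
		fmt.Println(verdict, err)
	}
}
```

Two caveats. Microsoft's guidance is that clients should not validate Graph access tokens, so this deliberately inspects rather than validates; never make a trust decision on an unverified payload. And a "roles" claim instead of "scp" means the token was issued to the application itself rather than delegated from a user, which would contradict the security model described above and is flagged as unexpected.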

No telemetry. No phone-home. Snapshot files and reports stay on your local machine. HTML reports are self-contained: no external JavaScript, no CDN resources, no external fonts. A report file can be reviewed in a browser with no network access and is suitable for air-gapped environments.
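
An added check (my own, not part of Crosswise) for the self-contained claim: scan a report for src/href attributes and CSS url()/@import targets that point at an absolute or protocol-relative URL, which is what would make a browser reach the network. The two sample reports are constructed and their hostnames are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
)

// References that would make a browser touch the network while rendering the report:
// src/href attributes and CSS url()/@import targets that are absolute (http/https) or
// protocol-relative (//host). data: URIs, fragments and relative paths are left alone.
var externalRefPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)\b(?:src|href)\s*=\s*["']?((?:https?:)?//[^"'\s>]+)`),
	regexp.MustCompile(`(?i)(?:url\(|@import\s+)["']?((?:https?:)?//[^"')\s]+)`),
}

// ExternalRefs lists every external URL the markup would load. An empty result means the
// file is self-contained in the sense the page describes: no CDN scripts, stylesheets or fonts.
func ExternalRefs(html string) []string {
	var refs []string
	for _, re := range externalRefPatterns {
		for _, m := range re.FindAllStringSubmatch(html, -1) {
			refs = append(refs, m[1])
		}
	}
	return refs
}

// Constructed sample reports; the hostnames are placeholders.
const SelfContainedReport = `<!doctype html><html><head><style>body{font-family:sans-serif}</style>
<script>document.title = "crosswise findings";</script></head>
<body><h1>Findings</h1><a href="#cw-003">CW-003</a><img src="data:image/png;base64,iVBORw0KGgo="></body></html>`

const LeakyReport = `<html><head><link rel="stylesheet" href="https://fonts.example/css?family=Inter">
<script src="//cdn.example/chart.js"></script>
<style>@import url("https://cdn.example/theme.css");</style></head><body><h1>Findings</h1></body></html>`

func main() {
	for name, report := range map[string]string{"self-contained": SelfContainedReport, "leaky": LeakyReport} {
		fmt.Printf("%s: %v\n", name, ExternalRefs(report))
	}
}
```

This is a heuristic: it will not see a fetch() or image URL assembled inside inline JavaScript. For an air-gapped sign-off, open the report with networking disabled and confirm in the browser's network panel that nothing was requested.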

For full details, see Architecture and Security.

Two flavours

Crosswise ships in two complementary forms, sharing the same rule engine:

  • CLI (v0.1.1, available now) — a Go binary for full Microsoft Entra + Azure RBAC scans. Install via Homebrew, Scoop, Linux curl, or Docker — see docs/INSTALL.md.
  • Browser Crosswise (v0.2, in design) — a browser-based UI at crosswise.aboutcloud.io (or self-hosted) for users who prefer a guided web interface. Same rule engine compiled to WebAssembly. Entra-scoped in v1. See docs/browser-crosswise-design.md.

Both flavours use the same setup pattern (your own Entra app registration in your tenant) and produce findings in the same format. The Crosswise project operates no user-data infrastructure for either flavour.

From v0.1.3 onward, both flavours include an always-current Microsoft role catalog refreshed nightly via a self-healing pipeline — findings show authoritative role context inline without manual documentation lookups. See docs/role-enrichment-design.md.

Quickstart

Fast setup (~30 seconds, no subscription required). Both scripts are fetched from the main branch rather than a tagged release, so read the downloaded file before running it:

# Linux/macOS — review and run
curl -fsSL https://raw.githubusercontent.com/arusso-aboutcloud/crosswise/main/deploy/scripts/create-app.sh -o create-app.sh
bash create-app.sh
# Windows PowerShell
Invoke-WebRequest https://raw.githubusercontent.com/arusso-aboutcloud/crosswise/main/deploy/scripts/create-app.ps1 -OutFile create-app.ps1
.\create-app.ps1

For Bicep / declarative IaC, see deploy/bicep/. For the full manual walkthrough or alternative setup options, see docs/INSTALL.md.

After app registration, install the Crosswise binary (Homebrew / Scoop / Linux curl / Docker) and run your first scan — full setup instructions in docs/INSTALL.md.

Status

Crosswise is in early development. The current focus is the v0.1 release: a stable rule library covering Entra and Azure RBAC toxic combinations, validated against synthetic and real tenant data, with prebuilt binaries for Windows, macOS, and Linux.

Source of truth

All detection rules are derived exclusively from Microsoft official documentation and APIs. No third-party blogs, community wikis, or non-Microsoft repositories are used as sources for rule definitions.

Security posture

Crosswise scans its own container image and Go module dependencies with Trivy on every push to main and on a weekly cron. The build fails on any Critical-severity vulnerability. Full SARIF results are published to the GitHub Security tab.

Last scan: 2026-05-18 09:47 UTC

Severity      Image   Go modules   Total
🔴 Critical   0       0            0
🟠 High       0       0            0
🟡 Medium     0       0            0
🟢 Low        0       0            0

Part of the aboutcloud.io platform.
