# AZ\_ARM\_OWNER

## Summary

|                            |                                                                                                                                   |
| -------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | AZ\_ARM\_OWNER                                                                                                                    |
| **Azure Alias**            | Owner (Azure RBAC)                                                                                                                |
| **Affected Object Types**  | Subscriptions, Resource Groups, VMs, Key Vaults, Automation Accounts, and other ARM resources                                     |
| **Exploitation Certainty** | Certain                                                                                                                           |
| **Azure RBAC Role**        | Owner (`8e3af657-a8ff-443c-a75c-2fe8c4bcb635`) — full access to all resources including the ability to assign roles in Azure RBAC |

> **Note:** `AZ_ARM_OWNER` represents the Azure Resource Manager (ARM) RBAC **Owner** role assignment over an ARM resource. This is distinct from [AZ\_OWNER](https://docs.forestall.io/fsprotect/edges/azure/az_owner), which represents Entra ID object-level ownership with different mechanics, abuse primitives, and remediation steps.

## Description

`AZ_ARM_OWNER` represents the Azure Resource Manager **Owner** role assignment. The Owner role grants **full control** over the target resource, including:

* **All data-plane and management-plane operations** on the resource.
* **The ability to assign Azure RBAC roles** to other principals — this is the key differentiator from the Contributor role.
* **Delegation of access** to subscriptions, resource groups, and individual resources.

Because the Owner role includes the `Microsoft.Authorization/roleAssignments/write` permission, a principal with this role can escalate privileges by granting themselves or others any other role (including Owner) on any child scope. This makes it the most powerful RBAC role in Azure.

Attack impact depends on the target scope:

| Scope                  | Impact                                                                                     |
| ---------------------- | ------------------------------------------------------------------------------------------ |
| **Subscription**       | Full control of all resources in the subscription; ability to assign roles to any resource |
| **Resource Group**     | Full control of all resources in the RG; lateral movement to VMs, Key Vaults, etc.         |
| **Virtual Machine**    | Run SYSTEM commands, exfiltrate data, deploy malware                                       |
| **Key Vault**          | Read all secrets, keys, and certificates; modify access policies                           |
| **Automation Account** | Create/edit runbooks; authenticate as the Automation Account                               |

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# List all Owner role assignments across the subscription
Get-AzRoleAssignment -RoleDefinitionName "Owner" |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize

# List Owner assignments at a specific scope
Get-AzRoleAssignment -RoleDefinitionName "Owner" -Scope "/subscriptions/<SubscriptionId>" |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize

# Check if a specific principal has Owner
Get-AzRoleAssignment -SignInName "user@contoso.com" |
    Where-Object { $_.RoleDefinitionName -eq "Owner" } |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

### Azure GUI

1. Open **Azure Portal** → **Subscriptions** (or the target resource).
2. Go to **Access control (IAM)** → **Role assignments**.
3. Filter by **Role = Owner**.
4. Review all principals listed — these have full control including role assignment.

## Exploitation

An Owner can do everything a Contributor can, plus **assign roles on the resource**. Because the Owner role includes `Microsoft.Authorization/roleAssignments/write`, the principal can grant themselves or others any role at the target scope, including Owner itself, which amounts to full privilege escalation over that scope.

> **Related Attack Paths:**
>
> * [AZ\_EXECUTE\_COMMAND](https://docs.forestall.io/fsprotect/edges/azure/az_execute_command) — Owner over VMs can execute commands as SYSTEM.
> * [AZ\_GET\_SECRETS](https://docs.forestall.io/fsprotect/edges/azure/az_get_secrets) — Owner over Key Vaults can read secrets.
> * [AZ\_GET\_KEYS](https://docs.forestall.io/fsprotect/edges/azure/az_get_keys) — Owner over Key Vaults can read keys.
> * [AZ\_GET\_CERTIFICATES](https://docs.forestall.io/fsprotect/edges/azure/az_get_certificates) — Owner over Key Vaults can read certificates.

## Mitigation

1. **Minimize Owner assignments**
   * Go to **Azure Portal** → target resource → **Access control (IAM)** → **Role assignments**.
   * Filter by **Owner** and remove any principal that does not strictly require this level of access.
   * Prefer **Contributor** (cannot assign roles) or more specific roles where possible.
2. **Use Privileged Identity Management (PIM) for just-in-time access**
   * Go to **Entra ID** → **Privileged Identity Management** → **Azure resources**.
   * Configure eligible (not permanent) assignments for the Owner role.
   * Require approval and MFA for activation.
3. **Apply resource locks**
   * Use **CanNotDelete** or **ReadOnly** resource locks to prevent accidental or malicious changes even by Owners.
4. **Enable Azure Policy**
   * Use Azure Policy to restrict role assignments and enforce guardrails.
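Mitigation steps 1 and 3 above, done with the Az module instead of the portal, as an added example that is not part of the FSProtect documentation. It assumes an active `Connect-AzAccount` session with `Az.Resources` loaded; the object id, scope, resource group name and lock name are placeholders to replace.

```powershell
# Added example (not FSProtect code): replace a direct Owner assignment with
# Contributor, then lock the resource group so that even a remaining Owner
# cannot delete it. Requires an active Connect-AzAccount session and Az.Resources.

function Set-OwnerToContributor {
    param(
        [Parameter(Mandatory)][string]$ObjectId,   # Entra object id of the principal
        [Parameter(Mandatory)][string]$Scope       # e.g. /subscriptions/<SubscriptionId>/resourceGroups/<rg>
    )

    # Only a direct assignment at this exact scope is handled. Get-AzRoleAssignment -Scope
    # also returns assignments inherited from parent scopes; those must be fixed at the parent.
    $owner = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope |
        Where-Object { $_.RoleDefinitionName -eq 'Owner' -and $_.Scope -eq $Scope }
    if (-not $owner) {
        Write-Warning "No direct Owner assignment for $ObjectId at $Scope"
        return
    }

    # Grant the narrower role before removing Owner so the principal never loses access.
    $hasContributor = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope |
        Where-Object { $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -eq $Scope }
    if (-not $hasContributor) {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName 'Contributor' -Scope $Scope | Out-Null
    }
    Remove-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName 'Owner' -Scope $Scope
    Write-Host "Replaced Owner with Contributor for $ObjectId at $Scope"
}

function Protect-ResourceGroupFromDeletion {
    param([Parameter(Mandatory)][string]$ResourceGroupName)

    # CanNotDelete lock: Owners can still modify resources, but nothing in the group
    # can be deleted until the lock is removed, and removing it is itself logged.
    New-AzResourceLock -LockName 'no-delete' -LockLevel CanNotDelete `
        -LockNotes 'Deletion guard; remove deliberately before decommissioning' `
        -ResourceGroupName $ResourceGroupName -Force
}

# Placeholder values; replace with real ones before running.
Set-OwnerToContributor -ObjectId '<principal-object-id>' `
    -Scope '/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>'
Protect-ResourceGroupFromDeletion -ResourceGroupName '<ResourceGroupName>'
```

The Contributor grant happens before the Owner removal on purpose: a principal that needs write access should never be left with nothing in between, and `New-AzRoleAssignment` is skipped when the assignment already exists because ARM rejects duplicate assignments.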

## Detection

Monitor Owner role assignments and privileged actions in **Azure Activity Log**.

* Go to **Azure Portal** → **Monitor** → **Activity log**.
* Filter by **Operation name**: `Microsoft.Authorization/roleAssignments/write`.
* Alert on:
  * New Owner role assignments, especially at subscription scope.
  * Owner assignments to service principals or unknown identities.
  * Role assignments outside change management windows.
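The three alert conditions above, implemented over Activity Log data with the Az module, as an added example that is not part of the FSProtect documentation. It assumes an active `Connect-AzAccount` session with `Az.Monitor` and `Az.Resources` loaded. The Owner role definition id comes from this page; the Activity Log field layout used below (the event's `ResourceId` being the role assignment id, and the assignment JSON appearing under `Properties.Content['requestbody']`) is an assumption about `Get-AzActivityLog` output and should be checked against your own events.

```powershell
# Added example (not FSProtect code): list Owner role assignments written in the
# Activity Log window and flag the ones matching the alert conditions above:
# subscription scope, service principal / unknown identity, outside a change window.
# Requires an active Connect-AzAccount session, Az.Monitor and Az.Resources.

$OwnerRoleId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'   # Owner role definition id (from this page)

function Find-NewOwnerAssignments {
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-7),   # Activity Log keeps 90 days
        # Approved change window in UTC hours; events outside it are flagged.
        [int]$WindowStartHour = 9,
        [int]$WindowEndHour   = 17
    )

    # Index current assignments by assignment id so an event can be mapped to the
    # role it granted without parsing the request body.
    $current = @{}
    Get-AzRoleAssignment | ForEach-Object { $current[$_.RoleAssignmentId.ToLower()] = $_ }

    Get-AzActivityLog -StartTime $StartTime -DetailedOutput |
        Where-Object {
            "$($_.OperationName)" -eq 'Microsoft.Authorization/roleAssignments/write' -and
            "$($_.Status)" -eq 'Succeeded' -and $_.ResourceId
        } |
        ForEach-Object {
            $evt        = $_
            $assignment = $current[$evt.ResourceId.ToLower()]   # assumption: ResourceId = assignment id
            $roleId = $null; $principalType = $null; $principalName = $null

            if ($assignment) {
                # Assignment still exists: take the details from Get-AzRoleAssignment.
                $roleId        = $assignment.RoleDefinitionId
                $principalType = $assignment.ObjectType        # User, Group, ServicePrincipal, Unknown
                $principalName = $assignment.DisplayName
            } else {
                # Assignment no longer exists (removed after the fact): fall back to the
                # logged request body. Assumption: properties are exposed under
                # .Properties.Content with a 'requestbody' entry holding the assignment JSON.
                $props = if ($evt.Properties.Content) { $evt.Properties.Content } else { $evt.Properties }
                if ($props -and $props['requestbody']) {
                    $body          = ($props['requestbody'] | ConvertFrom-Json).properties
                    $roleId        = ($body.roleDefinitionId -split '/')[-1]
                    $principalType = $body.principalType
                    $principalName = $body.principalId         # only the object id is logged
                }
            }
            if (-not $roleId -or $roleId -ne $OwnerRoleId) { return }   # not an Owner grant

            # Scope is the assignment id with the roleAssignments suffix stripped.
            $scope   = $evt.ResourceId -replace '/providers/Microsoft\.Authorization/roleAssignments/.*$', ''
            $hourUtc = $evt.EventTimestamp.ToUniversalTime().Hour
            $reasons = @()
            if ($scope -match '^/subscriptions/[^/]+$')                        { $reasons += 'subscription scope' }
            if ($principalType -in @('ServicePrincipal', 'Unknown'))             { $reasons += "principal type $principalType" }
            if ($hourUtc -lt $WindowStartHour -or $hourUtc -ge $WindowEndHour)   { $reasons += 'outside change window' }

            [pscustomobject]@{
                Time          = $evt.EventTimestamp
                Caller        = $evt.Caller
                Scope         = $scope
                Principal     = $principalName
                PrincipalType = $principalType
                StillActive   = [bool]$assignment
                AlertReasons  = $reasons -join '; '
            }
        }
}

# Every Owner grant in the window is listed; rows with a non-empty AlertReasons
# column are the ones to raise.
Find-NewOwnerAssignments | Format-Table -AutoSize
```

Keeping assignments that have since been deleted in the output matters: an Owner grant that was used and then removed leaves no trace in `Get-AzRoleAssignment`, so the `StillActive` column distinguishes standing access from a grant that only the Activity Log still records.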

## References

* <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal>
* <https://blog.netspi.com/attacking-azure-with-custom-script-extensions/>
