AZ_ARM_OWNER
Summary
FSProtect ACL Alias: AZ_ARM_OWNER
Azure Alias: Owner (Azure RBAC)
Affected Object Types: Subscriptions, Resource Groups, VMs, Key Vaults, Automation Accounts, and other ARM resources
Exploitation Certainty: Certain
Azure RBAC Role: Owner (8e3af657-a8ff-443c-a75c-2fe8c4bcb635) — full access to all resources including the ability to assign roles in Azure RBAC
Note: AZ_ARM_OWNER represents the Azure Resource Manager (ARM) RBAC Owner role assignment over an ARM resource. This is distinct from AZ_OWNER, which represents Entra ID object-level ownership, with different mechanics, abuse primitives, and remediation steps.
Description
AZ_ARM_OWNER represents the Azure Resource Manager Owner role assignment. The Owner role grants full control over the target resource, including:
All data-plane and management-plane operations on the resource.
The ability to assign Azure RBAC roles to other principals — this is the key differentiator from the Contributor role.
Delegation of access to subscriptions, resource groups, and individual resources.
Because the Owner role includes the Microsoft.Authorization/roleAssignments/write permission, a principal with this role can escalate privileges by granting themselves or others any other role (including Owner) on any child scope. This makes it the most powerful RBAC role in Azure.
Attack impact depends on the target scope:
Subscription: Full control of all resources in the subscription; ability to assign roles to any resource
Resource Group: Full control of all resources in the RG; lateral movement to VMs, Key Vaults, etc.
Virtual Machine: Run SYSTEM commands, exfiltrate data, deploy malware
Key Vault: Read all secrets, keys, and certificates; modify access policies
Automation Account: Create/edit runbooks; authenticate as the Automation Account
Identification
PowerShell (Az Module)
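An added example (not the page's own listing) of enumerating Owner role assignments with the Az PowerShell module. It assumes Az.Accounts and Az.Resources are installed and that Connect-AzAccount has already been run; the scope classification and review-priority fields are this example's own additions, not properties returned by Azure.

```powershell
# Added example: enumerate Owner role assignments across subscriptions and
# surface the ones that deserve review first (subscription-wide or non-human Owners).
# Requires Az.Accounts and Az.Resources; run Connect-AzAccount before calling.

# Owner role definition ID, as quoted in the Summary table above.
$OwnerRoleDefinitionId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'

function Get-ScopeLevel {
    # Classify an ARM scope string so findings can be sorted by blast radius.
    # (Helper defined by this example; switch -Regex is case-insensitive by default.)
    param([Parameter(Mandatory)][string]$Scope)
    switch -Regex ($Scope) {
        '^/providers/Microsoft\.Management/managementGroups/' { return 'ManagementGroup' }
        '^/subscriptions/[^/]+$'                                { return 'Subscription' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$'           { return 'ResourceGroup' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/' { return 'Resource' }
        default                                                 { return 'Other' }
    }
}

function Get-OwnerAssignmentReport {
    [CmdletBinding()]
    param(
        # Restrict to specific subscription IDs; default is every subscription visible to the caller.
        [string[]]$SubscriptionId
    )

    $subscriptions = Get-AzSubscription
    if ($SubscriptionId) {
        $subscriptions = $subscriptions | Where-Object { $_.Id -in $SubscriptionId }
    }

    foreach ($sub in $subscriptions) {
        # Get-AzRoleAssignment runs against the current context, so switch per subscription.
        Set-AzContext -SubscriptionId $sub.Id | Out-Null

        # With no parameters the cmdlet lists the role assignments in the current subscription;
        # keep only those whose role definition is Owner.
        Get-AzRoleAssignment |
            Where-Object { $_.RoleDefinitionId -eq $OwnerRoleDefinitionId } |
            ForEach-Object {
                $level     = Get-ScopeLevel -Scope $_.Scope
                $principal = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }
                # Review first: Owner on a whole subscription/management group, or on a service principal.
                $priority  = if ($level -in 'ManagementGroup', 'Subscription' -or $_.ObjectType -eq 'ServicePrincipal') {
                                 'High'
                             } else {
                                 'Normal'
                             }
                [pscustomobject]@{
                    Subscription     = $sub.Name
                    Principal        = $principal
                    ObjectId         = $_.ObjectId
                    ObjectType       = $_.ObjectType       # User, Group, ServicePrincipal, Unknown
                    Scope            = $_.Scope
                    ScopeLevel       = $level
                    ReviewPriority   = $priority
                    RoleAssignmentId = $_.RoleAssignmentId # needed later for Remove-AzRoleAssignment
                }
            }
    }
}

# Usage: 'High' sorts before 'Normal', so subscription-wide and service-principal Owners come first.
Get-OwnerAssignmentReport |
    Sort-Object ReviewPriority, ScopeLevel |
    Format-Table Subscription, Principal, ObjectType, ScopeLevel, Scope -AutoSize
```

The RoleAssignmentId column is kept in the output because it is the identifier the Mitigation steps need when an unnecessary Owner assignment is removed.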
Azure GUI
Open Azure Portal → Subscriptions (or the target resource).
Go to Access control (IAM) → Role assignments.
Filter by Role = Owner.
Review all principals listed — these have full control including role assignment.
Exploitation
Everything a Contributor can do, with the addition of assigning roles to resources. The Owner role includes Microsoft.Authorization/roleAssignments/write, allowing the principal to grant themselves or others any role at the target scope — including Owner — enabling full privilege escalation.
Related Attack Paths:
AZ_EXECUTE_COMMAND — Owner over VMs can execute commands as SYSTEM.
AZ_GET_SECRETS — Owner over Key Vaults can read secrets.
AZ_GET_KEYS — Owner over Key Vaults can read keys.
AZ_GET_CERTIFICATES — Owner over Key Vaults can read certificates.
Mitigation
Minimize Owner assignments
Go to Azure Portal → target resource → Access control (IAM) → Role assignments.
Filter by Owner and remove any principal that does not strictly require this level of access.
Prefer Contributor (cannot assign roles) or more specific roles where possible.
Use Privileged Identity Management (PIM) for just-in-time access
Go to Entra ID → Privileged Identity Management → Azure resources.
Configure eligible (not permanent) assignments for the Owner role.
Require approval and MFA for activation.
Apply resource locks
Use CanNotDelete or ReadOnly resource locks to prevent accidental or malicious changes even by Owners.
Enable Azure Policy
Use Azure Policy to restrict role assignments and enforce guardrails.
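An added example, not the page's own code, applying two of the guardrails above with the Az module: a CanNotDelete resource lock on a resource group, and an Azure Policy definition that audits (or, when the effect parameter is set to Deny, blocks) new assignments of the Owner role definition. The resource group name and subscription ID are placeholders; the policy alias Microsoft.Authorization/roleAssignments/roleDefinitionId and the parameterised-effect pattern are assumptions of this example and should be confirmed with Get-AzPolicyAlias before relying on them.

```powershell
# Added example: apply a resource lock and an Owner-assignment guardrail policy.
# Requires Az.Resources; run Connect-AzAccount and Set-AzContext first.

# Placeholder values: replace with your own resource group and subscription.
$ResourceGroupName = 'rg-keyvault-prod'
$SubscriptionId    = '00000000-0000-0000-0000-000000000000'

# 1. Resource lock. CanNotDelete blocks deletion of the group and everything in it,
#    even by Owners, until the lock itself is removed (a separate, logged action).
#    Use -LockLevel ReadOnly instead to also block modifications.
New-AzResourceLock -LockName 'prevent-delete' `
                   -LockLevel CanNotDelete `
                   -LockNotes 'Production resources; remove the lock through change management' `
                   -ResourceGroupName $ResourceGroupName `
                   -Force | Out-Null

# 2. Azure Policy. Role assignments are extension resources, so the definition must use
#    Mode 'All'. The alias below is an assumption of this example; verify it with:
#    Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Authorization'
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Authorization/roleAssignments" },
      { "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
        "contains": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@

# Start in Audit to see what would be blocked; switch the assignment to Deny once
# the break-glass and automation principals that legitimately need Owner are known.
$policyParameters = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "Audit", "Deny" ],
    "defaultValue": "Audit"
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'restrict-owner-role-assignments' `
                                     -DisplayName 'Audit or deny Owner role assignments' `
                                     -Policy $policyRule `
                                     -Parameter $policyParameters `
                                     -Mode All

New-AzPolicyAssignment -Name 'restrict-owner-subscription' `
                       -PolicyDefinition $definition `
                       -Scope "/subscriptions/$SubscriptionId" `
                       -PolicyParameterObject @{ effect = 'Audit' } | Out-Null
```

The lock and the policy address different failure modes: the lock limits what an existing Owner can destroy, while the policy limits how many new Owners can appear. Neither replaces removing unnecessary Owner assignments and moving the remaining ones into PIM.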
Detection
Monitor Owner role assignments and privileged actions in Azure Activity Log.
Go to Azure Portal → Monitor → Activity log.
Filter by Operation name: Microsoft.Authorization/roleAssignments/write.
Alert on:
New Owner role assignments, especially at subscription scope.
Owner assignments to service principals or unknown identities.
Role assignments outside change management windows.
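An added example, not the page's own code, that turns the three alert conditions above into triage rules. The events it processes are constructed sample records with only the fields the rules need (operationName, caller, scope, roleDefinitionId, principalId, principalType, timestamp); real Activity Log output would be mapped into the same shape first. The change window (weekdays 09:00 to 17:00 UTC) is an assumption of this example.

```powershell
# Added example: triage role-assignment write events for the alert conditions
# listed in the Detection section. Runs offline against constructed sample records.

$OwnerRoleDefinitionId = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'

# Change window assumed by this example: weekdays, 09:00-17:00 UTC.
$ChangeWindowStartHour = 9
$ChangeWindowEndHour   = 17

function Test-OwnerAssignmentEvent {
    # Returns the alert reasons for one event; an empty result means "no alert".
    param(
        [Parameter(Mandatory)][pscustomobject]$Record,
        # Optional allow-list of principal object IDs approved to hold Owner.
        [string[]]$ApprovedPrincipalIds = @()
    )
    $reasons = @()

    if ($Record.operationName -ne 'Microsoft.Authorization/roleAssignments/write') { return $reasons }
    # roleDefinitionId in the request is a full ARM path ending in the role GUID.
    if ($Record.roleDefinitionId -notlike "*$OwnerRoleDefinitionId") { return $reasons }

    $reasons += 'New Owner role assignment'
    if ($Record.scope -match '^/subscriptions/[^/]+$')              { $reasons += 'Subscription scope' }
    if ($Record.scope -match '^/providers/Microsoft\.Management/')  { $reasons += 'Management group scope' }
    if ($Record.principalType -eq 'ServicePrincipal')               { $reasons += 'Assigned to a service principal' }
    if ($ApprovedPrincipalIds -and $Record.principalId -notin $ApprovedPrincipalIds) {
        $reasons += 'Principal not on the approved Owner list'
    }

    # Change-window check: parse as an offset-aware timestamp and compare in UTC.
    $utc      = [datetimeoffset]::Parse($Record.timestamp).UtcDateTime
    $inWindow = ($utc.DayOfWeek -notin 'Saturday', 'Sunday') -and
                ($utc.Hour -ge $ChangeWindowStartHour) -and ($utc.Hour -lt $ChangeWindowEndHour)
    if (-not $inWindow) { $reasons += 'Outside change window' }

    return $reasons
}

# Constructed sample records (not real log data).
$sampleEvents = @(
    [pscustomobject]@{   # Owner on the whole subscription, to a service principal, on a Saturday night
        operationName    = 'Microsoft.Authorization/roleAssignments/write'
        caller           = 'admin@contoso.example'
        scope            = '/subscriptions/11111111-1111-1111-1111-111111111111'
        roleDefinitionId = '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
        principalId      = 'aaaaaaaa-0000-0000-0000-000000000001'
        principalType    = 'ServicePrincipal'
        timestamp        = '2024-06-15T22:30:00Z'
    },
    [pscustomobject]@{   # Owner on one resource group, to a user, inside the change window
        operationName    = 'Microsoft.Authorization/roleAssignments/write'
        caller           = 'admin@contoso.example'
        scope            = '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app'
        roleDefinitionId = '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
        principalId      = 'aaaaaaaa-0000-0000-0000-000000000002'
        principalType    = 'User'
        timestamp        = '2024-06-18T10:15:00Z'
    },
    [pscustomobject]@{   # A non-Owner role (placeholder GUID), inside the change window: no alert
        operationName    = 'Microsoft.Authorization/roleAssignments/write'
        caller           = 'ops@contoso.example'
        scope            = '/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app'
        roleDefinitionId = '/subscriptions/11111111-1111-1111-1111-111111111111/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-00000000aaaa'
        principalId      = 'aaaaaaaa-0000-0000-0000-000000000003'
        principalType    = 'User'
        timestamp        = '2024-06-18T11:00:00Z'
    }
)

foreach ($e in $sampleEvents) {
    $reasons = Test-OwnerAssignmentEvent -Record $e -ApprovedPrincipalIds @('aaaaaaaa-0000-0000-0000-000000000002')
    if ($reasons) {
        "ALERT caller=$($e.caller) scope=$($e.scope) reasons=$($reasons -join '; ')"
    }
}
```

With the sample data, the first record raises four reasons (new Owner assignment, subscription scope, service principal, not on the approved list, plus outside the change window), the second raises only the baseline "new Owner role assignment" reason because the user is approved and the change is in-window, and the third raises nothing. Every Owner assignment still produces at least the baseline reason on purpose: the page's guidance is to alert on new Owner assignments as such, and the other reasons are there to set severity.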