# AZ\_ARM\_ROLE\_SCOPED\_TO

## Summary

|                            |                                                                                                           |
| -------------------------- | --------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | AZ\_ARM\_ROLE\_SCOPED\_TO                                                                                 |
| **Azure Alias**            | Scope (ARM RBAC)                                                                                          |
| **Affected Object Types**  | Subscriptions, Resource Groups, VMs, Key Vaults, and all other ARM resources                              |
| **Exploitation Certainty** | Informational                                                                                             |
| **Azure RBAC Role**        | Any ARM RBAC role (Owner, Contributor, Reader, VM Contributor, Key Vault Contributor, custom roles, etc.) |

## Description

`AZ_ARM_ROLE_SCOPED_TO` represents the **scoping relationship** for Azure Resource Manager (ARM) RBAC role assignments. Every ARM role assignment has a **scope** that determines which resources the role's permissions apply to.

ARM RBAC scopes are hierarchical and inherit downward:

| Scope Level          | Example                                                                       | Inheritance                                                  |
| -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------ |
| **Management Group** | `/providers/Microsoft.Management/managementGroups/{mgId}`                     | All subscriptions, resource groups, and resources underneath |
| **Subscription**     | `/subscriptions/{subId}`                                                      | All resource groups and resources in the subscription        |
| **Resource Group**   | `/subscriptions/{subId}/resourceGroups/{rgName}`                              | All resources in the resource group                          |
| **Resource**         | `/subscriptions/{subId}/resourceGroups/{rgName}/providers/{rp}/{type}/{name}` | Only the specific resource                                   |

This edge connects a **role assignment** to its **scope target** (subscription, resource group, or resource). Understanding scope is critical for attack path analysis because:

* **Higher scopes = broader blast radius** — an Owner at subscription scope controls everything in the subscription.
* **RBAC inheritance means a single role assignment can affect thousands of resources.**
* **Defenders may overlook inherited permissions** when auditing resource-level access.
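The following Python is an added illustration of the inheritance rules in the table above; it is example code written for this page, not FSProtect's or Microsoft's. It resolves which role assignments reach a given resource and marks the ones that arrive through inheritance. The subscription and resource IDs, the principal names and the management-group-to-subscription map are constructed sample data, and nested management groups are assumed to be flattened into that map.

```python
# Added example for this page (not FSProtect or Microsoft code): resolves which
# ARM RBAC role assignments reach a resource by walking the scope hierarchy
# described in the table above. All IDs, principals and the management-group
# map below are constructed sample data.
from dataclasses import dataclass

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"


@dataclass(frozen=True)
class RoleAssignment:
    principal: str  # display name of the assigned principal (sample value)
    role: str       # role definition name, e.g. "Owner"
    scope: str      # ARM scope string the assignment was created at


def _segments(scope: str) -> list[str]:
    # ARM resource IDs are compared case-insensitively, segment by segment.
    return [p.lower() for p in scope.split("/") if p]


def scope_level(scope: str) -> str:
    """Classify a scope string into one of the four levels from the table."""
    if scope.lower().startswith(MG_PREFIX.lower()):
        return "managementGroup"
    parts = _segments(scope)
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resourceGroup"
    if len(parts) > 4 and parts[2] == "resourcegroups":
        return "resource"
    raise ValueError(f"unrecognised scope: {scope}")


def applies_to(assignment_scope: str, target: str, mg_subscriptions: dict) -> bool:
    """True when an assignment at assignment_scope is directly on, or inherited by, target.

    mg_subscriptions maps a management group ID to the subscription IDs beneath it
    (nested management groups are assumed to be flattened into this map).
    """
    a, t = _segments(assignment_scope), _segments(target)
    if scope_level(assignment_scope) == "managementGroup":
        subs = {s.lower() for k, v in mg_subscriptions.items() if k.lower() == a[-1] for s in v}
        return len(t) >= 2 and t[0] == "subscriptions" and t[1] in subs
    # Subscription, resource-group and resource scopes inherit downward, so the
    # assignment reaches the target when its segments are a prefix of the target's.
    return t[:len(a)] == a


def effective_assignments(target: str, assignments, mg_subscriptions: dict):
    """Return (assignment, inherited) pairs for every assignment that reaches target."""
    reached = []
    for ra in assignments:
        if applies_to(ra.scope, target, mg_subscriptions):
            inherited = _segments(ra.scope) != _segments(target)
            reached.append((ra, inherited))
    return reached


# Constructed sample hierarchy: one management group, one subscription, two RGs, one VM.
SUB_ID = "00000000-0000-0000-0000-000000000001"
SUB = f"/subscriptions/{SUB_ID}"
RG = f"{SUB}/resourceGroups/prod-rg"
VM = f"{RG}/providers/Microsoft.Compute/virtualMachines/web01"
MG = f"{MG_PREFIX}corp-root"
SAMPLE_MG_SUBSCRIPTIONS = {"corp-root": [SUB_ID]}
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("alice", "Owner", MG),
    RoleAssignment("bob", "Contributor", SUB),
    RoleAssignment("carol", "Virtual Machine Contributor", RG),
    RoleAssignment("dave", "Reader", VM),
    RoleAssignment("erin", "Key Vault Contributor", f"{SUB}/resourceGroups/other-rg"),
]

if __name__ == "__main__":
    for ra, inherited in effective_assignments(VM, SAMPLE_ASSIGNMENTS, SAMPLE_MG_SUBSCRIPTIONS):
        origin = f"inherited from {scope_level(ra.scope)} scope" if inherited else "direct"
        print(f"{ra.principal:6} {ra.role:28} {origin}")
```

Run against the sample VM, the resolver reports alice (Owner, inherited from the management group), bob (Contributor, inherited from the subscription) and carol (VM Contributor, inherited from the resource group) alongside dave's direct Reader assignment, while erin's assignment on a sibling resource group is correctly excluded. A resource-level IAM review that only looks at direct assignments would see dave alone, which is the audit gap the bullet above describes.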

> **Note:** This edge is distinct from [AZ\_ROLE\_SCOPED\_TO](https://docs.forestall.io/fsprotect/edges/azure/az_role_scoped_to), which handles Entra ID directory role scoping (Application Administrator scoped to specific apps). `AZ_ARM_ROLE_SCOPED_TO` applies specifically to **ARM RBAC** role assignments.

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# List all role assignments in a subscription (shows scope for each)
Get-AzRoleAssignment -Scope "/subscriptions/<SubscriptionId>" |
    Select-Object DisplayName, RoleDefinitionName, ObjectType, Scope |
    Sort-Object Scope |
    Format-Table -AutoSize

# Filter for subscription-scoped assignments only (not inherited from MG)
Get-AzRoleAssignment -Scope "/subscriptions/<SubscriptionId>" |
    Where-Object { $_.Scope -eq "/subscriptions/<SubscriptionId>" } |
    Select-Object DisplayName, RoleDefinitionName, ObjectType |
    Format-Table -AutoSize

# List all role assignments at a specific resource group scope
Get-AzRoleAssignment -ResourceGroupName "<ResourceGroupName>" |
    Select-Object DisplayName, RoleDefinitionName, ObjectType, Scope |
    Format-Table -AutoSize

```

### Azure GUI

1. Open **Azure Portal** → navigate to any **Subscription**, **Resource Group**, or **Resource**.
2. Go to **Access control (IAM)** → **Role assignments**.
3. The **Scope** column shows where each role assignment is applied.
4. Assignments inherited from a higher scope display `(Inherited)` next to the scope.

## Exploitation

> **Related Attack Paths:**
>
> * [AZ\_ARM\_OWNER](https://docs.forestall.io/fsprotect/edges/azure/az_arm_owner) — Subscription/RG Owner role.
> * [AZ\_CONTRIBUTOR](https://docs.forestall.io/fsprotect/edges/azure/az_contributor) — Contributor at any scope.
> * [AZ\_VM\_CONTRIBUTOR](https://docs.forestall.io/fsprotect/edges/azure/az_vm_contributor) — VM Contributor scoped to RGs or VMs.
> * [AZ\_KEY\_VAULT\_CONTRIBUTOR](https://docs.forestall.io/fsprotect/edges/azure/az_key_vault_contributor) — Key Vault Contributor scoped to vaults.
> * [AZ\_PARENT\_SUBSCRIPTION](https://docs.forestall.io/fsprotect/edges/azure/az_parent_subscription) — Resource containment in subscriptions.
> * [AZ\_PARENT\_RESOURCE\_GROUP](https://docs.forestall.io/fsprotect/edges/azure/az_parent_resource_group) — Resource containment in resource groups.
> * [AZ\_PARENT\_MANAGEMENT\_GROUP](https://docs.forestall.io/fsprotect/edges/azure/az_parent_management_group) — Subscription containment in management groups.

## Mitigation

This is a structural relationship (not directly abusable) indicating ARM RBAC role assignment scope. Mitigation focuses on the specific role edges referenced above.

## Detection

Monitor for role assignment changes at broad scopes:

### Azure GUI

1. Open **Azure Portal** → **Monitor** → **Activity log**.
2. Filter by **Operation**: `Create role assignment`.
3. Review the **Scope** field to identify broad-scope assignments.
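As an added example of the same check done programmatically (written for this page; not FSProtect's or Microsoft's code), the Python below takes Activity Log records for role-assignment writes, derives the scope each assignment was created at from the assignment's own resource ID, and flags those at subscription or management-group scope. The records are constructed and simplified: a real Activity Log entry nests `operationName` and `status` under `value`/`localizedValue` and carries many more fields, and only the fields used here are modelled.

```python
# Added example for this page (not FSProtect or Microsoft code): flags
# role-assignment creations at management-group or subscription scope in
# Activity Log records. The records below are constructed and simplified; a
# real entry nests operationName and status under {"value": ..., "localizedValue": ...}
# and carries many more fields, and only the ones used here are modelled.
import re

ROLE_ASSIGNMENT_WRITE = "microsoft.authorization/roleassignments/write"

# A role assignment's own resource ID has the form
# "<scope>/providers/Microsoft.Authorization/roleAssignments/<guid>", so the
# scope the assignment was created at is everything before that suffix.
_RA_SUFFIX = re.compile(
    r"/providers/Microsoft\.Authorization/roleAssignments/[^/]+$", re.IGNORECASE
)


def assignment_scope(resource_id: str) -> str:
    """Derive the scope of a role assignment from the assignment's resource ID."""
    return _RA_SUFFIX.sub("", resource_id)


def is_broad_scope(scope: str) -> bool:
    """Management-group or subscription scope: nothing narrower than a whole subscription."""
    parts = [p.lower() for p in scope.split("/") if p]
    if parts[:3] == ["providers", "microsoft.management", "managementgroups"]:
        return True
    return len(parts) == 2 and parts[0] == "subscriptions"


def find_broad_scope_assignments(records):
    """Return succeeded role-assignment writes whose scope is a subscription or management group."""
    hits = []
    for r in records:
        if r.get("operationName", "").lower() != ROLE_ASSIGNMENT_WRITE:
            continue
        if r.get("status") != "Succeeded":  # skip the "Started" record of the same operation
            continue
        scope = assignment_scope(r["resourceId"])
        if is_broad_scope(scope):
            hits.append({"time": r["eventTimestamp"], "caller": r["caller"], "scope": scope})
    return hits


SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
# Constructed sample records (timestamps, GUIDs and callers are placeholders).
SAMPLE_RECORDS = [
    {"eventTimestamp": "2024-01-01T10:00:00Z", "caller": "admin@example.com",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Started",
     "resourceId": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/aaaa-1"},
    {"eventTimestamp": "2024-01-01T10:00:01Z", "caller": "admin@example.com",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded",
     "resourceId": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/aaaa-1"},
    {"eventTimestamp": "2024-01-01T11:00:00Z", "caller": "dev@example.com",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded",
     "resourceId": f"{SUB}/resourceGroups/dev-rg/providers/Microsoft.Authorization/roleAssignments/bbbb-2"},
    {"eventTimestamp": "2024-01-01T12:00:00Z", "caller": "platform@example.com",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded",
     "resourceId": "/providers/Microsoft.Management/managementGroups/corp-root"
                   "/providers/Microsoft.Authorization/roleAssignments/cccc-3"},
    {"eventTimestamp": "2024-01-01T13:00:00Z", "caller": "dev@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/start/action", "status": "Succeeded",
     "resourceId": f"{SUB}/resourceGroups/dev-rg/providers/Microsoft.Compute/virtualMachines/web01"},
]

if __name__ == "__main__":
    for hit in find_broad_scope_assignments(SAMPLE_RECORDS):
        print(f"{hit['time']} {hit['caller']} created a role assignment at {hit['scope']}")
```

On the sample data only the subscription-scope and management-group-scope creations are reported; the resource-group-scope assignment and the unrelated VM operation are ignored, and the `Started` record of the subscription-scope write is not double-counted. Records of this shape can be exported from the Activity Log with the `Get-AzActivityLog` cmdlet from the same Az module used in the Identification section.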

## References

* <https://learn.microsoft.com/en-us/azure/role-based-access-control/scope-overview>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/overview>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal>
