AZ_ARM_ROLE_SCOPED_TO
Summary
FSProtect ACL Alias: AZ_ARM_ROLE_SCOPED_TO
Azure Alias: Scope (ARM RBAC)
Affected Object Types: Subscriptions, Resource Groups, VMs, Key Vaults, and all other ARM resources
Exploitation Certainty: Informational
Azure RBAC Role: Any ARM RBAC role (Owner, Contributor, Reader, VM Contributor, Key Vault Contributor, custom roles, etc.)
Description
AZ_ARM_ROLE_SCOPED_TO represents the scoping relationship for Azure Resource Manager (ARM) RBAC role assignments. Every ARM role assignment has a scope that determines which resources the role's permissions apply to.
ARM RBAC scopes are hierarchical and inherit downward (scope level, scope path, and what an assignment at that level applies to):
Management Group
  Path: /providers/Microsoft.Management/managementGroups/{mgId}
  Applies to: all subscriptions, resource groups, and resources underneath
Subscription
  Path: /subscriptions/{subId}
  Applies to: all resource groups and resources in the subscription
Resource Group
  Path: /subscriptions/{subId}/resourceGroups/{rgName}
  Applies to: all resources in the resource group
Resource
  Path: /subscriptions/{subId}/resourceGroups/{rgName}/providers/{rp}/{type}/{name}
  Applies to: only the specific resource
This edge connects a role assignment to its scope target (subscription, resource group, or resource). Understanding scope is critical for attack path analysis because:
Higher scopes = broader blast radius — an Owner at subscription scope controls everything in the subscription.
RBAC inheritance means a single role assignment can affect thousands of resources.
Defenders may overlook inherited permissions when auditing resource-level access.
Note: This edge is distinct from AZ_ROLE_SCOPED_TO, which handles Entra ID directory role scoping (e.g., Application Administrator scoped to specific apps). AZ_ARM_ROLE_SCOPED_TO applies specifically to ARM RBAC role assignments.
Identification
PowerShell (Az Module)
Azure GUI
Open Azure Portal → navigate to any Subscription, Resource Group, or Resource.
Go to Access control (IAM) → Role assignments.
The Scope column shows where each role assignment is applied.
Assignments inherited from a higher scope display (Inherited) next to the scope.
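The scope hierarchy above and the inherited-assignment check from the Identification steps, as an added PowerShell example (this is not FSProtect's code and not an Az module feature). The three scope helpers are pure string logic and run offline on constructed scope strings with a placeholder subscription id; Get-ArmRoleAssignmentReport is the only part that needs the Az.Resources module and a prior Connect-AzAccount, both of which are assumptions. Management-group membership is not encoded in a subscription's scope path, so the helpers only resolve inheritance from the subscription level down.

```powershell
# Added example, not part of the FSProtect page or the Az module.
# Helpers run offline; Get-ArmRoleAssignmentReport assumes Az.Resources
# is installed and Connect-AzAccount has already been run.

# Classify an ARM scope string by hierarchy level.
function Get-ArmScopeLevel {
    param([Parameter(Mandatory)][string]$Scope)
    switch -Regex ($Scope) {
        '^/$'                                                       { return 'Root' }
        '^/providers/Microsoft\.Management/managementGroups/[^/]+$' { return 'ManagementGroup' }
        '^/subscriptions/[^/]+$'                                    { return 'Subscription' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$'               { return 'ResourceGroup' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+'   { return 'Resource' }
        default                                                     { return 'Unknown' }
    }
}

# Scopes above $Scope, nearest first. A role assigned at any of them is
# inherited by $Scope. Management groups cannot be derived from the path;
# resolve them separately (e.g. Get-AzManagementGroup) if you need them.
function Get-ArmScopeAncestors {
    param([Parameter(Mandatory)][string]$Scope)
    $ancestors = [System.Collections.Generic.List[string]]::new()
    if ($Scope -match '^(/subscriptions/[^/]+/resourceGroups/[^/]+)/providers/') { $ancestors.Add($Matches[1]) }
    if ($Scope -match '^(/subscriptions/[^/]+)/resourceGroups/')                 { $ancestors.Add($Matches[1]) }
    if ($Scope -ne '/') { $ancestors.Add('/') }   # tenant root scope
    return $ancestors
}

# True when an assignment at $AssignmentScope applies to $TargetScope:
# the scopes are equal, or $AssignmentScope is an ancestor of the target.
function Test-ArmScopeCovers {
    param([Parameter(Mandatory)][string]$AssignmentScope,
          [Parameter(Mandatory)][string]$TargetScope)
    if ($AssignmentScope -eq '/') { return $true }
    $prefix = $AssignmentScope.TrimEnd('/')
    return (($TargetScope -eq $prefix) -or
            $TargetScope.StartsWith("$prefix/", [System.StringComparison]::OrdinalIgnoreCase))
}

# Live query: every assignment visible at $Scope, with its level and whether
# it was inherited from a higher scope. Get-AzRoleAssignment -Scope returns
# both direct and inherited assignments, so Inherited = assignment scope differs.
function Get-ArmRoleAssignmentReport {
    param([Parameter(Mandatory)][string]$Scope)
    Get-AzRoleAssignment -Scope $Scope | ForEach-Object {
        [pscustomobject]@{
            Principal  = $_.DisplayName
            Type       = $_.ObjectType
            Role       = $_.RoleDefinitionName
            Scope      = $_.Scope
            ScopeLevel = Get-ArmScopeLevel -Scope $_.Scope
            Inherited  = -not ($_.Scope -eq $Scope)
        }
    }
}

# Offline demonstration on constructed scope strings (placeholder subscription id).
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rg  = "$sub/resourceGroups/prod-rg"
$vm  = "$rg/providers/Microsoft.Compute/virtualMachines/web01"
foreach ($s in $sub, $rg, $vm) { "{0,-15} {1}" -f (Get-ArmScopeLevel -Scope $s), $s }
"Ancestors of the VM scope:"; Get-ArmScopeAncestors -Scope $vm
"Subscription assignment covers VM: " + (Test-ArmScopeCovers -AssignmentScope $sub -TargetScope $vm)
"VM assignment covers RG:           " + (Test-ArmScopeCovers -AssignmentScope $vm -TargetScope $rg)

# Live, after Connect-AzAccount:
# Get-ArmRoleAssignmentReport -Scope $rg | Sort-Object Inherited, ScopeLevel | Format-Table
```

Sorting the live report by Inherited surfaces the assignments an auditor looking only at the resource group's own IAM blade would tend to miss: anything with Inherited = True and ScopeLevel = Subscription grants the same role on every other resource group in that subscription.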
Exploitation
Related Attack Paths:
AZ_ARM_OWNER — Subscription/RG Owner role.
AZ_CONTRIBUTOR — Contributor at any scope.
AZ_VM_CONTRIBUTOR — VM Contributor scoped to RGs or VMs.
AZ_KEY_VAULT_CONTRIBUTOR — Key Vault Contributor scoped to vaults.
AZ_PARENT_SUBSCRIPTION — Resource containment in subscriptions.
AZ_PARENT_RESOURCE_GROUP — Resource containment in resource groups.
AZ_PARENT_MANAGEMENT_GROUP — Subscription containment in management groups.
Mitigation
This is a structural relationship (not directly abusable) indicating ARM RBAC role assignment scope. Mitigation focuses on the specific role edges referenced above.
Detection
Monitor for role assignment changes at broad scopes:
Azure GUI
Open Azure Portal → Monitor → Activity log.
Filter by Operation: Create role assignment.
Review the Scope field to identify broad-scope assignments.
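The same Activity log review done from PowerShell, as an added example (not FSProtect's code and not an Az module feature). It assumes the Az.Monitor module is installed, Connect-AzAccount has been run, and the caller can read the subscription's Activity log; property names follow Az.Monitor's PSEventData output (OperationName, Status, Caller, Authorization.Scope). The portal operation "Create role assignment" is logged under the operation id Microsoft.Authorization/roleAssignments/write.

```powershell
# Added example, not part of the FSProtect page or the Az module.
# Assumes Az.Monitor, a prior Connect-AzAccount, and read access to the
# subscription's Activity log.
function Get-RoleAssignmentWriteEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # The portal's "Create role assignment" operation is
    # Microsoft.Authorization/roleAssignments/write in the log.
    Get-AzActivityLog -StartTime $since -ResourceProvider 'Microsoft.Authorization' |
        Where-Object {
            $_.OperationName -eq 'Microsoft.Authorization/roleAssignments/write' -and
            $_.Status -eq 'Succeeded'
        } |
        ForEach-Object {
            $scope = $_.Authorization.Scope
            [pscustomobject]@{
                Time       = $_.EventTimestamp
                Caller     = $_.Caller
                Scope      = $scope
                # Root, management-group or subscription scope: the assignment
                # is inherited by everything beneath it.
                BroadScope = ($scope -eq '/' -or
                              $scope -match '^/subscriptions/[^/]+$' -or
                              $scope -match '^/providers/Microsoft\.Management/managementGroups/[^/]+$')
            }
        }
}

# Review broad-scope writes first; each one changes access on every resource
# under that scope.
Get-RoleAssignmentWriteEvents -Days 30 |
    Where-Object BroadScope |
    Sort-Object Time -Descending |
    Format-Table Time, Caller, Scope
```

The Activity log is per subscription, so run this once per subscription in scope; management-group level assignments show up in the log of the subscription where the write was recorded, not in a separate tenant-wide log.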