# AZ\_CONTRIBUTOR

## Summary

|                            |                                                                                                            |
| -------------------------- | ---------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | AZ\_CONTRIBUTOR                                                                                            |
| **Azure Alias**            | Contributor (Azure RBAC)                                                                                   |
| **Affected Object Types**  | Subscriptions, Resource Groups, VMs, Key Vaults, Automation Accounts, and other ARM resources              |
| **Exploitation Certainty** | Certain                                                                                                    |
| **Azure RBAC Role**        | Contributor (`b24988ac-6180-42a0-ab88-20f7382dd24c`) — full resource write access, but cannot assign roles |

## Description

`AZ_CONTRIBUTOR` represents the Azure Resource Manager **Contributor** role assignment. The Contributor role grants almost all abusable privileges on every resource within its scope; its key properties and limits are:

* **Full management-plane access** to the target resource (create, update, delete).
* **Cannot assign roles** — unlike Owner, the Contributor role does not include `Microsoft.Authorization/roleAssignments/write`.
* **Cannot manage access policies** directly on some resource types, though this limit can often be worked around through other means available to Contributor.

The Contributor role is highly dangerous because it enables direct abuse of many resource types:

| Target Resource            | Abuse                                                                              |
| -------------------------- | ---------------------------------------------------------------------------------- |
| **Key Vault**              | Read secrets and alter access policies (grant yourself access to read secrets)     |
| **Automation Account**     | Create/edit runbooks that run as the Automation Account; gather RunAs certificates |
| **Virtual Machine**        | Run SYSTEM commands on the VM via RunCommand                                       |
| **Web App / Function App** | Deploy code, access managed identity tokens                                        |
| **Storage Account**        | Read/write blobs, tables, queues                                                   |

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# List all Contributor role assignments
Get-AzRoleAssignment -RoleDefinitionName "Contributor" |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize

# List Contributor at a specific scope
Get-AzRoleAssignment -RoleDefinitionName "Contributor" -Scope "/subscriptions/<SubscriptionId>" |
    Select-Object DisplayName, SignInName, ObjectType, Scope |
    Format-Table -AutoSize

# Check if a specific principal has Contributor
Get-AzRoleAssignment -SignInName "user@contoso.com" |
    Where-Object { $_.RoleDefinitionName -eq "Contributor" } |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

### Azure GUI

1. Open **Azure Portal** → **Subscriptions** (or the target resource).
2. Go to **Access control (IAM)** → **Role assignments**.
3. Filter by **Role = Contributor**.
4. Review all principals listed.

## Exploitation

The Contributor role grants almost all abusable privileges on the resources within its scope. Unlike Owner, it cannot assign roles, but it can directly abuse the resources at the target scope.

> **Related Attack Paths:**
>
> * [AZ\_EXECUTE\_COMMAND](https://docs.forestall.io/fsprotect/edges/azure/az_execute_command) — Contributor on VMs can execute commands as SYSTEM via RunCommand.
> * [AZ\_KEY\_VAULT\_CONTRIBUTOR](https://docs.forestall.io/fsprotect/edges/azure/az_key_vault_contributor) — Contributor on Key Vaults can modify access policies to grant data-plane access.
> * [AZ\_GET\_SECRETS](https://docs.forestall.io/fsprotect/edges/azure/az_get_secrets) — After modifying access policies, read Key Vault secrets.
> * [AZ\_GET\_KEYS](https://docs.forestall.io/fsprotect/edges/azure/az_get_keys) — After modifying access policies, read Key Vault keys.
> * [AZ\_GET\_CERTIFICATES](https://docs.forestall.io/fsprotect/edges/azure/az_get_certificates) — After modifying access policies, read Key Vault certificates.
> * [AZ\_VM\_CONTRIBUTOR](https://docs.forestall.io/fsprotect/edges/azure/az_vm_contributor) — Contributor on VMs enables the same VM abuses as VM Contributor.

## Mitigation

1. **Minimize Contributor assignments**
   * Go to **Azure Portal** → target resource → **Access control (IAM)** → **Role assignments**.
   * Filter by **Contributor** and remove any principal that does not strictly require broad access.
   * Prefer more specific built-in roles (e.g., **Reader**, **Virtual Machine User Login**, **Key Vault Secrets User**).
2. **Use Privileged Identity Management (PIM) for just-in-time access**
   * Configure eligible (not permanent) assignments for the Contributor role.
   * Require approval and MFA for activation.
3. **Scope assignments narrowly**
   * Assign Contributor at the **resource group** or **resource** level rather than subscription level.
4. **Monitor with Azure Policy**
   * Use Azure Policy to audit and restrict overly broad role assignments.

## Detection

Monitor Contributor role assignments and privileged actions in **Azure Activity Log**.

* Go to **Azure Portal** → **Monitor** → **Activity log**.
* Filter by **Operation name**: `Microsoft.Authorization/roleAssignments/write`.
* Alert on:
  * New Contributor role assignments at subscription scope.
  * RunCommand executions on VMs.
  * Access policy changes on Key Vaults.
  * Runbook creation/modification in Automation Accounts.
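As an added example (not part of the FSProtect documentation), the following Python triages constructed Activity Log events against the four alert conditions above. It assumes a simplified export shape with `operationName`, `caller`, `resourceId` and `properties.requestbody` fields, and identifies the Contributor role by matching the role GUID against the tail of `roleDefinitionId`.

```python
import json

CONTRIBUTOR_ROLE_ID = "b24988ac-6180-42a0-ab88-20f7382dd24c"
ROLE_ASSIGN_OP = "Microsoft.Authorization/roleAssignments/write"
RA_PROVIDER = "/providers/Microsoft.Authorization/roleAssignments/"
# operationName -> finding label, one per alert item in the Detection list above
WATCHED_OPS = {
    ROLE_ASSIGN_OP: "contributor-assignment",
    "Microsoft.Compute/virtualMachines/runCommand/action": "vm-runcommand",
    "Microsoft.KeyVault/vaults/accessPolicies/write": "keyvault-access-policy-change",
    "Microsoft.Automation/automationAccounts/runbooks/write": "runbook-write",
}

def is_subscription_scope(scope: str) -> bool:
    # "/subscriptions/<id>" has exactly two slashes; deeper paths are resource-group or resource scope
    return scope.lower().startswith("/subscriptions/") and scope.count("/") == 2

def classify(event: dict):
    """Return (label, severity) for an event on the watch list, else None."""
    label = WATCHED_OPS.get(event.get("operationName", ""))
    if label is None:
        return None
    if label != "contributor-assignment":
        return label, "medium"
    # resourceId is "<scope>" + RA_PROVIDER + "<guid>"; the tail of roleDefinitionId is the role GUID
    body = json.loads(event.get("properties", {}).get("requestbody", "{}"))
    role_def = body.get("properties", {}).get("roleDefinitionId", "")
    if not role_def.lower().endswith(CONTRIBUTOR_ROLE_ID):
        return None  # some other role was assigned; not this edge
    scope = event.get("resourceId", "").split(RA_PROVIDER)[0]
    return label, ("high" if is_subscription_scope(scope) else "medium")

def triage(events):
    """Flatten matching events into (caller, label, severity) tuples for an alert pipeline."""
    return [(e.get("caller"), *hit) for e in events if (hit := classify(e))]

# Constructed sample events in a simplified Activity Log export shape (not real tenant data)
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
def role_assignment_event(caller, scope, role_id):
    body = {"properties": {"roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_id}"}}
    return {"operationName": ROLE_ASSIGN_OP, "caller": caller, "properties": {"requestbody": json.dumps(body)},
            "resourceId": f"{scope}{RA_PROVIDER}11111111-1111-1111-1111-111111111111"}
SAMPLE_EVENTS = [
    role_assignment_event("alice@contoso.com", SUB, CONTRIBUTOR_ROLE_ID),                             # -> high
    role_assignment_event("alice@contoso.com", f"{SUB}/resourceGroups/rg-app", CONTRIBUTOR_ROLE_ID),  # -> medium
    role_assignment_event("carol@contoso.com", SUB, "ffffffff-ffff-ffff-ffff-ffffffffffff"),          # placeholder non-Contributor role -> ignored
    {"operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "bob@contoso.com",
     "resourceId": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01"},
]
```

Running `triage(SAMPLE_EVENTS)` yields the two Contributor assignments (subscription scope rated high, resource-group scope medium) and the RunCommand execution, while the non-Contributor assignment is dropped.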

## References

* <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor>
* <https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/>
* <https://blog.netspi.com/azure-automation-accounts-key-stores/>
* <https://blog.netspi.com/get-azurepasswords/>
* <https://blog.netspi.com/attacking-azure-cloud-shell/>
