AZ_HAS_ARM_ROLE

Summary

FSProtect ACL Alias: AZ_HAS_ARM_ROLE

Azure Alias: ARM Role Assignment

Affected Object Types: Users, Groups, Service Principals

Exploitation Certainty: Informational

Azure RBAC Role: Any ARM RBAC role (Owner, Contributor, Reader, Virtual Machine Contributor, Key Vault Contributor, custom roles, etc.)

Description

AZ_HAS_ARM_ROLE represents a role assignment relationship in Azure Resource Manager (ARM) RBAC. This edge connects a principal (User, Group, or Service Principal) to an ARM role assignment node (AZARMRole), indicating that the principal holds a specific ARM RBAC role.

Every ARM RBAC role assignment consists of three components:

  • Principal: the identity receiving the role, i.e. a User, Group, or Service Principal.

  • Role Definition: the set of permissions being granted, e.g. Owner, Contributor, Reader, Virtual Machine Contributor, or a custom role.

  • Scope: the resource boundary where the role applies: a Management Group, Subscription, Resource Group, or individual resource. Assignments are inherited downward, so a role assigned at subscription scope applies to every resource group and resource beneath it.

Identification

PowerShell (Az Module)

Connect-AzAccount

# List all ARM role assignments in the current subscription
Get-AzRoleAssignment |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope |
    Sort-Object RoleDefinitionName |
    Format-Table -AutoSize

# List role assignments for a specific principal
Get-AzRoleAssignment -SignInName "<UserPrincipalName>" |
    Select-Object RoleDefinitionName, Scope, ObjectType |
    Format-Table -AutoSize

# List role assignments for a specific service principal
Get-AzRoleAssignment -ObjectId "<ServicePrincipalObjectId>" |
    Select-Object RoleDefinitionName, Scope, ObjectType |
    Format-Table -AutoSize

# List all role assignments at a specific scope (subscription)
Get-AzRoleAssignment -Scope "/subscriptions/<SubscriptionId>" |
    Select-Object DisplayName, RoleDefinitionName, ObjectType, Scope |
    Format-Table -AutoSize

# List all privileged role assignments (Owner, Contributor, User Access Administrator)
Get-AzRoleAssignment |
    Where-Object { $_.RoleDefinitionName -in @("Owner", "Contributor", "User Access Administrator") } |
    Select-Object DisplayName, RoleDefinitionName, ObjectType, Scope |
    Sort-Object RoleDefinitionName |
    Format-Table -AutoSize
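As an added example (not code from the original page or from FSProtect), the script below builds on the queries above: it classifies every assignment by scope level, flags the combinations the rest of this page treats as risky (privileged role, broad scope, service principal, guest, group), and expands group assignments into the members who effectively hold the role. The role list, the '#EXT#' guest heuristic and the OdataType/UserPrincipalName property names read from Get-AzADGroupMember output are this script's own assumptions; the constructed sample at the end lets the classification run without a tenant.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example, not from the original page. Classifies AZ_HAS_ARM_ROLE edges
# (Get-AzRoleAssignment output) and expands group-held roles to their members.

# Roles treated as privileged here (this script's own list).
$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

# Map a scope string to its level in the ARM hierarchy.
function Get-ScopeLevel {
    param([Parameter(Mandatory)][string]$Scope)
    switch -Regex ($Scope) {
        '^/$'                                                       { return 'Root' }
        '^/providers/Microsoft\.Management/managementGroups/[^/]+$' { return 'ManagementGroup' }
        '^/subscriptions/[^/]+$'                                    { return 'Subscription' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$'               { return 'ResourceGroup' }
        default                                                     { return 'Resource' }
    }
}

# Expand a group assignment into one pseudo-assignment per (nested) member.
# Direct assignments pass through unchanged. The OdataType and
# UserPrincipalName property names on Get-AzADGroupMember output are assumed.
function Expand-GroupAssignment {
    param([Parameter(Mandatory)]$Assignment, [int]$Depth = 0)
    if ($Assignment.ObjectType -ne 'Group' -or $Depth -gt 10) { return $Assignment }
    foreach ($m in Get-AzADGroupMember -GroupObjectId $Assignment.ObjectId) {
        $type = switch -Wildcard ($m.OdataType) {
            '*.group'            { 'Group' }
            '*.servicePrincipal' { 'ServicePrincipal' }
            default              { 'User' }
        }
        $effective = [pscustomobject]@{
            DisplayName        = $m.DisplayName
            SignInName         = $m.UserPrincipalName
            ObjectType         = $type
            ObjectId           = $m.Id
            RoleDefinitionName = $Assignment.RoleDefinitionName
            Scope              = $Assignment.Scope
            ViaGroup           = $Assignment.DisplayName
        }
        # Nested groups recurse; depth guard protects against pathological nesting.
        Expand-GroupAssignment -Assignment $effective -Depth ($Depth + 1)
    }
}

# Turn one assignment into a findings record with comma-separated flags.
function Get-AssignmentFindings {
    param([Parameter(Mandatory)]$Assignment)
    $level = Get-ScopeLevel -Scope $Assignment.Scope
    $flags = @()
    if ($Assignment.RoleDefinitionName -in $PrivilegedRoles)     { $flags += 'PrivilegedRole' }
    if ($level -in @('Root', 'ManagementGroup', 'Subscription')) { $flags += 'BroadScope' }
    if ($Assignment.ObjectType -eq 'ServicePrincipal')           { $flags += 'ServicePrincipal' }
    if ($Assignment.ObjectType -eq 'Group')                      { $flags += 'GroupAssignment' }
    # Guest users carry '#EXT#' in their UPN in the resource tenant (heuristic).
    if ($Assignment.SignInName -like '*#EXT#*')                  { $flags += 'GuestUser' }
    [pscustomobject]@{
        Principal  = $Assignment.DisplayName
        ObjectType = $Assignment.ObjectType
        Role       = $Assignment.RoleDefinitionName
        ScopeLevel = $level
        Scope      = $Assignment.Scope
        ViaGroup   = $Assignment.ViaGroup
        Flags      = ($flags -join ',')
    }
}

# Constructed sample assignments (not real tenant data) shaped like
# Get-AzRoleAssignment output, so the classification runs offline.
$Sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$Sample = @(
    [pscustomobject]@{ DisplayName = 'svc-deploy';  SignInName = $null; ObjectType = 'ServicePrincipal'; ObjectId = '1'; RoleDefinitionName = 'Contributor'; Scope = $Sub }
    [pscustomobject]@{ DisplayName = 'Ext Partner'; SignInName = 'partner_example.com#EXT#@contoso.onmicrosoft.com'; ObjectType = 'User'; ObjectId = '2'; RoleDefinitionName = 'Owner'; Scope = "$Sub/resourceGroups/rg-prod" }
    [pscustomobject]@{ DisplayName = 'Alice';       SignInName = 'alice@contoso.com'; ObjectType = 'User'; ObjectId = '3'; RoleDefinitionName = 'Reader'; Scope = "$Sub/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm01" }
)
$Sample | ForEach-Object { Get-AssignmentFindings -Assignment $_ } | Format-Table -AutoSize

# Live inventory (after Connect-AzAccount): expand groups, keep only flagged edges.
function Invoke-ArmRoleInventory {
    Get-AzRoleAssignment |
        ForEach-Object { Expand-GroupAssignment -Assignment $_ } |
        ForEach-Object { Get-AssignmentFindings -Assignment $_ } |
        Where-Object { $_.Flags } |
        Sort-Object ScopeLevel, Role
}
```

Run `Invoke-ArmRoleInventory | Format-Table -AutoSize` after `Connect-AzAccount` to produce the live list; the ViaGroup column shows which group an expanded member inherits the role through, which is the relationship Mitigation step 5 asks you to review.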

Azure GUI

  1. Open Azure Portal → navigate to any Subscription, Resource Group, or Resource.

  2. Go to Access control (IAM) → Role assignments.

  3. Review all assignments — each row represents an AZ_HAS_ARM_ROLE relationship between the listed principal and the assigned role at the displayed scope.

  4. Use Check access to see all role assignments for a specific principal.

Exploitation

This edge itself is structural/informational — it documents that a principal holds an ARM role. The actual attack impact depends on which role is assigned and at what scope:

  • Owner (any scope): full control of every resource in scope plus Microsoft.Authorization/roleAssignments/write, so the holder can grant any role to any principal (privilege escalation).

  • Contributor (any scope): full management of resources but no role assignment. Control of the resources still reaches the data plane and attached identities (VM Run Command, runbooks, Key Vault access policies, as in the rows below).

  • User Access Administrator: manages role assignments at the scope and below without managing resources; a direct privilege escalation path, since the holder can assign Owner to itself or to others.

  • VM Contributor (Virtual Machine Contributor): can invoke Run Command and deploy VM extensions, which execute as SYSTEM on Windows and root on Linux.

  • Key Vault Contributor: manages vaults on the control plane and grants no access to secrets, keys or certificates by itself. On vaults that use the legacy access-policy permission model it can write access policies and so grant itself that access; on vaults using the Azure RBAC permission model it cannot.

  • Automation Contributor: create or modify runbooks and run them, so code executes under the Automation account's identity (managed identity or Run As account).

  • Custom roles with wildcards: varies. An Actions entry such as * or Microsoft.Authorization/* covers roleAssignments/write unless it is excluded in NotActions, which makes the role Owner-equivalent at its assignable scopes.
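The last row is the one that is easy to miss in a review, because the role name says nothing about what it grants. As an added example (not code from the original page or from FSProtect), the script below evaluates custom role definitions the way ARM does, wildcards in Actions minus NotActions, and reports which ones effectively include role-assignment rights, then lists their holders. The set of escalation actions is this script's own choice; the sample role definitions are constructed so the logic runs without a tenant.

```powershell
#Requires -Modules Az.Accounts, Az.Resources
# Added example, not from the original page. Flags custom role definitions
# whose Actions (minus NotActions) cover role-assignment rights, which make
# the role an Owner-equivalent at its assignable scopes.

# Control-plane actions that let a holder grant itself more access
# (this script's own list; extend as needed).
$EscalationActions = @(
    'Microsoft.Authorization/roleAssignments/write',
    'Microsoft.Authorization/roleDefinitions/write'
)

# ARM permission strings use '*' as a wildcard. Convert one to an anchored regex.
function ConvertTo-ActionRegex {
    param([Parameter(Mandatory)][string]$Pattern)
    '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
}

# True if $Action is covered by at least one pattern (case-insensitive, like ARM).
function Test-ActionCovered {
    param([string]$Action, [string[]]$Patterns)
    foreach ($p in @($Patterns)) {
        if ($Action -match (ConvertTo-ActionRegex -Pattern $p)) { return $true }
    }
    return $false
}

# Escalation actions the role effectively grants: allowed by Actions and not
# removed by NotActions (Azure evaluates NotActions as a subtraction).
function Get-EffectiveEscalation {
    param([Parameter(Mandatory)]$RoleDefinition)
    $EscalationActions | Where-Object {
        (Test-ActionCovered -Action $_ -Patterns $RoleDefinition.Actions) -and
        -not (Test-ActionCovered -Action $_ -Patterns $RoleDefinition.NotActions)
    }
}

# Constructed sample definitions (not real roles) shaped like Get-AzRoleDefinition output.
$SampleRoles = @(
    [pscustomobject]@{ Name = 'Wide Open Operator'; Actions = @('*');                         NotActions = @() }
    [pscustomobject]@{ Name = 'Auth Manager';       Actions = @('Microsoft.Authorization/*'); NotActions = @('Microsoft.Authorization/roleDefinitions/*') }
    [pscustomobject]@{ Name = 'VM Operator';        Actions = @('Microsoft.Compute/*/read', 'Microsoft.Compute/virtualMachines/start/action'); NotActions = @() }
)
foreach ($r in $SampleRoles) {
    $grants = @(Get-EffectiveEscalation -RoleDefinition $r)
    [pscustomobject]@{ Role = $r.Name; EscalationActions = ($grants -join ', ') }
}

# Live audit (after Connect-AzAccount): every custom role in scope plus its holders.
function Invoke-CustomRoleAudit {
    Get-AzRoleDefinition -Custom | ForEach-Object {
        $grants = @(Get-EffectiveEscalation -RoleDefinition $_)
        if ($grants.Count -gt 0) {
            $holders = Get-AzRoleAssignment -RoleDefinitionId $_.Id
            [pscustomobject]@{
                Role              = $_.Name
                EscalationActions = ($grants -join ', ')
                AssignableScopes  = ($_.AssignableScopes -join ', ')
                Holders           = (($holders | ForEach-Object { "$($_.DisplayName) ($($_.ObjectType))" }) -join ', ')
            }
        }
    }
}
```

Of the three sample roles, only the first two are flagged: the wildcard-only role covers both escalation actions, while the second role's NotActions carve out roleDefinitions/write but leave roleAssignments/write in place. DataActions are deliberately ignored here, since role assignment is a control-plane operation.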

Related Attack Paths:

Mitigation

  1. Apply least privilege

    • Assign the most specific role possible instead of broad roles like Owner or Contributor.

    • Use resource-level scoping instead of subscription-level where possible.

  2. Use Privileged Identity Management (PIM) for just-in-time access

    • Go to Entra ID → Privileged Identity Management → Azure resources.

    • Configure eligible (not permanent) assignments for privileged ARM roles.

    • Require approval and MFA for activation.

  3. Regularly review role assignments

    • Go to Azure Portal → target scope → Access control (IAM) → Role assignments.

    • Remove stale or unnecessary assignments, especially for service principals and guest accounts.

    • Use Access Reviews to automate periodic review of ARM role assignments.

  4. Restrict role assignment permissions

    • Limit the number of principals with Owner or User Access Administrator roles.

    • Use Azure Policy to audit or deny unwanted role assignments, and use role assignment conditions (delegated role assignment management with conditions) to constrain which roles a delegated administrator may assign and to which principals.

  5. Monitor group-based assignments

    • ARM roles assigned to groups apply to all group members. Review group membership regularly, especially for dynamic groups.

Detection

Monitor ARM role assignment changes in Azure Activity Log.

  • Go to Azure Portal → Monitor → Activity log.

  • Filter by Operation name: Microsoft.Authorization/roleAssignments/write. Also watch Microsoft.Authorization/roleAssignments/delete (access removed, including an attacker cleaning up after itself) and Microsoft.Authorization/roleDefinitions/write (a custom role created or modified, which can widen what an existing assignment grants). The Caller field identifies who made the change.

  • Alert on:

    • New role assignments for privileged roles (Owner, Contributor, User Access Administrator).

    • Role assignments to service principals or guest accounts.

    • Role assignments at broad scopes (subscription or management group level).

    • Bulk role assignment changes outside change management windows.
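The alert criteria above can be applied directly to the Activity Log from the same Az session used for identification. As an added example (not code from the original page or from FSProtect), the script below pulls recent roleAssignments/write events, resolves each to the assignment it created, and reports which of the criteria it meets. The privileged-role list, the guest heuristic and the definition of "broad scope" are this script's own; the constructed sample assignment at the end exercises the criteria without a tenant.

```powershell
#Requires -Modules Az.Accounts, Az.Monitor, Az.Resources
# Added example, not from the original page. Pulls recent
# Microsoft.Authorization/roleAssignments/write events from the Activity Log,
# resolves each to the assignment it created and applies the alert criteria
# listed above. The Activity Log only retains 90 days.

$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

# Activity Log fields such as OperationName and Status are LocalizableString
# objects in older Az.Monitor versions and plain strings in newer ones.
function Get-LocValue {
    param($Field)
    if ($Field -is [string]) { $Field } else { $Field.Value }
}

# Alert reasons for one assignment (empty array means no alert).
function Get-AlertReasons {
    param([Parameter(Mandatory)]$Assignment)
    $reasons = @()
    if ($Assignment.RoleDefinitionName -in $PrivilegedRoles) { $reasons += 'privileged role' }
    if ($Assignment.ObjectType -eq 'ServicePrincipal')       { $reasons += 'service principal' }
    if ($Assignment.SignInName -like '*#EXT#*')              { $reasons += 'guest user' }   # heuristic
    # Root, management group or subscription scope counts as broad.
    if ($Assignment.Scope -match '^(/|/providers/Microsoft\.Management/managementGroups/[^/]+|/subscriptions/[^/]+)$') {
        $reasons += 'broad scope'
    }
    return $reasons
}

# The event's ResourceId is the role assignment ID; strip the assignment
# segment to get the scope it was created at.
function Get-ScopeFromAssignmentId {
    param([Parameter(Mandatory)][string]$AssignmentId)
    $scope = $AssignmentId -replace '/providers/Microsoft\.Authorization/roleAssignments/[^/]+$', ''
    if ($scope) { $scope } else { '/' }
}

# Live query (after Connect-AzAccount): one record per completed write.
function Find-RoleAssignmentWrites {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-AzActivityLog -StartTime $Since -EndTime (Get-Date) |
        Where-Object {
            (Get-LocValue $_.OperationName) -eq 'Microsoft.Authorization/roleAssignments/write' -and
            (Get-LocValue $_.Status) -eq 'Succeeded'
        } |
        ForEach-Object {
            $evt   = $_
            $scope = Get-ScopeFromAssignmentId -AssignmentId $evt.ResourceId
            # Resolve the assignment; $null if it was already deleted again.
            $a = Get-AzRoleAssignment -Scope $scope -ErrorAction SilentlyContinue |
                Where-Object { $_.RoleAssignmentId -eq $evt.ResourceId }
            [pscustomobject]@{
                Time      = $evt.EventTimestamp
                Caller    = $evt.Caller
                Scope     = $scope
                Principal = if ($a) { $a.DisplayName } else { '(assignment no longer exists)' }
                Role      = if ($a) { $a.RoleDefinitionName } else { $null }
                Reasons   = if ($a) { (Get-AlertReasons -Assignment $a) -join ', ' } else { 'deleted after creation' }
            }
        }
}

# Constructed sample (not real tenant data) so the criteria can be checked offline:
# an Owner assignment to a service principal at subscription scope.
$Sample = [pscustomobject]@{
    DisplayName = 'svc-ci'; SignInName = $null; ObjectType = 'ServicePrincipal'
    RoleDefinitionName = 'Owner'; Scope = '/subscriptions/00000000-0000-0000-0000-000000000000'
}
Get-AlertReasons -Assignment $Sample

# Live: Find-RoleAssignmentWrites | Where-Object { $_.Reasons } | Format-Table -AutoSize
```

An assignment that no longer exists when the script runs is reported as "deleted after creation" rather than dropped: a grant that is created, used and removed within a short window is exactly the pattern the bulk-change criterion is meant to catch, and correlating it with a matching roleAssignments/delete event from the same Caller is the natural follow-up.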
