
# AZ\_HAS\_ARM\_ROLE

## Summary

|                            |                                                                                                           |
| -------------------------- | --------------------------------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | AZ\_HAS\_ARM\_ROLE                                                                                        |
| **Azure Alias**            | ARM Role Assignment                                                                                       |
| **Affected Object Types**  | Users, Groups, Service Principals                                                                         |
| **Exploitation Certainty** | Informational                                                                                             |
| **Azure RBAC Role**        | Any ARM RBAC role (Owner, Contributor, Reader, VM Contributor, Key Vault Contributor, custom roles, etc.) |

## Description

`AZ_HAS_ARM_ROLE` represents a **role assignment** relationship in Azure Resource Manager (ARM) RBAC. This edge connects a principal (User, Group, or Service Principal) to an **ARM role assignment node** (`AZARMRole`), indicating that the principal holds a specific ARM RBAC role.

Every ARM RBAC role assignment consists of three components:

| Component           | Description                                  | Example                                              |
| ------------------- | -------------------------------------------- | ---------------------------------------------------- |
| **Principal**       | The identity receiving the role              | A User, Group, or Service Principal                  |
| **Role Definition** | The set of permissions being granted         | Owner, Contributor, Reader, VM Contributor, etc.     |
| **Scope**           | The resource boundary where the role applies | Subscription, Resource Group, or individual resource |

## Identification

### PowerShell (Az Module)

```powershell
Connect-AzAccount

# List all ARM role assignments in the current subscription
# (also returns assignments inherited from the management groups above it)
Get-AzRoleAssignment |
    Select-Object DisplayName, SignInName, ObjectType, RoleDefinitionName, Scope |
    Sort-Object RoleDefinitionName |
    Format-Table -AutoSize

# List role assignments for a specific user; -ExpandPrincipalGroups also
# returns roles the user holds through group membership
Get-AzRoleAssignment -SignInName "user@contoso.com" -ExpandPrincipalGroups |
    Select-Object DisplayName, RoleDefinitionName, Scope, ObjectType |
    Format-Table -AutoSize

# List role assignments for a specific service principal (or any principal by object ID)
Get-AzRoleAssignment -ObjectId "<ServicePrincipalObjectId>" |
    Select-Object RoleDefinitionName, Scope, ObjectType |
    Format-Table -AutoSize

# List all role assignments at a specific scope (subscription), including inherited ones
Get-AzRoleAssignment -Scope "/subscriptions/<SubscriptionId>" |
    Select-Object DisplayName, RoleDefinitionName, ObjectType, Scope |
    Format-Table -AutoSize

# List all privileged role assignments (Owner, Contributor, User Access Administrator)
Get-AzRoleAssignment |
    Where-Object { $_.RoleDefinitionName -in @("Owner", "Contributor", "User Access Administrator") } |
    Select-Object DisplayName, RoleDefinitionName, ObjectType, Scope |
    Sort-Object RoleDefinitionName |
    Format-Table -AutoSize
```

### Azure GUI

1. Open **Azure Portal** → navigate to any **Subscription**, **Resource Group**, or **Resource**.
2. Go to **Access control (IAM)** → **Role assignments**.
3. Review all assignments — each row represents an `AZ_HAS_ARM_ROLE` relationship between the listed principal and the assigned role at the displayed scope.
4. Use **Check access** to see all role assignments for a specific principal.

## Exploitation

This edge itself is structural/informational — it documents that a principal holds an ARM role. The actual attack impact depends on **which role** is assigned and at **what scope**:

| Role Assignment                 | Impact                                                                                                                                                                                                              |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Owner** at any scope          | Full control of everything in scope, plus `Microsoft.Authorization/roleAssignments/write`: can grant any role to any principal (privilege escalation)                                                              |
| **Contributor** at any scope    | Full resource management in scope (a superset of the VM, Key Vault and Automation Contributor actions below); cannot assign roles                                                                                    |
| **User Access Administrator**   | Can assign any role in scope, including Owner, to any principal (privilege escalation)                                                                                                                              |
| **VM Contributor**              | Run Command and VM extensions on VMs in scope: code execution as SYSTEM on Windows or root on Linux                                                                                                                  |
| **Key Vault Contributor**       | Control-plane management of vaults in scope. On vaults using the access-policy permission model it can add an access policy for itself and then read secrets/keys/certs; on RBAC-model vaults it gets no data-plane access |
| **Automation Contributor**      | Create/modify runbooks; the code runs with the Automation account's managed identity                                                                                                                                 |
| **Custom roles with wildcards** | Varies; `*` or `Microsoft.Authorization/*` actions may include role assignment or other dangerous permissions                                                                                                        |
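The three components described above (principal, role definition, scope) and the role-by-scope impact table can be checked mechanically against `Get-AzRoleAssignment` output. The following is an added example, not FSProtect code: the function names `Get-ArmScopeLevel` and `Get-ArmRoleAssignmentRisk`, the severity bands, and the sample principals (`svc-deploy`, `app-team`, `platform-ops`, and so on) are assumptions made for illustration. The sample objects are constructed with the property names `Get-AzRoleAssignment` returns, so the same pipeline runs unchanged against a live subscription.

```powershell
# Added example (not FSProtect code): classify ARM role assignments by role and scope.
# Objects use the property names Get-AzRoleAssignment emits (DisplayName, ObjectType,
# RoleDefinitionName, Scope); the sample assignments further down are constructed.

function Get-ArmScopeLevel {
    param([Parameter(Mandatory)][string]$Scope)
    # ARM scopes are path-shaped, so the deepest recognised segment fixes the level.
    switch -Regex ($Scope) {
        '^/$'                                                       { return 'TenantRoot' }
        '^/providers/Microsoft\.Management/managementGroups/[^/]+$' { return 'ManagementGroup' }
        '^/subscriptions/[^/]+$'                                    { return 'Subscription' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+$'               { return 'ResourceGroup' }
        '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+'   { return 'Resource' }
        default                                                     { return 'Unknown' }
    }
}

# Roles that can change who holds what (the escalation roles in the table above).
$RoleAssigningRoles = @('Owner', 'User Access Administrator')
# Roles that give code execution or secret access on the resources they cover.
$HighImpactRoles    = @('Contributor', 'Virtual Machine Contributor',
                        'Key Vault Contributor', 'Automation Contributor')
# Scope levels where one assignment covers many resources.
$BroadLevels        = @('TenantRoot', 'ManagementGroup', 'Subscription')

function Get-ArmRoleAssignmentRisk {
    param([Parameter(Mandatory, ValueFromPipeline)]$Assignment)
    process {
        $role    = $Assignment.RoleDefinitionName
        $level   = Get-ArmScopeLevel -Scope $Assignment.Scope
        $broad   = $level -in $BroadLevels
        $reasons = @()

        if ($role -in $RoleAssigningRoles)  { $reasons += 'can assign roles' }
        elseif ($role -in $HighImpactRoles) { $reasons += 'code or secret access' }
        if ($broad)                         { $reasons += "applies to whole $level" }
        if ($Assignment.ObjectType -eq 'ServicePrincipal') { $reasons += 'non-human identity' }
        if ($Assignment.ObjectType -eq 'Group')            { $reasons += 'inherited by all members' }

        # Severity bands are an assumption for this example; tune them to your estate.
        $severity = if ($role -in $RoleAssigningRoles -and $broad) { 'Critical' }
                    elseif ($role -in ($RoleAssigningRoles + $HighImpactRoles)) { 'High' }
                    elseif ($broad) { 'Medium' }
                    else { 'Low' }

        [pscustomobject]@{
            Principal  = $Assignment.DisplayName
            ObjectType = $Assignment.ObjectType
            Role       = $role
            ScopeLevel = $level
            Severity   = $severity
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Constructed sample (fake names and IDs), shaped like Get-AzRoleAssignment output.
$sub = '/subscriptions/11111111-1111-1111-1111-111111111111'
$sample = @(
    [pscustomobject]@{ DisplayName = 'svc-deploy';   ObjectType = 'ServicePrincipal'; RoleDefinitionName = 'Owner';                       Scope = $sub }
    [pscustomobject]@{ DisplayName = 'app-team';     ObjectType = 'Group';            RoleDefinitionName = 'Contributor';                 Scope = "$sub/resourceGroups/rg-app" }
    [pscustomobject]@{ DisplayName = 'alice';        ObjectType = 'User';             RoleDefinitionName = 'Reader';                      Scope = $sub }
    [pscustomobject]@{ DisplayName = 'bob';          ObjectType = 'User';             RoleDefinitionName = 'Virtual Machine Contributor'; Scope = "$sub/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01" }
    [pscustomobject]@{ DisplayName = 'platform-ops'; ObjectType = 'Group';            RoleDefinitionName = 'User Access Administrator';   Scope = '/providers/Microsoft.Management/managementGroups/corp' }
)

$rank = @{ Critical = 0; High = 1; Medium = 2; Low = 3 }
$sample | Get-ArmRoleAssignmentRisk | Sort-Object { $rank[$_.Severity] } | Format-Table -AutoSize

# Against a live tenant: Get-AzRoleAssignment | Get-ArmRoleAssignmentRisk | Sort-Object { $rank[$_.Severity] }
```

With the constructed sample, `svc-deploy` (Owner at subscription) and `platform-ops` (User Access Administrator at a management group) come out Critical, the two Contributor-family assignments High, and `alice`'s subscription-wide Reader Medium. The scope parser is the part worth keeping: most triage mistakes come from reading a role name without noticing that its scope is a whole subscription or management group.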

> **Related Attack Paths:**
>
> * [AZ\_ARM\_OWNER](https://docs.forestall.io/fsprotect/edges/azure/az_arm_owner) — Owner role assignment over ARM resources.
> * [AZ\_CONTRIBUTOR](https://docs.forestall.io/fsprotect/edges/azure/az_contributor) — Contributor role at any scope.
> * [AZ\_VM\_CONTRIBUTOR](https://docs.forestall.io/fsprotect/edges/azure/az_vm_contributor) — VM Contributor scoped to VMs or RGs.
> * [AZ\_KEY\_VAULT\_CONTRIBUTOR](https://docs.forestall.io/fsprotect/edges/azure/az_key_vault_contributor) — Key Vault Contributor scoped to vaults.
> * [AZ\_ARM\_ROLE\_SCOPED\_TO](https://docs.forestall.io/fsprotect/edges/azure/az_arm_role_scoped_to) — Scope of the ARM role assignment.
> * [AZ\_PARENT\_SUBSCRIPTION](https://docs.forestall.io/fsprotect/edges/azure/az_parent_subscription) — Resource containment in subscriptions.
> * [AZ\_PARENT\_RESOURCE\_GROUP](https://docs.forestall.io/fsprotect/edges/azure/az_parent_resource_group) — Resource containment in resource groups.
> * [AZ\_PARENT\_MANAGEMENT\_GROUP](https://docs.forestall.io/fsprotect/edges/azure/az_parent_management_group) — Subscription containment in management groups.

## Mitigation

1. **Apply least privilege**
   * Assign the most specific role possible instead of broad roles like Owner or Contributor.
   * Use resource-level scoping instead of subscription-level where possible.
2. **Use Privileged Identity Management (PIM) for just-in-time access**
   * Go to **Entra ID** → **Privileged Identity Management** → **Azure resources**.
   * Configure eligible (not permanent) assignments for privileged ARM roles.
   * Require approval and MFA for activation.
3. **Regularly review role assignments**
   * Go to **Azure Portal** → target scope → **Access control (IAM)** → **Role assignments**.
   * Remove stale or unnecessary assignments, especially for service principals and guest accounts.
   * Use **Access Reviews** to automate periodic review of ARM role assignments.
4. **Restrict role assignment permissions**
   * Limit the number of principals with Owner or User Access Administrator roles.
   * Use Azure Policy to restrict which roles can be assigned and by whom.
5. **Monitor group-based assignments**
   * ARM roles assigned to groups apply to all group members. Review group membership regularly, especially for dynamic groups.

## Detection

Monitor ARM role assignment changes in **Azure Activity Log**.

* Go to **Azure Portal** → **Monitor** → **Activity log**.
* Filter by **Operation name**: `Microsoft.Authorization/roleAssignments/write` (and `Microsoft.Authorization/roleAssignments/delete` to catch removals, which an attacker may use to cover tracks or to cut legitimate administrators off).
* Alert on:
  * New role assignments for privileged roles (Owner, Contributor, User Access Administrator).
  * Role assignments to service principals or guest accounts.
  * Role assignments at broad scopes (subscription or management group level).
  * Bulk role assignment changes outside change management windows.
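The alert conditions above can be expressed as rules over exported Activity Log events. The following is an added example, not FSProtect code: the function names `Get-RoleAssignmentAlerts` and `Test-InChangeWindow`, the Saturday change window, the bulk thresholds, and the callers and timestamps are all assumptions made for illustration. The event fields it reads (`OperationName`, `Caller`, `EventTimestamp`, and the ARM request JSON in `Properties.requestbody`) follow the Activity Log schema, but the events themselves are constructed so the block runs offline; the three role definition IDs are the documented built-in IDs for Owner, Contributor and User Access Administrator.

```powershell
# Added example (not FSProtect code): the alert rules above applied to
# Microsoft.Authorization/roleAssignments/write events. Field names
# (OperationName, Caller, EventTimestamp, Properties.requestbody carrying the
# ARM request JSON) follow the Activity Log schema; the events, callers and
# change window below are constructed values for the example.

# Built-in role definition IDs of the roles the page lists as privileged.
$PrivilegedRoleIds = @{
    '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' = 'Owner'
    'b24988ac-6180-42a0-ab88-20f7382dd24c' = 'Contributor'
    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' = 'User Access Administrator'
}

# Assumed change-management window: Saturday 02:00-06:00 UTC.
function Test-InChangeWindow {
    param([Parameter(Mandatory)][datetime]$Time)
    $t = $Time.ToUniversalTime()
    return ($t.DayOfWeek -eq 'Saturday' -and $t.Hour -ge 2 -and $t.Hour -lt 6)
}

function Get-RoleAssignmentAlerts {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$BulkThreshold     = 3,
        [int]$BulkWindowMinutes = 10
    )
    $writes = @($Events | Where-Object { $_.OperationName -eq 'Microsoft.Authorization/roleAssignments/write' })
    $alerts = @()

    # Per-event rules: privileged role, service principal target, broad scope.
    foreach ($e in $writes) {
        $p       = ($e.Properties.requestbody | ConvertFrom-Json).Properties
        $roleId  = ($p.RoleDefinitionId -split '/')[-1].ToLowerInvariant()
        $reasons = @()
        if ($PrivilegedRoleIds.ContainsKey($roleId)) { $reasons += "privileged role: $($PrivilegedRoleIds[$roleId])" }
        if ($p.PrincipalType -eq 'ServicePrincipal') { $reasons += 'service principal target' }
        if ($p.Scope -match '^/subscriptions/[^/]+$' -or
            $p.Scope -match '^/providers/Microsoft\.Management/managementGroups/') { $reasons += 'broad scope' }
        if ($reasons.Count -gt 0) {
            $alerts += [pscustomobject]@{
                Time = $e.EventTimestamp; Caller = $e.Caller; Principal = $p.PrincipalId
                Scope = $p.Scope; Reasons = ($reasons -join '; ')
            }
        }
    }

    # Bulk rule: BulkThreshold or more writes by one caller within BulkWindowMinutes,
    # starting outside the change window.
    foreach ($g in ($writes | Group-Object Caller)) {
        $times = @($g.Group | ForEach-Object { [datetime]$_.EventTimestamp } | Sort-Object)
        for ($i = 0; $i + $BulkThreshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $BulkThreshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $BulkWindowMinutes -and -not (Test-InChangeWindow $times[$i])) {
                $alerts += [pscustomobject]@{
                    Time = $times[$i]; Caller = $g.Name; Principal = '*'; Scope = '*'
                    Reasons = "$BulkThreshold+ assignments in $BulkWindowMinutes min outside change window"
                }
                break
            }
        }
    }
    return $alerts
}

# Constructed events. RoleDefinitionId uses the subscription-scoped form ARM emits.
$sub = '/subscriptions/11111111-1111-1111-1111-111111111111'
function New-RoleWriteEvent {
    param([string]$Caller, [string]$Time, [string]$RoleId, [string]$PrincipalType, [string]$Scope)
    $body = @{ Properties = @{
        RoleDefinitionId = "$sub/providers/Microsoft.Authorization/roleDefinitions/$RoleId"
        PrincipalId      = [guid]::NewGuid().ToString()
        PrincipalType    = $PrincipalType
        Scope            = $Scope } }
    [pscustomobject]@{
        OperationName  = 'Microsoft.Authorization/roleAssignments/write'
        Caller         = $Caller
        EventTimestamp = ([datetime]$Time).ToUniversalTime()
        Properties     = [pscustomobject]@{ requestbody = ($body | ConvertTo-Json -Compress -Depth 5) }
    }
}
$reader = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'   # built-in Reader role ID
$events = @(
    # Routine: Reader on a resource group, to a user, on a Monday afternoon. No alert.
    New-RoleWriteEvent 'admin@contoso.com'    '2024-06-10T14:00:00Z' $reader 'User' "$sub/resourceGroups/rg-app"
    # Owner to a service principal at subscription scope: three rules fire.
    New-RoleWriteEvent 'admin@contoso.com'    '2024-06-10T14:02:00Z' '8e3af657-a8ff-443c-a75c-2fe8c4bcb635' 'ServicePrincipal' $sub
    # Three Reader grants inside the Saturday change window: no bulk alert.
    New-RoleWriteEvent 'pipeline@contoso.com' '2024-06-08T03:00:00Z' $reader 'User' "$sub/resourceGroups/rg-app"
    New-RoleWriteEvent 'pipeline@contoso.com' '2024-06-08T03:01:00Z' $reader 'User' "$sub/resourceGroups/rg-app"
    New-RoleWriteEvent 'pipeline@contoso.com' '2024-06-08T03:02:00Z' $reader 'User' "$sub/resourceGroups/rg-app"
    # Three Contributor grants by one caller at 22:00 on a Monday: bulk alert plus per-event alerts.
    New-RoleWriteEvent 'mallory@contoso.com'  '2024-06-10T22:00:00Z' 'b24988ac-6180-42a0-ab88-20f7382dd24c' 'User' "$sub/resourceGroups/rg-app"
    New-RoleWriteEvent 'mallory@contoso.com'  '2024-06-10T22:01:00Z' 'b24988ac-6180-42a0-ab88-20f7382dd24c' 'User' "$sub/resourceGroups/rg-app"
    New-RoleWriteEvent 'mallory@contoso.com'  '2024-06-10T22:03:00Z' 'b24988ac-6180-42a0-ab88-20f7382dd24c' 'User' "$sub/resourceGroups/rg-app"
)

Get-RoleAssignmentAlerts -Events $events | Sort-Object Time | Format-Table -AutoSize
```

On the constructed input the first event stays silent, the Owner grant to the service principal carries all three per-event reasons, the Saturday batch is suppressed by the change window, and the Monday-night Contributor batch produces three per-event alerts plus one bulk alert for the caller. Feeding real data means mapping whatever export you use (Activity Log JSON export, `Get-AzActivityLog`, or a SIEM table) onto the same four fields; the property paths in that mapping are the only part that depends on the export source.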

## References

* <https://learn.microsoft.com/en-us/azure/role-based-access-control/overview>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-portal>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/best-practices>
* <https://learn.microsoft.com/en-us/azure/role-based-access-control/pim-integration>

