Microsoft.Authorization/roleAssignments/delete

CSP: Azure

Tactics:

Impact

Techniques:

T1531

Tags:

Azure Authorization

Event

Deletes a role assignment, removing access for legitimate users and disrupting operations.

Security Context

• Deleting role assignments revokes access for legitimate users and service principals, disrupting operations and potentially locking out administrators during an active incident.
• Adversaries remove role assignments to deny defenders access to compromised resources, buying time to complete their objectives before remediation can begin.

Log Source

Azure Activity Log

Sample Event

MITRE ATT&CK Mapping

Tactics: Impact

Techniques:

• T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts.