Microsoft.Authorization/roleAssignments/delete
Azure
Microsoft.Authorization/roleAssignments/delete
Event
Deletes a role assignment, removing access for legitimate users and disrupting operations.
Security Context
- Deleting role assignments revokes access for legitimate users and service principals, disrupting operations and potentially locking out administrators during an active incident.
- Adversaries remove role assignments to deny defenders access to compromised resources, buying time to complete their objectives before remediation can begin.
Log Source
Azure Activity Log
Sample Event
Compromised user draco@fantasticlogs.cloud (User Access Administrator at root) deletes the role assignment that grants neville@fantasticlogs.cloud the Reader role on the production subscription. With Neville’s read access removed, the security team loses visibility into ongoing changes during the active incident — buying Draco time. Maps to T1531 (Account Access Removal).
{ "authorization": { "action": "Microsoft.Authorization/roleAssignments/delete", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" }, "correlationId": "90000000-0000-4000-8000-000001111100", "description": "", "eventDataId": "90000000-0000-4000-8000-000001111101", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T20:32:18.4172593Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100/events/90000000-0000-4000-8000-000001111101/ticks/638798205384172593", "level": "Informational", "operationId": "90000000-0000-4000-8000-000001111110", "operationName": { "value": "Microsoft.Authorization/roleAssignments/delete", "localizedValue": "Delete role assignment" }, "resourceGroupName": "", "resourceProviderName": { "value": "Microsoft.Authorization", "localizedValue": "Microsoft.Authorization" }, "resourceType": { "value": "Microsoft.Authorization/roleAssignments", "localizedValue": "Microsoft.Authorization/roleAssignments" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T20:32:18.9148229Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "responseBody": "{\"properties\":{\"roleDefinitionId\":\"/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7\",\"principalId\":\"30000000-0000-4000-8000-000000000100\",\"principalType\":\"User\",\"scope\":\"/subscriptions/20000000-0000-4000-8000-000000000001\",\"createdOn\":\"2025-09-12T08:14:03.0184217Z\",\"updatedOn\":\"2025-09-12T08:14:03.0184217Z\",\"createdBy\":\"30000000-0000-4000-8000-000000000001\",\"updatedBy\":\"30000000-0000-4000-8000-001010011010\"},\"id\":\"/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100\",\"type\":\"Microsoft.Authorization/roleAssignments\",\"name\":\"60000000-0000-4000-8000-000000000100\"}", "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100", "message": "Microsoft.Authorization/roleAssignments/delete", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": [], "httpRequest": { "clientRequestId": "90000000-0000-4000-8000-000001111111", "clientIpAddress": "203.0.113.66", "method": "DELETE", "url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100?api-version=2022-04-01" }, "identity": null}MITRE ATT&CK Mapping
Tactics: Impact
Techniques:
- T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts....