Skip to content

Microsoft.Authorization/roleAssignments/delete

Azure

Microsoft.Authorization/roleAssignments/delete

service: Azure - Authorization
tactics:
techniques:

Event

Deletes a role assignment, removing access for legitimate users and disrupting operations.

Security Context

  • Deleting role assignments revokes access for legitimate users and service principals, disrupting operations and potentially locking out administrators during an active incident.
  • Adversaries remove role assignments to deny defenders access to compromised resources, buying time to complete their objectives before remediation can begin.

Log Source

Azure Activity Log

Sample Event

Compromised user draco@fantasticlogs.cloud (User Access Administrator at root) deletes the role assignment that grants neville@fantasticlogs.cloud the Reader role on the production subscription. With Neville’s read access removed, the security team loses visibility into ongoing changes during the active incident — buying Draco time. Maps to T1531 (Account Access Removal).

{
"authorization": {
"action": "Microsoft.Authorization/roleAssignments/delete",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
},
"correlationId": "90000000-0000-4000-8000-000001111100",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000001111101",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T20:32:18.4172593Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100/events/90000000-0000-4000-8000-000001111101/ticks/638798205384172593",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000001111110",
"operationName": {
"value": "Microsoft.Authorization/roleAssignments/delete",
"localizedValue": "Delete role assignment"
},
"resourceGroupName": "",
"resourceProviderName": {
"value": "Microsoft.Authorization",
"localizedValue": "Microsoft.Authorization"
},
"resourceType": {
"value": "Microsoft.Authorization/roleAssignments",
"localizedValue": "Microsoft.Authorization/roleAssignments"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T20:32:18.9148229Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"responseBody": "{\"properties\":{\"roleDefinitionId\":\"/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7\",\"principalId\":\"30000000-0000-4000-8000-000000000100\",\"principalType\":\"User\",\"scope\":\"/subscriptions/20000000-0000-4000-8000-000000000001\",\"createdOn\":\"2025-09-12T08:14:03.0184217Z\",\"updatedOn\":\"2025-09-12T08:14:03.0184217Z\",\"createdBy\":\"30000000-0000-4000-8000-000000000001\",\"updatedBy\":\"30000000-0000-4000-8000-001010011010\"},\"id\":\"/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100\",\"type\":\"Microsoft.Authorization/roleAssignments\",\"name\":\"60000000-0000-4000-8000-000000000100\"}",
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100",
"message": "Microsoft.Authorization/roleAssignments/delete",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": [],
"httpRequest": {
"clientRequestId": "90000000-0000-4000-8000-000001111111",
"clientIpAddress": "203.0.113.66",
"method": "DELETE",
"url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000000000100?api-version=2022-04-01"
},
"identity": null
}

MITRE ATT&CK Mapping

Tactics: Impact

Techniques:
  • T1531 — Account Access Removal — Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts....