Skip to content

Microsoft.Authorization/roleAssignments/write

Azure

Microsoft.Authorization/roleAssignments/write

service: Azure - Authorization
techniques:

Event

Creates or updates an Azure RBAC role assignment, granting a principal specific permissions on a resource or scope.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.

Log Source

Azure Activity Log

Sample Event

Adversarial. Compromised user draco@fantasticlogs.cloud assigns the Owner role to the BoggartImpersonator service principal at the production subscription scope. Owner is the most powerful subscription-level role and grants full read/write/delete on every resource in the sub plus the ability to manage role assignments (i.e. self-perpetuating). This persists Draco’s access via the SP even if his user account is later disabled.

{
"authorization": {
"action": "Microsoft.Authorization/roleAssignments/write",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"aud": "https://management.core.windows.net/",
"iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/",
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814"
},
"correlationId": "90000000-0000-4000-8000-000010000000",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000010000001",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T20:48:42.5172938Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000/events/90000000-0000-4000-8000-000010000001/ticks/638798215225172938",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000010000010",
"operationName": {
"value": "Microsoft.Authorization/roleAssignments/write",
"localizedValue": "Create role assignment"
},
"resourceGroupName": "",
"resourceProviderName": {
"value": "Microsoft.Authorization",
"localizedValue": "Microsoft.Authorization"
},
"resourceType": {
"value": "Microsoft.Authorization/roleAssignments",
"localizedValue": "Microsoft.Authorization/roleAssignments"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "Created",
"localizedValue": "Created (HTTP Status Code: 201)"
},
"submissionTimestamp": "2026-04-15T20:48:43.0184272Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "Created",
"serviceRequestId": null,
"responseBody": "{\"properties\":{\"roleDefinitionId\":\"/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\",\"principalId\":\"40000000-0000-4000-8000-001010011011\",\"principalType\":\"ServicePrincipal\",\"scope\":\"/subscriptions/20000000-0000-4000-8000-000000000001\",\"createdOn\":\"2026-04-15T20:48:42.5172938Z\",\"updatedOn\":\"2026-04-15T20:48:42.5172938Z\",\"createdBy\":\"30000000-0000-4000-8000-001010011010\",\"updatedBy\":\"30000000-0000-4000-8000-001010011010\"},\"id\":\"/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000\",\"type\":\"Microsoft.Authorization/roleAssignments\",\"name\":\"60000000-0000-4000-8000-000010000000\"}",
"requestbody": "{\"properties\":{\"roleDefinitionId\":\"/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\",\"principalId\":\"40000000-0000-4000-8000-001010011011\",\"principalType\":\"ServicePrincipal\"}}",
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000",
"message": "Microsoft.Authorization/roleAssignments/write",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001"
},
"relatedEvents": [],
"httpRequest": {
"clientRequestId": "90000000-0000-4000-8000-000010000011",
"clientIpAddress": "203.0.113.66",
"method": "PUT",
"url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000?api-version=2022-04-01"
},
"identity": null
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...