Microsoft.Authorization/roleAssignments/write
Azure
Microsoft.Authorization/roleAssignments/write
Event
Creates or updates an Azure RBAC role assignment, granting a principal specific permissions on a resource or scope.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Azure Activity Log
Sample Event
Adversarial. Compromised user draco@fantasticlogs.cloud assigns the Owner role to the BoggartImpersonator service principal at the production subscription scope. Owner is the most powerful subscription-level role and grants full read/write/delete on every resource in the sub plus the ability to manage role assignments (i.e. self-perpetuating). This persists Draco’s access via the SP even if his user account is later disabled.
{ "authorization": { "action": "Microsoft.Authorization/roleAssignments/write", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/10000000-0000-4000-8000-000000000001/", "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814" }, "correlationId": "90000000-0000-4000-8000-000010000000", "description": "", "eventDataId": "90000000-0000-4000-8000-000010000001", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T20:48:42.5172938Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000/events/90000000-0000-4000-8000-000010000001/ticks/638798215225172938", "level": "Informational", "operationId": "90000000-0000-4000-8000-000010000010", "operationName": { "value": "Microsoft.Authorization/roleAssignments/write", "localizedValue": "Create role assignment" }, "resourceGroupName": "", "resourceProviderName": { "value": "Microsoft.Authorization", "localizedValue": "Microsoft.Authorization" }, "resourceType": { "value": "Microsoft.Authorization/roleAssignments", "localizedValue": "Microsoft.Authorization/roleAssignments" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "Created", "localizedValue": "Created (HTTP Status Code: 201)" }, "submissionTimestamp": "2026-04-15T20:48:43.0184272Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "Created", "serviceRequestId": null, "responseBody": "{\"properties\":{\"roleDefinitionId\":\"/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\",\"principalId\":\"40000000-0000-4000-8000-001010011011\",\"principalType\":\"ServicePrincipal\",\"scope\":\"/subscriptions/20000000-0000-4000-8000-000000000001\",\"createdOn\":\"2026-04-15T20:48:42.5172938Z\",\"updatedOn\":\"2026-04-15T20:48:42.5172938Z\",\"createdBy\":\"30000000-0000-4000-8000-001010011010\",\"updatedBy\":\"30000000-0000-4000-8000-001010011010\"},\"id\":\"/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000\",\"type\":\"Microsoft.Authorization/roleAssignments\",\"name\":\"60000000-0000-4000-8000-000010000000\"}", "requestbody": "{\"properties\":{\"roleDefinitionId\":\"/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635\",\"principalId\":\"40000000-0000-4000-8000-001010011011\",\"principalType\":\"ServicePrincipal\"}}", "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000", "message": "Microsoft.Authorization/roleAssignments/write", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001" }, "relatedEvents": [], "httpRequest": { "clientRequestId": "90000000-0000-4000-8000-000010000011", "clientIpAddress": "203.0.113.66", "method": "PUT", "url": "https://management.azure.com/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleAssignments/60000000-0000-4000-8000-000010000000?api-version=2022-04-01" }, "identity": null}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...