Skip to content

Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

Azure

Microsoft.ManagedIdentity/userAssignedIdentities/assign/action

service: Azure - Managed Identity
techniques:

Event

Assigns a user-assigned managed identity to an Azure resource, enabling it to authenticate to other Azure services.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
  • Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud assigns the existing user-assigned managed identity umi-graphorn-admin (which Hermione previously created and granted broad RBAC) to a VM Draco controls (vm-demiguise-infer-001). Once assigned, Draco can request tokens for that MI from inside the VM via IMDS and act with its permissions — a classic Azure privilege-escalation chain.

{
"authorization": {
"action": "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-graphorn-admin"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "miAssign205ExampleUti",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100001100",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100001101",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T18:23:55.4118062Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-graphorn-admin/events/90000000-0000-4000-8000-000100001101/ticks/638798247954118062",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100001110",
"operationName": {
"value": "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
"localizedValue": "RBAC action for assigning an existing user assigned identity to a resource"
},
"resourceGroupName": "rg-fantasticlogs-prod",
"resourceProviderName": {
"value": "Microsoft.ManagedIdentity",
"localizedValue": "Microsoft.ManagedIdentity"
},
"resourceType": {
"value": "Microsoft.ManagedIdentity/userAssignedIdentities",
"localizedValue": "Microsoft.ManagedIdentity/userAssignedIdentities"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-graphorn-admin",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T18:23:56.0091284Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-graphorn-admin",
"message": "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001",
"requestbody": "{\"properties\":{\"identity\":{\"type\":\"UserAssigned\",\"userAssignedIdentities\":{\"/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-graphorn-admin\":{}}}},\"targetResource\":\"/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001\"}"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...
  • T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...