Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Azure
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Event
Assigns a user-assigned managed identity to an Azure resource, enabling it to authenticate to other Azure services.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
Log Source
Azure Activity Log
Sample Event
Adversarial. draco@fantasticlogs.cloud assigns the existing user-assigned managed identity umi-graphorn-admin (which Hermione previously created and granted broad RBAC) to a VM Draco controls (vm-demiguise-infer-001). Once assigned, Draco can request tokens for that MI from inside the VM via IMDS and act with its permissions — a classic Azure privilege-escalation chain.
{ "authorization": { "action": "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-graphorn-admin" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "miAssign205ExampleUti", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100001100", "description": "", "eventDataId": "90000000-0000-4000-8000-000100001101", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T18:23:55.4118062Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-graphorn-admin/events/90000000-0000-4000-8000-000100001101/ticks/638798247954118062", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100001110", "operationName": { "value": "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "localizedValue": "RBAC action for assigning an existing user assigned identity to a resource" }, "resourceGroupName": "rg-fantasticlogs-prod", "resourceProviderName": { "value": "Microsoft.ManagedIdentity", "localizedValue": "Microsoft.ManagedIdentity" }, "resourceType": { "value": "Microsoft.ManagedIdentity/userAssignedIdentities", "localizedValue": "Microsoft.ManagedIdentity/userAssignedIdentities" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-graphorn-admin", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T18:23:56.0091284Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-graphorn-admin", "message": "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001", "requestbody": "{\"properties\":{\"identity\":{\"type\":\"UserAssigned\",\"userAssignedIdentities\":{\"/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-graphorn-admin\":{}}}},\"targetResource\":\"/subscriptions/20000000-0000-4000-8000-000000000001/resourceGroups/rg-fantasticlogs-prod/providers/Microsoft.Compute/virtualMachines/vm-demiguise-infer-001\"}" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...