Skip to content

Update Role Definition

Azure

Update Role Definition

service: Azure - Authorization
techniques:

Event

Modifies an existing custom Azure RBAC role definition, updating its allowed or denied actions.

Security Context

  • Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.

Log Source

Azure Activity Log

Sample Event

Adversarial. draco@fantasticlogs.cloud updates the existing custom role definition Demiguise-MLOps-Operator (which Newt previously created with narrow ML-pipeline permissions on a single resource group) to expand permissions[0].actions to ["*"] (wildcard, full control) and broaden assignableScopes to the entire production subscription. Anyone holding the role assignment now has subscription-wide owner-equivalent rights.

{
"authorization": {
"action": "Microsoft.Authorization/roleDefinitions/write",
"scope": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/50000000-0000-4000-8000-000011101110"
},
"caller": "draco@fantasticlogs.cloud",
"channels": "Operation",
"claims": {
"appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
"ipaddr": "203.0.113.66",
"name": "Draco Malfoy",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010",
"puid": "1003200000000666",
"http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud",
"http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814",
"uti": "rdUpd231ExampleUtid01",
"ver": "1.0"
},
"correlationId": "90000000-0000-4000-8000-000100100000",
"description": "",
"eventDataId": "90000000-0000-4000-8000-000100100001",
"eventName": {
"value": "EndRequest",
"localizedValue": "End request"
},
"category": {
"value": "Administrative",
"localizedValue": "Administrative"
},
"eventTimestamp": "2026-04-15T18:21:04.5128072Z",
"id": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/50000000-0000-4000-8000-000011101110/events/90000000-0000-4000-8000-000100100001/ticks/638798244645128072",
"level": "Informational",
"operationId": "90000000-0000-4000-8000-000100111100",
"operationName": {
"value": "Microsoft.Authorization/roleDefinitions/write",
"localizedValue": "Update role definition"
},
"resourceGroupName": "",
"resourceProviderName": {
"value": "Microsoft.Authorization",
"localizedValue": "Microsoft.Authorization"
},
"resourceType": {
"value": "Microsoft.Authorization/roleDefinitions",
"localizedValue": "Microsoft.Authorization/roleDefinitions"
},
"resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/50000000-0000-4000-8000-000011101110",
"status": {
"value": "Succeeded",
"localizedValue": "Succeeded"
},
"subStatus": {
"value": "OK",
"localizedValue": "OK (HTTP Status Code: 200)"
},
"submissionTimestamp": "2026-04-15T18:21:05.1288014Z",
"subscriptionId": "20000000-0000-4000-8000-000000000001",
"tenantId": "10000000-0000-4000-8000-000000000001",
"properties": {
"statusCode": "OK",
"serviceRequestId": null,
"eventCategory": "Administrative",
"entity": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/50000000-0000-4000-8000-000011101110",
"message": "Microsoft.Authorization/roleDefinitions/write",
"hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001",
"requestbody": "{\"name\":\"50000000-0000-4000-8000-000011101110\",\"properties\":{\"roleName\":\"Demiguise-MLOps-Operator\",\"description\":\"ML pipeline operator role\",\"assignableScopes\":[\"/subscriptions/20000000-0000-4000-8000-000000000001\"],\"permissions\":[{\"actions\":[\"*\"],\"notActions\":[],\"dataActions\":[],\"notDataActions\":[]}]}}"
},
"relatedEvents": []
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...