Update Role Definition
Azure
Update Role Definition
Event
Modifies an existing custom Azure RBAC role definition, updating its allowed or denied actions.
Security Context
- Account manipulation is a primary persistence technique, allowing adversaries to maintain access through modified permissions or credentials.
Log Source
Azure Activity Log
Sample Event
Adversarial. draco@fantasticlogs.cloud updates the existing custom role definition Demiguise-MLOps-Operator (which Newt previously created with narrow ML-pipeline permissions on a single resource group) to expand permissions[0].actions to ["*"] (wildcard, full control) and broaden assignableScopes to the entire production subscription. Anyone holding the role assignment now has subscription-wide owner-equivalent rights.
{ "authorization": { "action": "Microsoft.Authorization/roleDefinitions/write", "scope": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/50000000-0000-4000-8000-000011101110" }, "caller": "draco@fantasticlogs.cloud", "channels": "Operation", "claims": { "appid": "04b07795-8ddb-461a-bbee-02f9e1bf7b46", "ipaddr": "203.0.113.66", "name": "Draco Malfoy", "http://schemas.microsoft.com/identity/claims/objectidentifier": "30000000-0000-4000-8000-001010011010", "puid": "1003200000000666", "http://schemas.microsoft.com/identity/claims/tenantid": "10000000-0000-4000-8000-000000000001", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "draco@fantasticlogs.cloud", "http://schemas.microsoft.com/identity/claims/wids": "e8611ab8-c189-46e8-94e1-60213ab1f814", "uti": "rdUpd231ExampleUtid01", "ver": "1.0" }, "correlationId": "90000000-0000-4000-8000-000100100000", "description": "", "eventDataId": "90000000-0000-4000-8000-000100100001", "eventName": { "value": "EndRequest", "localizedValue": "End request" }, "category": { "value": "Administrative", "localizedValue": "Administrative" }, "eventTimestamp": "2026-04-15T18:21:04.5128072Z", "id": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/50000000-0000-4000-8000-000011101110/events/90000000-0000-4000-8000-000100100001/ticks/638798244645128072", "level": "Informational", "operationId": "90000000-0000-4000-8000-000100111100", "operationName": { "value": "Microsoft.Authorization/roleDefinitions/write", "localizedValue": "Update role definition" }, "resourceGroupName": "", "resourceProviderName": { "value": "Microsoft.Authorization", "localizedValue": "Microsoft.Authorization" }, "resourceType": { "value": "Microsoft.Authorization/roleDefinitions", "localizedValue": "Microsoft.Authorization/roleDefinitions" }, "resourceId": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/50000000-0000-4000-8000-000011101110", "status": { "value": "Succeeded", "localizedValue": "Succeeded" }, "subStatus": { "value": "OK", "localizedValue": "OK (HTTP Status Code: 200)" }, "submissionTimestamp": "2026-04-15T18:21:05.1288014Z", "subscriptionId": "20000000-0000-4000-8000-000000000001", "tenantId": "10000000-0000-4000-8000-000000000001", "properties": { "statusCode": "OK", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/20000000-0000-4000-8000-000000000001/providers/Microsoft.Authorization/roleDefinitions/50000000-0000-4000-8000-000011101110", "message": "Microsoft.Authorization/roleDefinitions/write", "hierarchy": "10000000-0000-4000-8000-000000000001/20000000-0000-4000-8000-000000000001", "requestbody": "{\"name\":\"50000000-0000-4000-8000-000011101110\",\"properties\":{\"roleName\":\"Demiguise-MLOps-Operator\",\"description\":\"ML pipeline operator role\",\"assignableScopes\":[\"/subscriptions/20000000-0000-4000-8000-000000000001\"],\"permissions\":[{\"actions\":[\"*\"],\"notActions\":[],\"dataActions\":[],\"notDataActions\":[]}]}}" }, "relatedEvents": []}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...