RBAC Privilege Escalation

Description

Misconfigured custom roles or role assignments allow users to grant themselves or others higher privileges. Patterns include custom roles that grant Microsoft.Authorization/roleAssignments/write or Microsoft.Authorization/roleDefinitions/write, users holding User Access Administrator at broad scopes (management group or subscription), and the ability to assign privileged Managed Identities to resources a user controls. Combining Contributor with User Access Administrator on the same scope is effectively Owner: one role manages the resources, the other rewrites who has access to them.

Examples

Detect Escalation Permissions

az role definition list --query "[?permissions[?actions && contains(join('', actions), 'Microsoft.Authorization/roleAssignments/write')]]"
az role assignment list --assignee <objId> --all -o table
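
The JMESPath query above matches the literal action string, so it reports custom roles that spell out roleAssignments/write but not roles that obtain it through a wildcard such as Microsoft.Authorization/* or *. The script below is an added example, not part of the original page: it applies Azure RBAC wildcard semantics (actions minus notActions, case-insensitive, * spanning any characters) to role definitions in the shape returned by az role definition list, then unions each principal's assignments to surface the Contributor + User Access Administrator combined path. The role and assignment data is constructed and simplified; the RESOURCE_PROBE_ACTION used to mean "can manage resources" is an assumption of this example.

```python
"""Flag Azure RBAC role definitions and assignments that form privilege-escalation paths.

Added example, not from the original page. Input shapes mirror the fields of
`az role definition list -o json` and `az role assignment list --all -o json` used here;
the sample data is constructed and simplified, not taken from a real tenant.
"""
import re
from collections import defaultdict

# Control-plane actions that let a principal change who holds which role.
ESCALATION_ACTIONS = (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
)
# Probe action standing in for "can manage resources" (Contributor-like); an assumption of this example.
RESOURCE_PROBE_ACTION = "Microsoft.Compute/virtualMachines/write"


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, including '/'; names are case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, action.lower()) is not None


def role_permits(role: dict, action: str) -> bool:
    """True if the role effectively grants `action`: matched by actions and not excluded by notActions.
    Pattern matching also catches wildcard grants such as 'Microsoft.Authorization/*' or '*',
    which a literal substring search for the action name would miss."""
    for perm in role.get("permissions", []):
        allowed = any(action_matches(p, action) for p in perm.get("actions", []))
        denied = any(action_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not denied:
            return True
    return False


def escalation_capable_roles(roles: list) -> dict:
    """Map role name -> escalation actions it effectively grants; roles granting none are omitted."""
    result = {}
    for role in roles:
        granted = [a for a in ESCALATION_ACTIONS if role_permits(role, a)]
        if granted:
            result[role["roleName"]] = granted
    return result


def combined_escalation_paths(roles: list, assignments: list) -> dict:
    """Per principal, union all assigned roles and report whether the union can both rewrite role
    assignments and manage resources (the Contributor + User Access Administrator = Owner pattern).
    Scope inheritance is not resolved: assignments are unioned regardless of scope, so review the scopes."""
    by_name = {r["roleName"]: r for r in roles}
    per_principal = defaultdict(list)
    for a in assignments:
        per_principal[a["principalId"]].append(a)
    findings = {}
    for principal, assigned in per_principal.items():
        held = [by_name[a["roleDefinitionName"]] for a in assigned if a["roleDefinitionName"] in by_name]
        if any(role_permits(r, ESCALATION_ACTIONS[0]) for r in held):
            findings[principal] = {
                "roles": sorted(r["roleName"] for r in held),
                "scopes": sorted({a["scope"] for a in assigned}),
                "effective_owner": any(role_permits(r, RESOURCE_PROBE_ACTION) for r in held),
            }
    return findings


# Constructed sample data: built-in roles reduced to the permissions that matter here,
# plus one custom role that bundles resource management with role-assignment write.
ROLES = [
    {"roleName": "Owner", "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Contributor", "permissions": [{"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]}]},
    {"roleName": "User Access Administrator", "permissions": [{"actions": [
        "*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"], "notActions": []}]},
    {"roleName": "Reader", "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Custom Ops Role", "permissions": [{"actions": [
        "Microsoft.Compute/*", "Microsoft.Authorization/roleAssignments/write"], "notActions": []}]},
]
ASSIGNMENTS = [  # principalIds are placeholders
    {"principalId": "user-a", "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-1"},
    {"principalId": "user-a", "roleDefinitionName": "User Access Administrator", "scope": "/subscriptions/sub-1"},
    {"principalId": "user-b", "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-1"},
    {"principalId": "sp-c", "roleDefinitionName": "Custom Ops Role", "scope": "/subscriptions/sub-1/resourceGroups/rg-app"},
]

if __name__ == "__main__":
    for name, actions in escalation_capable_roles(ROLES).items():
        print(f"role {name!r} grants {actions}")
    for principal, finding in combined_escalation_paths(ROLES, ASSIGNMENTS).items():
        print(f"principal {principal}: {finding}")
```

On the sample data, Contributor is correctly not flagged (its notActions exclude Microsoft.Authorization/*/Write), while User Access Administrator and the custom role are, and user-a is reported as an effective Owner through the combined path. To run it against a tenant, feed the JSON output of the two az commands above into ROLES and ASSIGNMENTS; note that dataActions and scope inheritance are deliberately left out of this example.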

Attempt Assignment

az role assignment create --assignee <objId> --role 'Owner' --scope <scope>

If the assignment succeeds without the controls that were intended to gate it (PIM activation, approval workflow, scope restriction), the escalation path exists.

Remediation

  1. Remove roleAssignments/write from custom roles unless essential.
  2. Limit assignment rights to privileged identities; require PIM activation and approval workflows; avoid granting User Access Administrator at subscription or management-group scope.
  3. Monitor and prevent
    • Alert on role definition/assignment changes; enforce least privilege via Azure Policy; review assignments for combined permission paths.
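
The following is an added example, not from the original page, of the alerting logic in the last item: it triages role-definition and role-assignment writes from Azure Activity Log, raising severity when a caller assigns a role to themselves or when Owner or User Access Administrator is granted at management-group or subscription scope. The event records are constructed and flattened; real Activity Log entries carry the caller, operationName and status fields used here, but the assigned principal and role sit inside properties.requestbody and would need to be extracted first.

```python
"""Triage role-assignment and role-definition writes from Azure Activity Log.

Added example, not from the original page. The records below are constructed and simplified;
in real events the assigned principalId and roleDefinitionName must first be parsed out of
properties.requestbody.
"""
import re
from typing import Optional

PRIVILEGED_ROLES = {"Owner", "User Access Administrator"}


def is_broad_scope(scope: str) -> bool:
    """Management-group or whole-subscription scope, where an assignment reaches everything beneath it."""
    return (scope.startswith("/providers/Microsoft.Management/managementGroups/")
            or re.fullmatch(r"/subscriptions/[^/]+", scope) is not None)


def triage(event: dict) -> Optional[dict]:
    """Return a finding for a successful authorization write, or None for anything else.
    Severity: self-grant or privileged role at broad scope -> high; role definition write -> medium;
    other assignment writes -> low (kept so reviewers can see combined permission paths forming)."""
    op = event.get("operationName", "")
    if not op.startswith("Microsoft.Authorization/role") or event.get("status") != "Succeeded":
        return None
    finding = {"caller": event["caller"], "operation": op, "scope": event["scope"], "reasons": []}
    if op == "Microsoft.Authorization/roleDefinitions/write":
        finding["severity"] = "medium"
        finding["reasons"].append("custom role definition created or changed")
        return finding
    if op != "Microsoft.Authorization/roleAssignments/write":
        return None
    if event.get("principalId") == event["caller"]:
        finding["reasons"].append("caller assigned a role to themselves")
    if event.get("roleDefinitionName") in PRIVILEGED_ROLES and is_broad_scope(event["scope"]):
        finding["reasons"].append(f"{event['roleDefinitionName']} granted at broad scope")
    finding["severity"] = "high" if finding["reasons"] else "low"
    return finding


def triage_all(events: list) -> list:
    """Findings for every event that warrants one, in input order."""
    return [f for f in (triage(e) for e in events) if f is not None]


# Constructed sample events; object ids and subscription names are placeholders.
EVENTS = [
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded",
     "caller": "obj-1111", "principalId": "obj-1111", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/sub-1"},
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded",
     "caller": "obj-2222", "principalId": "obj-3333", "roleDefinitionName": "Reader",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-app"},
    {"operationName": "Microsoft.Authorization/roleDefinitions/write", "status": "Succeeded",
     "caller": "obj-2222", "scope": "/subscriptions/sub-1"},
    {"operationName": "Microsoft.Compute/virtualMachines/start/action", "status": "Succeeded",
     "caller": "obj-4444",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-1"},
]

if __name__ == "__main__":
    for finding in triage_all(EVENTS):
        print(finding["severity"], finding["caller"], finding["operation"], finding["reasons"])
```

The same rules translate directly into a scheduled query on the Activity Log table in Log Analytics; the "low" findings are worth keeping because a Contributor assignment followed later by a User Access Administrator assignment to the same principal is the combined path the review step is meant to catch.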