Azure deny assignments
A deny assignment is an Azure RBAC object that blocks a set of principals from performing a set of actions (and data actions) at a scope. It is evaluated alongside role assignments and wins: if a deny assignment matches the principal, the action and the scope (including child scopes, unless doNotApplyToChildScopes is set), the request is refused even when a role assignment would otherwise allow it. Users cannot create deny assignments directly; Azure creates and manages them on behalf of services such as Azure Blueprints (resource locks) and Azure Managed Applications. They can be listed at a scope with the denyAssignments REST API or Get-AzDenyAssignment in Azure PowerShell, and they appear under the Deny assignments tab of Access control (IAM) in the portal.
Because a deny assignment overrides every Allow, it is an access-control control in its own right: removing one changes what every principal it covered can do on every resource beneath its scope, not just on a single resource.
Microsoft.Authorization/denyAssignments/delete
Deleting a deny assignment removes an explicit-deny rule that was overriding Allow grants. Any role assignments the attacker already holds on that scope immediately become effective for the previously denied actions, so the deletion is a privilege escalation without any new role being granted. Two properties of the target deny assignment matter when assessing exposure: excludePrincipals, which names the identities the deny never applied to in the first place, and isSystemProtected, which Azure sets on deny assignments it manages to mark them as not editable or deletable by users.
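As an added illustration (not P0 Security's code, and not Microsoft's evaluation engine), the model below applies the semantics described above: a role assignment must grant the action, and a matching deny assignment then wins over it. The principal ids, scopes, the Owner and Contributor definitions (Contributor's NotActions abridged) and the read-only-lock deny assignment are all constructed; the last call simulates the effect of a successful denyAssignments/delete.

```python
"""Model of Azure RBAC evaluation with deny assignments. Added example, not code
from P0 Security or Microsoft. Field names follow the Azure REST objects for
roleAssignments and denyAssignments; every GUID, scope and assignment is
constructed for the illustration."""
import re

# Principal id Azure uses to mean "Everyone" in a deny assignment's principals list.
EVERYONE = "00000000-0000-0000-0000-000000000000"

def action_matches(pattern, action):
    """Azure permission strings are case-insensitive; '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def scope_covers(assignment_scope, resource_scope, apply_to_children=True):
    """An assignment covers its own scope and, unless told otherwise, every child scope."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower().rstrip("/")
    return a == r or (apply_to_children and r.startswith(a + "/"))

def permits(perms, action):
    """A permission block covers an action if an actions entry matches and no notActions entry does."""
    hit = any(action_matches(p, action) for p in perms.get("actions", []))
    return hit and not any(action_matches(p, action) for p in perms.get("notActions", []))

def allowed_by_roles(principal, action, scope, role_assignments, role_definitions):
    return any(ra["principalId"] == principal and scope_covers(ra["scope"], scope)
               and permits(role_definitions[ra["roleDefinitionId"]], action)
               for ra in role_assignments)

def blocking_deny(principal, action, scope, deny_assignments):
    """Name of the first deny assignment that blocks the request, or None."""
    for da in deny_assignments:
        p = da["properties"]
        children = not p.get("doNotApplyToChildScopes", False)
        if not scope_covers(p["scope"], scope, apply_to_children=children):
            continue
        targets = {x["id"] for x in p["principals"]}
        excluded = {x["id"] for x in p.get("excludePrincipals", [])}
        if (principal in targets or EVERYONE in targets) and principal not in excluded:
            if any(permits(perm, action) for perm in p["permissions"]):
                return da["name"]
    return None

def evaluate(principal, action, scope, role_assignments, role_definitions, deny_assignments):
    """Azure's documented order: a role assignment must allow, then any matching deny wins."""
    if not allowed_by_roles(principal, action, scope, role_assignments, role_definitions):
        return "Denied: no role assignment grants the action"
    name = blocking_deny(principal, action, scope, deny_assignments)
    return f"Denied: deny assignment {name}" if name else "Allowed"

# Constructed sample: an Owner, a Contributor, and the service principal that a
# Blueprints-style read-only lock excludes. All GUIDs are placeholders.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/prod-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm01"
OWNER_USER = "aaaaaaaa-0000-0000-0000-000000000001"
CONTRIB_USER = "aaaaaaaa-0000-0000-0000-000000000002"
BLUEPRINT_SP = "bbbbbbbb-0000-0000-0000-000000000001"
ROLE_DEFINITIONS = {
    "owner": {"actions": ["*"], "notActions": []},
    # Contributor's NotActions, abridged: no writes or deletes on Microsoft.Authorization objects.
    "contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
}
ROLE_ASSIGNMENTS = [
    {"principalId": OWNER_USER, "roleDefinitionId": "owner", "scope": SUB},
    {"principalId": CONTRIB_USER, "roleDefinitionId": "contributor", "scope": SUB},
    {"principalId": BLUEPRINT_SP, "roleDefinitionId": "owner", "scope": SUB},
]
DENY_NAME = "22222222-2222-2222-2222-222222222222"
DENY_ASSIGNMENTS = [{"name": DENY_NAME, "properties": {
    "denyAssignmentName": "Read-only lock on prod-rg (constructed)",
    "permissions": [{"actions": ["*"], "notActions": ["*/read"], "dataActions": [], "notDataActions": []}],
    "scope": RG, "doNotApplyToChildScopes": False,
    "principals": [{"id": EVERYONE, "type": "Everyone"}],
    "excludePrincipals": [{"id": BLUEPRINT_SP, "type": "ServicePrincipal"}],
    "isSystemProtected": True,   # Azure sets this on deny assignments it manages
}}]
DENY_RESOURCE_ID = RG + "/providers/Microsoft.Authorization/denyAssignments/" + DENY_NAME

def check(principal, action, scope, denies=DENY_ASSIGNMENTS):
    return evaluate(principal, action, scope, ROLE_ASSIGNMENTS, ROLE_DEFINITIONS, denies)

def after_delete(denies, name):
    """Simulate a successful Microsoft.Authorization/denyAssignments/delete of one deny assignment."""
    return [d for d in denies if d["name"] != name]

if __name__ == "__main__":
    vm_delete = "Microsoft.Compute/virtualMachines/delete"
    da_delete = "Microsoft.Authorization/denyAssignments/delete"
    print(check(OWNER_USER, vm_delete, VM))                      # Denied: deny assignment <DENY_NAME>
    print(check(OWNER_USER, "Microsoft.Compute/virtualMachines/read", VM))  # Allowed, */read is a notAction
    print(check(BLUEPRINT_SP, vm_delete, VM))                    # Allowed, excluded principal
    print(check(CONTRIB_USER, da_delete, DENY_RESOURCE_ID))      # Denied by Contributor's NotActions
    print(check(OWNER_USER, da_delete, DENY_RESOURCE_ID))        # Denied: the lock covers its own resource id
    print(check(OWNER_USER, vm_delete, VM, after_delete(DENY_ASSIGNMENTS, DENY_NAME)))  # Allowed
```

Three details in the run are worth noticing. The `*/read` entry in the deny's notActions is why reads still succeed under a read-only lock. The Contributor is stopped by its own role's NotActions before the deny is consulted, which is why the privilege on this page is one that Owner-level roles hold and Contributor does not. And in this model the Owner cannot delete the lock either, because the deny's scope covers the deny assignment's own resource id; Azure additionally marks such assignments isSystemProtected. Only once the delete has succeeded (the final call) does the VM delete flip from Denied to Allowed, with no change to any role assignment.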
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security