Azure deny assignments

A deny assignment is an RBAC primitive that explicitly blocks specified principals from performing specified actions at a scope, overriding any Allow role assignments. Deny assignments are created and managed by Azure itself (for example through Azure Blueprints or managed applications) rather than directly by users, and they form part of the tenant's access-control fabric.

Deny assignments override role grants and are a tenant-level access-control mechanism; creating or removing them reshapes who can do what across a scope.

Microsoft.Authorization/denyAssignments/delete

Deleting a deny assignment removes an explicit-deny rule that was overriding Allow grants and blocking actions; lifting it unblocks the attacker's otherwise-denied actions at that scope, effectively escalating their access.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Authorization
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog