Azure deny assignments

A deny assignment is an RBAC primitive that explicitly blocks specified principals from performing specified actions at a scope, overriding any Allow role assignment. Deny assignments are created by Azure services (for example Blueprints or managed applications) and form part of the access-control fabric.

Because deny assignments override role grants, they are a tenant-level access control in their own right; creating or removing them reshapes who can do what across a scope.

Permission: Microsoft.Authorization/denyAssignments/write

Creating a deny assignment blocks the targeted principals' otherwise-authorized actions even if they hold Owner, which lets an attacker lock out legitimate administrators and defenders while exempting their own principals in order to entrench access.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Authorization
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

© 2023–present P0 Security and contributors to the IAM Privilege Catalog