Azure deny assignments
A deny assignment is an Azure RBAC primitive that explicitly blocks the listed principals from performing the listed actions at a scope and, unless the assignment sets doNotApplyToChildScopes, at every scope beneath it, regardless of what any role assignment allows. Deny assignments are created and managed by Azure on behalf of services such as Azure Blueprints, Azure managed applications and deployment stacks; users cannot create them directly through the portal or REST API, so this operation normally surfaces only in service identities and in broad built-in roles (Owner and User Access Administrator hold it through their wildcard actions).
Deny assignments override role assignments and sit at the same layer of the access-control model; creating or removing one reshapes who can act on everything under a scope, and because every deny assignment is system-protected it cannot simply be edited or deleted by an administrator who notices it, only removed through the service that owns it (for example by unassigning the blueprint).
Microsoft.Authorization/denyAssignments/write
A deny assignment blocks the targeted principals' actions even when they hold Owner. Its principal list can name the system-defined "all principals" identity, and its excludePrincipals list carves out exemptions, so an attacker who can write one can lock legitimate administrators and defenders out of a scope while exempting their own identity, entrenching access in a way an Owner cannot undo by deleting the assignment. Note that role assignment listings (az role assignment list) do not show deny assignments; review them with Get-AzDenyAssignment in Az PowerShell or the Microsoft.Authorization/denyAssignments REST resource, and alert on this operation name in the Activity Log.
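The evaluation described above (a deny assignment removes access an Owner role assignment would otherwise grant, honouring excludePrincipals and doNotApplyToChildScopes) together with an audit for the "deny everyone except me" shape, as an added example that is not P0 Security's or Microsoft's code. The assignment field names follow the public DenyAssignment and RoleAssignment properties; every identity, id and scope in the sample data is constructed, and the wildcard matching is a simplification of Azure's action matching that is sufficient for these patterns.

```python
# Added example (not P0 Security's code): a small evaluator showing how a deny
# assignment overrides an Owner role assignment, plus an audit that flags deny
# assignments aimed at all principals with carved-out exemptions. Assignment
# fields mirror the public DenyAssignment/RoleAssignment properties; all
# identities, ids and scopes below are constructed sample data.
from fnmatch import fnmatchcase

# System-defined "all principals" id used when a deny assignment targets everyone.
ALL_PRINCIPALS = "00000000-0000-0000-0000-000000000000"

SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"  # constructed
PROD_RG = SUB + "/resourceGroups/prod"
DEV_RG = SUB + "/resourceGroups/dev"
PROD_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/vm1"

# Constructed: both the legitimate admin and the attacker's service principal are Owner.
ROLE_ASSIGNMENTS = [
    {"principalId": "admin-1", "scope": SUB, "permissions": {"actions": ["*"], "notActions": []}},
    {"principalId": "attacker-sp", "scope": SUB, "permissions": {"actions": ["*"], "notActions": []}},
]

# Constructed: a deny assignment on the prod resource group that targets everyone,
# exempts only the attacker, and blocks all write and delete operations; and a
# narrower one that targets a single user and stops at its own scope.
DENY_ASSIGNMENTS = [
    {
        "id": "deny-prod-lock",
        "scope": PROD_RG,
        "principals": [{"id": ALL_PRINCIPALS, "type": "SystemDefined"}],
        "excludePrincipals": [{"id": "attacker-sp", "type": "ServicePrincipal"}],
        "permissions": {"actions": ["*/write", "*/delete"], "notActions": []},
        "doNotApplyToChildScopes": False,
    },
    {
        "id": "deny-dev-rg-only",
        "scope": DEV_RG,
        "principals": [{"id": "admin-1", "type": "User"}],
        "excludePrincipals": [],
        "permissions": {"actions": ["*/delete"], "notActions": []},
        "doNotApplyToChildScopes": True,
    },
]


def scope_covers(assignment_scope, target_scope, include_children=True):
    """True if target_scope is assignment_scope itself or (optionally) a descendant of it."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return a == t or (include_children and t.startswith(a + "/"))


def permits(permissions, action):
    """RBAC wildcard match: an Actions pattern must match and no NotActions pattern may."""
    act = action.lower()

    def hit(patterns):
        return any(fnmatchcase(act, p.lower()) for p in patterns)

    return hit(permissions.get("actions", [])) and not hit(permissions.get("notActions", []))


def is_allowed(role_assignments, principal, action, scope):
    """Some role assignment for this principal covers the scope and grants the action."""
    return any(
        ra["principalId"] == principal
        and scope_covers(ra["scope"], scope)
        and permits(ra["permissions"], action)
        for ra in role_assignments
    )


def is_denied(deny_assignments, principal, action, scope):
    """Some deny assignment targets the principal (directly or via all principals),
    does not exempt it, covers the scope, and matches the action."""
    for da in deny_assignments:
        targeted = any(p["id"] in (principal, ALL_PRINCIPALS) for p in da["principals"])
        excluded = any(p["id"] == principal for p in da.get("excludePrincipals", []))
        if not targeted or excluded:
            continue
        children = not da.get("doNotApplyToChildScopes", False)
        if scope_covers(da["scope"], scope, children) and permits(da["permissions"], action):
            return True
    return False


def effective_access(role_assignments, deny_assignments, principal, action, scope):
    """Azure grants an action only if a role assignment allows it and no deny assignment blocks it."""
    return is_allowed(role_assignments, principal, action, scope) and not is_denied(
        deny_assignments, principal, action, scope
    )


def lockout_risks(deny_assignments):
    """Flag deny assignments aimed at all principals that carve out exemptions: the entrenchment shape."""
    return [
        {"id": da["id"], "scope": da["scope"], "exempt": [p["id"] for p in da["excludePrincipals"]]}
        for da in deny_assignments
        if any(p["id"] == ALL_PRINCIPALS for p in da["principals"]) and da.get("excludePrincipals")
    ]


if __name__ == "__main__":
    vm_write = "Microsoft.Compute/virtualMachines/write"
    for who in ("admin-1", "attacker-sp"):
        print(who, vm_write, effective_access(ROLE_ASSIGNMENTS, DENY_ASSIGNMENTS, who, vm_write, PROD_VM))
    for risk in lockout_risks(DENY_ASSIGNMENTS):
        print("lockout risk:", risk)
```

Run as-is, the script shows admin-1 (an Owner) denied a VM write in prod while attacker-sp, also Owner but exempted, keeps it, and reports deny-prod-lock as a lockout risk. Pointing lockout_risks at the JSON returned by the denyAssignments REST resource for a real subscription gives a quick check for the entrenchment pattern; any hit that is not explained by a known blueprint or managed application deserves an immediate look at who triggered the owning service.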
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data across a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Links
Contributed by P0 Security