An RBAC role assignment binds a principal (user, group, service principal, or managed identity) to a role definition at a given scope, granting that principal the role's permissions.
Role assignments are the core access-control bindings of Azure; the asset is tenant/subscription-wide identity and access-control data.
Microsoft.Authorization/roleAssignments/write
Creating a role assignment lets an attacker grant any role (including Owner) to themselves or to a principal or managed identity they control. This is the headline RBAC privilege-escalation and lateral-movement primitive, and it establishes durable access.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Contributed by P0 Security