Azure SQL Database import/export extension
The database extensions endpoint that drives import/export (BACPAC) operations against an Azure SQL Database, moving the full contents of a production database in or out.
Touches the entire data plane of a production database via bulk import/export.
Microsoft.Sql/servers/databases/extensions/write
A write triggers a BACPAC export of the full database to attacker-controlled storage (exfiltration) or an import that overwrites/loads database contents (manipulation).
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog