An Azure Storage account is a primary production data store holding blobs, files, queues, and tables, with control-plane configuration for networking, encryption, access keys, and custom domains.
Storage accounts back a single organizational function's data; their access keys and SAS tokens are full-control data-plane credentials, making key/SAS-returning operations effectively account-takeover primitives.
Microsoft.Storage/storageAccounts/write
Creates or updates the account. Because this write covers the account's control-plane configuration, a holder of the permission can weaken network firewall/ACL and encryption settings, enable public or shared-key access, and add a custom domain to hijack traffic for that hostname.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security