services / Azure / Subscription ownership acceptance

An action that completes an ownership/billing transfer of an entire Azure subscription, making the accepting principal the subscription owner.

Subscription-wide control affecting all contained resources and identities; tenant-scope sensitivity.


Microsoft.Subscription/subscriptions/acceptOwnership/action

Accepting ownership grants the attacker owner-level control over an entire subscription (escalation:privilege), lateral access to all its resources and identities (escalation:lateral), and shifts billing responsibility, enabling attacker-incurred spend (impact:spend).

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Subscription
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog