AZUserAccessAdministrator

This article applies to BHCE and BHE

The User Access Admin role can edit roles against many other objects.

Abuse Info

This role can be used to grant yourself or another principal any privilege you want against Automation Accounts, VMs, Key Vaults, and Resource Groups. For example, you can make yourself an administrator of an Azure Subscription by assigning the Owner role at the Subscription scope.

The simplest way to execute this attack is to use the Azure portal to add a new, abusable role assignment against the target object for yourself.

If this role is assigned to a Service Principal, you won't be able to authenticate directly to the Azure portal. In this case:

You'll need to acquire a bearer token for the service principal with AzureRM as the audience. This can be done using BARK's Get-AzureRMTokenWithClientCredentials cmdlet.

Using that token, you can make a call to the AzureRM API to create a new role assignment on the target object, such as assigning yourself the Owner role. This can be done using BARK's New-AzureRMRoleAssignment cmdlet.

Opsec Considerations

Azure will log any role activation event for any object type.

Updated