Introduction
In Azure, role-based access control (RBAC) is central to managing resource-level security. Roles like "Owner", "Contributor", and "Reader" are designed to simplify permission delegation and help enforce least privilege. But assumptions about these roles, particularly Contributor, can introduce critical blind spots.
Most organizations view the Contributor role as "safe enough" because it lacks permissions to assign roles or manage RBAC. But in practice, a user with Contributor access to a subscription or resource group can escalate privileges and even grant themselves Owner-level access through resource abuse and identity manipulation.
This blog dissects how Contributor can equal Owner, explores real-world escalation scenarios, and presents actionable mitigation and investigation strategies.
Why This Happens: Role Composition in Azure
Azure RBAC roles are composed of granular permissions (actions, not logic). While Owner includes Microsoft.Authorization/*, which allows role assignments, Contributor includes everything except RBAC management.
However, many Azure resources (Function Apps, Automation Accounts, VMs) can have a managed identity attached to them and then run automation under that identity. If an attacker can attach a privileged Managed Identity to a resource they control, the resource's code executes in the identity's context, bypassing the limits of the attacker's own RBAC role.
In effect, Contributor becomes a launchpad for privilege escalation.
Practical Example: Contributor -> Function App -> Privileged Code Execution
Scenario:
A user has Contributor rights on a resource group. An attacker deploys a Function App and binds it to an existing User-Assigned Managed Identity (UAMI) that holds Owner permissions.
Steps:
1. Create a Function App
az functionapp create \
--resource-group attack-rg \
--consumption-plan-location eastus \
--name attacker-func \
--storage-account mystorageacct \
--runtime python
2. Assign an Existing UAMI with Owner Rights
az functionapp identity assign \
--resource-group attack-rg \
--name attacker-func \
--identities <uami-resource-id>
3. Upload Function Code That Grants RBAC Access
Python code uses azure.identity to get a token and assigns the Owner role to the attacker’s user account.
4. Trigger the Function
Via browser or curl:
curl https://attacker-func.azurewebsites.net/api/HttpTrigger1
Result:
The attacker, previously limited by Contributor rights, now has full Owner access.
Detection Challenges
Detecting this form of privilege escalation is difficult because the attacker operates within allowed API boundaries. There are no explicit "escalation" logs, only valid deployments, identity assignments, and executions. Moreover, actions taken via a managed identity don't always tie back clearly to the original user, making correlation between resource creator and executor non-trivial in audit trails.
- RBAC logs only show role assignment events, not identity usage context.
- Cloud-native privilege escalation often occurs within valid API calls: deploying resources, assigning identities, invoking functions.
- You won't see "escalation" as a discrete action, only the result.
Mitigation Techniques
Preventing Contributor-to-Owner escalation requires enforcing least privilege with a deeper understanding of how permissions interact across identity, deployment, and execution layers. By controlling access to identity assignment actions, isolating high-privilege identities, and scoping Contributor permissions narrowly, organizations can close this escalation path before it is exploited.
- Audit UAMI Assignments
  - Restrict who can assign managed identities (Microsoft.ManagedIdentity/*, Microsoft.Web/sites/assignUserAssignedIdentities).
- Use Conditional Access Policies
  - Limit token issuance based on trusted locations or device compliance.
- Avoid Assigning Contributor at Broad Scope
  - Use resource-scoped roles or custom roles with minimal action sets.
- Isolate High-Privilege Managed Identities
  - Don't reuse Owner-level UAMIs across environments. Assign tightly scoped roles.
- Monitor Deployment API Activity
  - Look for services being created and immediately invoking privileged actions.
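The first two mitigations above come down to one question: does a given role let its holder attach an existing user-assigned identity to a resource? The following is an added example, not code from the original post or from Cyngular; it implements Azure's control-plane Actions/NotActions wildcard matching, applies it to an abbreviated copy of the built-in Contributor definition, and shows a hardened custom role (hypothetical name "App Deployer") that keeps deployment rights but excludes `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, the RBAC action Azure checks when a UAMI is attached to a resource. The Contributor exclusion list is abbreviated; the current authoritative list comes from `az role definition list --name Contributor`.

```python
import json
import re

# Azure RBAC action matching: '*' in an Actions/NotActions entry matches any run of
# characters (including '/'), and the comparison is case-insensitive.
def _matches(pattern: str, action: str) -> bool:
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def allows(role: dict, action: str) -> bool:
    """Control-plane check only: an action is permitted when it matches at least one
    Actions entry and no NotActions entry. Deny assignments, ABAC conditions and
    DataActions are out of scope for this illustration."""
    permitted = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return permitted and not excluded


# The RBAC action evaluated when a user-assigned identity is attached to a resource.
UAMI_ASSIGN = "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"

# Built-in Contributor, abbreviated: everything ('*') minus RBAC, blueprint-assignment
# and gallery-share exclusions. Fetch the current list with `az role definition list`.
CONTRIBUTOR = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
    ],
}

# Hardened alternative (hypothetical): Contributor's exclusions plus a block on attaching
# existing user-assigned identities, so a deployer cannot borrow a privileged UAMI.
APP_DEPLOYER = {
    "Actions": ["*"],
    "NotActions": CONTRIBUTOR["NotActions"] + [UAMI_ASSIGN],
}


def to_role_definition_json(name: str, role: dict, assignable_scopes: list) -> str:
    """Render a custom role in the JSON shape accepted by
    `az role definition create --role-definition <file>`."""
    doc = {
        "Name": name,
        "IsCustom": True,
        "Description": "Deployer role that cannot bind existing user-assigned identities",
        "Actions": role["Actions"],
        "NotActions": role["NotActions"],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": assignable_scopes,
    }
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    rbac_write = "Microsoft.Authorization/roleAssignments/write"
    for label, role in (("Contributor", CONTRIBUTOR), ("App Deployer", APP_DEPLOYER)):
        print(f"{label}: attach UAMI={allows(role, UAMI_ASSIGN)}, "
              f"write role assignments={allows(role, rbac_write)}")
    # Placeholder subscription id; replace with the real scope before use.
    print(to_role_definition_json("App Deployer (no identity binding)", APP_DEPLOYER,
                                  ["/subscriptions/00000000-0000-0000-0000-000000000000"]))
```

Note the limit of this control: a principal with `Microsoft.Web/sites/write` can still enable a system-assigned identity on a resource, but that identity starts with no role assignments, so it carries none of the pre-existing privilege that makes the UAMI path dangerous. Keep the Owner-level UAMIs in a separate resource group where deployers hold no role at all, as the "Isolate High-Privilege Managed Identities" item recommends.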
How to Investigate
When suspicious role assignments or resource deployments occur, it's critical to trace execution back to the initiating identity. Investigations should focus on identifying whether a newly created service (e.g., Function App, Automation Account) was used as an execution vector. Correlating role assignment timestamps with recent deployments and managed identity usage is key to uncovering hidden privilege escalation paths.
- Start with Role Assignments
  - Look for new Microsoft.Authorization/roleAssignments/write events in the logs.
- Trace Back Execution Context
  - Correlate the caller identity with a Function App, Automation Account, or VM MSI.
- Examine Recently Created Resources
  - Was a Function App or Automation Account created shortly before the assignment?
- Audit Managed Identity Usage
  - Look at identity assignments to web apps or compute resources. Did they use an unexpected or highly privileged UAMI?
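The Detection Challenges section notes that the escalation never appears as one event, and the four investigation steps above describe how to reassemble it from three ordinary events. The following is an added example, not code from the original post or from Cyngular, that automates that correlation over a constructed, simplified set of Activity Log style records (field names `time`, `operation`, `caller`, `resource` are a simplification of the real schema). For each `roleAssignments/write` performed by a managed identity, it looks back over a window for the human who attached that UAMI and for any execution hosts (Function App, Automation Account, VM) that same human created, and reports them as one chain. The principal-id to UAMI mapping is assumed to be built from `az identity list` (principalId to id); the sample ids and names are constructed.

```python
from datetime import datetime, timedelta

ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"
UAMI_ASSIGN = "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
# Control-plane writes that create or reconfigure something able to run code under an identity.
EXECUTION_HOST_WRITES = (
    "Microsoft.Web/sites/write",
    "Microsoft.Automation/automationAccounts/write",
    "Microsoft.Compute/virtualMachines/write",
)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
OWNER_UAMI = (SUB + "/resourceGroups/shared-rg/providers/"
              "Microsoft.ManagedIdentity/userAssignedIdentities/owner-uami")
ATTACKER_FUNC = SUB + "/resourceGroups/attack-rg/providers/Microsoft.Web/sites/attacker-func"

# Constructed sample records, not real Activity Log output.
EVENTS = [
    {"time": "2024-05-01T10:00:00Z", "operation": "Microsoft.Web/sites/write",
     "caller": "dev.user@contoso.example", "resource": ATTACKER_FUNC},
    {"time": "2024-05-01T10:02:00Z", "operation": UAMI_ASSIGN,
     "caller": "dev.user@contoso.example", "resource": OWNER_UAMI},
    {"time": "2024-05-01T10:05:00Z", "operation": ROLE_ASSIGN_WRITE,
     "caller": "1b2c3d4e-0000-4000-8000-000000000001",  # object id of owner-uami's principal
     "resource": SUB + "/providers/Microsoft.Authorization/roleAssignments/aaaa-bbbb"},
    {"time": "2024-05-01T14:00:00Z", "operation": ROLE_ASSIGN_WRITE,
     "caller": "admin@contoso.example",                 # routine human-initiated assignment
     "resource": SUB + "/providers/Microsoft.Authorization/roleAssignments/cccc-dddd"},
]

# Managed-identity principal (object) id -> UAMI resource id. Assumed to be built from
# `az identity list` in a real investigation; this entry is constructed.
UAMI_PRINCIPALS = {"1b2c3d4e-0000-4000-8000-000000000001": OWNER_UAMI}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_escalation_chains(events, uami_principals, window_minutes=60):
    """Link each role-assignment write made by a managed identity back to the human who
    attached that identity and to the execution hosts that human created in the window."""
    ordered = sorted(events, key=lambda e: _ts(e["time"]))
    window = timedelta(minutes=window_minutes)
    findings = []
    for ev in ordered:
        if ev["operation"] != ROLE_ASSIGN_WRITE:
            continue
        uami = uami_principals.get(ev["caller"])
        if uami is None:
            continue  # user or unknown principal: covered by ordinary RBAC change review
        end = _ts(ev["time"])
        recent = [e for e in ordered if end - window <= _ts(e["time"]) < end]
        attach_events = [e for e in recent
                         if e["operation"] == UAMI_ASSIGN and e["resource"].lower() == uami.lower()]
        if not attach_events:
            continue
        assigners = sorted({e["caller"] for e in attach_events})
        hosts = sorted({e["resource"] for e in recent
                        if e["operation"] in EXECUTION_HOST_WRITES and e["caller"] in assigners})
        first_attach = min(_ts(e["time"]) for e in attach_events)
        findings.append({
            "role_assignment": ev["resource"],
            "performed_by_identity": uami,
            "attached_by": assigners,
            "execution_hosts_created": hosts,
            "minutes_from_attach_to_assignment": (end - first_attach).total_seconds() / 60,
        })
    return findings


if __name__ == "__main__":
    for finding in find_escalation_chains(EVENTS, UAMI_PRINCIPALS):
        for key, value in finding.items():
            print(f"{key}: {value}")
```

The admin's 14:00 assignment produces no finding because its caller is a user, not a managed identity; the 10:05 assignment is reported with `dev.user@contoso.example` as the initiating user and `attacker-func` as the execution host, which is exactly the link the audit trail does not record on its own. Tune `window_minutes` to your environment: too short misses a patient attacker, too long pulls in unrelated deployments.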
Conclusion
The "Contributor" role in Azure is not safe by default. While it lacks direct RBAC control, it can enable privilege escalation through Azure’s flexible but dangerous identity and resource delegation model.
Security teams must understand not just what a role explicitly allows, but what it implicitly enables through API chains, identity bridging, and control over execution paths.
Cyngular Security's CIRA Platform
To further secure your cloud environment, consider integrating Cyngular Security's CIRA platform. It enhances your security posture by providing advanced investigation and response capabilities, enabling your team to address threats swiftly and effectively. By adopting Cyngular Security's CIRA, you empower your organization with proactive and automated security measures that protect your cloud assets.
Get a Free Breach Assessment
Protect your cybersecurity infrastructure with a complimentary breach assessment from Cyngular:
- Safe and Non-disruptive: Conducted with read-only access to ensure no operational disruption.
- Easy Setup: Integrates seamlessly with your existing SIEM systems.
- Deep Insights: Empowers your cybersecurity strategy with advanced threat hunting and proactive investigation capabilities.
Request your free Proof-of-Value today and lead the way in cybersecurity innovation with Cyngular.