Contributor Permissions

The built-in Contributor RBAC role grants full access to manage all resources at the scope of assignment (management group, subscription, or resource group), but it is restricted from assigning permissions to other users or identities.

IMPORTANT: Contributor access is similar to having a domain account with local administrator rights on most systems. You have rights to manage infrastructure and make changes, but you don't have rights to add new users to the domain or make global changes at the domain administrator level.

Contributor user/role vectors we can use (IaaS):

  • Resetting local user passwords on VMs

  • Running commands as a privileged user on VMs

  • Installing and executing VM extensions

  • Exporting unencrypted operating system disks for analysis

Contributor user/role vectors we can use (PaaS):

  • Attacking storage accounts

  • Pillaging keys, secrets, and certificates from key vaults

  • Leveraging web apps for lateral movement and escalation

  • Extracting credentials from automation accounts
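For reviewing Contributor assignments from the defender's side, the following added example (not part of the original page) evaluates the role's Actions/NotActions the way Azure RBAC does and flags activity-log operations behind some of the vectors above. The operation-to-vector mapping, the simplified record shape and the sample callers are assumptions constructed for this example.

```python
from fnmatch import fnmatchcase

# Core of the built-in Contributor definition; the real NotActions list
# has further entries that do not affect the operations checked here.
CONTRIBUTOR = {
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

# Control-plane operations behind some of the vectors listed above
# (mapping chosen for this example, not exhaustive).
WATCHED = {
    "Microsoft.Compute/virtualMachines/runCommand/action": "run command on VM",
    "Microsoft.Compute/virtualMachines/extensions/write": "VM extension install (incl. VMAccess password reset)",
    "Microsoft.Compute/disks/beginGetAccess/action": "disk export",
    "Microsoft.Storage/storageAccounts/listKeys/action": "storage account key listing",
    "Microsoft.Web/sites/publishxml/action": "web app publishing profile download",
}

def _match(patterns, op):
    # Azure compares operation strings case-insensitively; '*' is the wildcard.
    op = op.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def role_allows(role, op):
    """Allowed if the operation matches Actions and no NotActions entry."""
    return _match(role["actions"], op) and not _match(role["notActions"], op)

def triage(events):
    """Return (caller, operation, vector) for each watched operation seen."""
    lookup = {k.lower(): v for k, v in WATCHED.items()}
    return [(e["caller"], e["operationName"], lookup[e["operationName"].lower()])
            for e in events if e["operationName"].lower() in lookup]

# Constructed, simplified activity-log records (not real data).
SAMPLE_EVENTS = [
    {"caller": "svc-deploy@example.com", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action"},
    {"caller": "svc-deploy@example.com", "operationName": "Microsoft.Resources/deployments/write"},
    {"caller": "alice@example.com", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action"},
]

if __name__ == "__main__":
    for op in list(WATCHED) + ["Microsoft.Authorization/roleAssignments/write"]:
        print("allow" if role_allows(CONTRIBUTOR, op) else "deny ", op)
    for hit in triage(SAMPLE_EVENTS):
        print("review:", *hit)
```

Every watched operation evaluates to allow for Contributor, while `Microsoft.Authorization/roleAssignments/write` is denied by NotActions, which is the restriction on assigning permissions described at the top of the page.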
