diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
index 98a90907..3f80e767 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json index bb09b03d..f6d18d8a 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 62af702d..e2e3e944 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -593,6 +593,10 @@ persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
+persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
+persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
+persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 persistence,T1137.006,Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index b0932252..7e5abce4 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -202,6 +202,10 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
+persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
+persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell
+persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell
 persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
 persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 8c6277f2..458ecd7d 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -948,6 +948,10 @@ - Atomic Test #1: Admin Account Manipulate [windows] - Atomic Test #2: Domain Account and Group Manipulate [windows] - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws] + - Atomic Test #4: Azure - adding user to Azure AD role [azure-ad] + - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad] + - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure] + - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure] - T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1137.006 Add-ins](../../T1137.006/T1137.006.md) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 8e3013e0..28482975 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -458,6 +458,10 @@ # persistence - [T1098 Account Manipulation](../../T1098/T1098.md) - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws] + - Atomic Test #4: Azure - adding user to Azure AD role [azure-ad] + - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad] + - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure] + - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure] - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1137.006 Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md) 
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 7d72b915..d95b145a 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -40229,6 +40229,300 @@ persistence: aws iam remove-user-from-group --user-name #{username} --group-name #{username} aws iam delete-group --group-name #{username} name: sh + - name: Azure - adding user to Azure AD role + auto_generated_guid: 0e65ae27-5385-46b4-98ac-607a8ee82261 + description: "The adversarie want to add user to some Azure AD role. Threat + actor \nmay be interested primarily in highly privileged roles, e.g. Global + Administrator, Application Administrator, \nPrivileged authentication administrator + (this role can reset Global Administrator password!).\nBy default, the role + Global Reader is assigned to service principal in this test.\n\nThe account + you use to run the PowerShell command should have Privileged Role Administrator + or Global Administrator role in your Azure AD.\n\nDetection hint - check Activity + \"Add member to role\" in Azure AD Audit Logs. In targer you will also see + User as a type.\n" + supported_platforms: + - azure-ad + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + user_principal_name: + description: Name of the targeted user (user principal) + type: String + default: SuperUser + role_name: + description: Name of the targed Azure AD role + type: String + default: Global Reader + dependencies: + - description: 'AzureAD module must be installed. 
+ +' + prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) + {exit 0} else {exit 1}} catch {exit 1} + +' + get_prereq_command: 'Install-Module -Name AzureAD -Force + +' + executor: + command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId + Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role" + cleanup_command: | + Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential -ErrorAction Ignore + + $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId + Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role" + name: powershell + elevation_required: false + - name: Azure - adding service principal to Azure AD role + auto_generated_guid: 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 + description: "The adversarie want to add service principal to some 
Azure AD + role. Threat actor \nmay be interested primarily in highly privileged roles, + e.g. Global Administrator, Application Administrator, \nPrivileged authentication + administrator (this role can reset Global Administrator password!).\nBy default, + the role Global Reader is assigned to service principal in this test.\n\nThe + account you use to run the PowerShell command should have Privileged Role + Administrator or Global Administrator role in your Azure AD.\n\nDetection + hint - check Activity \"Add member to role\" in Azure AD Audit Logs. In targer + you will also see Service Principal as a type.\n" + supported_platforms: + - azure-ad + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + service_principal_name: + description: Name of the service principal + type: String + default: SuperSP + role_name: + description: Name of the targed Azure AD role + type: String + default: Global Reader + dependencies: + - description: 'AzureAD module must be installed. 
+ +' + prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) + {exit 0} else {exit 1}} catch {exit 1} + +' + get_prereq_command: 'Install-Module -Name AzureAD -Force + +' + executor: + command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId + Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)" + cleanup_command: | + Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential -ErrorAction Ignore + + $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId + Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role" + name: powershell + elevation_required: false + - name: Azure - adding user to Azure role in subscription + auto_generated_guid: 1a94b3fc-b080-450a-b3d8-6d9b57b472ea + 
description: "The adversarie want to add user to some Azure role, also called + Azure resource role. Threat actor \nmay be interested primarily in highly + privileged roles, e.g. Owner, Contributor.\nBy default, the role Reader is + assigned to user in this test.\n\nNew-AzRoleAssignment cmdlet could be also + use to assign user/service principal to resource, resource group and management + group.\n\nThe account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write + \n(e.g. such as User Access Administrator or Owner) and the Azure Active Directory + Graph Directory.Read.All \nand Microsoft Graph Directory.Read.All permissions.\n\nDetection + hint - check Operation Name \"Create role assignment\" in subscriptions Activity + Logs.\n" + supported_platforms: + - iaas:azure + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + user_principal_name: + description: Name of the targeted user (user principal) + type: String + default: SuperUser + role_name: + description: Name of the targed Azure role + type: String + default: Reader + subscription: + description: Name of the targed subscription + type: String + default: Azure subscription 1 + dependencies: + - description: 'Az.Resources module must be installed. 
+ +' + prereq_command: 'try {if (Get-InstalledModule -Name Az.Resources -ErrorAction + SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} + +' + get_prereq_command: 'Install-Module -Name Az.Resources -Force + +' + executor: + command: | + Import-Module -Name Az.Resources + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzAccount -Credential $Credential + + $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} + if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } + $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription + Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" + cleanup_command: | + Import-Module -Name AzureAD -ErrorAction Ignore + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzAccount -Credential $Credential -ErrorAction Ignore + + $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} + if ($user -eq $null) { Write-Warning "User not found"; exit } + $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} + if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } + $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} + if ($role -eq $null) { Write-Warning "Role not found"; exit } + + Remove-AzRoleAssignment 
-ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription + Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)" + name: powershell + elevation_required: false + - name: Azure - adding service principal to Azure role in subscription + auto_generated_guid: c8f4bc29-a151-48da-b3be-4680af56f404 + description: "The adversarie want to add service principal to some Azure role, + also called Azure resource role. Threat actor \nmay be interested primarily + in highly privileged roles, e.g. Owner, Contributor.\nBy default, the role + Reader is assigned to service principal in this test.\n\nNew-AzRoleAssignment + cmdlet could be also use to assign user/service principal to resource, resource + group and management group.\n\nThe account you use to run the PowerShell command + must have Microsoft.Authorization/roleAssignments/write \n(e.g. such as User + Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All + \nand Microsoft Graph Directory.Read.All permissions.\n\nDetection hint - + check Operation Name \"Create role assignment\" in subscriptions Activity + Logs.\n" + supported_platforms: + - iaas:azure + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + service_principal_name: + description: Name of the service principal + type: String + default: SuperSP + role_name: + description: Name of the targed Azure role + type: String + default: Reader + subscription: + description: Name of the targed subscription + type: String + default: Azure subscription 1 + dependencies: + - description: 'Az.Resources module must be installed. 
+ +' + prereq_command: 'try {if (Get-InstalledModule -Name Az.Resources -ErrorAction + SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} + +' + get_prereq_command: 'Install-Module -Name Az.Resources -Force + +' + executor: + command: "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString + -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName + System.Management.Automation.PSCredential -ArgumentList \"#{username}\", + $Pword\nConnect-AzAccount -Credential $Credential\n\n$sp = Get-AzADServicePrincipal + | where-object {$_.DisplayName -eq \"#{service_principal_name}\"}\nif ($sp + -eq $null) { Write-Warning \"Service Principal not found\"; exit }\n$subscription + = Get-AzSubscription | where-object {$_.Name -eq \"#{subscription}\"} \nif + ($subscription -eq $null) { Write-Warning \"Subscription not found\"; exit + }\n$role = Get-AzRoleDefinition | where-object {$_.Name -eq \"#{role_name}\"}\nif + ($role -eq $null) { Write-Warning \"Role not found\"; exit }\n\nNew-AzRoleAssignment + -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription\nWrite-Host + \"Service Principal $($sp.DisplayName) was added to $($role.Name) role in + subscriptions $($subscriptions.Name)\"\n" + cleanup_command: "Import-Module -Name AzureAD -ErrorAction Ignore\n$PWord + = ConvertTo-SecureString -String \"#{password}\" -AsPlainText -Force\n$Credential + = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList + \"#{username}\", $Pword\nConnect-AzAccount -Credential $Credential -ErrorAction + Ignore\n\n$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName + -eq \"#{service_principal_name}\"}\nif ($sp -eq $null) { Write-Warning \"Service + Principal not found\"; exit }\n$subscription = Get-AzSubscription | where-object + {$_.Name -eq \"#{subscription}\"} \nif ($subscription -eq $null) { Write-Warning + \"Subscription not found\"; exit }\n$role = Get-AzRoleDefinition | where-object + {$_.Name -eq 
\"#{role_name}\"}\nif ($role -eq $null) { Write-Warning \"Role + not found\"; exit }\n\nRemove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId + $role.id -Scope /subscriptions/$subscription\nWrite-Host \"Service Principal + $($sp.DisplayName) was removed from $($role.Name) role in subscriptions + $($subscriptions.Name)\"\n" + name: powershell + elevation_required: false T1547.014: technique: external_references: diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index 08ccbe36..90d9ee6d 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -204,6 +204,7 @@ echo Please run atomic test T1136.003, before running this atomic test +

## Atomic Test #4 - Azure - adding user to Azure AD role @@ -211,7 +212,7 @@ The adversarie want to add user to some Azure AD role. Threat actor may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, Privileged authentication administrator (this role can reset Global Administrator password!). By default, the role Global Reader is assigned to service principal in this test. - + The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type. 
@@ -219,46 +220,52 @@ Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In **Supported Platforms:** Azure-ad +**auto_generated_guid:** 0e65ae27-5385-46b4-98ac-607a8ee82261 + + + + + #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Azure AD username | String | jonh@contoso.com| | password | Azure AD password | String | p4sswd| | user_principal_name | Name of the targeted user (user principal) | String | SuperUser| -| role_name | Name of the targeted role | String | Global Reader| - +| role_name | Name of the targed Azure AD role | String | Global Reader| #### Attack Commands: Run with `powershell`! + ```powershell Import-Module -Name AzureAD - $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force - $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword - Connect-AzureAD -Credential $Credential +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential - $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} - if ($user -eq $null) { Write-Warning "User not found"; exit } - $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} - if ($role -eq $null) { Write-Warning "Role not found"; exit } - Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId - Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role" +$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} +if ($user -eq $null) { Write-Warning "User not found"; exit } +$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } 
+Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId +Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role" ``` #### Cleanup Commands: ```powershell Import-Module -Name AzureAD -ErrorAction Ignore - $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force - $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword - Connect-AzureAD -Credential $Credential -ErrorAction Ignore +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential -ErrorAction Ignore - $user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} - if ($user -eq $null) { Write-Warning "User not found"; exit } - $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} - if ($role -eq $null) { Write-Warning "Role not found"; exit } - - Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId - Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role" +$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} +if ($user -eq $null) { Write-Warning "User not found"; exit } +$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } + +Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId +Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role" ``` @@ -274,59 +281,71 @@ try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit Install-Module -Name AzureAD -Force ``` + + +

## Atomic Test #5 - Azure - adding service principal to Azure AD role -The adversarie want to add service principal to some Azure AD role. Threat actor may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, Privileged authentication administrator (this role can reset Global Administrator password!). +The adversarie want to add service principal to some Azure AD role. Threat actor +may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, +Privileged authentication administrator (this role can reset Global Administrator password!). By default, the role Global Reader is assigned to service principal in this test. - + The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type. + **Supported Platforms:** Azure-ad +**auto_generated_guid:** 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 + + + + + #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Azure AD username | String | jonh@contoso.com| | password | Azure AD password | String | p4sswd| -| service_principal_name | Name of the targeted service principal | String | SuperSP| -| role_name | Name of the targeted role | String | Global Reader| - +| service_principal_name | Name of the service principal | String | SuperSP| +| role_name | Name of the targed Azure AD role | String | Global Reader| #### Attack Commands: Run with `powershell`! 
+ ```powershell Import-Module -Name AzureAD - $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force - $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword - Connect-AzureAD -Credential $Credential +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential - $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} - if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } - $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} - if ($role -eq $null) { Write-Warning "Role not found"; exit } - Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId - Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)" +$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} +if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } +$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } +Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId +Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)" ``` #### Cleanup Commands: ```powershell Import-Module -Name AzureAD -ErrorAction Ignore - $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force - $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword - Connect-AzureAD -Credential $Credential -ErrorAction Ignore +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList 
"#{username}", $Pword +Connect-AzureAD -Credential $Credential -ErrorAction Ignore - $sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} - if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } - $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} - if ($role -eq $null) { Write-Warning "Role not found"; exit } +$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} +if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } +$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } - Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId - Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role" +Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId +Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role" ``` @@ -342,23 +361,32 @@ try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit Install-Module -Name AzureAD -Force ``` + + +

## Atomic Test #6 - Azure - adding user to Azure role in subscription -The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor may be -interested primarily in highly privileged roles, e.g. Owner, Contributor. +The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor +may be interested primarily in highly privileged roles, e.g. Owner, Contributor. By default, the role Reader is assigned to user in this test. New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. - + The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All and Microsoft Graph Directory.Read.All permissions. Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs. -**Supported Platforms:** iaas:azure +**Supported Platforms:** Iaas:azure + + +**auto_generated_guid:** 1a94b3fc-b080-450a-b3d8-6d9b57b472ea + + + #### Inputs: 
@@ -367,46 +395,46 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions | username | Azure AD username | String | jonh@contoso.com| | password | Azure AD password | String | p4sswd| | user_principal_name | Name of the targeted user (user principal) | String | SuperUser| -| role_name | Name of the targeted role | String | Reader| +| role_name | Name of the targed Azure role | String | Reader| | subscription | Name of the targed subscription | String | Azure subscription 1| - #### Attack Commands: Run with `powershell`! + ```powershell Import-Module -Name Az.Resources - $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force - $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword - Connect-AzAccount -Credential $Credential +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzAccount -Credential $Credential - $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} - if ($user -eq $null) { Write-Warning "User not found"; exit } - $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} - if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } - $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} - if ($role -eq $null) { Write-Warning "Role not found"; exit } +$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} +if ($user -eq $null) { Write-Warning "User not found"; exit } +$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} +if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } +$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } - New-AzRoleAssignment -ObjectId 
$user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription - Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" +New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription +Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" ``` #### Cleanup Commands: ```powershell Import-Module -Name AzureAD -ErrorAction Ignore - $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force - $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword - Connect-AzAccount -Credential $Credential -ErrorAction Ignore +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzAccount -Credential $Credential -ErrorAction Ignore - $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} - if ($user -eq $null) { Write-Warning "User not found"; exit } - $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} - if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } - $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} - if ($role -eq $null) { Write-Warning "Role not found"; exit } +$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} +if ($user -eq $null) { Write-Warning "User not found"; exit } +$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} +if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } +$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } - Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope 
/subscriptions/$subscription - Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)" +Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription +Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)" ``` @@ -422,23 +450,32 @@ try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) { Install-Module -Name Az.Resources -Force ``` + + +
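Review bot: The Test #6 cleanup block's final Write-Host still reads two variables that are never assigned in that block — `$sp` (the block removes `$user`, not a service principal) and `$subscriptions` (the assigned variable is `$subscription`) — so the message prints empty fields, and the attack block's Write-Host has the same `$subscriptions.Name` slip. Suggest `Write-Host "User $($user.DisplayName) was removed from $($role.Name) role in subscription $($subscription.Name)"` in the cleanup and `$($subscription.Name)` in the attack block. The cleanup also starts with `Import-Module -Name AzureAD -ErrorAction Ignore` while every cmdlet it calls (Connect-AzAccount, Get-AzADUser, Get-AzSubscription, Get-AzRoleDefinition, Remove-AzRoleAssignment) belongs to the Az modules, so `Import-Module -Name Az.Resources -ErrorAction Ignore` would match the attack block. The `$subscriptions.Name` and AzureAD-import issues recur in the Test #7 hunk below. If this markdown is generated from the test's YAML, as the auto_generated_guid lines suggest, the fix belongs in that source rather than here.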

## Atomic Test #7 - Azure - adding service principal to Azure role in subscription -The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor may be -interested primarily in highly privileged roles, e.g. Owner, Contributor. +The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor +may be interested primarily in highly privileged roles, e.g. Owner, Contributor. By default, the role Reader is assigned to service principal in this test. New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. - + The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All and Microsoft Graph Directory.Read.All permissions. Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs. -**Supported Platforms:** iaas:azure +**Supported Platforms:** Iaas:azure + + +**auto_generated_guid:** c8f4bc29-a151-48da-b3be-4680af56f404 + + + #### Inputs: 
@@ -446,47 +483,47 @@ Detection hint - check Operation Name "Create role assignment" in subscriptions |------|-------------|------|---------------| | username | Azure AD username | String | jonh@contoso.com| | password | Azure AD password | String | p4sswd| -| service_principal_name | Name of the targeted service principal | String | SuperSP| -| role_name | Name of the targeted role | String | Reader| +| service_principal_name | Name of the service principal | String | SuperSP| +| role_name | Name of the targed Azure role | String | Reader| | subscription | Name of the targed subscription | String | Azure subscription 1| - #### Attack Commands: Run with `powershell`! + ```powershell Import-Module -Name Az.Resources - $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force - $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword - Connect-AzAccount -Credential $Credential +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzAccount -Credential $Credential - $sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} - if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } - $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} - if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } - $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} - if ($role -eq $null) { Write-Warning "Role not found"; exit } +$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} +if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } +$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} +if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } 
+$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } - New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription - Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" +New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription +Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" ``` #### Cleanup Commands: ```powershell Import-Module -Name AzureAD -ErrorAction Ignore - $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force - $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword - Connect-AzAccount -Credential $Credential -ErrorAction Ignore +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzAccount -Credential $Credential -ErrorAction Ignore - $user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} - if ($user -eq $null) { Write-Warning "User not found"; exit } - $subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} - if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } - $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} - if ($role -eq $null) { Write-Warning "Role not found"; exit } +$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} +if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } +$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} +if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } +$role = Get-AzRoleDefinition | 
where-object {$_.Name -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } - Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription - Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptionsName)" +Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription +Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)" ``` @@ -502,5 +539,7 @@ try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) { Install-Module -Name Az.Resources -Force ``` -
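Review bot: Both the attack and cleanup blocks pass `-Scope /subscriptions/$subscription`, interpolating the whole object returned by Get-AzSubscription rather than its Id; whether that stringifies to the subscription Id depends on the type's ToString(), so the explicit `-Scope "/subscriptions/$($subscription.Id)"` is safer, and it matters for cleanup because Remove-AzRoleAssignment must resolve the same scope to revert the assignment. Each `if (... -eq $null) { Write-Warning "..."; exit }` guard calls `exit`, which ends the hosting PowerShell session when the block is pasted interactively rather than run as a script; `return` would stop the block without that side effect, presumably what the author intends. These points apply equally to the Test #6 hunk above.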
+ + +