
# AZOwner

> An Entra principal has been granted the Azure Resource Manager role called "Owner" over an Azure Resource Manager asset.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

AZOwner targets resources in Azure Resource Manager (for example [AZResourceGroup](/resources/nodes/az-resource-group), [AZSubscription](/resources/nodes/az-subscription), and [AZVM](/resources/nodes/az-vm)) through a role assignment called "Owner".

<Note>The edges [AZOwner](/resources/edges/az-owner) and [AZOwns](/resources/edges/az-owns) are distinct: each applies to its own identity and access management platform (AzureRM and Entra ID, respectively), with distinct mechanics, abuse primitives, and remediation steps.</Note>
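
An added example (not BloodHound's own code or collection logic): a Python audit that lists the AzureRM "Owner" role assignments this edge represents and classifies each scope as one of the node kinds named above, broadest scope first. It assumes records shaped like `az role assignment list --all` output; the sample records, principal IDs and subscription ID are constructed, and the helper names are hypothetical.

```python
import re

# Definition GUID of the built-in Azure RM "Owner" role (same in every tenant).
OWNER_ROLE_GUID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Scope patterns, most specific first, mapped to the node kinds named on this page.
SCOPE_KINDS = [
    (re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                r"Microsoft\.Compute/virtualMachines/[^/]+$", re.I), "AZVM"),
    (re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I), "AZResourceGroup"),
    (re.compile(r"^/subscriptions/[^/]+$", re.I), "AZSubscription"),
]

def scope_kind(scope):
    """Classify an Azure RM scope string; anything unrecognised is 'Other'."""
    scope = scope.rstrip("/")
    for pattern, kind in SCOPE_KINDS:
        if pattern.match(scope):
            return kind
    return "Other"

def owner_assignments(assignments):
    """Return (principalId, principalType, kind, scope) per Owner assignment."""
    found = []
    for a in assignments:
        # Match on the role definition GUID, not the display name, so a custom
        # role that merely happens to be named "Owner" is not counted.
        role_guid = a.get("roleDefinitionId", "").rstrip("/").rsplit("/", 1)[-1]
        if role_guid.lower() == OWNER_ROLE_GUID:
            found.append((a["principalId"], a.get("principalType", "Unknown"),
                          scope_kind(a["scope"]), a["scope"]))
    # Broadest scopes first: fewer path segments means more resources covered.
    return sorted(found, key=lambda r: (r[3].count("/"), r[3]))

# Constructed sample data (placeholder subscription, principals and custom role).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RD = SUB + "/providers/Microsoft.Authorization/roleDefinitions/"
VM = SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm01"

def _ra(pid, ptype, role_guid, scope):
    return {"principalId": pid, "principalType": ptype,
            "roleDefinitionId": RD + role_guid, "scope": scope}

SAMPLE = [
    _ra("p-sp", "ServicePrincipal", OWNER_ROLE_GUID, VM),
    _ra("p-dev", "User", "b24988ac-6180-42a0-ab88-20f7382dd24c", SUB),  # Contributor
    _ra("p-group", "Group", OWNER_ROLE_GUID, SUB + "/resourceGroups/rg-app"),
    _ra("p-custom", "User", "11111111-1111-1111-1111-111111111111", SUB),  # custom role
    _ra("p-user", "User", OWNER_ROLE_GUID.upper(), SUB),
]
```
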

## Abuse Info

An Owner can do everything a Contributor can do and can additionally assign rights to resources. Object ownership means almost all abuses are possible against the target object.

## Opsec Considerations

This depends on which abuse you perform, but in general Azure will create a log for each abuse action.

## References

* [https://blog.netspi.com/attacking-azure-with-custom-script-extensions/](https://blog.netspi.com/attacking-azure-with-custom-script-extensions/)
* [https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#owner)
