Azure user access to resource access matrix

David Okeyode
Azure Nigeria Community Group
2 min read · Oct 28, 2022

When securing user identity access to critical Azure resources, one of the useful things to understand is the many ways in which a user identity can end up with that access. Below are some of the paths. Let me know if there's a path that I've missed.

  • User can be granted permissions to a resource
  • User may have permission to modify role assignment and use that to get access to a resource
  • User may have access to a service principal (via ownership) that has permissions to a resource (via adding credentials to it OR via a DevOps pipeline that uses the service principal)
  • User may be a member of a group which has permission to a resource
  • User may have permission to modify membership of a group which has permission to a resource (by being assigned as a group manager OR via Azure AD RBAC)
  • User may have permission to execute code on a resource that is assigned a managed identity which has permission to a resource
  • User may have permission to a service like Azure Blueprints, which can assume the Owner role and modify permissions to get access to a resource

And this is just talking about user identities! The paths are similar for other types of identities (federated identities, service principals, managed identities, on-prem attack vectors like on-premises AD), but there are unique paths in all those cases.
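To see how these paths compose, here is an added example (not code from the original post): each path in the list above becomes an edge type in a small directed graph, and a breadth-first walk from one user lists every resource that user can effectively reach and the hops that get there. The tenant snapshot, all principal names (`user:alice`, `sp:deploy-sp`, `mi:vm-build-mi`, `bp:sub1-assignment`) and all resource IDs are constructed for the example; only the role names are real Azure RBAC built-in roles. The same walk applied to a real export of role assignments, group memberships and ownerships is what a "who can actually touch this key vault" review comes down to.

```python
"""Effective-access walk over a constructed Azure snapshot (added example)."""
from collections import defaultdict, deque

# Roles that let a principal change who has access (path 2 in the post).
ACCESS_ADMIN_ROLES = {"Owner", "User Access Administrator"}
# Roles that let a principal run code on a compute resource (path 6).
CODE_EXEC_ROLES = {"Owner", "Contributor", "Virtual Machine Contributor"}

# ---- constructed snapshot: none of these IDs exist in any real tenant ------
SUB = "/subscriptions/sub1"
RG = SUB + "/resourceGroups/rg-app"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stprod"
KEYVAULT = RG + "/providers/Microsoft.KeyVault/vaults/kv-prod"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-build"
SQL = SUB + "/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql-prod"

SNAPSHOT = {
    "role_assignments": [                                    # (principal, role, scope)
        ("user:alice", "Reader", STORAGE),                   # path 1: direct grant
        ("user:alice", "Virtual Machine Contributor", VM),   # path 6: can run code on VM
        ("group:devs", "Key Vault Secrets User", KEYVAULT),  # path 4: group holds the role
        ("group:ops", "Reader", SQL),                        # path 5: group alice manages
        ("sp:deploy-sp", "Contributor", SQL),                # path 3: SP owned by bob
        ("mi:vm-build-mi", "Storage Blob Data Contributor", STORAGE),
        ("user:bob", "User Access Administrator", RG),       # path 2: can write assignments
        ("user:carol", "Reader", SUB),
        ("bp:sub1-assignment", "Owner", SUB),                # path 7: blueprint identity
    ],
    "group_members": [("group:devs", "user:alice"), ("group:ops", "user:carol")],
    "group_owners": [("group:ops", "user:alice")],           # group manager
    "sp_owners": [("sp:deploy-sp", "user:bob")],             # can add a credential
    "pipelines": [("pipeline:release", "sp:deploy-sp")],     # pipeline runs as the SP
    "pipeline_editors": [("pipeline:release", "user:carol")],
    "managed_identities": [(VM, "mi:vm-build-mi")],          # compute -> its identity
    "blueprint_operators": [("user:dave", "bp:sub1-assignment")],
}


def principal_edges(snap):
    """Identity-to-identity hops that do not depend on an RBAC scope."""
    edges = defaultdict(list)
    for group, member in snap["group_members"]:
        edges[member].append((group, f"is a member of {group}"))
    for group, owner in snap["group_owners"]:
        edges[owner].append((group, f"owns {group} and can add members to it"))
    for sp, owner in snap["sp_owners"]:
        edges[owner].append((sp, f"owns {sp} and can add a credential to it"))
    runs_as = dict(snap["pipelines"])
    for pipeline, editor in snap["pipeline_editors"]:
        sp = runs_as[pipeline]
        edges[editor].append((sp, f"can edit {pipeline}, which runs as {sp}"))
    for user, bp in snap["blueprint_operators"]:
        edges[user].append((bp, f"can create a blueprint assignment that runs as {bp}"))
    return edges


def effective_access(snap, start):
    """Return {resource_id: [(role, [hop, ...]), ...]} for everything `start` can reach."""
    edges = principal_edges(snap)
    resources = sorted({s for _, _, s in snap["role_assignments"]}
                       | {r for r, _ in snap["managed_identities"]})
    reach = defaultdict(list)
    seen, queue = {start}, deque([(start, [])])
    while queue:
        principal, path = queue.popleft()
        for who, role, scope in snap["role_assignments"]:
            if who != principal:
                continue
            hop = path + [f"{principal} holds {role} at {scope}"]
            reach[scope].append((role, hop))
            if role in ACCESS_ADMIN_ROLES:
                # Can write role assignments, so every child scope is reachable with any role.
                for res in resources:
                    if res.startswith(scope + "/"):
                        reach[res].append(("(any role, via a new role assignment)", hop))
            # An access admin can first grant itself a code-execution role, so treat it alike.
            if role in CODE_EXEC_ROLES or role in ACCESS_ADMIN_ROLES:
                for compute, mi in snap["managed_identities"]:
                    if compute.startswith(scope) and mi not in seen:
                        seen.add(mi)
                        queue.append((mi, hop + [f"code run on {compute} executes as {mi}"]))
        for nxt, desc in edges[principal]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [f"{principal} {desc}"]))
    return dict(reach)


def reachable_resources(snap, start):
    """Just the resource IDs, for a quick 'who can touch X' review."""
    return sorted(effective_access(snap, start))


if __name__ == "__main__":
    for user in ("user:alice", "user:bob", "user:carol", "user:dave"):
        print(f"== {user}")
        for res, grants in sorted(effective_access(SNAPSHOT, user).items()):
            for role, hops in grants:
                print(f"  {res.rsplit('/', 1)[-1]:<18} {role:<40} via: " + " -> ".join(hops))
```

Running it shows that alice, who was only ever granted Reader on the storage account, reaches the key vault through a group, the SQL server through a group she manages, and write access to blob data through the managed identity of a VM she can run code on; bob's single User Access Administrator assignment on the resource group reaches everything beneath it. The scope matching is a plain prefix test on resource IDs, which is the one assumption to revisit before pointing this at a real export.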


Author of four books on cloud security — https://amzn.to/2Vt0Jjx. I also deliver beginner to advanced level cloud security training to organizations.