Редактиране

Споделяне чрез


Azure built-in roles for Storage

This article lists the Azure built-in roles in the Storage category.

Avere Contributor

Can create and manage an Avere vFXT cluster.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Compute/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/proximityPlacementGroups/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/disks/*
Microsoft.Network/*/read
Microsoft.Network/networkInterfaces/*
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins resource such as storage account or SQL database to a subnet. Not alertable.
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not Alertable.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/*/read
Microsoft.Storage/storageAccounts/* Create and manage storage accounts
Microsoft.Support/* Create and update a support ticket
Microsoft.Resources/subscriptions/resourceGroups/resources/read Gets the resources for the resource group.
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Returns the result of deleting a blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Returns the result of writing a blob
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can create and manage an Avere vFXT cluster.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/proximityPlacementGroups/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Network/*/read",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Avere Operator

Used by the Avere vFXT cluster to manage the cluster

Learn more

Actions Description
Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine
Microsoft.Network/networkInterfaces/read Gets a network interface definition.
Microsoft.Network/networkInterfaces/write Creates a network interface or updates an existing network interface.
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/read Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network. Not Alertable.
Microsoft.Network/networkSecurityGroups/join/action Joins a network security group. Not Alertable.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/blobServices/containers/delete Returns the result of deleting a container
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns list of containers
Microsoft.Storage/storageAccounts/blobServices/containers/write Returns the result of put blob container
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Returns the result of deleting a blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Returns the result of writing a blob
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Used by the Avere vFXT cluster to manage the cluster",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup Contributor

Lets you manage backup service, but can't create vaults and give access to others

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.RecoveryServices/locations/*
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* Manage results of operation on backup management
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* Create and manage backup containers inside backup fabrics of Recovery Services vault
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Refreshes the container list
Microsoft.RecoveryServices/Vaults/backupJobs/* Create and manage backup jobs
Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export Jobs
Microsoft.RecoveryServices/Vaults/backupOperationResults/* Create and manage Results of backup management operations
Microsoft.RecoveryServices/Vaults/backupPolicies/* Create and manage backup policies
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Create and manage items which can be backed up
Microsoft.RecoveryServices/Vaults/backupProtectedItems/* Create and manage backed up items
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* Create and manage containers holding backup items
Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for Protected Items and Protected Servers for a Recovery Services .
Microsoft.RecoveryServices/Vaults/certificates/* Create and manage certificates related to backup in Recovery Services vault
Microsoft.RecoveryServices/Vaults/extendedInformation/* Create and manage extended info related to vault
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery services vault.
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/registeredIdentities/* Create and manage registered identities
Microsoft.RecoveryServices/Vaults/usages/* Create and manage usage of Recovery Services vault
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
Microsoft.RecoveryServices/Vaults/backupconfig/*
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Validate Operation on Protected Item
Microsoft.RecoveryServices/Vaults/write Create Vault operation creates an Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/backupOperations/read Returns Backup Operation Status for Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with vault.
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Get all protectable containers
Microsoft.RecoveryServices/vaults/operationStatus/read Gets Operation Status for a given Operation
Microsoft.RecoveryServices/vaults/operationResults/read The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation
Microsoft.RecoveryServices/locations/backupStatus/action Check Backup Status for Recovery Services Vaults
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate Features
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert.
Microsoft.RecoveryServices/operations/read Operation returns the list of Operations for a Resource Provider
Microsoft.RecoveryServices/locations/operationStatus/read Gets Operation Status for a given Operation
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup Protection Intents
Microsoft.Support/* Create and update a support ticket
Microsoft.DataProtection/locations/getBackupStatus/action Check Backup Status for Recovery Services Vaults
Microsoft.DataProtection/backupVaults/backupInstances/write Creates a Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/delete Deletes the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/read Returns all Backup Instances
Microsoft.DataProtection/backupVaults/backupInstances/read Returns all Backup Instances
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read List soft-deleted Backup Instances in a Backup Vault.
Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action Perform undelete of soft-deleted Backup Instance. Backup Instance moves from SoftDeleted to ProtectionStopped state.
Microsoft.DataProtection/backupVaults/backupInstances/backup/action Performs Backup on the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action Validates for Restore of the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/restore/action Triggers restore on the Backup Instance
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action Triggers cross region restore operation on given backup instance.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action Performs validations for cross region restore operation.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action List cross region restore jobs of backup instance from secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action Get cross region restore job details from secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action Returns recovery points from secondary region for cross region restore enabled Backup Vaults.
Microsoft.DataProtection/backupVaults/backupPolicies/write Creates Backup Policy
Microsoft.DataProtection/backupVaults/backupPolicies/delete Deletes the Backup Policy
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action Finds Restorable Time Ranges
Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read Returns Backup Operation Result for Backup Vault.
Microsoft.DataProtection/backupVaults/write Update BackupVault operation updates an Azure resource of type 'Backup Vault'
Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group
Microsoft.DataProtection/backupVaults/operationResults/read Gets Operation Result of a Patch Operation for a Backup Vault
Microsoft.DataProtection/backupVaults/operationStatus/read Returns Backup Operation Status for Backup Vault.
Microsoft.DataProtection/locations/checkNameAvailability/action Checks if the requested BackupVault Name is Available
Microsoft.DataProtection/locations/checkFeatureSupport/action Validates if a feature is supported
Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group
Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group
Microsoft.DataProtection/locations/operationStatus/read Returns Backup Operation Status for Backup Vault.
Microsoft.DataProtection/locations/operationResults/read Returns Backup Operation Result for Backup Vault.
Microsoft.DataProtection/backupVaults/validateForBackup/action Validates for backup of Backup Instance
Microsoft.DataProtection/operations/read Operation returns the list of Operations for a Resource Provider
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy'
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read Get the list of ResourceGuard proxies for a resource
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage backups, but can't delete vaults and give access to others",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
  "name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/*",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/Vaults/usages/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/vaults/operationStatus/read",
        "Microsoft.RecoveryServices/vaults/operationResults/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/delete",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/write",
        "Microsoft.DataProtection/backupVaults/backupPolicies/delete",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
        "Microsoft.DataProtection/backupVaults/write",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/locations/checkNameAvailability/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup MUA Admin

Backup MultiUser-Authorization. Can create/delete ResourceGuard

Learn more

Actions Description
Microsoft.DataProtection/*/read
Microsoft.DataProtection/*/resourceGuards/write
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write Update ResouceGuard operation updates an Azure resource of type 'ResourceGuard'
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete The Delete ResourceGuard operation deletes the specified Azure resource of type 'ResourceGuard'
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read Gets list of ResourceGuards in a Resource Group
Microsoft.DataProtection/locations/operationResults/read Returns Backup Operation Result for Backup Vault.
Microsoft.DataProtection/locations/operationStatus/read Returns Backup Operation Status for Backup Vault.
Microsoft.DataProtection/locations/getBackupStatus/action Check Backup Status for Recovery Services Vaults
Microsoft.DataProtection/locations/checkFeatureSupport/action Validates if a feature is supported
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read Returns Backup Operation Status for Backup Vault.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Features/features/read Gets the features of a subscription.
Microsoft.Features/providers/features/read Gets the feature of a subscription in a given resource provider.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourcegroups/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation
Microsoft.DataProtection/subscriptions/providers/resourceGuards/read Gets list of ResourceGuards in a Subscription
Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read Gets ResourceGuard default operation request info
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Backup MultiUser-Authorization. Can create/delete ResourceGuard ",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8",
  "name": "c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8",
  "permissions": [
    {
      "actions": [
        "Microsoft.DataProtection/*/read",
        "Microsoft.DataProtection/*/resourceGuards/write",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action",
        "Microsoft.DataProtection/subscriptions/providers/resourceGuards/read",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup MUA Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup MUA Operator

Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard

Learn more

Actions Description
Microsoft.DataProtection/*/action
Microsoft.DataProtection/*/read
Microsoft.Authorization/*/read Read roles and role assignments
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/f54b6d04-23c6-443e-b462-9c16ab7b4a52",
  "name": "f54b6d04-23c6-443e-b462-9c16ab7b4a52",
  "permissions": [
    {
      "actions": [
        "Microsoft.DataProtection/*/action",
        "Microsoft.DataProtection/*/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup MUA Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup Operator

Lets you manage backup services, except removal of backup, vault creation and giving access to others

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Network/virtualNetworks/read Get the virtual network definition
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Returns status of the operation
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Gets result of Operation performed on Protection Container.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action Performs Backup for Protected Item.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Gets Result of Operation Performed on Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Returns the status of Operation performed on Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Returns object details of the Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action Provision Instant Item Recovery for Protected Item
Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action Get AccessToken for Cross Region Restore.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Get Recovery Points for Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action Restore Recovery Points for Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action Revoke Instant Item Recovery for Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Create a backup Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Returns all registered containers
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Refreshes the container list
Microsoft.RecoveryServices/Vaults/backupJobs/* Create and manage backup jobs
Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export Jobs
Microsoft.RecoveryServices/Vaults/backupOperationResults/* Create and manage Results of backup management operations
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Get Results of Policy Operation.
Microsoft.RecoveryServices/Vaults/backupPolicies/read Returns all Protection Policies
Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Create and manage items which can be backed up
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Returns the list of all Protected Items.
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Returns all containers belonging to the subscription
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for Protected Items and Protected Servers for a Recovery Services .
Microsoft.RecoveryServices/Vaults/certificates/write The Update Resource Certificate operation updates the resource/vault credential certificate.
Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault?
Microsoft.RecoveryServices/Vaults/extendedInformation/write The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault?
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery services vault.
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation
Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used get the containers registered for a resource.
Microsoft.RecoveryServices/Vaults/registeredIdentities/write The Register Service Container operation can be used to register a container with Recovery Service.
Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services Vault.
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Validate Operation on Protected Item
Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action Validate Operation on Protected Item
Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read Validate Operation on Protected Item
Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read Validate Operation on Protected Item
Microsoft.RecoveryServices/Vaults/backupOperations/read Returns Backup Operation Status for Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Get Status of Policy Operation.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write Creates a registered container
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action Do inquiry for workloads within a container
Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with vault.
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Create a backup Protection Intent
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Get a backup Protection Intent
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Get all protectable containers
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Get all items in a container
Microsoft.RecoveryServices/locations/backupStatus/action Check Backup Status for Recovery Services Vaults
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate Features
Microsoft.RecoveryServices/locations/backupAadProperties/read Get AAD Properties for authentication in the third region for Cross Region Restore.
Microsoft.RecoveryServices/locations/backupCrrJobs/action List Cross Region Restore Jobs in the secondary region for Recovery Services Vault.
Microsoft.RecoveryServices/locations/backupCrrJob/action Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault.
Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action Trigger Cross region restore.
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read Returns CRR Operation Result for Recovery Services Vault.
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read Returns CRR Operation Status for Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert.
Microsoft.RecoveryServices/operations/read Operation returns the list of Operations for a Resource Provider
Microsoft.RecoveryServices/locations/operationStatus/read Gets Operation Status for a given Operation
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup Protection Intents
Microsoft.Support/* Create and update a support ticket
Microsoft.DataProtection/backupVaults/backupInstances/read Returns all Backup Instances
Microsoft.DataProtection/backupVaults/backupInstances/read Returns all Backup Instances
Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read Returns Backup Operation Result for Backup Vault.
Microsoft.DataProtection/backupVaults/backupInstances/write Creates a Backup Instance
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read List soft-deleted Backup Instances in a Backup Vault.
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action Finds Restorable Time Ranges
Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group
Microsoft.DataProtection/backupVaults/operationResults/read Gets Operation Result of a Patch Operation for a Backup Vault
Microsoft.DataProtection/backupVaults/operationStatus/read Returns Backup Operation Status for Backup Vault.
Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group
Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group
Microsoft.DataProtection/locations/operationStatus/read Returns Backup Operation Status for Backup Vault.
Microsoft.DataProtection/locations/operationResults/read Returns Backup Operation Result for Backup Vault.
Microsoft.DataProtection/operations/read Operation returns the list of Operations for a Resource Provider
Microsoft.DataProtection/backupVaults/validateForBackup/action Validates for backup of Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/backup/action Performs Backup on the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action Validates for Restore of the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/restore/action Triggers restore on the Backup Instance
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action Triggers cross region restore operation on given backup instance.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action Performs validations for cross region restore operation.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action List cross region restore jobs of backup instance from secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action Get cross region restore job details from secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action Returns recovery points from secondary region for cross region restore enabled Backup Vaults.
Microsoft.DataProtection/locations/checkFeatureSupport/action Validates if a feature is supported
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy'
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read Get the list of ResourceGuard proxies for a resource
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation
Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read Get ResourceGuard proxy operation gets an object representing the Azure resource of type 'ResourceGuard proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write Create ResourceGuard proxy operation creates an Azure resource of type 'ResourceGuard Proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete The Delete ResourceGuard proxy operation deletes the specified Azure resource of type 'ResourceGuard proxy'
Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action Unlock delete ResourceGuard proxy operation unlocks the next delete critical operation
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
  "name": "00c29273-979b-4161-815c-10b084fb9324",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
        "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/write",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupAadProperties/read",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/operations/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action",
        "Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",
        "Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Backup Reader

Can view backup services, but can't make changes

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp is internal operation used by service
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Returns status of the operation
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Gets result of Operation performed on Protection Container.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Gets Result of Operation Performed on Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Returns the status of Operation performed on Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Returns object details of the Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Get Recovery Points for Protected Items.
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Returns all registered containers
Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read Returns the Result of Job Operation.
Microsoft.RecoveryServices/Vaults/backupJobs/read Returns all Job Objects
Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export Jobs
Microsoft.RecoveryServices/Vaults/backupOperationResults/read Returns Backup Operation Result for Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Get Results of Policy Operation.
Microsoft.RecoveryServices/Vaults/backupPolicies/read Returns all Protection Policies
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Returns the list of all Protected Items.
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Returns all containers belonging to the subscription
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for Protected Items and Protected Servers for a Recovery Services .
Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault?
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery services vault.
Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation
Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used get the containers registered for a resource.
Microsoft.RecoveryServices/Vaults/backupstorageconfig/read Returns Storage Configuration for Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/backupconfig/read Returns Configuration for Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/backupOperations/read Returns Backup Operation Status for Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Get Status of Policy Operation.
Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with vault.
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Get a backup Protection Intent
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Get all items in a container
Microsoft.RecoveryServices/locations/backupStatus/action Check Backup Status for Recovery Services Vaults
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert.
Microsoft.RecoveryServices/operations/read Operation returns the list of Operations for a Resource Provider
Microsoft.RecoveryServices/locations/operationStatus/read Gets Operation Status for a given Operation
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup Protection Intents
Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services Vault.
Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate Features
Microsoft.RecoveryServices/locations/backupCrrJobs/action List Cross Region Restore Jobs in the secondary region for Recovery Services Vault.
Microsoft.RecoveryServices/locations/backupCrrJob/action Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault.
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read Returns CRR Operation Result for Recovery Services Vault.
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read Returns CRR Operation Status for Recovery Services Vault.
Microsoft.DataProtection/locations/getBackupStatus/action Check Backup Status for Recovery Services Vaults
Microsoft.DataProtection/backupVaults/backupInstances/write Creates a Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/read Returns all Backup Instances
Microsoft.DataProtection/backupVaults/deletedBackupInstances/read List soft-deleted Backup Instances in a Backup Vault.
Microsoft.DataProtection/backupVaults/backupInstances/backup/action Performs Backup on the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action Validates for Restore of the Backup Instance
Microsoft.DataProtection/backupVaults/backupInstances/restore/action Triggers restore on the Backup Instance
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupPolicies/read Returns all Backup Policies
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read Returns all Recovery Points
Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read Returns Backup Operation Result for Backup Vault.
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action Finds Restorable Time Ranges
Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group
Microsoft.DataProtection/backupVaults/operationResults/read Gets Operation Result of a Patch Operation for a Backup Vault
Microsoft.DataProtection/backupVaults/operationStatus/read Returns Backup Operation Status for Backup Vault.
Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group
Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group
Microsoft.DataProtection/locations/operationStatus/read Returns Backup Operation Status for Backup Vault.
Microsoft.DataProtection/locations/operationResults/read Returns Backup Operation Result for Backup Vault.
Microsoft.DataProtection/backupVaults/validateForBackup/action Validates for backup of Backup Instance
Microsoft.DataProtection/operations/read Operation returns the list of Operations for a Resource Provider
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action List cross region restore jobs of backup instance from secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action Get cross region restore job details from secondary region.
Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action Returns recovery points from secondary region for cross region restore enabled Backup Vaults.
Microsoft.DataProtection/locations/checkFeatureSupport/action Validates if a feature is supported
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Can view backup services, but can't make changes",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/read",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/operations/read",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
        "Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Classic Storage Account Contributor

Lets you manage classic storage accounts, but not access to them.

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ClassicStorage/storageAccounts/* Create and manage storage accounts
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage classic storage accounts, but not access to them.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
  "name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Classic Storage Account Key Operator Service Role

Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts

Learn more

Actions Description
Microsoft.ClassicStorage/storageAccounts/listkeys/action Lists the access keys for the storage accounts.
Microsoft.ClassicStorage/storageAccounts/regeneratekey/action Regenerates the existing access keys for the storage account.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
  "name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ClassicStorage/storageAccounts/listkeys/action",
        "Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Box Contributor

Lets you manage everything under Data Box Service except giving access to others.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
Microsoft.Databox/*
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage everything under Data Box Service except giving access to others.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
  "name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Databox/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Box Reader

Lets you manage Data Box Service except creating order or editing order details and giving access to others.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Databox/*/read
Microsoft.Databox/jobs/listsecrets/action
Microsoft.Databox/jobs/listcredentials/action Lists the unencrypted credentials related to the order.
Microsoft.Databox/locations/availableSkus/action This method returns the list of available skus.
Microsoft.Databox/locations/validateInputs/action This method does all type of validations.
Microsoft.Databox/locations/regionConfiguration/action This method returns the configurations for the region.
Microsoft.Databox/locations/validateAddress/action Validates the shipping address and provides alternate addresses if any.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Databox/*/read",
        "Microsoft.Databox/jobs/listsecrets/action",
        "Microsoft.Databox/jobs/listcredentials/action",
        "Microsoft.Databox/locations/availableSkus/action",
        "Microsoft.Databox/locations/validateInputs/action",
        "Microsoft.Databox/locations/regionConfiguration/action",
        "Microsoft.Databox/locations/validateAddress/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Data Lake Analytics Developer

Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.BigAnalytics/accounts/*
Microsoft.DataLakeAnalytics/accounts/*
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Support/* Create and update a support ticket
NotActions
Microsoft.BigAnalytics/accounts/Delete
Microsoft.BigAnalytics/accounts/TakeOwnership/action
Microsoft.BigAnalytics/accounts/Write
Microsoft.DataLakeAnalytics/accounts/Delete Delete a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action Grant permissions to cancel jobs submitted by other users.
Microsoft.DataLakeAnalytics/accounts/Write Create or update a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write Create or update a linked DataLakeStore account of a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete Unlink a DataLakeStore account from a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write Create or update a linked Storage account of a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete Unlink a Storage account from a DataLakeAnalytics account.
Microsoft.DataLakeAnalytics/accounts/firewallRules/Write Create or update a firewall rule.
Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete Delete a firewall rule.
Microsoft.DataLakeAnalytics/accounts/computePolicies/Write Create or update a compute policy.
Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete Delete a compute policy.
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
  "name": "47b7735b-770e-4598-a7da-8b91488b4c88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BigAnalytics/accounts/*",
        "Microsoft.DataLakeAnalytics/accounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.BigAnalytics/accounts/Delete",
        "Microsoft.BigAnalytics/accounts/TakeOwnership/action",
        "Microsoft.BigAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
        "Microsoft.DataLakeAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Lake Analytics Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Defender for Storage Data Scanner

Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.

Actions Description
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns list of containers
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write Returns the result of writing blob tags
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read Returns the result of reading blob tags
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
  "name": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Defender for Storage Data Scanner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Network Admin

Allows access to create Private Endpoints on SAN resources, and to read SAN resources

Learn more

Actions Description
Microsoft.ElasticSan/elasticSans/*/read
Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action
Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write
Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete
Microsoft.ElasticSan/locations/asyncoperations/read Polls the status of an asynchronous operation.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows access to create Private Endpoints on SAN resources, and to read SAN resources",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
  "name": "fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
  "permissions": [
    {
      "actions": [
        "Microsoft.ElasticSan/elasticSans/*/read",
        "Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action",
        "Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write",
        "Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete",
        "Microsoft.ElasticSan/locations/asyncoperations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Network Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Owner

Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ElasticSan/elasticSans/*
Microsoft.ElasticSan/locations/*
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406",
  "name": "80dcbedb-47ef-405d-95bd-188a1b4ac406",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Reader

Allows for control path read access to Azure Elastic SAN

Actions Description
Microsoft.Authorization/roleAssignments/read Get information about a role assignment.
Microsoft.Authorization/roleDefinitions/read Get information about a role definition.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.ElasticSan/elasticSans/*/read
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for control path read access to Azure Elastic SAN",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
  "name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ElasticSan/elasticSans/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Volume Group Owner

Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access

Actions Description
Microsoft.Authorization/roleAssignments/read Get information about a role assignment.
Microsoft.Authorization/roleDefinitions/read Get information about a role definition.
Microsoft.ElasticSan/elasticSans/volumeGroups/*
Microsoft.ElasticSan/locations/asyncoperations/read Polls the status of an asynchronous operation.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23",
  "name": "a8281131-f312-4f34-8d98-ae12be9f0d23",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Volume Group Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Reader and Data Access

Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.

Actions Description
Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/ListAccountSas/action Returns the Account SAS token for the specified storage account.
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
  "name": "c12c1c16-33a1-487b-954d-41c89c60f349",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader and Data Access",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Account Backup Contributor

Lets you perform backup and restore operations using Azure Backup on the storage account.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Authorization/locks/read Gets locks at the specified scope.
Microsoft.Authorization/locks/write Add locks at the specified scope.
Microsoft.Authorization/locks/delete Delete locks at the specified scope.
Microsoft.Features/features/read Gets the features of a subscription.
Microsoft.Features/providers/features/read Gets the feature of a subscription in a given resource provider.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/operations/read Polls the status of an asynchronous operation.
Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete Delete object replication policy
Microsoft.Storage/storageAccounts/objectReplicationPolicies/read List object replication policies
Microsoft.Storage/storageAccounts/objectReplicationPolicies/write Create or update object replication policy
Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write Create object replication restore point marker
Microsoft.Storage/storageAccounts/blobServices/containers/read Returns list of containers
Microsoft.Storage/storageAccounts/blobServices/containers/write Returns the result of put blob container
Microsoft.Storage/storageAccounts/blobServices/read Returns blob service properties or statistics
Microsoft.Storage/storageAccounts/blobServices/write Returns the result of put blob service properties
Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Storage/storageAccounts/restoreBlobRanges/action Restore blob ranges to the state of the specified time
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you perform backup and restore operations using Azure Backup on the storage account.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
  "name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/locks/write",
        "Microsoft.Authorization/locks/delete",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/operations/read",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/blobServices/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Backup Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Account Contributor

Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.

Learn more

Actions Description
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Insights/alertRules/* Create and manage a classic metric alert
Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins resource such as storage account or SQL database to a subnet. Not alertable.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Storage/storageAccounts/* Create and manage storage accounts
Microsoft.Support/* Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Account Key Operator Service Role

Permits listing and regenerating storage account access keys.

Learn more

Actions Description
Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/regeneratekey/action Regenerates the access keys for the specified storage account.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
  "name": "81a9662b-bebf-436f-a333-f67b29880f12",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Contributor

Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling data operations.

Learn more

Actions Description
Microsoft.Storage/storageAccounts/blobServices/containers/delete Delete a container.
Microsoft.Storage/storageAccounts/blobServices/containers/read Return a container or a list of containers.
Microsoft.Storage/storageAccounts/blobServices/containers/write Modify a container's metadata or properties.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the Blob service.
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Delete a blob.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Return a blob or a list of blobs.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Write to a blob.
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action Moves the blob from one path to another
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action Returns the result of adding blob content
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write and delete access to Azure Storage blob containers and data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Owner

Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling data operations.

Learn more

Actions Description
Microsoft.Storage/storageAccounts/blobServices/containers/* Full permissions on containers.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the Blob service.
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* Full permissions on blobs.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
  "name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/*",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Reader

Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling data operations.

Learn more

Actions Description
Microsoft.Storage/storageAccounts/blobServices/containers/read Return a container or a list of containers.
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the Blob service.
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Return a blob or a list of blobs.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage blob containers and data",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Delegator

Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS.

Learn more

Actions Description
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action Returns a user delegation key for the Blob service.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
  "name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Delegator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data Privileged Contributor

Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.

Actions Description
none
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file/folder or a list of files/folders
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Returns the result of writing a file or creating a folder
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Returns the result of deleting a file/folder
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action Returns the result of modifying permission on a file/folder
Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action Read File Backup Semantics Privilege
Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action Write File Backup Semantics Privilege
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-475b-8e7c-b3118f30c6bd",
  "name": "69566ab7-960f-475b-8e7c-b3118f30c6bd",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action",
        "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action",
        "Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data Privileged Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data Privileged Reader

Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.

Actions Description
none
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file/folder or a list of files/folders
Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action Read File Backup Semantics Privilege
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Customer has read access on Azure Storage file shares.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-4f76-af95-65846b26df6d",
  "name": "b8eda974-7b85-4f76-af95-65846b26df6d",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data Privileged Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Contributor

Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers.

Learn more

Actions Description
none
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file/folder or a list of files/folders.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Returns the result of writing a file or creating a folder.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Returns the result of deleting a file/folder.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Elevated Contributor

Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers.

Learn more

Actions Description
none
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file/folder or a list of files/folders.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Returns the result of writing a file or creating a folder.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Returns the result of deleting a file/folder.
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action Returns the result of modifying permission on a file/folder.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
  "name": "a7264617-510b-434b-a828-9731dc254ea7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Elevated Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Reader

Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers.

Learn more

Actions Description
none
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Returns a file/folder or a list of files/folders.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure File Share over SMB",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
  "name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Contributor

Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling data operations.

Learn more

Actions Description
Microsoft.Storage/storageAccounts/queueServices/queues/delete Delete a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/read Return a queue or a list of queues.
Microsoft.Storage/storageAccounts/queueServices/queues/write Modify queue metadata or properties.
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete Delete one or more messages from a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Peek or retrieve one or more messages from a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/write Add a message to a queue.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action Returns the result of processing a message
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
  "name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Message Processor

Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling data operations.

Learn more

Actions Description
none
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Peek a message.
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action Retrieve and delete a message.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
  "name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Message Processor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Message Sender

Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling data operations.

Learn more

Actions Description
none
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action Add a message to a queue.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for sending of Azure Storage queue messages",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
  "name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Message Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Reader

Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling data operations.

Learn more

Actions Description
Microsoft.Storage/storageAccounts/queueServices/queues/read Returns a queue or a list of queues.
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Peek or retrieve one or more messages from a queue.
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage queues and queue messages",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
  "name": "19e7f393-937e-4f77-808e-94535e297925",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Table Data Contributor

Allows for read, write and delete access to Azure Storage tables and entities

Actions Description
Microsoft.Storage/storageAccounts/tableServices/tables/read Query tables
Microsoft.Storage/storageAccounts/tableServices/tables/write Create tables
Microsoft.Storage/storageAccounts/tableServices/tables/delete Delete tables
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read Query table entities
Microsoft.Storage/storageAccounts/tableServices/tables/entities/write Insert, merge, or replace table entities
Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete Delete table entities
Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action Insert table entities
Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action Merge or update table entities
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write and delete access to Azure Storage tables and entities",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
  "name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/read",
        "Microsoft.Storage/storageAccounts/tableServices/tables/write",
        "Microsoft.Storage/storageAccounts/tableServices/tables/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Table Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Table Data Reader

Allows for read access to Azure Storage tables and entities

Actions Description
Microsoft.Storage/storageAccounts/tableServices/tables/read Query tables
NotActions
none
DataActions
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read Query table entities
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read access to Azure Storage tables and entities",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6",
  "name": "76199698-9eea-4c19-bc75-cec21354c6b6",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Table Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Next steps