Azure built-in roles
Azure role-based access control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. For information about how to assign roles, see Steps to assign an Azure role.
This article lists the Azure built-in roles. If you are looking for administrator roles for Azure Active Directory (Azure AD), see Azure AD built-in roles.
The following table provides a brief description of each built-in role. Click the role name to see the list of Actions, NotActions, DataActions, and NotDataActions for each role. For information about what these actions mean and how they apply to the control and data planes, see Understand Azure role definitions.
All
| Built-in role | Description | ID |
|---|---|---|
| General | ||
| Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c |
| Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 |
| Reader | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7 |
| Role Based Access Control Administrator | Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. | f58310d9-a9f6-439a-9e8d-f62e7b41a168 |
| User Access Administrator | Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 |
| Compute | ||
| Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb |
| Data Operator for Managed Disks | Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. | 959f8984-c045-4866-89c7-12bf9737be2e |
| Disk Backup Reader | Provides permission to backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| Disk Pool Operator | Provide permission to StoragePool Resource Provider to manage disks added to a disk pool. | 60fc6e62-5479-42d4-8bf4-67625fcc2840 |
| Disk Restore Operator | Provides permission to backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13 |
| Disk Snapshot Contributor | Provides permission to backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce |
| Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator | 1c0163c0-47e6-4577-8991-ea5c82e286e4 |
| Virtual Machine Contributor | Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c |
| Virtual Machine Data Access Administrator (preview) | Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. | 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04 |
| Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
| Windows Admin Center Administrator Login | Let's you manage the OS of your resource via Windows Admin Center as an administrator. | a6333a3e-0164-44c3-b281-7a577aff287f |
| Networking | ||
| Azure Front Door Domain Contributor | Can manage Azure Front Door domains, but can't grant access to other users. | 0ab34830-df19-4f8c-b84e-aa85b8afa6e8 |
| Azure Front Door Domain Reader | Can view Azure Front Door domains, but can't make changes. | 0f99d363-226e-4dca-9920-b807cf8e1a5f |
| Azure Front Door Profile Reader | Can view AFD standard and premium profiles and their endpoints, but can't make changes. | 662802e2-50f6-46b0-aed2-e834bacc6d12 |
| Azure Front Door Secret Contributor | Can manage Azure Front Door secrets, but can't grant access to other users. | 3f2eb865-5811-4578-b90a-6fc6fa0df8e5 |
| Azure Front Door Secret Reader | Can view Azure Front Door secrets, but can't make changes. | 0db238c4-885e-4c4f-a933-aa2cef684fca |
| CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 |
| CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. | 871e35f6-b5c1-49cc-a043-bde969a0f2cd |
| CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can't grant access to other users. | ec156ff8-a8d1-4d15-830c-5b80698ca432 |
| CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. | 8f96442b-4075-438f-813d-ad51ab4019af |
| Classic Network Contributor | Lets you manage classic networks, but not access to them. | b34d265f-36f7-4a0d-a4d4-e158ca92e90f |
| DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | befefa01-2a29-4197-83a8-272ff33ce314 |
| Network Contributor | Lets you manage networks, but not access to them. | 4d97b98b-1d4f-4787-a291-c67834d212e7 |
| Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | b12aa53e-6015-4669-85d0-8515ebb3ae7f |
| Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 |
| Storage | ||
| Avere Contributor | Can create and manage an Avere vFXT cluster. | 4f8fab4f-1852-4a58-a46a-8eaf358af14a |
| Avere Operator | Used by the Avere vFXT cluster to manage the cluster | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 |
| Backup Contributor | Lets you manage backup service, but can't create vaults and give access to others | 5e467623-bb1f-42f4-a55d-6e525e11384b |
| Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others | 00c29273-979b-4161-815c-10b084fb9324 |
| Backup Reader | Can view backup services, but can't make changes | a795c7a0-d4a2-40c1-ae25-d81f01202912 |
| Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 |
| Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | 985d6b00-f706-48f5-a6fe-d0ca12fb668d |
| Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | add466c9-e687-43fc-8d98-dfcf8d720be5 |
| Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 |
| Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c88 |
| Defender for Storage Data Scanner | Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. | 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 |
| Elastic SAN Owner | Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access | 80dcbedb-47ef-405d-95bd-188a1b4ac406 |
| Elastic SAN Reader | Allows for control path read access to Azure Elastic SAN | af6a70f8-3c9f-4105-acf1-d719e9fca4ca |
| Elastic SAN Volume Group Owner | Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access | a8281131-f312-4f34-8d98-ae12be9f0d23 |
| Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | c12c1c16-33a1-487b-954d-41c89c60f349 |
| Storage Account Backup Contributor | Lets you perform backup and restore operations using Azure Backup on the storage account. | e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 |
| Storage Account Contributor | Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. | 17d1049b-9a84-46fb-8f53-869881c3d3ab |
| Storage Account Key Operator Service Role | Permits listing and regenerating storage account access keys. | 81a9662b-bebf-436f-a333-f67b29880f12 |
| Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | ba92f5b4-2d11-453d-a403-e96b0029c9fe |
| Storage Blob Data Owner | Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | b7e6dc6d-f1e8-4753-8033-0f276bb0955b |
| Storage Blob Data Reader | Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 |
| Storage Blob Delegator | Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. | db58b8e5-c6ad-4a2a-8342-4190687cbf4a |
| Storage File Data Privileged Contributor | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. | 69566ab7-960f-475b-8e7c-b3118f30c6bd |
| Storage File Data Privileged Reader | Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. | b8eda974-7b85-4f76-af95-65846b26df6d |
| Storage File Data SMB Share Contributor | Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb |
| Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers. | a7264617-510b-434b-a828-9731dc254ea7 |
| Storage File Data SMB Share Reader | Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers. | aba4ae5f-2193-4029-9191-0cb91df5e314 |
| Storage Queue Data Contributor | Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 |
| Storage Queue Data Message Processor | Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 8a0f0c08-91a1-4084-bc3d-661d67233fed |
| Storage Queue Data Message Sender | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a |
| Storage Queue Data Reader | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 19e7f393-937e-4f77-808e-94535e297925 |
| Storage Table Data Contributor | Allows for read, write and delete access to Azure Storage tables and entities | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 |
| Storage Table Data Reader | Allows for read access to Azure Storage tables and entities | 76199698-9eea-4c19-bc75-cec21354c6b6 |
| Web | ||
| Azure Maps Data Contributor | Grants access to read, write, and delete access to map related data from an Azure maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 |
| Azure Maps Data Reader | Grants access to read map related data from an Azure maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa |
| Azure Spring Cloud Config Server Contributor | Allow read, write and delete access to Azure Spring Cloud Config Server | a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b |
| Azure Spring Cloud Config Server Reader | Allow read access to Azure Spring Cloud Config Server | d04c6db6-4947-4782-9e91-30a88feb7be7 |
| Azure Spring Cloud Data Reader | Allow read access to Azure Spring Cloud Data | b5537268-8956-4941-a8f0-646150406f0c |
| Azure Spring Cloud Service Registry Contributor | Allow read, write and delete access to Azure Spring Cloud Service Registry | f5880b48-c26d-48be-b172-7927bfa1c8f1 |
| Azure Spring Cloud Service Registry Reader | Allow read access to Azure Spring Cloud Service Registry | cff1b556-2399-4e7e-856d-a8f754be7b65 |
| Media Services Account Administrator | Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. | 054126f8-9a2b-4f1c-a9ad-eca461f08466 |
| Media Services Live Events Administrator | Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. | 532bc159-b25e-42c0-969e-a1d439f60d77 |
| Media Services Media Operator | Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. | e4395492-1534-4db2-bedf-88c14621589c |
| Media Services Policy Administrator | Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. | c4bba371-dacd-4a26-b320-7250bca963ae |
| Media Services Streaming Endpoints Administrator | Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. | 99dba123-b5fe-44d5-874c-ced7199a5804 |
| Search Index Data Contributor | Grants full access to Azure Cognitive Search index data. | 8ebe5a00-799e-43f5-93ac-243d3dce84a7 |
| Search Index Data Reader | Grants read access to Azure Cognitive Search index data. | 1407120a-92aa-4202-b7e9-c0e197c71c8f |
| Search Service Contributor | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 |
| SignalR AccessKey Reader | Read SignalR Service Access Keys | 04165923-9d83-45d5-8227-78b77b0a687e |
| SignalR App Server | Lets your app server access SignalR Service with AAD auth options. | 420fcaa2-552c-430f-98ca-3264be4806c7 |
| SignalR REST API Owner | Full access to Azure SignalR Service REST APIs | fd53cd77-2268-407a-8f46-7e7863d0f521 |
| SignalR REST API Reader | Read-only access to Azure SignalR Service REST APIs | ddde6b66-c0df-4114-a159-3618637b3035 |
| SignalR Service Owner | Full access to Azure SignalR Service REST APIs | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 |
| SignalR/Web PubSub Contributor | Create, Read, Update, and Delete SignalR service resources | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 |
| Web Plan Contributor | Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b |
| Website Contributor | Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. | de139f84-1756-47ae-9be6-808fbbe84772 |
| Containers | ||
| AcrDelete | Delete repositories, tags, or manifests from a container registry. | c2f4ef07-c644-48eb-af81-4b1b4947fb11 |
| AcrImageSigner | Push trusted images to or pull trusted images from a container registry enabled for content trust. | 6cef56e8-d556-48e5-a04f-b8e64114680f |
| AcrPull | Pull artifacts from a container registry. | 7f951dda-4ed3-4680-a7ca-43fe172d538d |
| AcrPush | Push artifacts to or pull artifacts from a container registry. | 8311e382-0749-4cb8-b61a-304f252e45ec |
| AcrQuarantineReader | Pull quarantined images from a container registry. | cdda3590-29a3-44f6-95f2-9f980659eb04 |
| AcrQuarantineWriter | Push quarantined images to or pull quarantined images from a container registry. | c8d4ff99-41c3-41a8-9f60-21dfdad59608 |
| Azure Kubernetes Fleet Manager RBAC Admin | This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. | 434fb43a-c01c-447e-9f67-c3ad923cfaba |
| Azure Kubernetes Fleet Manager RBAC Cluster Admin | Lets you manage all resources in the fleet manager cluster. | 18ab4d3d-a1bf-4477-8ad9-8359bc988f69 |
| Azure Kubernetes Fleet Manager RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 30b27cfc-9c84-438e-b0ce-70e35255df80 |
| Azure Kubernetes Fleet Manager RBAC Writer | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | 5af6afb3-c06c-4fa4-8848-71a8aee05683 |
| Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 |
| Azure Kubernetes Service Cluster Monitoring User | List cluster monitoring user credential action. | 1afdec4b-e479-420e-99e7-f82237c7c5e6 |
| Azure Kubernetes Service Cluster User Role | List cluster user credential action. | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f |
| Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 |
| Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | 3498e952-d568-435e-9b2c-8d77e338d7f7 |
| Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b |
| Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db |
| Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb |
| Databases | ||
| Azure Connected SQL Server Onboarding | Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. | e8113dce-c529-4d33-91fa-e9b972617508 |
| Cosmos DB Account Reader Role | Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. | fbdf93bf-df7d-467e-a4d2-9458aa1360c8 |
| Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | 230815da-be43-4aae-9cb4-875f7bd000aa |
| CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account | db7b14f2-5adf-42da-9f96-f2ee17bab5cb |
| CosmosRestoreOperator | Can perform restore action for Cosmos DB database account with continuous backup mode | 5432c526-bc82-444a-b7ba-57c5b0b5b34f |
| DocumentDB Account Contributor | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. | 5bd9cd88-fe45-4216-938b-f97437e15450 |
| Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17 |
| SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec |
| SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d |
| SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | 056cd41c-7e88-42e1-933e-88ba6a50c9c3 |
| SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 |
| Analytics | ||
| Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | f526a384-b230-433a-b45c-95f59c4a2dec |
| Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fde |
| Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f975 |
| Data Factory Contributor | Create and manage data factories, as well as child resources within them. | 673868aa-7521-48a0-acc6-0f60742d39f5 |
| Data Purger | Delete private data from a Log Analytics workspace. | 150f5e0c-0603-4f03-8c7f-cf70034c4e90 |
| HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | 61ed4efc-fab3-44fd-b111-e24485cc132a |
| HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | 8d8d5a11-05d3-4bda-a417-a08778121c7c |
| Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 |
| Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | 73c42c96-874c-492b-b04d-ab87d138a893 |
| Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb25 |
| Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. | 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 |
| Stream Analytics Query Tester | Lets you perform query testing without creating a stream analytics job first | 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf |
| AI + machine learning | ||
| AzureML Compute Operator | Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). | e503ece1-11d0-4e8e-8e2c-7a6c3bf38815 |
| AzureML Data Scientist | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | f6c7c914-8db3-469d-8ca1-694a8f32e121 |
| Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 |
| Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 |
| Cognitive Services Custom Vision Deployment | Publish, unpublish or export models. Deployment can view the project but can't update. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f |
| Cognitive Services Custom Vision Labeler | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c |
| Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d73 |
| Cognitive Services Custom Vision Trainer | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b |
| Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c |
| Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. | 9894cab4-e18a-44aa-828b-cb588cd6f2d7 |
| Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a |
| Cognitive Services OpenAI Contributor | Full access including the ability to fine-tune, deploy and generate text | a001fd3d-188f-4b5d-821b-7da978bf7442 |
| Cognitive Services OpenAI User | Read access to view files, models, deployments. The ability to create completion and embedding calls. | 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd |
| Cognitive Services QnA Maker Editor | Let's you create, edit, import and export a KB. You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025 |
| Cognitive Services QnA Maker Reader | Let's you read and test a KB only. | 466ccd10-b268-4a11-b098-b4849f024126 |
| Cognitive Services Usages Reader | Minimal permission to view Cognitive Services usages. | bba48692-92b0-4667-a9ad-c31c7b334ac2 |
| Cognitive Services User | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908 |
| Internet of things | ||
| Device Update Administrator | Gives you full access to management and content operations | 02ca0879-e8e4-47a5-a61e-5c618b76e64a |
| Device Update Content Administrator | Gives you full access to content operations | 0378884a-3af5-44ab-8323-f5b22f9f3c98 |
| Device Update Content Reader | Gives you read access to content operations, but does not allow making changes | d1ee9a80-8b14-47f0-bdc2-f4a351625a7b |
| Device Update Deployments Administrator | Gives you full access to management operations | e4237640-0e3d-4a46-8fda-70bc94856432 |
| Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes | 49e2f5d2-7741-4835-8efa-19e1fe35e47f |
| Device Update Reader | Gives you read access to management and content operations, but does not allow making changes | e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f |
| IoT Hub Data Contributor | Allows for full access to IoT Hub data plane operations. | 4fc6c259-987e-4a07-842e-c321cc9d413f |
| IoT Hub Data Reader | Allows for full read access to IoT Hub data-plane properties | b447c946-2db7-41ec-983d-d8bf3b1c77e3 |
| IoT Hub Registry Contributor | Allows for full access to IoT Hub device registry. | 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 |
| IoT Hub Twin Contributor | Allows for read and write access to all IoT Hub device and module twins. | 494bdba2-168f-4f31-a0a1-191d2f7c028c |
| Mixed reality | ||
| Remote Rendering Administrator | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e |
| Remote Rendering Client | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. | d39065c4-c120-43c9-ab0a-63eed9795f0a |
| Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 |
| Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them | 70bbe301-9835-447d-afdd-19eb3167307c |
| Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account | 5d51204f-eb77-4b1c-b86a-2ec626c49413 |
| Integration | ||
| API Management Service Contributor | Can manage service and the APIs | 312a565d-c81f-4fd8-895a-4e21e48d571c |
| API Management Service Operator Role | Can manage service but not the APIs | e022efe7-f5ba-4159-bbe4-b44f577e9b61 |
| API Management Service Reader Role | Read-only access to service and APIs | 71522526-b88f-4d52-b57f-d31fc3546d0d |
| API Management Service Workspace API Developer | Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. | 9565a273-41b9-4368-97d2-aeb0c976a9b3 |
| API Management Service Workspace API Product Manager | Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. | d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da |
| API Management Workspace API Developer | Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. | 56328988-075d-4c6a-8766-d93edd6725b6 |
| API Management Workspace API Product Manager | Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. | 73c2c328-d004-4c5e-938c-35c6f5679a1f |
| API Management Workspace Contributor | Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. | 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 |
| API Management Workspace Reader | Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. | ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 |
| App Configuration Data Owner | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b |
| App Configuration Data Reader | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 |
| Azure Relay Listener | Allows for listen access to Azure Relay resources. | 26e0b698-aa6d-4085-9386-aadae190014d |
| Azure Relay Owner | Allows for full access to Azure Relay resources. | 2787bf04-f1f5-4bfe-8383-c8a24483ee38 |
| Azure Relay Sender | Allows for send access to Azure Relay resources. | 26baccc8-eea7-41f1-98f4-1762cc7f685d |
| Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419 |
| Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 |
| Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 |
| Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a |
| EventGrid Contributor | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de |
| EventGrid Data Sender | Allows send access to event grid events. | d5a91429-5739-47e2-a06b-3470a27159e7 |
| EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 |
| EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | 2414bbcf-6497-4faf-8c65-045460748405 |
| FHIR Data Contributor | Role allows user or principal full access to FHIR Data | 5a1fc7df-4bf1-4951-a576-89034ee01acd |
| FHIR Data Exporter | Role allows user or principal to read and export FHIR Data | 3db33094-8700-4567-8da5-1501d4e7e843 |
| FHIR Data Importer | Role allows user or principal to read and import FHIR Data | 4465e953-8ced-4406-a58e-0f6e3f3b530b |
| FHIR Data Reader | Role allows user or principal to read FHIR Data | 4c8d0bbc-75d3-4935-991f-5f3c56d81508 |
| FHIR Data Writer | Role allows user or principal to read and write FHIR Data | 3f88fce4-5892-4214-ae73-ba5294559913 |
| Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8 |
| Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec |
| Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | 03a6d094-3444-4b3d-88af-7477090a9e5e |
| Logic App Contributor | Lets you manage logic apps, but not change access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e |
| Logic App Operator | Lets you read, enable, and disable logic apps, but not edit or update them. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe |
| Identity | ||
| Domain Services Contributor | Can manage Azure AD Domain Services and related network configurations | eeaeda52-9324-47f6-8069-5d5bade478b2 |
| Domain Services Reader | Can view Azure AD Domain Services and related network configurations | 361898ef-9ed1-48c2-849c-a832951106bb |
| Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 |
| Managed Identity Operator | Read and Assign User Assigned Identity | f1a07417-d97a-45cb-824c-7a7467783830 |
| Security | ||
| App Compliance Automation Administrator | Create, read, download, modify and delete reports objects and related other resource objects. | 0f37683f-2463-46b6-9ce7-9b788b988ba2 |
| App Compliance Automation Reader | Read, download the reports objects and related other resource objects. | ffc6bbe0-e443-4c3b-bf54-26581bb2f78e |
| Attestation Contributor | Can read write or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e |
| Attestation Reader | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 |
| Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 |
| Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 |
| Key Vault Contributor | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395 |
| Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 |
| Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6 |
| Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d297424 |
| Key Vault Data Access Administrator (preview) | Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. | 8b54135c-b56d-4d72-a534-26097cfdc8d8 |
| Key Vault Reader | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2 |
| Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 |
| Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 |
| Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. | 18500a29-7fe2-46b2-a342-b16a415e101d |
| Microsoft Sentinel Automation Contributor | Microsoft Sentinel Automation Contributor | f4c81013-99ee-4d62-a7ee-b3f1f648599a |
| Microsoft Sentinel Contributor | Microsoft Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade |
| Microsoft Sentinel Playbook Operator | Microsoft Sentinel Playbook Operator | 51d6186e-6489-4900-b93f-92e23144cca5 |
| Microsoft Sentinel Reader | Microsoft Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb |
| Microsoft Sentinel Responder | Microsoft Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056 |
| Security Admin | View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring. |
fb1c8493-542b-48eb-b624-b4c8fea62acd |
| Security Assessment Contributor | Lets you push assessments to Microsoft Defender for Cloud | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 |
| Security Manager (Legacy) | This is a legacy role. Please use Security Admin instead. | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 |
| Security Reader | View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes. For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring. |
39bc4728-0917-49c7-9d2c-d95423bc2eb4 |
| DevOps | ||
| DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | 76283e04-6283-4c54-8f91-bcf1374a3c64 |
| Lab Assistant | Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab. | ce40b423-cede-4313-a93f-9b28290b72e1 |
| Lab Contributor | Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. | 5daaa2af-1fe8-407c-9122-bba179798270 |
| Lab Creator | Lets you create new labs under your Azure Lab Accounts. | b97fb8bc-a8b2-4522-a38b-dd33c7e65ead |
| Lab Operator | Gives you limited ability to manage existing labs. | a36e6959-b6be-4b12-8e9f-ef4b474d304d |
| Lab Services Contributor | Enables you to fully control all Lab Services scenarios in the resource group. | f69b8690-cc87-41d6-b77a-a4bc3c0a966f |
| Lab Services Reader | Enables you to view, but not change, all lab plans and lab resources. | 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc |
| Monitor | ||
| Application Insights Component Contributor | Can manage Application Insights components | ae349356-3a1b-4a5e-921d-050484c6347e |
| Application Insights Snapshot Debugger | Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. | 08954f03-6346-4c2e-81c0-ec3a5cfae23b |
| Monitoring Contributor | Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. | 749f88d5-cbae-40b8-bcfc-e573ddc772fa |
| Monitoring Metrics Publisher | Enables publishing metrics against Azure resources | 3913510d-42f4-4e42-8a64-420c390055eb |
| Monitoring Reader | Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. | 43d0d8ad-25c7-4714-9337-8ba259a9fe05 |
| Workbook Contributor | Can save shared workbooks. | e8ddcd69-c73f-4f9f-9844-4100522f16ad |
| Workbook Reader | Can read workbooks. | b279062a-9be3-42a0-92ae-8b3cf002ec4d |
| Management and governance | ||
| Automation Contributor | Manage Azure Automation resources and other resources using Azure Automation. | f353d9bd-d4a6-484e-a77a-8050b599b867 |
| Automation Job Operator | Create and Manage Jobs using Automation Runbooks. | 4fe576fe-1146-4730-92eb-48519fa6bf9f |
| Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs | d3881f73-407a-4167-8283-e981cbba0404 |
| Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. | 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 |
| Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. | 00493d72-78f6-4148-b6c5-d3ce8e4799dd |
| Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | dffb1e0c-446f-4dde-a09f-99eb5cc68b96 |
| Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. | 8393591c-06b9-48a2-a542-1bd6b377f6a2 |
| Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. | 63f0a09d-1495-4db4-a681-037d84835eb4 |
| Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. | 5b999177-9696-4545-85c7-50de3797e5a1 |
| Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 |
| Azure Connected Machine Resource Administrator | Can read, write, delete and re-onboard Azure Connected Machines. | cd570a14-e51a-42ad-bac8-bafd67325302 |
| Billing Reader | Allows read access to billing data | fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 |
| Blueprint Contributor | Can manage blueprint definitions, but not assign them. | 41077137-e803-4205-871c-5a86e6a753b4 |
| Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. | 437d2ced-4a38-4302-8479-ed2bcb43d090 |
| Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430 |
| Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a3 |
| Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d |
| Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 |
| Kubernetes Extension Contributor | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 |
| Managed Application Contributor Role | Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e |
| Managed Application Operator Role | Lets you read and perform actions on Managed Application resources | c7393b34-138c-406f-901b-d8cf2b17e6ae |
| Managed Applications Reader | Lets you read resources in a managed app and request JIT access. | b9331d33-8a36-4f8c-b097-4f54124fdb44 |
| Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | 91c1777a-f3dc-4fae-b103-61d183457e46 |
| Management Group Contributor | Management Group Contributor Role | 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c |
| Management Group Reader | Management Group Reader Role | ac63b705-f282-497d-ac71-919bf39d939d |
| New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | 5d28c62d-5b37-4476-8438-e587778df237 |
| Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | 66bb4e9e-b016-4a94-8249-4c0511c2be84 |
| Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. | 0e5f05e5-9ab9-446b-b98d-1e2157c94125 |
| Reservation Purchaser | Lets you purchase reservations | f7b75c60-3036-4b75-91c3-6b41c27c1689 |
| Resource Policy Contributor | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | 36243c78-bf99-498c-9df9-86d9f8d28608 |
| Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment | 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 |
| Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca |
| Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations | dbaa88c4-0c30-4179-9fb3-46319faa6149 |
| Support Request Contributor | Lets you create and manage Support requests | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e |
| Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f |
| Template Spec Contributor | Allows full access to Template Spec operations at the assigned scope. | 1c9b6475-caf0-4164-b5a1-2142a7116f4b |
| Template Spec Reader | Allows read access to Template Specs at the assigned scope. | 392ae280-861d-42bd-9ea5-08ee6d83b80e |
| Virtual desktop infrastructure | ||
| Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization Application Group. | 86240b0e-9422-4c43-887b-b61143f32ba8 |
| Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization Application Group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 |
| Desktop Virtualization Contributor | Contributor of Desktop Virtualization. | 082f0a83-3be5-4ba1-904c-961cca79b387 |
| Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization Host Pool. | e307426c-f9b6-4e81-87de-d99efb3c32bc |
| Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization Host Pool. | ceadfde2-b300-400a-ab7b-6143895aa822 |
| Desktop Virtualization Reader | Reader of Desktop Virtualization. | 49a72310-ab8d-41df-bbb0-79b649203868 |
| Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization Session Host. | 2ad6aaab-ead9-4eaa-8ac5-da422f562408 |
| Desktop Virtualization User | Allows user to use the applications in an application group. | 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 |
| Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization User Session. | ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 |
| Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization Workspace. | 21efdde3-836f-432b-bf3d-3e8e734d4b2b |
| Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization Workspace. | 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d |
| Other | ||
| Azure Digital Twins Data Owner | Full access role for Digital Twins data-plane | bcd981a7-7f74-457b-83e1-cceb9e632ffe |
| Azure Digital Twins Data Reader | Read-only role for Digital Twins data-plane properties | d57506d4-4c8d-48b1-8587-93c323f6a5a3 |
| BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 |
| Grafana Admin | Perform all Grafana operations, including the ability to manage data sources, create dashboards, and manage role assignments within Grafana. | 22926164-76b3-42b3-bc55-97df8dab3e41 |
| Grafana Editor | View and edit a Grafana instance, including its dashboards and alerts. | a79a5197-3a5c-4973-a920-486035ffd60f |
| Grafana Viewer | View a Grafana instance, including its dashboards and alerts. | 60921a7e-fef1-4a43-9b16-a26c52ad4769 |
| Load Test Contributor | View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. | 749a398d-560b-491b-bb21-08924219302e |
| Load Test Owner | Execute all operations on load test resources and load tests | 45bb0b16-2f0c-4e78-afaa-a07599b003f6 |
| Load Test Reader | View and list all load tests and load test resources but can not make any changes | 3ae3fb29-0000-4ccd-bf80-542e7b26e081 |
| Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 |
| Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | 82200a5b-e217-47a5-b665-6d8765ee745b |
General
Contributor
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. Learn more
| Actions | Description |
|---|---|
| * | Create and manage resources of all types |
| NotActions | |
| Microsoft.Authorization/*/Delete | Delete roles, policy assignments, policy definitions and policy set definitions |
| Microsoft.Authorization/*/Write | Create roles, role assignments, policy assignments, policy definitions and policy set definitions |
| Microsoft.Authorization/elevateAccess/Action | Grants the caller User Access Administrator access at the tenant scope |
| Microsoft.Blueprint/blueprintAssignments/write | Create or update any blueprint assignments |
| Microsoft.Blueprint/blueprintAssignments/delete | Delete any blueprint assignments |
| Microsoft.Compute/galleries/share/action | Shares a Gallery to different scopes |
| Microsoft.Purview/consents/write | Create or Update a Consent Resource. |
| Microsoft.Purview/consents/delete | Delete the Consent Resource. |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Purview/consents/write",
"Microsoft.Purview/consents/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Owner
Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. Learn more
| Actions | Description |
|---|---|
| * | Create and manage resources of all types |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"permissions": [
{
"actions": [
"*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Reader
View all resources, but does not allow you to make any changes. Learn more
| Actions | Description |
|---|---|
| */read | Read resources of all types, except secrets. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "View all resources, but does not allow you to make any changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
"name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Role Based Access Control Administrator
Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.
| Actions | Description |
|---|---|
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| */read | Read resources of all types, except secrets. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-439a-9e8d-f62e7b41a168",
"name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"*/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Role Based Access Control Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
User Access Administrator
Lets you manage user access to Azure resources. Learn more
| Actions | Description |
|---|---|
| */read | Read resources of all types, except secrets. |
| Microsoft.Authorization/* | Manage authorization |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage user access to Azure resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Authorization/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "User Access Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Compute
Classic Virtual Machine Contributor
Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ClassicCompute/domainNames/* | Create and manage classic compute domain names |
| Microsoft.ClassicCompute/virtualMachines/* | Create and manage virtual machines |
| Microsoft.ClassicNetwork/networkSecurityGroups/join/action | |
| Microsoft.ClassicNetwork/reservedIps/link/action | Link a reserved Ip |
| Microsoft.ClassicNetwork/reservedIps/read | Gets the reserved Ips |
| Microsoft.ClassicNetwork/virtualNetworks/join/action | Joins the virtual network. |
| Microsoft.ClassicNetwork/virtualNetworks/read | Get the virtual network. |
| Microsoft.ClassicStorage/storageAccounts/disks/read | Returns the storage account disk. |
| Microsoft.ClassicStorage/storageAccounts/images/read | Returns the storage account image. (Deprecated. Use 'Microsoft.ClassicStorage/storageAccounts/vmImages') |
| Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
| Microsoft.ClassicStorage/storageAccounts/read | Return the storage account with the given account. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/domainNames/*",
"Microsoft.ClassicCompute/virtualMachines/*",
"Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
"Microsoft.ClassicNetwork/reservedIps/link/action",
"Microsoft.ClassicNetwork/reservedIps/read",
"Microsoft.ClassicNetwork/virtualNetworks/join/action",
"Microsoft.ClassicNetwork/virtualNetworks/read",
"Microsoft.ClassicStorage/storageAccounts/disks/read",
"Microsoft.ClassicStorage/storageAccounts/images/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Operator for Managed Disks
Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Compute/disks/download/action | Perform read data operations on Disk SAS Uri |
| Microsoft.Compute/disks/upload/action | Perform write data operations on Disk SAS Uri |
| Microsoft.Compute/snapshots/download/action | Perform read data operations on Snapshot SAS Uri |
| Microsoft.Compute/snapshots/upload/action | Perform write data operations on Snapshot SAS Uri |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e",
"name": "959f8984-c045-4866-89c7-12bf9737be2e",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Compute/disks/download/action",
"Microsoft.Compute/disks/upload/action",
"Microsoft.Compute/snapshots/download/action",
"Microsoft.Compute/snapshots/upload/action"
],
"notDataActions": []
}
],
"roleName": "Data Operator for Managed Disks",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Disk Backup Reader
Provides permission to backup vault to perform disk backup. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Compute/disks/read | Get the properties of a Disk |
| Microsoft.Compute/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to perform disk backup.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
"name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/beginGetAccess/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Disk Pool Operator
Provide permission to StoragePool Resource Provider to manage disks added to a disk pool.
| Actions | Description |
|---|---|
| Microsoft.Compute/disks/write | Creates a new Disk or updates an existing one |
| Microsoft.Compute/disks/read | Get the properties of a Disk |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840",
"name": "60fc6e62-5479-42d4-8bf4-67625fcc2840",
"permissions": [
{
"actions": [
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Pool Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Disk Restore Operator
Provides permission to backup vault to perform disk restore. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Compute/disks/write | Creates a new Disk or updates an existing one |
| Microsoft.Compute/disks/read | Get the properties of a Disk |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to perform disk restore.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13",
"name": "b50d9833-a0cb-478e-945f-707fcc997c13",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Restore Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Disk Snapshot Contributor
Provides permission to backup vault to manage disk snapshots. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Compute/snapshots/delete | Delete a Snapshot |
| Microsoft.Compute/snapshots/write | Create a new Snapshot or update an existing one |
| Microsoft.Compute/snapshots/read | Get the properties of a Snapshot |
| Microsoft.Compute/snapshots/beginGetAccess/action | Get the SAS URI of the Snapshot for blob access |
| Microsoft.Compute/snapshots/endGetAccess/action | Revoke the SAS URI of the Snapshot |
| Microsoft.Compute/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access |
| Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/write | Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.Storage/storageAccounts/delete | Deletes an existing storage account. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to manage disk snapshots.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce",
"name": "7efff54f-a5b4-42b5-a1c5-5411624893ce",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/disks/beginGetAccess/action",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Snapshot Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Virtual Machine Administrator Login
View Virtual Machines in the portal and login as administrator Learn more
| Actions | Description |
|---|---|
| Microsoft.Network/publicIPAddresses/read | Gets a public ip address definition. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Compute/virtualMachines/*/read | |
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridConnectivity/endpoints/listCredentials/action | List the endpoint access credentials to the resource. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Compute/virtualMachines/login/action | Log in to a virtual machine as a regular user |
| Microsoft.Compute/virtualMachines/loginAsAdmin/action | Log in to a virtual machine with Windows administrator or Linux root user privileges |
| Microsoft.HybridCompute/machines/login/action | Log in to a Azure Arc machine as a regular user |
| Microsoft.HybridCompute/machines/loginAsAdmin/action | Log in to a Azure Arc machine with Windows administrator or Linux root user privilege |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as administrator",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
"name": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.Compute/virtualMachines/loginAsAdmin/action",
"Microsoft.HybridCompute/machines/login/action",
"Microsoft.HybridCompute/machines/loginAsAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Virtual Machine Contributor
Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Compute/availabilitySets/* | Create and manage compute availability sets |
| Microsoft.Compute/locations/* | Create and manage compute locations |
| Microsoft.Compute/virtualMachines/* | Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines. |
| Microsoft.Compute/virtualMachineScaleSets/* | Create and manage virtual machine scale sets |
| Microsoft.Compute/cloudServices/* | |
| Microsoft.Compute/disks/write | Creates a new Disk or updates an existing one |
| Microsoft.Compute/disks/read | Get the properties of a Disk |
| Microsoft.Compute/disks/delete | Deletes the Disk |
| Microsoft.DevTestLab/schedules/* | |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Network/applicationGateways/backendAddressPools/join/action | Joins an application gateway backend address pool. Not Alertable. |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. |
| Microsoft.Network/loadBalancers/inboundNatPools/join/action | Joins a load balancer inbound NAT pool. Not alertable. |
| Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. |
| Microsoft.Network/loadBalancers/probes/join/action | Allows using probes of a load balancer. For example, with this permission healthProbe property of VM scale set can reference the probe. Not alertable. |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/locations/* | Create and manage network locations |
| Microsoft.Network/networkInterfaces/* | Create and manage network interfaces |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
| Microsoft.Network/publicIPAddresses/join/action | Joins a public ip address. Not Alertable. |
| Microsoft.Network/publicIPAddresses/read | Gets a public ip address definition. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.RecoveryServices/locations/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item |
| Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies |
| Microsoft.RecoveryServices/Vaults/backupPolicies/write | Creates Protection Policy |
| Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.SerialConsole/serialPorts/connect/action | Connect to a serial port |
| Microsoft.SqlVirtualMachine/* | |
| Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Compute/cloudServices/*",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/delete",
"Microsoft.DevTestLab/schedules/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/probes/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/write",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.SerialConsole/serialPorts/connect/action",
"Microsoft.SqlVirtualMachine/*",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Virtual Machine Data Access Administrator (preview)
Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments.
| Actions | Description |
|---|---|
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
| Microsoft.Network/publicIPAddresses/read | Gets a public ip address definition. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Compute/virtualMachines/*/read | |
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Condition | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) | Add or remove role assignments for the following roles: Virtual Machine Administrator Login Virtual Machine User Login |
{
"id": "/providers/Microsoft.Authorization/roleDefinitions/66f75aeb-eabe-4b70-9f1e-c350c4c9ad04",
"properties": {
"roleName": "Virtual Machine Data Access Administrator (preview)",
"description": "Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52}))"
}
]
}
}
Virtual Machine User Login
View Virtual Machines in the portal and login as a regular user. Learn more
| Actions | Description |
|---|---|
| Microsoft.Network/publicIPAddresses/read | Gets a public ip address definition. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Compute/virtualMachines/*/read | |
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridConnectivity/endpoints/listCredentials/action | List the endpoint access credentials to the resource. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Compute/virtualMachines/login/action | Log in to a virtual machine as a regular user |
| Microsoft.HybridCompute/machines/login/action | Log in to a Azure Arc machine as a regular user |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as a regular user.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
"name": "fb879df8-f326-4884-b1cf-06f3ad86be52",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.HybridCompute/machines/login/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine User Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Windows Admin Center Administrator Login
Let's you manage the OS of your resource via Windows Admin Center as an administrator. Learn more
| Actions | Description |
|---|---|
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridCompute/machines/extensions/* | |
| Microsoft.HybridCompute/machines/upgradeExtensions/action | Upgrades Extensions on Azure Arc machines |
| Microsoft.HybridCompute/operations/read | Read all Operations for Azure Arc for Servers |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/publicIPAddresses/read | Gets a public ip address definition. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
| Microsoft.Network/networkWatchers/securityGroupView/action | View the configured and effective network security group rules applied on a VM. |
| Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
| Microsoft.Network/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule |
| Microsoft.HybridConnectivity/endpoints/write | Create or update the endpoint to the target resource. |
| Microsoft.HybridConnectivity/endpoints/read | Get or list of endpoints to the target resource. |
| Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action | Get managed proxy details for the resource. |
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read | Retrieves the summary of the latest patch assessment operation |
| Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read | Retrieves list of patches assessed during the last patch assessment operation |
| Microsoft.Compute/virtualMachines/patchInstallationResults/read | Retrieves the summary of the latest patch installation operation |
| Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read | Retrieves list of patches attempted to be installed during the last patch installation operation |
| Microsoft.Compute/virtualMachines/extensions/read | Get the properties of a virtual machine extension |
| Microsoft.Compute/virtualMachines/instanceView/read | Gets the detailed runtime status of the virtual machine and its resources |
| Microsoft.Compute/virtualMachines/runCommands/read | Get the properties of a virtual machine run command |
| Microsoft.Compute/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to |
| Microsoft.Compute/locations/publishers/artifacttypes/types/read | Get the properties of a VMExtension Type |
| Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read | Get the properties of a VMExtension Version |
| Microsoft.Compute/diskAccesses/read | Get the properties of DiskAccess resource |
| Microsoft.Compute/galleries/images/read | Gets the properties of Gallery Image |
| Microsoft.Compute/images/read | Get the properties of the Image |
| Microsoft.AzureStackHCI/Clusters/Read | Gets clusters |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Read | Gets arc resource of HCI cluster |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read | Gets extension resource of HCI cluster |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write | Create or update extension resource of HCI cluster |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete | Delete extension resources of HCI cluster |
| Microsoft.AzureStackHCI/Operations/Read | Gets operations |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read | Read virtualmachines |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write | Write extension resource |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read | Gets extension resource |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.HybridCompute/machines/WACLoginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator. |
| Microsoft.Compute/virtualMachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator |
| Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action | Manage OS of HCI resource via Windows Admin Center as an administrator |
| Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Let's you manage the OS of your resource via Windows Admin Center as an administrator.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f",
"name": "a6333a3e-0164-44c3-b281-7a577aff287f",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridCompute/machines/extensions/*",
"Microsoft.HybridCompute/machines/upgradeExtensions/action",
"Microsoft.HybridCompute/operations/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkWatchers/securityGroupView/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.HybridConnectivity/endpoints/write",
"Microsoft.HybridConnectivity/endpoints/read",
"Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read",
"Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read",
"Microsoft.Compute/virtualMachines/patchInstallationResults/read",
"Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/runCommands/read",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
"Microsoft.Compute/diskAccesses/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/images/read",
"Microsoft.AzureStackHCI/Clusters/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete",
"Microsoft.AzureStackHCI/Operations/Read",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read"
],
"notActions": [],
"dataActions": [
"Microsoft.HybridCompute/machines/WACLoginAsAdmin/action",
"Microsoft.Compute/virtualMachines/WACloginAsAdmin/action",
"Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action",
"Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Windows Admin Center Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Networking
Azure Front Door Domain Contributor
Can manage Azure Front Door domains, but can't grant access to other users.
| Actions | Description |
|---|---|
| Microsoft.Cdn/operationresults/profileresults/customdomainresults/read | |
| Microsoft.Cdn/profiles/customdomains/read | |
| Microsoft.Cdn/profiles/customdomains/write | |
| Microsoft.Cdn/profiles/customdomains/delete | |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can manage Azure Front Door domains, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-4f8c-b84e-aa85b8afa6e8",
"name": "0ab34830-df19-4f8c-b84e-aa85b8afa6e8",
"permissions": [
{
"actions": [
"Microsoft.Cdn/operationresults/profileresults/customdomainresults/read",
"Microsoft.Cdn/profiles/customdomains/read",
"Microsoft.Cdn/profiles/customdomains/write",
"Microsoft.Cdn/profiles/customdomains/delete",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Domain Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Front Door Domain Reader
Can view Azure Front Door domains, but can't make changes.
| Actions | Description |
|---|---|
| Microsoft.Cdn/operationresults/profileresults/customdomainresults/read | |
| Microsoft.Cdn/profiles/customdomains/read | |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can view Azure Front Door domains, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-4dca-9920-b807cf8e1a5f",
"name": "0f99d363-226e-4dca-9920-b807cf8e1a5f",
"permissions": [
{
"actions": [
"Microsoft.Cdn/operationresults/profileresults/customdomainresults/read",
"Microsoft.Cdn/profiles/customdomains/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Domain Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Front Door Profile Reader
Can view AFD standard and premium profiles and their endpoints, but can't make changes.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Cdn/edgenodes/read | |
| Microsoft.Cdn/operationresults/* | |
| Microsoft.Cdn/profiles/*/read | |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action | |
| Microsoft.Cdn/profiles/queryloganalyticsmetrics/action | |
| Microsoft.Cdn/profiles/queryloganalyticsrankings/action | |
| Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action | |
| Microsoft.Cdn/profiles/querywafloganalyticsrankings/action | |
| Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can view AFD standard and premium profiles and their endpoints, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/662802e2-50f6-46b0-aed2-e834bacc6d12",
"name": "662802e2-50f6-46b0-aed2-e834bacc6d12",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action",
"Microsoft.Cdn/profiles/queryloganalyticsmetrics/action",
"Microsoft.Cdn/profiles/queryloganalyticsrankings/action",
"Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action",
"Microsoft.Cdn/profiles/querywafloganalyticsrankings/action",
"Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Profile Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Front Door Secret Contributor
Can manage Azure Front Door secrets, but can't grant access to other users.
| Actions | Description |
|---|---|
| Microsoft.Cdn/operationresults/profileresults/secretresults/read | |
| Microsoft.Cdn/profiles/secrets/read | |
| Microsoft.Cdn/profiles/secrets/write | |
| Microsoft.Cdn/profiles/secrets/delete | |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can manage Azure Front Door secrets, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-4578-b90a-6fc6fa0df8e5",
"name": "3f2eb865-5811-4578-b90a-6fc6fa0df8e5",
"permissions": [
{
"actions": [
"Microsoft.Cdn/operationresults/profileresults/secretresults/read",
"Microsoft.Cdn/profiles/secrets/read",
"Microsoft.Cdn/profiles/secrets/write",
"Microsoft.Cdn/profiles/secrets/delete",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Secret Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Front Door Secret Reader
Can view Azure Front Door secrets, but can't make changes.
| Actions | Description |
|---|---|
| Microsoft.Cdn/operationresults/profileresults/secretresults/read | |
| Microsoft.Cdn/profiles/secrets/read | |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can view Azure Front Door secrets, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-4c4f-a933-aa2cef684fca",
"name": "0db238c4-885e-4c4f-a933-aa2cef684fca",
"permissions": [
{
"actions": [
"Microsoft.Cdn/operationresults/profileresults/secretresults/read",
"Microsoft.Cdn/profiles/secrets/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Secret Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN Endpoint Contributor
Can manage CDN endpoints, but can't grant access to other users.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Cdn/edgenodes/read | |
| Microsoft.Cdn/operationresults/* | |
| Microsoft.Cdn/profiles/endpoints/* | |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can manage CDN endpoints, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
"name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/endpoints/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Endpoint Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN Endpoint Reader
Can view CDN endpoints, but can't make changes.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Cdn/edgenodes/read | |
| Microsoft.Cdn/operationresults/* | |
| Microsoft.Cdn/profiles/endpoints/*/read | |
| Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action | |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can view CDN endpoints, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
"name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/endpoints/*/read",
"Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Endpoint Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN Profile Contributor
Can manage CDN profiles and their endpoints, but can't grant access to other users. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Cdn/edgenodes/read | |
| Microsoft.Cdn/operationresults/* | |
| Microsoft.Cdn/profiles/* | |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can manage CDN profiles and their endpoints, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
"name": "ec156ff8-a8d1-4d15-830c-5b80698ca432",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Profile Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CDN Profile Reader
Can view CDN profiles and their endpoints, but can't make changes.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Cdn/edgenodes/read | |
| Microsoft.Cdn/operationresults/* | |
| Microsoft.Cdn/profiles/*/read | |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can view CDN profiles and their endpoints, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
"name": "8f96442b-4075-438f-813d-ad51ab4019af",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Profile Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Classic Network Contributor
Lets you manage classic networks, but not access to them. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ClassicNetwork/* | Create and manage classic networks |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic networks, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
"name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicNetwork/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Network Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DNS Zone Contributor
Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Network/dnsZones/* | Create and manage DNS zones and records |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
"name": "befefa01-2a29-4197-83a8-272ff33ce314",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/dnsZones/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DNS Zone Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Network Contributor
Lets you manage networks, but not access to them.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Network/* | Create and manage networks |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage networks, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
"name": "4d97b98b-1d4f-4787-a291-c67834d212e7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Network Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Private DNS Zone Contributor
Lets you manage private DNS zone resources, but not the virtual networks they are linked to. Learn more
| Actions | Description |
|---|---|
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Network/privateDnsZones/* | |
| Microsoft.Network/privateDnsOperationResults/* | |
| Microsoft.Network/privateDnsOperationStatuses/* | |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
"name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f",
"permissions": [
{
"actions": [
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/privateDnsZones/*",
"Microsoft.Network/privateDnsOperationResults/*",
"Microsoft.Network/privateDnsOperationStatuses/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Private DNS Zone Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Traffic Manager Contributor
Lets you manage Traffic Manager profiles, but does not let you control who has access to them.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Network/trafficManagerProfiles/* | |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
"name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/trafficManagerProfiles/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Traffic Manager Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage
Avere Contributor
Can create and manage an Avere vFXT cluster. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Compute/*/read | |
| Microsoft.Compute/availabilitySets/* | |
| Microsoft.Compute/proximityPlacementGroups/* | |
| Microsoft.Compute/virtualMachines/* | |
| Microsoft.Compute/disks/* | |
| Microsoft.Network/*/read | |
| Microsoft.Network/networkInterfaces/* | |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/*/read | |
| Microsoft.Storage/storageAccounts/* | Create and manage storage accounts |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Resources/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can create and manage an Avere vFXT cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/proximityPlacementGroups/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/disks/*",
"Microsoft.Network/*/read",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/deployments/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Avere Operator
Used by the Avere vFXT cluster to manage the cluster Learn more
| Actions | Description |
|---|---|
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/blobServices/containers/delete | Returns the result of deleting a container |
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers |
| Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of put blob container |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Used by the Avere vFXT cluster to manage the cluster",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup Contributor
Lets you manage backup service, but can't create vaults and give access to others Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.RecoveryServices/locations/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* | Manage results of operation on backup management |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* | Create and manage backup containers inside backup fabrics of Recovery Services vault |
| Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
| Microsoft.RecoveryServices/Vaults/backupJobs/* | Create and manage backup jobs |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/* | Create and manage Results of backup management operations |
| Microsoft.RecoveryServices/Vaults/backupPolicies/* | Create and manage backup policies |
| Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | Create and manage items which can be backed up |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/* | Create and manage backed up items |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* | Create and manage containers holding backup items |
| Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* | |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
| Microsoft.RecoveryServices/Vaults/certificates/* | Create and manage certificates related to backup in Recovery Services vault |
| Microsoft.RecoveryServices/Vaults/extendedInformation/* | Create and manage extended info related to vault |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/* | Create and manage registered identities |
| Microsoft.RecoveryServices/Vaults/usages/* | Create and manage usage of Recovery Services vault |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
| Microsoft.RecoveryServices/vaults/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/vaults/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/delete | Deletes the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action | Perform undelete of soft-deleted Backup Instance. Backup Instance moves from SoftDeleted to ProtectionStopped state. |
| Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
| Microsoft.DataProtection/backupVaults/backupPolicies/write | Creates Backup Policy |
| Microsoft.DataProtection/backupVaults/backupPolicies/delete | Deletes the Backup Policy |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
| Microsoft.DataProtection/backupVaults/write | Update BackupVault operation updates an Azure resource of type 'Backup Vault' |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
| Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/checkNameAvailability/action | Checks if the requested BackupVault Name is Available |
| Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
| Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage backup service,but can't create vaults and give access to others",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
"name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/*",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/*",
"Microsoft.RecoveryServices/Vaults/extendedInformation/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
"Microsoft.RecoveryServices/Vaults/usages/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
"Microsoft.RecoveryServices/vaults/operationStatus/read",
"Microsoft.RecoveryServices/vaults/operationResults/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/backupInstances/delete",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/backupVaults/backupPolicies/write",
"Microsoft.DataProtection/backupVaults/backupPolicies/delete",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/write",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/locations/checkNameAvailability/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup Operator
Lets you manage backup services, except removal of backup, vault creation and giving access to others Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item |
| Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
| Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
| Microsoft.RecoveryServices/Vaults/backupJobs/* | Create and manage backup jobs |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/* | Create and manage Results of backup management operations |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies |
| Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | Create and manage items which can be backed up |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
| Microsoft.RecoveryServices/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. |
| Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
| Microsoft.RecoveryServices/Vaults/extendedInformation/write | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/write | The Register Service Container operation can be used to register a container with Recovery Service. |
| Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write | Creates a registered container |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container |
| Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
| Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
| Microsoft.RecoveryServices/locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. |
| Microsoft.RecoveryServices/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action | Trigger Cross region restore. |
| Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
| Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action | Triggers cross region restore operation on given backup instance. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action | Performs validations for cross region restore operation. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
| Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
"name": "00c29273-979b-4161-815c-10b084fb9324",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/write",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/write",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read",
"Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupAadProperties/read",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",
"Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/operations/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Backup Reader
Can view backup services, but can't make changes Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
| Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. |
| Microsoft.RecoveryServices/Vaults/backupJobs/read | Returns all Job Objects |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services . |
| Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used get the containers registered for a resource. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
| Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
| Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
| Microsoft.RecoveryServices/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
| Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
| Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
| Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
| Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action | List cross region restore jobs of backup instance from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action | Get cross region restore job details from secondary region. |
| Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action | Returns recovery points from secondary region for cross region restore enabled Backup Vaults. |
| Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can view backup services, but can't make changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
"name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/read",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
"Microsoft.RecoveryServices/Vaults/backupconfig/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",
"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/operations/read",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Classic Storage Account Contributor
Lets you manage classic storage accounts, but not access to them.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ClassicStorage/storageAccounts/* | Create and manage storage accounts |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic storage accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicStorage/storageAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Classic Storage Account Key Operator Service Role
Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts Learn more
| Actions | Description |
|---|---|
| Microsoft.ClassicStorage/storageAccounts/listkeys/action | Lists the access keys for the storage accounts. |
| Microsoft.ClassicStorage/storageAccounts/regeneratekey/action | Regenerates the existing access keys for the storage account. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
"id": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"permissions": [
{
"actions": [
"Microsoft.ClassicStorage/storageAccounts/listkeys/action",
"Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Box Contributor
Lets you manage everything under Data Box Service except giving access to others. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Databox/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage everything under Data Box Service except giving access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
"name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Databox/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Box Reader
Lets you manage Data Box Service except creating order or editing order details and giving access to others. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Databox/*/read | |
| Microsoft.Databox/jobs/listsecrets/action | |
| Microsoft.Databox/jobs/listcredentials/action | Lists the unencrypted credentials related to the order. |
| Microsoft.Databox/locations/availableSkus/action | This method returns the list of available skus. |
| Microsoft.Databox/locations/validateInputs/action | This method does all type of validations. |
| Microsoft.Databox/locations/regionConfiguration/action | This method returns the configurations for the region. |
| Microsoft.Databox/locations/validateAddress/action | Validates the shipping address and provides alternate addresses if any. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Databox/*/read",
"Microsoft.Databox/jobs/listsecrets/action",
"Microsoft.Databox/jobs/listcredentials/action",
"Microsoft.Databox/locations/availableSkus/action",
"Microsoft.Databox/locations/validateInputs/action",
"Microsoft.Databox/locations/regionConfiguration/action",
"Microsoft.Databox/locations/validateAddress/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Lake Analytics Developer
Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.BigAnalytics/accounts/* | |
| Microsoft.DataLakeAnalytics/accounts/* | |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| Microsoft.BigAnalytics/accounts/Delete | |
| Microsoft.BigAnalytics/accounts/TakeOwnership/action | |
| Microsoft.BigAnalytics/accounts/Write | |
| Microsoft.DataLakeAnalytics/accounts/Delete | Delete a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action | Grant permissions to cancel jobs submitted by other users. |
| Microsoft.DataLakeAnalytics/accounts/Write | Create or update a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write | Create or update a linked DataLakeStore account of a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete | Unlink a DataLakeStore account from a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write | Create or update a linked Storage account of a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete | Unlink a Storage account from a DataLakeAnalytics account. |
| Microsoft.DataLakeAnalytics/accounts/firewallRules/Write | Create or update a firewall rule. |
| Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete | Delete a firewall rule. |
| Microsoft.DataLakeAnalytics/accounts/computePolicies/Write | Create or update a compute policy. |
| Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete | Delete a compute policy. |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
"name": "47b7735b-770e-4598-a7da-8b91488b4c88",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.BigAnalytics/accounts/*",
"Microsoft.DataLakeAnalytics/accounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.BigAnalytics/accounts/Delete",
"Microsoft.BigAnalytics/accounts/TakeOwnership/action",
"Microsoft.BigAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
"Microsoft.DataLakeAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Lake Analytics Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Defender for Storage Data Scanner
Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | Returns the result of writing blob tags |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | Returns the result of reading blob tags |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
"name": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read"
],
"notDataActions": []
}
],
"roleName": "Defender for Storage Data Scanner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Elastic SAN Owner
Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ElasticSan/elasticSans/* | |
| Microsoft.ElasticSan/locations/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access",
"id": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406",
"name": "80dcbedb-47ef-405d-95bd-188a1b4ac406",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Elastic SAN Reader
Allows for control path read access to Azure Elastic SAN
| Actions | Description |
|---|---|
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
| Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ElasticSan/elasticSans/*/read | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for control path read access to Azure Elastic SAN",
"id": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
"name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ElasticSan/elasticSans/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Elastic SAN Volume Group Owner
Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access
| Actions | Description |
|---|---|
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
| Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
| Microsoft.ElasticSan/elasticSans/volumeGroups/* | |
| Microsoft.ElasticSan/locations/asyncoperations/read | Polls the status of an asynchronous operation. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23",
"name": "a8281131-f312-4f34-8d98-ae12be9f0d23",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/locations/asyncoperations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Volume Group Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Reader and Data Access
Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/ListAccountSas/action | Returns the Account SAS token for the specified storage account. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
"name": "c12c1c16-33a1-487b-954d-41c89c60f349",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/ListAccountSas/action",
"Microsoft.Storage/storageAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reader and Data Access",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Account Backup Contributor
Lets you perform backup and restore operations using Azure Backup on the storage account. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Authorization/locks/read | Gets locks at the specified scope. |
| Microsoft.Authorization/locks/write | Add locks at the specified scope. |
| Microsoft.Authorization/locks/delete | Delete locks at the specified scope. |
| Microsoft.Features/features/read | Gets the features of a subscription. |
| Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/operations/read | Polls the status of an asynchronous operation. |
| Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete | Delete object replication policy |
| Microsoft.Storage/storageAccounts/objectReplicationPolicies/read | List object replication policies |
| Microsoft.Storage/storageAccounts/objectReplicationPolicies/write | Create or update object replication policy |
| Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write | Create object replication restore point marker |
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers |
| Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of put blob container |
| Microsoft.Storage/storageAccounts/blobServices/read | Returns blob service properties or statistics |
| Microsoft.Storage/storageAccounts/blobServices/write | Returns the result of put blob service properties |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.Storage/storageAccounts/restoreBlobRanges/action | Restore blob ranges to the state of the specified time |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you perform backup and restore operations using Azure Backup on the storage account.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
"name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/locks/read",
"Microsoft.Authorization/locks/write",
"Microsoft.Authorization/locks/delete",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/operations/read",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/blobServices/write",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Account Contributor
Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/* | Create and manage storage accounts |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
"name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Account Key Operator Service Role
Permits listing and regenerating storage account access keys. Learn more
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/regeneratekey/action | Regenerates the access keys for the specified storage account. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
"id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
"name": "81a9662b-bebf-436f-a333-f67b29880f12",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Data Contributor
Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/delete | Delete a container. |
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Return a container or a list of containers. |
| Microsoft.Storage/storageAccounts/blobServices/containers/write | Modify a container's metadata or properties. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Delete a blob. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Write to a blob. |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | Moves the blob from one path to another |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Returns the result of adding blob content |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage blob containers and data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Data Owner
Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/* | Full permissions on containers. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* | Full permissions on blobs. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/*",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Data Reader
Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Return a container or a list of containers. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Return a blob or a list of blobs. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage blob containers and data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Delegator
Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. Learn more
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the Blob service. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Blob Delegator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data Privileged Contributor
Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder |
| Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Sematics Privilege |
| Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action | Write File Backup Sematics Privilege |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-475b-8e7c-b3118f30c6bd",
"name": "69566ab7-960f-475b-8e7c-b3118f30c6bd",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action",
"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action",
"Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data Privileged Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data Privileged Reader
Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders |
| Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | Read File Backup Sematics Privilege |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Customer has read access on Azure Storage file shares.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-4f76-af95-65846b26df6d",
"name": "b8eda974-7b85-4f76-af95-65846b26df6d",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data Privileged Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data SMB Share Contributor
Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data SMB Share Elevated Contributor
Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | Returns the result of writing a file or creating a folder. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | Returns the result of deleting a file/folder. |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | Returns the result of modifying permission on a file/folder. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
"name": "a7264617-510b-434b-a828-9731dc254ea7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Elevated Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage File Data SMB Share Reader
Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | Returns a file/folder or a list of files/folders. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure File Share over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
"name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Contributor
Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/queueServices/queues/delete | Delete a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/read | Return a queue or a list of queues. |
| Microsoft.Storage/storageAccounts/queueServices/queues/write | Modify queue metadata or properties. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete | Delete one or more messages from a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/write | Add a message to a queue. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | Returns the result of processing a message |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/write"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Message Processor
Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peek a message. |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | Retrieve and delete a message. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
"name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Processor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Message Sender
Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | Add a message to a queue. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for sending of Azure Storage queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Queue Data Reader
Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Learn more
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/queueServices/queues/read | Returns a queue or a list of queues. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | Peek or retrieve one or more messages from a queue. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage queues and queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
"name": "19e7f393-937e-4f77-808e-94535e297925",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Table Data Contributor
Allows for read, write and delete access to Azure Storage tables and entities
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/tableServices/tables/read | Query tables |
| Microsoft.Storage/storageAccounts/tableServices/tables/write | Create tables |
| Microsoft.Storage/storageAccounts/tableServices/tables/delete | Delete tables |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Query table entities |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Insert, merge, or replace table entities |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete | Delete table entities |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Insert table entities |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action | Merge or update table entities |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage tables and entities",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/read",
"Microsoft.Storage/storageAccounts/tableServices/tables/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action",
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action"
],
"notDataActions": []
}
],
"roleName": "Storage Table Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Table Data Reader
Allows for read access to Azure Storage tables and entities
| Actions | Description |
|---|---|
| Microsoft.Storage/storageAccounts/tableServices/tables/read | Query tables |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | Query table entities |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage tables and entities",
"id": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6",
"name": "76199698-9eea-4c19-bc75-cec21354c6b6",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
],
"notDataActions": []
}
],
"roleName": "Storage Table Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Web
Azure Maps Data Contributor
Grants access to read, write, and delete access to map related data from an Azure maps account. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Maps/accounts/*/read | |
| Microsoft.Maps/accounts/*/write | |
| Microsoft.Maps/accounts/*/delete | |
| Microsoft.Maps/accounts/*/action | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read, write, and delete access to map related data from an Azure maps account.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
"name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Maps/accounts/*/read",
"Microsoft.Maps/accounts/*/write",
"Microsoft.Maps/accounts/*/delete",
"Microsoft.Maps/accounts/*/action"
],
"notDataActions": []
}
],
"roleName": "Azure Maps Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Maps Data Reader
Grants access to read map related data from an Azure maps account. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Maps/accounts/*/read | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read map related data from an Azure maps account.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
"name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Maps/accounts/*/read"
],
"notDataActions": []
}
],
"roleName": "Azure Maps Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Cloud Config Server Contributor
Allow read, write and delete access to Azure Spring Cloud Config Server Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.AppPlatform/Spring/configService/read | Read the configuration content(for example, application.yaml) for a specific Azure Spring Apps service instance |
| Microsoft.AppPlatform/Spring/configService/write | Write config server content for a specific Azure Spring Apps service instance |
| Microsoft.AppPlatform/Spring/configService/delete | Delete config server content for a specific Azure Spring Apps service instance |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allow read, write and delete access to Azure Spring Cloud Config Server",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
"name": "a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/configService/read",
"Microsoft.AppPlatform/Spring/configService/write",
"Microsoft.AppPlatform/Spring/configService/delete"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Config Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Cloud Config Server Reader
Allow read access to Azure Spring Cloud Config Server Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.AppPlatform/Spring/configService/read | Read the configuration content(for example, application.yaml) for a specific Azure Spring Apps service instance |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allow read access to Azure Spring Cloud Config Server",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7",
"name": "d04c6db6-4947-4782-9e91-30a88feb7be7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/configService/read"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Config Server Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Cloud Data Reader
Allow read access to Azure Spring Cloud Data
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.AppPlatform/Spring/*/read | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allow read access to Azure Spring Cloud Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c",
"name": "b5537268-8956-4941-a8f0-646150406f0c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/*/read"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Cloud Service Registry Contributor
Allow read, write and delete access to Azure Spring Cloud Service Registry Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.AppPlatform/Spring/eurekaService/read | Read the user app(s) registration information for a specific Azure Spring Apps service instance |
| Microsoft.AppPlatform/Spring/eurekaService/write | Write the user app(s) registration information for a specific Azure Spring Apps service instance |
| Microsoft.AppPlatform/Spring/eurekaService/delete | Delete the user app registration information for a specific Azure Spring Apps service instance |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allow read, write and delete access to Azure Spring Cloud Service Registry",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1",
"name": "f5880b48-c26d-48be-b172-7927bfa1c8f1",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/eurekaService/read",
"Microsoft.AppPlatform/Spring/eurekaService/write",
"Microsoft.AppPlatform/Spring/eurekaService/delete"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Service Registry Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Cloud Service Registry Reader
Allow read access to Azure Spring Cloud Service Registry Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.AppPlatform/Spring/eurekaService/read | Read the user app(s) registration information for a specific Azure Spring Apps service instance |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allow read access to Azure Spring Cloud Service Registry",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65",
"name": "cff1b556-2399-4e7e-856d-a8f754be7b65",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/eurekaService/read"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Service Registry Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Media Services Account Administrator
Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Media/mediaservices/*/read | |
| Microsoft.Media/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset |
| Microsoft.Media/mediaservices/streamingLocators/listPaths/action | List Paths |
| Microsoft.Media/mediaservices/write | Create or Update any Media Services Account |
| Microsoft.Media/mediaservices/delete | Delete any Media Services Account |
| Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action | Approve Private Endpoint Connections |
| Microsoft.Media/mediaservices/privateEndpointConnections/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466",
"name": "054126f8-9a2b-4f1c-a9ad-eca461f08466",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
"Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
"Microsoft.Media/mediaservices/write",
"Microsoft.Media/mediaservices/delete",
"Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action",
"Microsoft.Media/mediaservices/privateEndpointConnections/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Account Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Media Services Live Events Administrator
Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Media/mediaservices/*/read | |
| Microsoft.Media/mediaservices/assets/* | |
| Microsoft.Media/mediaservices/assets/assetfilters/* | |
| Microsoft.Media/mediaservices/streamingLocators/* | |
| Microsoft.Media/mediaservices/liveEvents/* | |
| NotActions | |
| Microsoft.Media/mediaservices/assets/getEncryptionKey/action | Get Asset Encryption Key |
| Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action | List Content Keys |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77",
"name": "532bc159-b25e-42c0-969e-a1d439f60d77",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/*",
"Microsoft.Media/mediaservices/assets/assetfilters/*",
"Microsoft.Media/mediaservices/streamingLocators/*",
"Microsoft.Media/mediaservices/liveEvents/*"
],
"notActions": [
"Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
"Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Live Events Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Media Services Media Operator
Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Media/mediaservices/*/read | |
| Microsoft.Media/mediaservices/assets/* | |
| Microsoft.Media/mediaservices/assets/assetfilters/* | |
| Microsoft.Media/mediaservices/streamingLocators/* | |
| Microsoft.Media/mediaservices/transforms/jobs/* | |
| NotActions | |
| Microsoft.Media/mediaservices/assets/getEncryptionKey/action | Get Asset Encryption Key |
| Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action | List Content Keys |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c",
"name": "e4395492-1534-4db2-bedf-88c14621589c",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/*",
"Microsoft.Media/mediaservices/assets/assetfilters/*",
"Microsoft.Media/mediaservices/streamingLocators/*",
"Microsoft.Media/mediaservices/transforms/jobs/*"
],
"notActions": [
"Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
"Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Media Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Media Services Policy Administrator
Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Media/mediaservices/*/read | |
| Microsoft.Media/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset |
| Microsoft.Media/mediaservices/streamingLocators/listPaths/action | List Paths |
| Microsoft.Media/mediaservices/accountFilters/* | |
| Microsoft.Media/mediaservices/streamingPolicies/* | |
| Microsoft.Media/mediaservices/contentKeyPolicies/* | |
| Microsoft.Media/mediaservices/transforms/* | |
| NotActions | |
| Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action | Get Policy Properties With Secrets |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae",
"name": "c4bba371-dacd-4a26-b320-7250bca963ae",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
"Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
"Microsoft.Media/mediaservices/accountFilters/*",
"Microsoft.Media/mediaservices/streamingPolicies/*",
"Microsoft.Media/mediaservices/contentKeyPolicies/*",
"Microsoft.Media/mediaservices/transforms/*"
],
"notActions": [
"Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Policy Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Media Services Streaming Endpoints Administrator
Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Media/mediaservices/*/read | |
| Microsoft.Media/mediaservices/assets/listStreamingLocators/action | List Streaming Locators for Asset |
| Microsoft.Media/mediaservices/streamingLocators/listPaths/action | List Paths |
| Microsoft.Media/mediaservices/streamingEndpoints/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804",
"name": "99dba123-b5fe-44d5-874c-ced7199a5804",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
"Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
"Microsoft.Media/mediaservices/streamingEndpoints/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Streaming Endpoints Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Search Index Data Contributor
Grants full access to Azure Cognitive Search index data.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Search/searchServices/indexes/documents/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants full access to Azure Cognitive Search index data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7",
"name": "8ebe5a00-799e-43f5-93ac-243d3dce84a7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Search/searchServices/indexes/documents/*"
],
"notDataActions": []
}
],
"roleName": "Search Index Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Search Index Data Reader
Grants read access to Azure Cognitive Search index data.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Search/searchServices/indexes/documents/read | Read documents or suggested query terms from an index. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants read access to Azure Cognitive Search index data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f",
"name": "1407120a-92aa-4202-b7e9-c0e197c71c8f",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Search/searchServices/indexes/documents/read"
],
"notDataActions": []
}
],
"roleName": "Search Index Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Search Service Contributor
Lets you manage Search services, but not access to them. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Search/searchServices/* | Create and manage search services |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Search services, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0",
"name": "7ca78c08-252a-4471-8644-bb5ff32d4ba0",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Search/searchServices/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Search Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR AccessKey Reader
Read SignalR Service Access Keys
| Actions | Description |
|---|---|
| Microsoft.SignalRService/*/read | |
| Microsoft.SignalRService/SignalR/listkeys/action | View the value of SignalR access keys in the management portal or through API |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read SignalR Service Access Keys",
"id": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e",
"name": "04165923-9d83-45d5-8227-78b77b0a687e",
"permissions": [
{
"actions": [
"Microsoft.SignalRService/*/read",
"Microsoft.SignalRService/SignalR/listkeys/action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SignalR AccessKey Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR App Server
Lets your app server access SignalR Service with AAD auth options.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.SignalRService/SignalR/auth/accessKey/action | Generate an AccessKey for signing AccessTokens, the key will expire in 90 minutes by default |
| Microsoft.SignalRService/SignalR/serverConnection/write | Start a server connection |
| Microsoft.SignalRService/SignalR/clientConnection/write | Close client connection |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets your app server access SignalR Service with AAD auth options.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7",
"name": "420fcaa2-552c-430f-98ca-3264be4806c7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/auth/accessKey/action",
"Microsoft.SignalRService/SignalR/serverConnection/write",
"Microsoft.SignalRService/SignalR/clientConnection/write"
],
"notDataActions": []
}
],
"roleName": "SignalR App Server",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR REST API Owner
Full access to Azure SignalR Service REST APIs
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.SignalRService/SignalR/auth/clientToken/action | Generate an AccessToken for client to connect to ASRS, the token will expire in 5 minutes by default |
| Microsoft.SignalRService/SignalR/hub/* | |
| Microsoft.SignalRService/SignalR/group/* | |
| Microsoft.SignalRService/SignalR/clientConnection/* | |
| Microsoft.SignalRService/SignalR/user/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Full access to Azure SignalR Service REST APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521",
"name": "fd53cd77-2268-407a-8f46-7e7863d0f521",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/auth/clientToken/action",
"Microsoft.SignalRService/SignalR/hub/*",
"Microsoft.SignalRService/SignalR/group/*",
"Microsoft.SignalRService/SignalR/clientConnection/*",
"Microsoft.SignalRService/SignalR/user/*"
],
"notDataActions": []
}
],
"roleName": "SignalR REST API Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR REST API Reader
Read-only access to Azure SignalR Service REST APIs
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.SignalRService/SignalR/group/read | Check group existence or user existence in group |
| Microsoft.SignalRService/SignalR/clientConnection/read | Check client connection existence |
| Microsoft.SignalRService/SignalR/user/read | Check user existence |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read-only access to Azure SignalR Service REST APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035",
"name": "ddde6b66-c0df-4114-a159-3618637b3035",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/group/read",
"Microsoft.SignalRService/SignalR/clientConnection/read",
"Microsoft.SignalRService/SignalR/user/read"
],
"notDataActions": []
}
],
"roleName": "SignalR REST API Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR Service Owner
Full access to Azure SignalR Service REST APIs
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.SignalRService/SignalR/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Full access to Azure SignalR Service REST APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
"name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/*"
],
"notDataActions": []
}
],
"roleName": "SignalR Service Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SignalR/Web PubSub Contributor
Create, Read, Update, and Delete SignalR service resources
| Actions | Description |
|---|---|
| Microsoft.SignalRService/* | |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Create, Read, Update, and Delete SignalR service resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
"name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
"permissions": [
{
"actions": [
"Microsoft.SignalRService/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SignalR/Web PubSub Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Web Plan Contributor
Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Web/serverFarms/* | Create and manage server farms |
| Microsoft.Web/hostingEnvironments/Join/Action | Joins an App Service Environment |
| Microsoft.Insights/autoscalesettings/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the web plans for websites, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
"name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/serverFarms/*",
"Microsoft.Web/hostingEnvironments/Join/Action",
"Microsoft.Insights/autoscalesettings/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Web Plan Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Website Contributor
Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/components/* | Create and manage Insights components |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Web/certificates/* | Create and manage website certificates |
| Microsoft.Web/listSitesAssignedToHostName/read | Get names of sites assigned to hostname. |
| Microsoft.Web/serverFarms/join/action | Joins an App Service Plan |
| Microsoft.Web/serverFarms/read | Get the properties on an App Service Plan |
| Microsoft.Web/sites/* | Create and manage websites (site creation also requires write permissions to the associated App Service Plan) |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage websites (not web plans), but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
"name": "de139f84-1756-47ae-9be6-808fbbe84772",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/components/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/certificates/*",
"Microsoft.Web/listSitesAssignedToHostName/read",
"Microsoft.Web/serverFarms/join/action",
"Microsoft.Web/serverFarms/read",
"Microsoft.Web/sites/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Website Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Containers
AcrDelete
Delete repositories, tags, or manifests from a container registry. Learn more
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/artifacts/delete | Delete artifact in a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrImageSigner
Push trusted images to or pull trusted images from a container registry enabled for content trust. Learn more
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/sign/write | Push/Pull content trust metadata for a container registry. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/trustedCollections/write | Allows push or publish of trusted collections of container registry content. This is similar to Microsoft.ContainerRegistry/registries/sign/write action except that this is a data action |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPull
Pull artifacts from a container registry. Learn more
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrPush
Push artifacts to or pull artifacts from a container registry. Learn more
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/pull/read | Pull or Get images from a container registry. |
| Microsoft.ContainerRegistry/registries/push/write | Push or Write images to a container registry. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineReader
Pull quarantined images from a container registry. Learn more
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from container registry |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AcrQuarantineWriter
Push quarantined images to or pull quarantined images from a container registry. Learn more
| Actions | Description |
|---|---|
| Microsoft.ContainerRegistry/registries/quarantine/read | Pull or Get quarantined images from container registry |
| Microsoft.ContainerRegistry/registries/quarantine/write | Write/Modify quarantine state of quarantined images |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | Allows pull or get of the quarantined artifacts from container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action |
| Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | Allows write or update of the quarantine state of quarantined artifacts. This is similar to Microsoft.ContainerRegistry/registries/quarantine/write action except that it is a data action |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Admin
This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ContainerService/fleets/read | Get fleet |
| Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.ContainerService/fleets/apps/daemonsets/* | |
| Microsoft.ContainerService/fleets/apps/deployments/* | |
| Microsoft.ContainerService/fleets/apps/statefulsets/* | |
| Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write | Writes localsubjectaccessreviews |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/fleets/batch/cronjobs/* | |
| Microsoft.ContainerService/fleets/batch/jobs/* | |
| Microsoft.ContainerService/fleets/configmaps/* | |
| Microsoft.ContainerService/fleets/endpoints/* | |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
| Microsoft.ContainerService/fleets/events/read | Reads events |
| Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
| Microsoft.ContainerService/fleets/extensions/deployments/* | |
| Microsoft.ContainerService/fleets/extensions/ingresses/* | |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
| Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* | |
| Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
| Microsoft.ContainerService/fleets/secrets/* | |
| Microsoft.ContainerService/fleets/serviceaccounts/* | |
| Microsoft.ContainerService/fleets/services/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Cluster Admin
Lets you manage all resources in the fleet manager cluster.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ContainerService/fleets/read | Get fleet |
| Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/fleets/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the fleet manager cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Reader
Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ContainerService/fleets/read | Get fleet |
| Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.ContainerService/fleets/apps/daemonsets/read | Reads daemonsets |
| Microsoft.ContainerService/fleets/apps/deployments/read | Reads deployments |
| Microsoft.ContainerService/fleets/apps/statefulsets/read | Reads statefulsets |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
| Microsoft.ContainerService/fleets/batch/cronjobs/read | Reads cronjobs |
| Microsoft.ContainerService/fleets/batch/jobs/read | Reads jobs |
| Microsoft.ContainerService/fleets/configmaps/read | Reads configmaps |
| Microsoft.ContainerService/fleets/endpoints/read | Reads endpoints |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
| Microsoft.ContainerService/fleets/events/read | Reads events |
| Microsoft.ContainerService/fleets/extensions/daemonsets/read | Reads daemonsets |
| Microsoft.ContainerService/fleets/extensions/deployments/read | Reads deployments |
| Microsoft.ContainerService/fleets/extensions/ingresses/read | Reads ingresses |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/read | Reads networkpolicies |
| Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read | Reads ingresses |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/read | Reads persistentvolumeclaims |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
| Microsoft.ContainerService/fleets/replicationcontrollers/read | Reads replicationcontrollers |
| Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
| Microsoft.ContainerService/fleets/serviceaccounts/read | Reads serviceaccounts |
| Microsoft.ContainerService/fleets/services/read | Reads services |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Fleet Manager RBAC Writer
Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ContainerService/fleets/read | Get fleet |
| Microsoft.ContainerService/fleets/listCredentials/action | List fleet credentials |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/fleets/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.ContainerService/fleets/apps/daemonsets/* | |
| Microsoft.ContainerService/fleets/apps/deployments/* | |
| Microsoft.ContainerService/fleets/apps/statefulsets/* | |
| Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/fleets/batch/cronjobs/* | |
| Microsoft.ContainerService/fleets/batch/jobs/* | |
| Microsoft.ContainerService/fleets/configmaps/* | |
| Microsoft.ContainerService/fleets/endpoints/* | |
| Microsoft.ContainerService/fleets/events.k8s.io/events/read | Reads events |
| Microsoft.ContainerService/fleets/events/read | Reads events |
| Microsoft.ContainerService/fleets/extensions/daemonsets/* | |
| Microsoft.ContainerService/fleets/extensions/deployments/* | |
| Microsoft.ContainerService/fleets/extensions/ingresses/* | |
| Microsoft.ContainerService/fleets/extensions/networkpolicies/* | |
| Microsoft.ContainerService/fleets/limitranges/read | Reads limitranges |
| Microsoft.ContainerService/fleets/namespaces/read | Reads namespaces |
| Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/fleets/persistentvolumeclaims/* | |
| Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/replicationcontrollers/* | |
| Microsoft.ContainerService/fleets/resourcequotas/read | Reads resourcequotas |
| Microsoft.ContainerService/fleets/secrets/* | |
| Microsoft.ContainerService/fleets/serviceaccounts/* | |
| Microsoft.ContainerService/fleets/services/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",
"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Admin Role
List cluster admin credential action. Learn more
| Actions | Description |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action | List the clusterAdmin credential of a managed cluster |
| Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action | Get a managed cluster access profile by role name using list credential |
| Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
| Microsoft.ContainerService/managedClusters/runcommand/action | Run user issued command against managed kubernetes server. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Monitoring User
List cluster monitoring user credential action.
| Actions | Description |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | List the clusterMonitoringUser credential of a managed cluster |
| Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster User Role
List cluster user credential action. Learn more
| Actions | Description |
|---|---|
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
| Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Contributor Role
Grants access to read and write Azure Kubernetes Service clusters Learn more
| Actions | Description |
|---|---|
| Microsoft.ContainerService/managedClusters/read | Get a managed cluster |
| Microsoft.ContainerService/managedClusters/write | Creates a new managed cluster or updates an existing one |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/write",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Admin
Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| Microsoft.ContainerService/managedClusters/resourcequotas/write | Writes resourcequotas |
| Microsoft.ContainerService/managedClusters/resourcequotas/delete | Deletes resourcequotas |
| Microsoft.ContainerService/managedClusters/namespaces/write | Writes namespaces |
| Microsoft.ContainerService/managedClusters/namespaces/delete | Deletes namespaces |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Cluster Admin
Lets you manage all resources in the cluster. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | List the clusterUser credential of a managed cluster |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Reader
Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets |
| Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments |
| Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs |
| Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs |
| Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices |
| Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.ContainerService/managedClusters/events/read | Reads events |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets |
| Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets |
| Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes |
| Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims |
| Microsoft.ContainerService/managedClusters/pods/read | Reads pods |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts |
| Microsoft.ContainerService/managedClusters/services/read | Reads services |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/endpoints/read",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
"Microsoft.ContainerService/managedClusters/extensions/deployments/read",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service RBAC Writer
Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions |
| Microsoft.ContainerService/managedClusters/apps/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/apps/deployments/* | |
| Microsoft.ContainerService/managedClusters/apps/replicasets/* | |
| Microsoft.ContainerService/managedClusters/apps/statefulsets/* | |
| Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* | |
| Microsoft.ContainerService/managedClusters/batch/cronjobs/* | |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read | Reads leases |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write | Writes leases |
| Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete | Deletes leases |
| Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read | Reads endpointslices |
| Microsoft.ContainerService/managedClusters/batch/jobs/* | |
| Microsoft.ContainerService/managedClusters/configmaps/* | |
| Microsoft.ContainerService/managedClusters/endpoints/* | |
| Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events |
| Microsoft.ContainerService/managedClusters/events/* | |
| Microsoft.ContainerService/managedClusters/extensions/daemonsets/* | |
| Microsoft.ContainerService/managedClusters/extensions/deployments/* | |
| Microsoft.ContainerService/managedClusters/extensions/ingresses/* | |
| Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/extensions/replicasets/* | |
| Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read | Reads pods |
| Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read | Reads nodes |
| Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* | |
| Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* | |
| Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* | |
| Microsoft.ContainerService/managedClusters/pods/* | |
| Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* | |
| Microsoft.ContainerService/managedClusters/replicationcontrollers/* | |
| Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas |
| Microsoft.ContainerService/managedClusters/secrets/* | |
| Microsoft.ContainerService/managedClusters/serviceaccounts/* | |
| Microsoft.ContainerService/managedClusters/services/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write",
"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",
"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",
"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",
"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Databases
Azure Connected SQL Server Onboarding
Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. Learn more
| Actions | Description |
|---|---|
| Microsoft.AzureArcData/sqlServerInstances/read | Retrieves a SQL Server Instance resource |
| Microsoft.AzureArcData/sqlServerInstances/write | Updates a SQL Server Instance resource |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508",
"name": "e8113dce-c529-4d33-91fa-e9b972617508",
"permissions": [
{
"actions": [
"Microsoft.AzureArcData/sqlServerInstances/read",
"Microsoft.AzureArcData/sqlServerInstances/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected SQL Server Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB Account Reader Role
Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.DocumentDB/*/read | Read any collection |
| Microsoft.DocumentDB/databaseAccounts/readonlykeys/action | Reads the database account readonly keys. |
| Microsoft.Insights/MetricDefinitions/read | Read metric definitions |
| Microsoft.Insights/Metrics/read | Read metrics |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can read Azure Cosmos DB Accounts data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDB/*/read",
"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
"Microsoft.Insights/MetricDefinitions/read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Account Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB Operator
Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. Learn more
| Actions | Description |
|---|---|
| Microsoft.DocumentDb/databaseAccounts/* | |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| NotActions | |
| Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* | |
| Microsoft.DocumentDB/databaseAccounts/regenerateKey/* | |
| Microsoft.DocumentDB/databaseAccounts/listKeys/* | |
| Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* | |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write | Create or update a SQL Role Definition |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete | Delete a SQL Role Definition |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write | Create or update a SQL Role Assignment |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete | Delete a SQL Role Assignment |
| Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write | Create or update a Mongo Role Definition |
| Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete | Delete a MongoDB Role Definition |
| Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write | Create or update a MongoDB User Definition |
| Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete | Delete a MongoDB User Definition |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
"name": "230815da-be43-4aae-9cb4-875f7bd000aa",
"permissions": [
{
"actions": [
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [
"Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
"Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
"Microsoft.DocumentDB/databaseAccounts/listKeys/*",
"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosBackupOperator
Can submit restore request for a Cosmos DB database or a container for an account Learn more
| Actions | Description |
|---|---|
| Microsoft.DocumentDB/databaseAccounts/backup/action | Submit a request to configure backup |
| Microsoft.DocumentDB/databaseAccounts/restore/action | Submit a restore request |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can submit restore request for a Cosmos DB database or a container for an account",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/databaseAccounts/backup/action",
"Microsoft.DocumentDB/databaseAccounts/restore/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosBackupOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosRestoreOperator
Can perform restore action for Cosmos DB database account with continuous backup mode
| Actions | Description |
|---|---|
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action | Submit a restore request |
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read | |
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read | Read a restorable database account or List all the restorable database accounts |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosRestoreOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DocumentDB Account Contributor
Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.DocumentDb/databaseAccounts/* | Create and manage Azure Cosmos DB accounts |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DocumentDB accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
"name": "5bd9cd88-fe45-4216-938b-f97437e15450",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DocumentDB Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Redis Cache Contributor
Lets you manage Redis caches, but not access to them.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Cache/register/action | Registers the 'Microsoft.Cache' resource provider with a subscription |
| Microsoft.Cache/redis/* | Create and manage Redis caches |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Redis caches, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
"name": "e0f68234-74aa-48ed-b826-c38b57376e17",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/register/action",
"Microsoft.Cache/redis/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Redis Cache Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL DB Contributor
Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Sql/locations/*/read | |
| Microsoft.Sql/servers/databases/* | Create and manage SQL databases |
| Microsoft.Sql/servers/read | Return the list of servers or gets the properties for the specified server. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| NotActions | |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/write | Enable uploading ledger digests |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action | Disable uploading ledger digests |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/auditingSettings/* | Edit audit settings |
| Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Edit data masking policies |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/securityAlertPolicies/* | Edit security alert policies |
| Microsoft.Sql/servers/databases/securityMetrics/* | Edit security metrics |
| Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/databases/*",
"Microsoft.Sql/servers/read",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL DB Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Managed Instance Contributor
Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.
| Actions | Description |
|---|---|
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Network/networkSecurityGroups/* | |
| Microsoft.Network/routeTables/* | |
| Microsoft.Sql/locations/*/read | |
| Microsoft.Sql/locations/instanceFailoverGroups/* | |
| Microsoft.Sql/managedInstances/* | |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Network/virtualNetworks/subnets/* | |
| Microsoft.Network/virtualNetworks/* | |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| NotActions | |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete | Deletes a specific managed server Azure Active Directory only authentication object |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | Adds or updates a specific managed server Azure Active Directory only authentication object |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"permissions": [
{
"actions": [
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/routeTables/*",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/locations/instanceFailoverGroups/*",
"Microsoft.Sql/managedInstances/*",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Managed Instance Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Security Manager
Lets you manage the security-related policies of SQL servers and databases, but not access to them. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Sql/locations/administratorAzureAsyncOperation/read | Gets the Managed instance azure async administrator operations result. |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection settings for a given managed instance |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection settings for a given managed instance |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/serverConfigurationOptions/read | Gets properties for the specified Azure SQL Managed Instance Server Configuration Option. |
| Microsoft.Sql/managedInstances/serverConfigurationOptions/write | Updates Azure SQL Managed Instance's Server Configuration Option properties for the specified instance. |
| Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read | Gets the status of Azure SQL Managed Instance Server Configuration Option Azure async operation. |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server |
| Microsoft.Sql/servers/auditingSettings/* | Create and manage SQL server auditing setting |
| Microsoft.Sql/servers/extendedAuditingSettings/read | Retrieve details of the extended server blob auditing policy configured on a given server |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database |
| Microsoft.Sql/servers/databases/auditingSettings/* | Create and manage SQL server database auditing settings |
| Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Create and manage SQL server database data masking policies |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/read | Retrieve details of the extended blob auditing policy configured on a given database |
| Microsoft.Sql/servers/databases/read | Return the list of databases or gets the properties for the specified database. |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/read | Get a database schema. |
| Microsoft.Sql/servers/databases/schemas/tables/columns/read | Get a database column. |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/read | Get a database table. |
| Microsoft.Sql/servers/databases/securityAlertPolicies/* | Create and manage SQL server database security alert policies |
| Microsoft.Sql/servers/databases/securityMetrics/* | Create and manage SQL server database security metrics |
| Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/transparentDataEncryption/* | |
| Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/devOpsAuditingSettings/* | |
| Microsoft.Sql/servers/firewallRules/* | |
| Microsoft.Sql/servers/read | Return the list of servers or gets the properties for the specified server. |
| Microsoft.Sql/servers/securityAlertPolicies/* | Create and manage SQL server security alert policies |
| Microsoft.Sql/servers/sqlvulnerabilityAssessments/* | |
| Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Sql/servers/azureADOnlyAuthentications/* | |
| Microsoft.Sql/managedInstances/read | Return the list of managed instances or gets the properties for the specified managed instance. |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* | |
| Microsoft.Security/sqlVulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/administrators/read | Gets a list of managed instance administrators. |
| Microsoft.Sql/servers/administrators/read | Gets a specific Azure Active Directory administrator object |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/* | |
| Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read | Gets in-progress operations of ledger digest upload settings |
| Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read | Gets in-progress operations of ledger digest upload settings |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/read",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/write",
"Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/transparentDataEncryption/*",
"Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/firewallRules/*",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Support/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/*",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
"Microsoft.Security/sqlVulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/administrators/read",
"Microsoft.Sql/servers/administrators/read",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/*",
"Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read",
"Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Security Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Server Contributor
Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Sql/locations/*/read | |
| Microsoft.Sql/servers/* | Create and manage SQL servers |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| NotActions | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/auditingSettings/* | Edit SQL server auditing settings |
| Microsoft.Sql/servers/databases/auditingSettings/* | Edit SQL server database auditing settings |
| Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Edit SQL server database data masking policies |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/securityAlertPolicies/* | Edit SQL server database security alert policies |
| Microsoft.Sql/servers/databases/securityMetrics/* | Edit SQL server database security metrics |
| Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/devOpsAuditingSettings/* | |
| Microsoft.Sql/servers/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/securityAlertPolicies/* | Edit SQL server security alert policies |
| Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/azureADOnlyAuthentications/delete | Deletes a specific server Azure Active Directory only authentication object |
| Microsoft.Sql/servers/azureADOnlyAuthentications/write | Adds or updates a specific server Azure Active Directory only authentication object |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete | Deletes a specific server external policy based authorization property |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write | Adds or updates a specific server external policy based authorization property |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/*",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/write",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Analytics
Azure Event Hubs Data Owner
Allows for full access to Azure Event Hubs resources. Learn more
| Actions | Description |
|---|---|
| Microsoft.EventHub/* | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.EventHub/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Event Hubs resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
"name": "f526a384-b230-433a-b45c-95f59c4a2dec",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Event Hubs Data Receiver
Allows receive access to Azure Event Hubs resources. Learn more
| Actions | Description |
|---|---|
| Microsoft.EventHub/*/eventhubs/consumergroups/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.EventHub/*/receive/action | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows receive access to Azure Event Hubs resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
"name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*/eventhubs/consumergroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*/receive/action"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Receiver",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Event Hubs Data Sender
Allows send access to Azure Event Hubs resources. Learn more
| Actions | Description |
|---|---|
| Microsoft.EventHub/*/eventhubs/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.EventHub/*/send/action | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows send access to Azure Event Hubs resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
"name": "2b629674-e913-4c01-ae53-ef4638d8f975",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*/eventhubs/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Factory Contributor
Create and manage data factories, as well as child resources within them. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.DataFactory/dataFactories/* | Create and manage data factories, and child resources within them. |
| Microsoft.DataFactory/factories/* | Create and manage data factories, and child resources within them. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.EventGrid/eventSubscriptions/write | Create or update an eventSubscription |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Create and manage data factories, as well as child resources within them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
"name": "673868aa-7521-48a0-acc6-0f60742d39f5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DataFactory/dataFactories/*",
"Microsoft.DataFactory/factories/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.EventGrid/eventSubscriptions/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Factory Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Data Purger
Delete private data from a Log Analytics workspace. Learn more
| Actions | Description |
|---|---|
| Microsoft.Insights/components/*/read | |
| Microsoft.Insights/components/purge/action | Purging data from Application Insights |
| Microsoft.OperationalInsights/workspaces/*/read | View log analytics data |
| Microsoft.OperationalInsights/workspaces/purge/action | Delete specified data by query from workspace. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can purge analytics data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
"name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90",
"permissions": [
{
"actions": [
"Microsoft.Insights/components/*/read",
"Microsoft.Insights/components/purge/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/purge/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Purger",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
HDInsight Cluster Operator
Lets you read and modify HDInsight cluster configurations. Learn more
| Actions | Description |
|---|---|
| Microsoft.HDInsight/*/read | |
| Microsoft.HDInsight/clusters/getGatewaySettings/action | Get gateway settings for HDInsight Cluster |
| Microsoft.HDInsight/clusters/updateGatewaySettings/action | Update gateway settings for HDInsight Cluster |
| Microsoft.HDInsight/clusters/configurations/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you read and modify HDInsight cluster configurations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a",
"name": "61ed4efc-fab3-44fd-b111-e24485cc132a",
"permissions": [
{
"actions": [
"Microsoft.HDInsight/*/read",
"Microsoft.HDInsight/clusters/getGatewaySettings/action",
"Microsoft.HDInsight/clusters/updateGatewaySettings/action",
"Microsoft.HDInsight/clusters/configurations/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight Cluster Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
HDInsight Domain Services Contributor
Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package Learn more
| Actions | Description |
|---|---|
| Microsoft.AAD/*/read | |
| Microsoft.AAD/domainServices/*/read | |
| Microsoft.AAD/domainServices/oucontainer/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c",
"name": "8d8d5a11-05d3-4bda-a417-a08778121c7c",
"permissions": [
{
"actions": [
"Microsoft.AAD/*/read",
"Microsoft.AAD/domainServices/*/read",
"Microsoft.AAD/domainServices/oucontainer/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight Domain Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Log Analytics Contributor
Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. Learn more
| Actions | Description |
|---|---|
| */read | Read resources of all types, except secrets. |
| Microsoft.ClassicCompute/virtualMachines/extensions/* | |
| Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
| Microsoft.Compute/virtualMachines/extensions/* | |
| Microsoft.HybridCompute/machines/extensions/write | Installs or Updates an Azure Arc extensions |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.OperationalInsights/* | |
| Microsoft.OperationsManagement/* | |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
| Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.ClassicCompute/virtualMachines/extensions/*",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.Compute/virtualMachines/extensions/*",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.OperationalInsights/*",
"Microsoft.OperationsManagement/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Log Analytics Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Log Analytics Reader
Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. Learn more
| Actions | Description |
|---|---|
| */read | Read resources of all types, except secrets. |
| Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using new engine. |
| Microsoft.OperationalInsights/workspaces/search/action | Executes a search query |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| Microsoft.OperationalInsights/workspaces/sharedKeys/read | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893",
"name": "73c42c96-874c-492b-b04d-ab87d138a893",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.OperationalInsights/workspaces/sharedKeys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Log Analytics Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Schema Registry Contributor (Preview)
Read, write, and delete Schema Registry groups and schemas.
| Actions | Description |
|---|---|
| Microsoft.EventHub/namespaces/schemagroups/* | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.EventHub/namespaces/schemas/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read, write, and delete Schema Registry groups and schemas.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25",
"name": "5dffeca3-4936-4216-b2bc-10343a5abb25",
"permissions": [
{
"actions": [
"Microsoft.EventHub/namespaces/schemagroups/*"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/namespaces/schemas/*"
],
"notDataActions": []
}
],
"roleName": "Schema Registry Contributor (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Schema Registry Reader (Preview)
Read and list Schema Registry groups and schemas.
| Actions | Description |
|---|---|
| Microsoft.EventHub/namespaces/schemagroups/read | Get list of SchemaGroup Resource Descriptions |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.EventHub/namespaces/schemas/read | Retrieve schemas |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read and list Schema Registry groups and schemas.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
"name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
"permissions": [
{
"actions": [
"Microsoft.EventHub/namespaces/schemagroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/namespaces/schemas/read"
],
"notDataActions": []
}
],
"roleName": "Schema Registry Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Stream Analytics Query Tester
Lets you perform query testing without creating a stream analytics job first
| Actions | Description |
|---|---|
| Microsoft.StreamAnalytics/locations/TestQuery/action | Test Query for Stream Analytics Resource Provider |
| Microsoft.StreamAnalytics/locations/OperationResults/read | Read Stream Analytics Operation Result |
| Microsoft.StreamAnalytics/locations/SampleInput/action | Sample Input for Stream Analytics Resource Provider |
| Microsoft.StreamAnalytics/locations/CompileQuery/action | Compile Query for Stream Analytics Resource Provider |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you perform query testing without creating a stream analytics job first",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
"name": "1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
"permissions": [
{
"actions": [
"Microsoft.StreamAnalytics/locations/TestQuery/action",
"Microsoft.StreamAnalytics/locations/OperationResults/read",
"Microsoft.StreamAnalytics/locations/SampleInput/action",
"Microsoft.StreamAnalytics/locations/CompileQuery/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Stream Analytics Query Tester",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AI + machine learning
AzureML Compute Operator
Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). Learn more
| Actions | Description |
|---|---|
| Microsoft.MachineLearningServices/workspaces/computes/* | |
| Microsoft.MachineLearningServices/workspaces/notebooks/vm/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs).",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-4e8e-8e2c-7a6c3bf38815",
"name": "e503ece1-11d0-4e8e-8e2c-7a6c3bf38815",
"permissions": [
{
"actions": [
"Microsoft.MachineLearningServices/workspaces/computes/*",
"Microsoft.MachineLearningServices/workspaces/notebooks/vm/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AzureML Compute Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
AzureML Data Scientist
Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. Learn more
| Actions | Description |
|---|---|
| Microsoft.MachineLearningServices/workspaces/*/read | |
| Microsoft.MachineLearningServices/workspaces/*/action | |
| Microsoft.MachineLearningServices/workspaces/*/delete | |
| Microsoft.MachineLearningServices/workspaces/*/write | |
| NotActions | |
| Microsoft.MachineLearningServices/workspaces/delete | Deletes the Machine Learning Services Workspace(s) |
| Microsoft.MachineLearningServices/workspaces/write | Creates or updates a Machine Learning Services Workspace(s) |
| Microsoft.MachineLearningServices/workspaces/computes/*/write | |
| Microsoft.MachineLearningServices/workspaces/computes/*/delete | |
| Microsoft.MachineLearningServices/workspaces/computes/listKeys/action | List secrets for compute resources in Machine Learning Services Workspace |
| Microsoft.MachineLearningServices/workspaces/listKeys/action | List secrets for a Machine Learning Services Workspace |
| Microsoft.MachineLearningServices/workspaces/hubs/write | Creates or updates a Machine Learning Services Hub Workspace(s) |
| Microsoft.MachineLearningServices/workspaces/hubs/delete | Deletes the Machine Learning Services Hub Workspace(s) |
| Microsoft.MachineLearningServices/workspaces/featurestores/write | Creates or Updates the Machine Learning Services FeatureStore(s) |
| Microsoft.MachineLearningServices/workspaces/featurestores/delete | Deletes the Machine Learning Services FeatureStore(s) |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121",
"name": "f6c7c914-8db3-469d-8ca1-694a8f32e121",
"permissions": [
{
"actions": [
"Microsoft.MachineLearningServices/workspaces/*/read",
"Microsoft.MachineLearningServices/workspaces/*/action",
"Microsoft.MachineLearningServices/workspaces/*/delete",
"Microsoft.MachineLearningServices/workspaces/*/write"
],
"notActions": [
"Microsoft.MachineLearningServices/workspaces/delete",
"Microsoft.MachineLearningServices/workspaces/write",
"Microsoft.MachineLearningServices/workspaces/computes/*/write",
"Microsoft.MachineLearningServices/workspaces/computes/*/delete",
"Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
"Microsoft.MachineLearningServices/workspaces/listKeys/action",
"Microsoft.MachineLearningServices/workspaces/hubs/write",
"Microsoft.MachineLearningServices/workspaces/hubs/delete",
"Microsoft.MachineLearningServices/workspaces/featurestores/write",
"Microsoft.MachineLearningServices/workspaces/featurestores/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AzureML Data Scientist",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Contributor
Lets you create, read, update, delete and manage keys of Cognitive Services. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.CognitiveServices/* | |
| Microsoft.Features/features/read | Gets the features of a subscription. |
| Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
| Microsoft.Features/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Insights/logDefinitions/read | Read log definitions |
| Microsoft.Insights/metricdefinitions/read | Read metric definitions |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you create, read, update, delete and manage keys of Cognitive Services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
"name": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.CognitiveServices/*",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Insights/logDefinitions/read",
"Microsoft.Insights/metricdefinitions/read",
"Microsoft.Insights/metrics/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cognitive Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Custom Vision Contributor
Full access to the project, including the ability to view, create, edit, or delete projects. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Full access to the project, including the ability to view, create, edit, or delete projects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
"name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Custom Vision Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Custom Vision Deployment
Publish, unpublish or export models. Deployment can view the project but can't update. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/*/read | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/classify/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/detect/* | |
| NotDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "Publish, unpublish or export models. Deployment can view the project but can't update.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
"name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*",
"Microsoft.CognitiveServices/accounts/CustomVision/classify/*",
"Microsoft.CognitiveServices/accounts/CustomVision/detect/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Deployment",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Custom Vision Labeler
View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/*/read | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/images/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action | This API will get suggested tags and regions for an array/batch of untagged images along with confidences for the tags. It returns an empty array if no tags are found. |
| NotDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
"name": "88424f51-ebe7-446f-bc41-7fa16989e96c",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Labeler",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Custom Vision Reader
Read-only actions in the project. Readers can't create or update the project. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/*/read | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. |
| NotDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "Read-only actions in the project. Readers can't create or update the project.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
"name": "93586559-c37d-4a6b-ba08-b9f0940c2d73",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Custom Vision Trainer
View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/* | |
| NotDataActions | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/action | Create a project. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/delete | Delete a specific project. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action | Imports a project. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |
{
"assignableScopes": [
"/"
],
"description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
"name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Trainer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Data Reader (Preview)
Lets you read Cognitive Services data.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/*/read | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you read Cognitive Services data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
"name": "b59867f0-fa02-499b-be73-45a86b5b3e1c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/*/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Data Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Face Recognizer
Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/Face/detect/action | Detect human faces in an image, return face rectangles, and optionally with faceIds, landmarks, and attributes. |
| Microsoft.CognitiveServices/accounts/Face/verify/action | Verify whether two faces belong to a same person or whether one face belongs to a person. |
| Microsoft.CognitiveServices/accounts/Face/identify/action | 1-to-many identification to find the closest matches of the specific query person face from a person group or large person group. |
| Microsoft.CognitiveServices/accounts/Face/group/action | Divide candidate faces into groups based on face similarity. |
| Microsoft.CognitiveServices/accounts/Face/findsimilars/action | Given query face's faceId, to search the similar-looking faces from a faceId array, a face list or a large face list. faceId |
| Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action | Performs liveness detection on a target face in a sequence of infrared, color and/or depth images, and returns the liveness classification of the target face as either ‘real face’, ‘spoof face’, or ‘uncertain’ if a classification cannot be made with the given inputs. |
| Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action | Performs liveness detection on a target face in a sequence of images of the same modality (e.g. color or infrared), and returns the liveness classification of the target face as either ‘real face’, ‘spoof face’, or ‘uncertain’ if a classification cannot be made with the given inputs. |
| Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action | Detects liveness of a target face in a sequence of images of the same stream type (e.g. color) and then compares with VerifyImage to return confidence score for identity scenarios. |
| Microsoft.CognitiveServices/accounts/Face/*/sessions/action | |
| Microsoft.CognitiveServices/accounts/Face/*/sessions/delete | |
| Microsoft.CognitiveServices/accounts/Face/*/sessions/read | |
| Microsoft.CognitiveServices/accounts/Face/*/sessions/audit/read | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7",
"name": "9894cab4-e18a-44aa-828b-cb588cd6f2d7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/Face/detect/action",
"Microsoft.CognitiveServices/accounts/Face/verify/action",
"Microsoft.CognitiveServices/accounts/Face/identify/action",
"Microsoft.CognitiveServices/accounts/Face/group/action",
"Microsoft.CognitiveServices/accounts/Face/findsimilars/action",
"Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action",
"Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action",
"Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action",
"Microsoft.CognitiveServices/accounts/Face/*/sessions/action",
"Microsoft.CognitiveServices/accounts/Face/*/sessions/delete",
"Microsoft.CognitiveServices/accounts/Face/*/sessions/read",
"Microsoft.CognitiveServices/accounts/Face/*/sessions/audit/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Face Recognizer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Metrics Advisor Administrator
Full access to the project, including the system level configuration. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/MetricsAdvisor/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Full access to the project, including the system level configuration.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a",
"name": "cb43c632-a144-4ec5-977c-e80c4affc34a",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Metrics Advisor Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services OpenAI Contributor
Full access including the ability to fine-tune, deploy and generate text Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| Microsoft.CognitiveServices/accounts/deployments/write | Writes deployments. |
| Microsoft.CognitiveServices/accounts/deployments/delete | Deletes deployments. |
| Microsoft.CognitiveServices/accounts/raiPolicies/read | Gets all applicable policies under the account including default policies. |
| Microsoft.CognitiveServices/accounts/raiPolicies/write | Create or update a custom Responsible AI policy. |
| Microsoft.CognitiveServices/accounts/raiPolicies/delete | Deletes a custom Responsible AI policy that's not referenced by an existing deployment. |
| Microsoft.CognitiveServices/accounts/commitmentplans/read | Reads commitment plans. |
| Microsoft.CognitiveServices/accounts/commitmentplans/write | Writes commitment plans. |
| Microsoft.CognitiveServices/accounts/commitmentplans/delete | Deletes commitment plans. |
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
| Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/OpenAI/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Full access including the ability to fine-tune, deploy and generate text",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-4b5d-821b-7da978bf7442",
"name": "a001fd3d-188f-4b5d-821b-7da978bf7442",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.CognitiveServices/accounts/deployments/write",
"Microsoft.CognitiveServices/accounts/deployments/delete",
"Microsoft.CognitiveServices/accounts/raiPolicies/read",
"Microsoft.CognitiveServices/accounts/raiPolicies/write",
"Microsoft.CognitiveServices/accounts/raiPolicies/delete",
"Microsoft.CognitiveServices/accounts/commitmentplans/read",
"Microsoft.CognitiveServices/accounts/commitmentplans/write",
"Microsoft.CognitiveServices/accounts/commitmentplans/delete",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/OpenAI/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services OpenAI Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services OpenAI User
Read access to view files, models, deployments. The ability to create completion and embedding calls. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
| Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/OpenAI/*/read | |
| Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action | Create a completion from a chosen model |
| Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action | Search for the most relevant documents using the current engine. |
| Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action | (Intended for browsers only.) Stream generated text from the model via GET request. This method is provided because the browser-native EventSource method can only send GET requests. It supports a more limited set of configuration options than the POST variant. |
| Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/write | |
| Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action | Search for the most relevant documents using the current engine. |
| Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action | Create a completion from a chosen model. |
| Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action | Creates a completion for the chat message |
| Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action | Creates a completion for the chat message with extensions |
| Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action | Return the embeddings for a given prompt. |
| Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/write | |
| Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action | Create image generations. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Ability to view files, models, deployments. Readers are able to call inference operations such as chat completions and image generation.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-4f28-af87-19fc36ad61bd",
"name": "5e0bd9bd-7b93-4f28-af87-19fc36ad61bd",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/OpenAI/*/read",
"Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action",
"Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action",
"Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action",
"Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/write",
"Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action",
"Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action",
"Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action",
"Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action",
"Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action",
"Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/write",
"Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services OpenAI User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services QnA Maker Editor
Let's you create, edit, import and export a KB. You cannot publish or delete a KB. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
| Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write | Replace alterations data. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write | Update endpoint seettings for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker/operations/read | Gets details of a specific long running operation. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write | Replace alterations data. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write | Update endpoint seettings for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read | Gets details of a specific long running operation. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or Replace knowledgebase contents. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write | Replace alterations data. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write | Update endpoint seettings for an endpoint. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read | Gets details of a specific long running operation. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Let's you create, edit, import and export a KB. You cannot publish or delete a KB.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025",
"name": "f4cc2bf9-21be-47a1-bdf1-5c5804381025",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action",
"Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write",
"Microsoft.CognitiveServices/accounts/QnAMaker/operations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services QnA Maker Editor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services QnA Maker Reader
Let's you read and test a KB only. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| Microsoft.Authorization/roleAssignments/read | Get information about a role assignment. |
| Microsoft.Authorization/roleDefinitions/read | Get information about a role definition. |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read | Gets List of Knowledgebases or details of a specific knowledgebaser. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Let's you read and test a KB only.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126",
"name": "466ccd10-b268-4a11-b098-b4849f024126",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services QnA Maker Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Usages Reader
Minimal permission to view Cognitive Services usages. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/locations/usages/read | Read all usages data |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Minimal permission to view Cognitive Services usages.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bba48692-92b0-4667-a9ad-c31c7b334ac2",
"name": "bba48692-92b0-4667-a9ad-c31c7b334ac2",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/locations/usages/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cognitive Services Usages Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services User
Lets you read and list keys of Cognitive Services. Learn more
| Actions | Description |
|---|---|
| Microsoft.CognitiveServices/*/read | |
| Microsoft.CognitiveServices/accounts/listkeys/action | List keys |
| Microsoft.Insights/alertRules/read | Read a classic metric alert |
| Microsoft.Insights/diagnosticSettings/read | Read a resource diagnostic setting |
| Microsoft.Insights/logDefinitions/read | Read log definitions |
| Microsoft.Insights/metricdefinitions/read | Read metric definitions |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.CognitiveServices/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you read and list keys of Cognitive Services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
"name": "a97b65f3-24c7-4388-baec-2e87135dc908",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.CognitiveServices/accounts/listkeys/action",
"Microsoft.Insights/alertRules/read",
"Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Insights/logDefinitions/read",
"Microsoft.Insights/metricdefinitions/read",
"Microsoft.Insights/metrics/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Internet of things
Device Update Administrator
Gives you full access to management and content operations Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/updates/write | Performs a write operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/updates/delete | Performs a delete operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/management/write | Performs a write operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/management/delete | Performs a delete operation related to management |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Gives you full access to management and content operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a",
"name": "02ca0879-e8e4-47a5-a61e-5c618b76e64a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read",
"Microsoft.DeviceUpdate/accounts/instances/updates/write",
"Microsoft.DeviceUpdate/accounts/instances/updates/delete",
"Microsoft.DeviceUpdate/accounts/instances/management/read",
"Microsoft.DeviceUpdate/accounts/instances/management/write",
"Microsoft.DeviceUpdate/accounts/instances/management/delete"
],
"notDataActions": []
}
],
"roleName": "Device Update Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Content Administrator
Gives you full access to content operations Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/updates/write | Performs a write operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/updates/delete | Performs a delete operation related to updates |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Gives you full access to content operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98",
"name": "0378884a-3af5-44ab-8323-f5b22f9f3c98",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read",
"Microsoft.DeviceUpdate/accounts/instances/updates/write",
"Microsoft.DeviceUpdate/accounts/instances/updates/delete"
],
"notDataActions": []
}
],
"roleName": "Device Update Content Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Content Reader
Gives you read access to content operations, but does not allow making changes Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Gives you read access to content operations, but does not allow making changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
"name": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Content Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Deployments Administrator
Gives you full access to management operations Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/management/write | Performs a write operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/management/delete | Performs a delete operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Gives you full access to management operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432",
"name": "e4237640-0e3d-4a46-8fda-70bc94856432",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/management/read",
"Microsoft.DeviceUpdate/accounts/instances/management/write",
"Microsoft.DeviceUpdate/accounts/instances/management/delete",
"Microsoft.DeviceUpdate/accounts/instances/updates/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Deployments Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Deployments Reader
Gives you read access to management operations, but does not allow making changes Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Gives you read access to management operations, but does not allow making changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f",
"name": "49e2f5d2-7741-4835-8efa-19e1fe35e47f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/management/read",
"Microsoft.DeviceUpdate/accounts/instances/updates/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Deployments Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Reader
Gives you read access to management and content operations, but does not allow making changes Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Gives you read access to management and content operations, but does not allow making changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
"name": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read",
"Microsoft.DeviceUpdate/accounts/instances/management/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
IoT Hub Data Contributor
Allows for full access to IoT Hub data plane operations. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Devices/IotHubs/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to IoT Hub data plane operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f",
"name": "4fc6c259-987e-4a07-842e-c321cc9d413f",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/*"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
IoT Hub Data Reader
Allows for full read access to IoT Hub data-plane properties Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Devices/IotHubs/*/read | |
| Microsoft.Devices/IotHubs/fileUpload/notifications/action | Receive, complete, or abandon file upload notifications |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full read access to IoT Hub data-plane properties",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3",
"name": "b447c946-2db7-41ec-983d-d8bf3b1c77e3",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/*/read",
"Microsoft.Devices/IotHubs/fileUpload/notifications/action"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
IoT Hub Registry Contributor
Allows for full access to IoT Hub device registry. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Devices/IotHubs/devices/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to IoT Hub device registry.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
"name": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/devices/*"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Registry Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
IoT Hub Twin Contributor
Allows for read and write access to all IoT Hub device and module twins. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Devices/IotHubs/twins/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for read and write access to all IoT Hub device and module twins.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c",
"name": "494bdba2-168f-4f31-a0a1-191d2f7c028c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/twins/*"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Twin Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Mixed reality
Remote Rendering Administrator
Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.MixedReality/RemoteRenderingAccounts/convert/action | Start asset conversion |
| Microsoft.MixedReality/RemoteRenderingAccounts/convert/read | Get asset conversion properties |
| Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete | Stop asset conversion |
| Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read | Get session properties |
| Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action | Start sessions |
| Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete | Stop sessions |
| Microsoft.MixedReality/RemoteRenderingAccounts/render/read | Connect to a session |
| Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
"name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/RemoteRenderingAccounts/convert/action",
"Microsoft.MixedReality/RemoteRenderingAccounts/convert/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete",
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
"Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
],
"notDataActions": []
}
],
"roleName": "Remote Rendering Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Remote Rendering Client
Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read | Get session properties |
| Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action | Start sessions |
| Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete | Stop sessions |
| Microsoft.MixedReality/RemoteRenderingAccounts/render/read | Connect to a session |
| Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | Connect to the Remote Rendering inspector |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a",
"name": "d39065c4-c120-43c9-ab0a-63eed9795f0a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
"Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
],
"notDataActions": []
}
],
"roleName": "Remote Rendering Client",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Spatial Anchors Account Contributor
Lets you manage spatial anchors in your account, but not delete them Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.MixedReality/SpatialAnchorsAccounts/create/action | Create spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
| Microsoft.MixedReality/SpatialAnchorsAccounts/write | Update spatial anchors properties |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage spatial anchors in your account, but not delete them",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
"name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
"Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/write"
],
"notDataActions": []
}
],
"roleName": "Spatial Anchors Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Spatial Anchors Account Owner
Lets you manage spatial anchors in your account, including deleting them Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.MixedReality/SpatialAnchorsAccounts/create/action | Create spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/delete | Delete spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
| Microsoft.MixedReality/SpatialAnchorsAccounts/write | Update spatial anchors properties |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage spatial anchors in your account, including deleting them",
"id": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c",
"name": "70bbe301-9835-447d-afdd-19eb3167307c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
"Microsoft.MixedReality/SpatialAnchorsAccounts/delete",
"Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/write"
],
"notDataActions": []
}
],
"roleName": "Spatial Anchors Account Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Spatial Anchors Account Reader
Lets you locate and read properties of spatial anchors in your account Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read | Discover nearby spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read | Get properties of spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/query/read | Locate spatial anchors |
| Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you locate and read properties of spatial anchors in your account",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413",
"name": "5d51204f-eb77-4b1c-b86a-2ec626c49413",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read"
],
"notDataActions": []
}
],
"roleName": "Spatial Anchors Account Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Integration
API Management Service Contributor
Can manage service and the APIs Learn more
| Actions | Description |
|---|---|
| Microsoft.ApiManagement/service/* | Create and manage API Management service |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can manage service and the APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
"name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
API Management Service Operator Role
Can manage service but not the APIs Learn more
| Actions | Description |
|---|---|
| Microsoft.ApiManagement/service/*/read | Read API Management Service instances |
| Microsoft.ApiManagement/service/backup/action | Backup API Management Service to the specified container in a user provided storage account |
| Microsoft.ApiManagement/service/delete | Delete API Management Service instance |
| Microsoft.ApiManagement/service/managedeployments/action | Change SKU/units, add/remove regional deployments of API Management Service |
| Microsoft.ApiManagement/service/read | Read metadata for an API Management Service instance |
| Microsoft.ApiManagement/service/restore/action | Restore API Management Service from the specified container in a user provided storage account |
| Microsoft.ApiManagement/service/updatecertificate/action | Upload TLS/SSL certificate for an API Management Service |
| Microsoft.ApiManagement/service/updatehostname/action | Setup, update or remove custom domain names for an API Management Service |
| Microsoft.ApiManagement/service/write | Create or Update API Management Service instance |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| Microsoft.ApiManagement/service/users/keys/read | Get keys associated with user |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can manage service but not the APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
"name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*/read",
"Microsoft.ApiManagement/service/backup/action",
"Microsoft.ApiManagement/service/delete",
"Microsoft.ApiManagement/service/managedeployments/action",
"Microsoft.ApiManagement/service/read",
"Microsoft.ApiManagement/service/restore/action",
"Microsoft.ApiManagement/service/updatecertificate/action",
"Microsoft.ApiManagement/service/updatehostname/action",
"Microsoft.ApiManagement/service/write",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.ApiManagement/service/users/keys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Operator Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
API Management Service Reader Role
Read-only access to service and APIs Learn more
| Actions | Description |
|---|---|
| Microsoft.ApiManagement/service/*/read | Read API Management Service instances |
| Microsoft.ApiManagement/service/read | Read metadata for an API Management Service instance |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| Microsoft.ApiManagement/service/users/keys/read | Get keys associated with user |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read-only access to service and APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
"name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*/read",
"Microsoft.ApiManagement/service/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.ApiManagement/service/users/keys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
API Management Service Workspace API Developer
Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. Learn more
| Actions | Description |
|---|---|
| Microsoft.ApiManagement/service/tags/read | Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier. |
| Microsoft.ApiManagement/service/tags/apiLinks/* | |
| Microsoft.ApiManagement/service/tags/operationLinks/* | |
| Microsoft.ApiManagement/service/tags/productLinks/* | |
| Microsoft.ApiManagement/service/products/read | Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier. |
| Microsoft.ApiManagement/service/products/apiLinks/* | |
| Microsoft.ApiManagement/service/read | Read metadata for an API Management Service instance |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9565a273-41b9-4368-97d2-aeb0c976a9b3",
"name": "9565a273-41b9-4368-97d2-aeb0c976a9b3",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/tags/read",
"Microsoft.ApiManagement/service/tags/apiLinks/*",
"Microsoft.ApiManagement/service/tags/operationLinks/*",
"Microsoft.ApiManagement/service/tags/productLinks/*",
"Microsoft.ApiManagement/service/products/read",
"Microsoft.ApiManagement/service/products/apiLinks/*",
"Microsoft.ApiManagement/service/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Workspace API Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
API Management Service Workspace API Product Manager
Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. Learn more
| Actions | Description |
|---|---|
| Microsoft.ApiManagement/service/users/read | Lists a collection of registered users in the specified service instance. or Gets the details of the user specified by its identifier. |
| Microsoft.ApiManagement/service/tags/read | Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier. |
| Microsoft.ApiManagement/service/tags/apiLinks/* | |
| Microsoft.ApiManagement/service/tags/operationLinks/* | |
| Microsoft.ApiManagement/service/tags/productLinks/* | |
| Microsoft.ApiManagement/service/products/read | Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier. |
| Microsoft.ApiManagement/service/products/apiLinks/* | |
| Microsoft.ApiManagement/service/groups/read | Lists a collection of groups defined within a service instance. or Gets the details of the group specified by its identifier. |
| Microsoft.ApiManagement/service/groups/users/* | |
| Microsoft.ApiManagement/service/read | Read metadata for an API Management Service instance |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
"name": "d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/users/read",
"Microsoft.ApiManagement/service/tags/read",
"Microsoft.ApiManagement/service/tags/apiLinks/*",
"Microsoft.ApiManagement/service/tags/operationLinks/*",
"Microsoft.ApiManagement/service/tags/productLinks/*",
"Microsoft.ApiManagement/service/products/read",
"Microsoft.ApiManagement/service/products/apiLinks/*",
"Microsoft.ApiManagement/service/groups/read",
"Microsoft.ApiManagement/service/groups/users/*",
"Microsoft.ApiManagement/service/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Workspace API Product Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
API Management Workspace API Developer
Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. Learn more
| Actions | Description |
|---|---|
| Microsoft.ApiManagement/service/workspaces/*/read | |
| Microsoft.ApiManagement/service/workspaces/apis/* | |
| Microsoft.ApiManagement/service/workspaces/apiVersionSets/* | |
| Microsoft.ApiManagement/service/workspaces/policies/* | |
| Microsoft.ApiManagement/service/workspaces/schemas/* | |
| Microsoft.ApiManagement/service/workspaces/products/* | |
| Microsoft.ApiManagement/service/workspaces/policyFragments/* | |
| Microsoft.ApiManagement/service/workspaces/namedValues/* | |
| Microsoft.ApiManagement/service/workspaces/tags/* | |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/56328988-075d-4c6a-8766-d93edd6725b6",
"name": "56328988-075d-4c6a-8766-d93edd6725b6",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*/read",
"Microsoft.ApiManagement/service/workspaces/apis/*",
"Microsoft.ApiManagement/service/workspaces/apiVersionSets/*",
"Microsoft.ApiManagement/service/workspaces/policies/*",
"Microsoft.ApiManagement/service/workspaces/schemas/*",
"Microsoft.ApiManagement/service/workspaces/products/*",
"Microsoft.ApiManagement/service/workspaces/policyFragments/*",
"Microsoft.ApiManagement/service/workspaces/namedValues/*",
"Microsoft.ApiManagement/service/workspaces/tags/*",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace API Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
API Management Workspace API Product Manager
Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. Learn more
| Actions | Description |
|---|---|
| Microsoft.ApiManagement/service/workspaces/*/read | |
| Microsoft.ApiManagement/service/workspaces/products/* | |
| Microsoft.ApiManagement/service/workspaces/subscriptions/* | |
| Microsoft.ApiManagement/service/workspaces/groups/* | |
| Microsoft.ApiManagement/service/workspaces/tags/* | |
| Microsoft.ApiManagement/service/workspaces/notifications/* | |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/73c2c328-d004-4c5e-938c-35c6f5679a1f",
"name": "73c2c328-d004-4c5e-938c-35c6f5679a1f",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*/read",
"Microsoft.ApiManagement/service/workspaces/products/*",
"Microsoft.ApiManagement/service/workspaces/subscriptions/*",
"Microsoft.ApiManagement/service/workspaces/groups/*",
"Microsoft.ApiManagement/service/workspaces/tags/*",
"Microsoft.ApiManagement/service/workspaces/notifications/*",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace API Product Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
API Management Workspace Contributor
Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. Learn more
| Actions | Description |
|---|---|
| Microsoft.ApiManagement/service/workspaces/* | |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
"name": "0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
API Management Workspace Reader
Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. Learn more
| Actions | Description |
|---|---|
| Microsoft.ApiManagement/service/workspaces/*/read | |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
"name": "ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
App Configuration Data Owner
Allows full access to App Configuration data. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.AppConfiguration/configurationStores/*/read | |
| Microsoft.AppConfiguration/configurationStores/*/write | |
| Microsoft.AppConfiguration/configurationStores/*/delete | |
| Microsoft.AppConfiguration/configurationStores/*/action | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows full access to App Configuration data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
"name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppConfiguration/configurationStores/*/read",
"Microsoft.AppConfiguration/configurationStores/*/write",
"Microsoft.AppConfiguration/configurationStores/*/delete",
"Microsoft.AppConfiguration/configurationStores/*/action"
],
"notDataActions": []
}
],
"roleName": "App Configuration Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
App Configuration Data Reader
Allows read access to App Configuration data. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.AppConfiguration/configurationStores/*/read | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows read access to App Configuration data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
"name": "516239f1-63e1-4d78-a4de-a74fb236a071",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppConfiguration/configurationStores/*/read"
],
"notDataActions": []
}
],
"roleName": "App Configuration Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Relay Listener
Allows for listen access to Azure Relay resources.
| Actions | Description |
|---|---|
| Microsoft.Relay/*/wcfRelays/read | |
| Microsoft.Relay/*/hybridConnections/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Relay/*/listen/action | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for listen access to Azure Relay resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d",
"name": "26e0b698-aa6d-4085-9386-aadae190014d",
"permissions": [
{
"actions": [
"Microsoft.Relay/*/wcfRelays/read",
"Microsoft.Relay/*/hybridConnections/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*/listen/action"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Listener",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Relay Owner
Allows for full access to Azure Relay resources.
| Actions | Description |
|---|---|
| Microsoft.Relay/* | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Relay/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Relay resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38",
"name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38",
"permissions": [
{
"actions": [
"Microsoft.Relay/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Relay Sender
Allows for send access to Azure Relay resources.
| Actions | Description |
|---|---|
| Microsoft.Relay/*/wcfRelays/read | |
| Microsoft.Relay/*/hybridConnections/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Relay/*/send/action | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for send access to Azure Relay resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d",
"name": "26baccc8-eea7-41f1-98f4-1762cc7f685d",
"permissions": [
{
"actions": [
"Microsoft.Relay/*/wcfRelays/read",
"Microsoft.Relay/*/hybridConnections/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Service Bus Data Owner
Allows for full access to Azure Service Bus resources. Learn more
| Actions | Description |
|---|---|
| Microsoft.ServiceBus/* | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ServiceBus/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Service Bus resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
"name": "090c5cfd-751d-490a-894a-3ce6f1109419",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Service Bus Data Receiver
Allows for receive access to Azure Service Bus resources. Learn more
| Actions | Description |
|---|---|
| Microsoft.ServiceBus/*/queues/read | |
| Microsoft.ServiceBus/*/topics/read | |
| Microsoft.ServiceBus/*/topics/subscriptions/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ServiceBus/*/receive/action | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for receive access to Azure Service Bus resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
"name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*/queues/read",
"Microsoft.ServiceBus/*/topics/read",
"Microsoft.ServiceBus/*/topics/subscriptions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*/receive/action"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Receiver",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Service Bus Data Sender
Allows for send access to Azure Service Bus resources. Learn more
| Actions | Description |
|---|---|
| Microsoft.ServiceBus/*/queues/read | |
| Microsoft.ServiceBus/*/topics/read | |
| Microsoft.ServiceBus/*/topics/subscriptions/read | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.ServiceBus/*/send/action | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows for send access to Azure Service Bus resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
"name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*/queues/read",
"Microsoft.ServiceBus/*/topics/read",
"Microsoft.ServiceBus/*/topics/subscriptions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Stack Registration Owner
Lets you manage Azure Stack registrations.
| Actions | Description |
|---|---|
| Microsoft.AzureStack/edgeSubscriptions/read | |
| Microsoft.AzureStack/registrations/products/*/action | |
| Microsoft.AzureStack/registrations/products/read | Gets the properties of an Azure Stack Marketplace product |
| Microsoft.AzureStack/registrations/read | Gets the properties of an Azure Stack registration |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Stack registrations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
"name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
"permissions": [
{
"actions": [
"Microsoft.AzureStack/edgeSubscriptions/read",
"Microsoft.AzureStack/registrations/products/*/action",
"Microsoft.AzureStack/registrations/products/read",
"Microsoft.AzureStack/registrations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Stack Registration Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
EventGrid Contributor
Lets you manage EventGrid operations.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.EventGrid/* | Create and manage Event Grid resources |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage EventGrid operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de",
"name": "1e241071-0855-49ea-94dc-649edcd759de",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
EventGrid Data Sender
Allows send access to event grid events.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.EventGrid/topics/read | Read a topic |
| Microsoft.EventGrid/domains/read | Read a domain |
| Microsoft.EventGrid/partnerNamespaces/read | Read a partner namespace |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.EventGrid/namespaces/read | Read a namespace |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.EventGrid/events/send/action | Send events to topics |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows send access to event grid events.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7",
"name": "d5a91429-5739-47e2-a06b-3470a27159e7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/topics/read",
"Microsoft.EventGrid/domains/read",
"Microsoft.EventGrid/partnerNamespaces/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.EventGrid/namespaces/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventGrid/events/send/action"
],
"notDataActions": []
}
],
"roleName": "EventGrid Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
EventGrid EventSubscription Contributor
Lets you manage EventGrid event subscription operations. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.EventGrid/eventSubscriptions/* | Create and manage regional event subscriptions |
| Microsoft.EventGrid/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type |
| Microsoft.EventGrid/locations/eventSubscriptions/read | List regional event subscriptions |
| Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topictype |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage EventGrid event subscription operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
"name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/eventSubscriptions/*",
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
"Microsoft.EventGrid/locations/eventSubscriptions/read",
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid EventSubscription Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
EventGrid EventSubscription Reader
Lets you read EventGrid event subscriptions. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.EventGrid/eventSubscriptions/read | Read an eventSubscription |
| Microsoft.EventGrid/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type |
| Microsoft.EventGrid/locations/eventSubscriptions/read | List regional event subscriptions |
| Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topictype |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you read EventGrid event subscriptions.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
"name": "2414bbcf-6497-4faf-8c65-045460748405",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/eventSubscriptions/read",
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
"Microsoft.EventGrid/locations/eventSubscriptions/read",
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid EventSubscription Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
FHIR Data Contributor
Role allows user or principal full access to FHIR Data Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.HealthcareApis/services/fhir/resources/* | |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/* | |
| NotDataActions | |
| Microsoft.HealthcareApis/services/fhir/resources/smart/action | Allows user to access FHIR Service according to SMART on FHIR specification. |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action | Allows user to access FHIR Service according to SMART on FHIR specification. |
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal full access to FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
"name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/*",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
],
"notDataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/smart/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action"
]
}
],
"roleName": "FHIR Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
FHIR Data Exporter
Role allows user or principal to read and export FHIR Data Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
| Microsoft.HealthcareApis/services/fhir/resources/export/action | Export operation ($export). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action | Export operation ($export). |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and export FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
"name": "3db33094-8700-4567-8da5-1501d4e7e843",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/services/fhir/resources/export/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Exporter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
FHIR Data Importer
Role allows user or principal to read and import FHIR Data Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action | Import FHIR resources in batch. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and import FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b",
"name": "4465e953-8ced-4406-a58e-0f6e3f3b530b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Importer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
FHIR Data Reader
Role allows user or principal to read FHIR Data Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
"name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
FHIR Data Writer
Role allows user or principal to read and write FHIR Data Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
| Microsoft.HealthcareApis/services/fhir/resources/write | Write FHIR resources (includes create and update). |
| Microsoft.HealthcareApis/services/fhir/resources/delete | Delete FHIR resources (soft delete). |
| Microsoft.HealthcareApis/services/fhir/resources/export/action | Export operation ($export). |
| Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action | Validate operation ($validate). |
| Microsoft.HealthcareApis/services/fhir/resources/reindex/action | Allows user to run Reindex job to index any search parameters that haven't yet been indexed. |
| Microsoft.HealthcareApis/services/fhir/resources/convertData/action | Data convert operation ($convert-data) |
| Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action | Allows user to perform Create Update Delete operations on profile resources. |
| Microsoft.HealthcareApis/services/fhir/resources/import/action | Import FHIR resources in batch. |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/write | Write FHIR resources (includes create and update). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete | Delete FHIR resources (soft delete). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action | Export operation ($export). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action | Validate operation ($validate). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action | Allows user to run Reindex job to index any search parameters that haven't yet been indexed. |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action | Data convert operation ($convert-data) |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action | Allows user to perform Create Update Delete operations on profile resources. |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action | Import FHIR resources in batch. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and write FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
"name": "3f88fce4-5892-4214-ae73-ba5294559913",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/services/fhir/resources/write",
"Microsoft.HealthcareApis/services/fhir/resources/delete",
"Microsoft.HealthcareApis/services/fhir/resources/export/action",
"Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action",
"Microsoft.HealthcareApis/services/fhir/resources/reindex/action",
"Microsoft.HealthcareApis/services/fhir/resources/convertData/action",
"Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action",
"Microsoft.HealthcareApis/services/fhir/resources/import/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/write",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Integration Service Environment Contributor
Lets you manage integration service environments, but not access to them. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Logic/integrationServiceEnvironments/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage integration service environments, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
"name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Support/*",
"Microsoft.Logic/integrationServiceEnvironments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Integration Service Environment Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Integration Service Environment Developer
Allows developers to create and update workflows, integration accounts and API connections in integration service environments. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Logic/integrationServiceEnvironments/read | Reads the integration service environment. |
| Microsoft.Logic/integrationServiceEnvironments/*/join/action | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
"name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Support/*",
"Microsoft.Logic/integrationServiceEnvironments/read",
"Microsoft.Logic/integrationServiceEnvironments/*/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Integration Service Environment Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Intelligent Systems Account Contributor
Lets you manage Intelligent Systems accounts, but not access to them.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.IntelligentSystems/accounts/* | Create and manage intelligent systems accounts |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Intelligent Systems accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
"name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.IntelligentSystems/accounts/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Intelligent Systems Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Logic App Contributor
Lets you manage logic apps, but not change access to them. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
| Microsoft.ClassicStorage/storageAccounts/read | Return the storage account with the given account. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/metricAlerts/* | |
| Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Insights/logdefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. |
| Microsoft.Insights/metricDefinitions/* | Read metric definitions (list of available metric types for a resource). |
| Microsoft.Logic/* | Manages Logic Apps resources. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Web/connectionGateways/* | Create and manages a Connection Gateway. |
| Microsoft.Web/connections/* | Create and manages a Connection. |
| Microsoft.Web/customApis/* | Creates and manages a Custom API. |
| Microsoft.Web/serverFarms/join/action | Joins an App Service Plan |
| Microsoft.Web/serverFarms/read | Get the properties on an App Service Plan |
| Microsoft.Web/sites/functions/listSecrets/action | List Function secrets. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage logic app, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
"name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metricAlerts/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Insights/logdefinitions/*",
"Microsoft.Insights/metricDefinitions/*",
"Microsoft.Logic/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*",
"Microsoft.Web/connectionGateways/*",
"Microsoft.Web/connections/*",
"Microsoft.Web/customApis/*",
"Microsoft.Web/serverFarms/join/action",
"Microsoft.Web/serverFarms/read",
"Microsoft.Web/sites/functions/listSecrets/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic App Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Logic App Operator
Lets you read, enable, and disable logic apps, but not edit or update them. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/*/read | Read Insights alert rules |
| Microsoft.Insights/metricAlerts/*/read | |
| Microsoft.Insights/diagnosticSettings/*/read | Gets diagnostic settings for Logic Apps |
| Microsoft.Insights/metricDefinitions/*/read | Gets the available metrics for Logic Apps. |
| Microsoft.Logic/*/read | Reads Logic Apps resources. |
| Microsoft.Logic/workflows/disable/action | Disables the workflow. |
| Microsoft.Logic/workflows/enable/action | Enables the workflow. |
| Microsoft.Logic/workflows/validate/action | Validates the workflow. |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Web/connectionGateways/*/read | Read Connection Gateways. |
| Microsoft.Web/connections/*/read | Read Connections. |
| Microsoft.Web/customApis/*/read | Read Custom API. |
| Microsoft.Web/serverFarms/read | Get the properties on an App Service Plan |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you read, enable and disable logic app.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
"name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*/read",
"Microsoft.Insights/metricAlerts/*/read",
"Microsoft.Insights/diagnosticSettings/*/read",
"Microsoft.Insights/metricDefinitions/*/read",
"Microsoft.Logic/*/read",
"Microsoft.Logic/workflows/disable/action",
"Microsoft.Logic/workflows/enable/action",
"Microsoft.Logic/workflows/validate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/connectionGateways/*/read",
"Microsoft.Web/connections/*/read",
"Microsoft.Web/customApis/*/read",
"Microsoft.Web/serverFarms/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic App Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Identity
Domain Services Contributor
Can manage Azure AD Domain Services and related network configurations Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/read | Gets or lists deployments. |
| Microsoft.Resources/deployments/write | Creates or updates an deployment. |
| Microsoft.Resources/deployments/delete | Deletes a deployment. |
| Microsoft.Resources/deployments/cancel/action | Cancels a deployment. |
| Microsoft.Resources/deployments/validate/action | Validates an deployment. |
| Microsoft.Resources/deployments/whatIf/action | Predicts template deployment changes. |
| Microsoft.Resources/deployments/exportTemplate/action | Export template for a deployment |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
| Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
| Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
| Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
| Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
| Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
| Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
| Microsoft.Insights/Logs/Read | Reading data from all your logs |
| Microsoft.Insights/Metrics/Read | Read metrics |
| Microsoft.Insights/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Insights/DiagnosticSettingsCategories/Read | Read diagnostic settings categories |
| Microsoft.AAD/register/action | Register Domain Service |
| Microsoft.AAD/unregister/action | Unregister Domain Service |
| Microsoft.AAD/domainServices/* | |
| Microsoft.Network/register/action | Registers the subscription |
| Microsoft.Network/unregister/action | Unregisters the subscription |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network |
| Microsoft.Network/virtualNetworks/delete | Deletes a virtual network |
| Microsoft.Network/virtualNetworks/peer/action | Peers a virtual network with another virtual network |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
| Microsoft.Network/virtualNetworks/subnets/delete | Deletes a virtual network subnet |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | Creates a virtual network peering or updates an existing virtual network peering |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | Deletes a virtual network peering |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh |
| Microsoft.Network/azureFirewalls/read | Get Azure Firewall |
| Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan |
| Microsoft.Network/ddosProtectionPlans/join/action | Joins a DDoS Protection Plan. Not alertable. |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/loadBalancers/delete | Deletes a load balancer |
| Microsoft.Network/loadBalancers/*/read | |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. |
| Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable. |
| Microsoft.Network/natGateways/join/action | Joins a NAT Gateway |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
| Microsoft.Network/networkInterfaces/delete | Deletes a network interface |
| Microsoft.Network/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
| Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
| Microsoft.Network/networkSecurityGroups/write | Creates a network security group or updates an existing network security group |
| Microsoft.Network/networkSecurityGroups/delete | Deletes a network security group |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
| Microsoft.Network/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule |
| Microsoft.Network/networkSecurityGroups/securityRules/delete | Deletes a security rule |
| Microsoft.Network/routeTables/read | Gets a route table definition |
| Microsoft.Network/routeTables/write | Creates a route table or Updates an existing route table |
| Microsoft.Network/routeTables/delete | Deletes a route table definition |
| Microsoft.Network/routeTables/join/action | Joins a route table. Not Alertable. |
| Microsoft.Network/routeTables/routes/read | Gets a route definition |
| Microsoft.Network/routeTables/routes/write | Creates a route or Updates an existing route |
| Microsoft.Network/routeTables/routes/delete | Deletes a route definition |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can manage Azure AD Domain Services and related network configurations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
"name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/whatIf/action",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Insights/Logs/Read",
"Microsoft.Insights/Metrics/Read",
"Microsoft.Insights/DiagnosticSettings/*",
"Microsoft.Insights/DiagnosticSettingsCategories/Read",
"Microsoft.AAD/register/action",
"Microsoft.AAD/unregister/action",
"Microsoft.AAD/domainServices/*",
"Microsoft.Network/register/action",
"Microsoft.Network/unregister/action",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/peer/action",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Network/azureFirewalls/read",
"Microsoft.Network/ddosProtectionPlans/read",
"Microsoft.Network/ddosProtectionPlans/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/delete",
"Microsoft.Network/loadBalancers/*/read",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/natGateways/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Domain Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Domain Services Reader
Can view Azure AD Domain Services and related network configurations
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/read | Gets or lists deployments. |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
| Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
| Microsoft.Insights/Logs/Read | Reading data from all your logs |
| Microsoft.Insights/Metrics/read | Read metrics |
| Microsoft.Insights/DiagnosticSettings/read | Read a resource diagnostic setting |
| Microsoft.Insights/DiagnosticSettingsCategories/Read | Read diagnostic settings categories |
| Microsoft.AAD/domainServices/*/read | |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh |
| Microsoft.Network/azureFirewalls/read | Get Azure Firewall |
| Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/loadBalancers/*/read | |
| Microsoft.Network/natGateways/read | Gets a Nat Gateway Definition |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
| Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
| Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
| Microsoft.Network/routeTables/read | Gets a route table definition |
| Microsoft.Network/routeTables/routes/read | Gets a route definition |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can view Azure AD Domain Services and related network configurations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
"name": "361898ef-9ed1-48c2-849c-a832951106bb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Insights/Logs/Read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Insights/DiagnosticSettings/read",
"Microsoft.Insights/DiagnosticSettingsCategories/Read",
"Microsoft.AAD/domainServices/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Network/azureFirewalls/read",
"Microsoft.Network/ddosProtectionPlans/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/*/read",
"Microsoft.Network/natGateways/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/routes/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Domain Services Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed Identity Contributor
Create, Read, Update, and Delete User Assigned Identity Learn more
| Actions | Description |
|---|---|
| Microsoft.ManagedIdentity/userAssignedIdentities/read | Gets an existing user assigned identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | Creates a new user assigned identity or updates the tags associated with an existing user assigned identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/delete | Deletes an existing user assigned identity |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Create, Read, Update, and Delete User Assigned Identity",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
"name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
"permissions": [
{
"actions": [
"Microsoft.ManagedIdentity/userAssignedIdentities/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Identity Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed Identity Operator
Read and Assign User Assigned Identity Learn more
| Actions | Description |
|---|---|
| Microsoft.ManagedIdentity/userAssignedIdentities/*/read | |
| Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action | |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read and Assign User Assigned Identity",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
"name": "f1a07417-d97a-45cb-824c-7a7467783830",
"permissions": [
{
"actions": [
"Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Identity Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security
App Compliance Automation Administrator
Create, read, download, modify and delete reports objects and related other resource objects. Learn more
| Actions | Description |
|---|---|
| Microsoft.AppComplianceAutomation/* | |
| Microsoft.Storage/storageAccounts/blobServices/write | Returns the result of put blob service properties |
| Microsoft.Storage/storageAccounts/fileservices/write | Put file service properties |
| Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/write | Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. |
| Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Returns a user delegation key for the blob service |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers |
| Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of put blob container |
| Microsoft.Storage/storageAccounts/blobServices/read | Returns blob service properties or statistics |
| Microsoft.PolicyInsights/policyStates/queryResults/action | Query information about policy states. |
| Microsoft.PolicyInsights/policyStates/triggerEvaluation/action | Triggers a new compliance evaluation for the selected scope. |
| Microsoft.Resources/resources/read | Get the list of resources based upon filters. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. |
| Microsoft.Resources/subscriptions/resources/read | Gets resources of a subscription. |
| Microsoft.Resources/subscriptions/resourceGroups/delete | Deletes a resource group and all its resources. |
| Microsoft.Resources/subscriptions/resourceGroups/write | Creates or updates a resource group. |
| Microsoft.Resources/tags/read | Gets all the tags on a resource. |
| Microsoft.Resources/deployments/validate/action | Validates an deployment. |
| Microsoft.Security/automations/read | Gets the automations for the scope |
| Microsoft.Resources/deployments/write | Creates or updates an deployment. |
| Microsoft.Security/automations/delete | Deletes the automation for the scope |
| Microsoft.Security/automations/write | Creates or updates the automation for the scope |
| Microsoft.Security/register/action | Registers the subscription for Azure Security Center |
| Microsoft.Security/unregister/action | Unregisters the subscription from Azure Security Center |
| */read | Read resources of all types, except secrets. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Create, read, download, modify and delete reports objects and related other resource objects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-46b6-9ce7-9b788b988ba2",
"name": "0f37683f-2463-46b6-9ce7-9b788b988ba2",
"permissions": [
{
"actions": [
"Microsoft.AppComplianceAutomation/*",
"Microsoft.Storage/storageAccounts/blobServices/write",
"Microsoft.Storage/storageAccounts/fileservices/write",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.PolicyInsights/policyStates/queryResults/action",
"Microsoft.PolicyInsights/policyStates/triggerEvaluation/action",
"Microsoft.Resources/resources/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read",
"Microsoft.Resources/subscriptions/resources/read",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/tags/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Security/automations/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Security/automations/delete",
"Microsoft.Security/automations/write",
"Microsoft.Security/register/action",
"Microsoft.Security/unregister/action",
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Compliance Automation Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
App Compliance Automation Reader
Read, download the reports objects and related other resource objects. Learn more
| Actions | Description |
|---|---|
| */read | Read resources of all types, except secrets. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read, download the reports objects and related other resource objects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
"name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Compliance Automation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Attestation Contributor
Can read write or delete the attestation provider instance Learn more
| Actions | Description |
|---|---|
| Microsoft.Attestation/attestationProviders/attestation/read | Gets the attestation service status. |
| Microsoft.Attestation/attestationProviders/attestation/write | Adds attestation service. |
| Microsoft.Attestation/attestationProviders/attestation/delete | Removes attestation service. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can read write or delete the attestation provider instance",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read",
"Microsoft.Attestation/attestationProviders/attestation/write",
"Microsoft.Attestation/attestationProviders/attestation/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Attestation Reader
Can read the attestation provider properties Learn more
| Actions | Description |
|---|---|
| Microsoft.Attestation/attestationProviders/attestation/read | Gets the attestation service status. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can read the attestation provider properties",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Administrator
Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
| Microsoft.KeyVault/deletedVaults/read | View the properties of soft deleted key vaults |
| Microsoft.KeyVault/locations/*/read | |
| Microsoft.KeyVault/vaults/*/read | |
| Microsoft.KeyVault/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.KeyVault/vaults/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
"name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Certificates Officer
Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
| Microsoft.KeyVault/deletedVaults/read | View the properties of soft deleted key vaults |
| Microsoft.KeyVault/locations/*/read | |
| Microsoft.KeyVault/vaults/*/read | |
| Microsoft.KeyVault/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.KeyVault/vaults/certificatecas/* | |
| Microsoft.KeyVault/vaults/certificates/* | |
| Microsoft.KeyVault/vaults/certificatecontacts/write | Manage Certificate Contact |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
"name": "a4417e6f-fecd-4de8-b567-7b0420556985",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/certificatecas/*",
"Microsoft.KeyVault/vaults/certificates/*",
"Microsoft.KeyVault/vaults/certificatecontacts/write"
],
"notDataActions": []
}
],
"roleName": "Key Vault Certificates Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Contributor
Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.KeyVault/* | |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| Microsoft.KeyVault/locations/deletedVaults/purge/action | Purge a soft deleted key vault |
| Microsoft.KeyVault/hsmPools/* | |
| Microsoft.KeyVault/managedHsms/* | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage key vaults, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
"name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.KeyVault/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.KeyVault/hsmPools/*",
"Microsoft.KeyVault/managedHsms/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Key Vault Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Crypto Officer
Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
| Microsoft.KeyVault/deletedVaults/read | View the properties of soft deleted key vaults |
| Microsoft.KeyVault/locations/*/read | |
| Microsoft.KeyVault/vaults/*/read | |
| Microsoft.KeyVault/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.KeyVault/vaults/keys/* | |
| Microsoft.KeyVault/vaults/keyrotationpolicies/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/*",
"Microsoft.KeyVault/vaults/keyrotationpolicies/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Crypto Service Encryption User
Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
| Actions | Description |
|---|---|
| Microsoft.EventGrid/eventSubscriptions/write | Create or update an eventSubscription |
| Microsoft.EventGrid/eventSubscriptions/read | Read an eventSubscription |
| Microsoft.EventGrid/eventSubscriptions/delete | Delete an eventSubscription |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.KeyVault/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
| Microsoft.KeyVault/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. |
| Microsoft.KeyVault/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
"name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
"permissions": [
{
"actions": [
"Microsoft.EventGrid/eventSubscriptions/write",
"Microsoft.EventGrid/eventSubscriptions/read",
"Microsoft.EventGrid/eventSubscriptions/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Service Encryption User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Crypto User
Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.KeyVault/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
| Microsoft.KeyVault/vaults/keys/update/action | Updates the specified attributes associated with the given key. |
| Microsoft.KeyVault/vaults/keys/backup/action | Creates the backup file of a key. The file can used to restore the key in a Key Vault of same subscription. Restrictions may apply. |
| Microsoft.KeyVault/vaults/keys/encrypt/action | Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. |
| Microsoft.KeyVault/vaults/keys/decrypt/action | Decrypts ciphertext with a key. |
| Microsoft.KeyVault/vaults/keys/wrap/action | Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access. |
| Microsoft.KeyVault/vaults/keys/unwrap/action | Unwraps a symmetric key with a Key Vault key. |
| Microsoft.KeyVault/vaults/keys/sign/action | Signs a message digest (hash) with a key. |
| Microsoft.KeyVault/vaults/keys/verify/action | Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
"name": "12338af0-0e69-4776-bea7-57ae8d297424",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/update/action",
"Microsoft.KeyVault/vaults/keys/backup/action",
"Microsoft.KeyVault/vaults/keys/encrypt/action",
"Microsoft.KeyVault/vaults/keys/decrypt/action",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action",
"Microsoft.KeyVault/vaults/keys/sign/action",
"Microsoft.KeyVault/vaults/keys/verify/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Data Access Administrator (preview)
Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.
| Actions | Description |
|---|---|
| Microsoft.Authorization/roleAssignments/write | Create a role assignment at the specified scope. |
| Microsoft.Authorization/roleAssignments/delete | Delete a role assignment at the specified scope. |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.KeyVault/vaults/*/read | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Condition | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) | Add or remove role assignments for the following roles: Key Vault Administrator Key Vault Certificates Officer Key Vault Crypto Officer Key Vault Crypto Service Encryption User Key Vault Crypto User Key Vault Reader Key Vault Secrets Officer Key Vault Secrets User |
{
"id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-4d72-a534-26097cfdc8d8",
"properties": {
"roleName": "Key Vault Data Access Administrator (preview)",
"description": "Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*",
"Microsoft.KeyVault/vaults/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-17de-408a-b874-0445c86b69e6}))"
}
]
}
}
Key Vault Reader
Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
| Microsoft.KeyVault/deletedVaults/read | View the properties of soft deleted key vaults |
| Microsoft.KeyVault/locations/*/read | |
| Microsoft.KeyVault/vaults/*/read | |
| Microsoft.KeyVault/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.KeyVault/vaults/*/read | |
| Microsoft.KeyVault/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
"name": "21090545-7ca7-4776-b22c-e363652d74d2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Secrets Officer
Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
| Microsoft.KeyVault/deletedVaults/read | View the properties of soft deleted key vaults |
| Microsoft.KeyVault/locations/*/read | |
| Microsoft.KeyVault/vaults/*/read | |
| Microsoft.KeyVault/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.KeyVault/vaults/secrets/* | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Secrets User
Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more
| Actions | Description |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.KeyVault/vaults/secrets/getSecret/action | Gets the value of a secret. |
| Microsoft.KeyVault/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
"name": "4633458b-17de-408a-b874-0445c86b69e6",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Managed HSM contributor
Lets you manage managed HSM pools, but not access to them. Learn more
| Actions | Description |
|---|---|
| Microsoft.KeyVault/managedHSMs/* | |
| Microsoft.KeyVault/deletedManagedHsms/read | View the properties of a deleted managed hsm |
| Microsoft.KeyVault/locations/deletedManagedHsms/read | View the properties of a deleted managed hsm |
| Microsoft.KeyVault/locations/deletedManagedHsms/purge/action | Purge a soft deleted managed hsm |
| Microsoft.KeyVault/locations/managedHsmOperationResults/read | Check the result of a long run operation |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage managed HSM pools, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
"name": "18500a29-7fe2-46b2-a342-b16a415e101d",
"permissions": [
{
"actions": [
"Microsoft.KeyVault/managedHSMs/*",
"Microsoft.KeyVault/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
"Microsoft.KeyVault/locations/managedHsmOperationResults/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed HSM contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Automation Contributor
Microsoft Sentinel Automation Contributor Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Logic/workflows/triggers/read | Reads the trigger. |
| Microsoft.Logic/workflows/triggers/listCallbackUrl/action | Gets the callback URL for trigger. |
| Microsoft.Logic/workflows/runs/read | Reads the workflow run. |
| Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read | List Web Apps Hostruntime Workflow Triggers. |
| Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Get Web Apps Hostruntime Workflow Trigger Uri. |
| Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read | List Web Apps Hostruntime Workflow Runs. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Automation Contributor",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Logic/workflows/triggers/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
"Microsoft.Logic/workflows/runs/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Automation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Contributor
Microsoft Sentinel Contributor Learn more
| Actions | Description |
|---|---|
| Microsoft.SecurityInsights/* | |
| Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using new engine. |
| Microsoft.OperationalInsights/workspaces/*/read | View log analytics data |
| Microsoft.OperationalInsights/workspaces/savedSearches/* | |
| Microsoft.OperationsManagement/solutions/read | Get existing OMS solution |
| Microsoft.OperationalInsights/workspaces/query/read | Run queries over the data in the workspace |
| Microsoft.OperationalInsights/workspaces/query/*/read | |
| Microsoft.OperationalInsights/workspaces/dataSources/read | Get data source under a workspace. |
| Microsoft.OperationalInsights/querypacks/*/read | |
| Microsoft.Insights/workbooks/* | |
| Microsoft.Insights/myworkbooks/read | Read a private Workbook |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
| Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Contributor",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
"name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/*",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/*",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Playbook Operator
Microsoft Sentinel Playbook Operator Learn more
| Actions | Description |
|---|---|
| Microsoft.Logic/workflows/read | Reads the workflow. |
| Microsoft.Logic/workflows/triggers/listCallbackUrl/action | Gets the callback URL for trigger. |
| Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action | Get Web Apps Hostruntime Workflow Trigger Uri. |
| Microsoft.Web/sites/read | Get the properties of a Web App |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Playbook Operator",
"id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5",
"name": "51d6186e-6489-4900-b93f-92e23144cca5",
"permissions": [
{
"actions": [
"Microsoft.Logic/workflows/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
"Microsoft.Web/sites/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Playbook Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Reader
Microsoft Sentinel Reader Learn more
| Actions | Description |
|---|---|
| Microsoft.SecurityInsights/*/read | |
| Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action | Check user authorization and license |
| Microsoft.SecurityInsights/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
| Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators |
| Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using new engine. |
| Microsoft.OperationalInsights/workspaces/*/read | View log analytics data |
| Microsoft.OperationalInsights/workspaces/LinkedServices/read | Get linked services under given workspace. |
| Microsoft.OperationalInsights/workspaces/savedSearches/read | Gets a saved search query. |
| Microsoft.OperationsManagement/solutions/read | Get existing OMS solution |
| Microsoft.OperationalInsights/workspaces/query/read | Run queries over the data in the workspace |
| Microsoft.OperationalInsights/workspaces/query/*/read | |
| Microsoft.OperationalInsights/querypacks/*/read | |
| Microsoft.OperationalInsights/workspaces/dataSources/read | Get data source under a workspace. |
| Microsoft.Insights/workbooks/read | Read a workbook |
| Microsoft.Insights/myworkbooks/read | Read a private Workbook |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/templateSpecs/*/read | Get or list template specs and template spec versions |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
| Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/LinkedServices/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/templateSpecs/*/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Microsoft Sentinel Responder
Microsoft Sentinel Responder Learn more
| Actions | Description |
|---|---|
| Microsoft.SecurityInsights/*/read | |
| Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action | Check user authorization and license |
| Microsoft.SecurityInsights/automationRules/* | |
| Microsoft.SecurityInsights/cases/* | |
| Microsoft.SecurityInsights/incidents/* | |
| Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator |
| Microsoft.SecurityInsights/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
| Microsoft.SecurityInsights/threatIntelligence/bulkTag/action | Bulk Tags Threat Intelligence |
| Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator |
| Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action | Replace Tags of Threat Intelligence Indicator |
| Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action | Query Threat Intelligence Indicators |
| Microsoft.OperationalInsights/workspaces/analytics/query/action | Search using new engine. |
| Microsoft.OperationalInsights/workspaces/*/read | View log analytics data |
| Microsoft.OperationalInsights/workspaces/dataSources/read | Get data source under a workspace. |
| Microsoft.OperationalInsights/workspaces/savedSearches/read | Gets a saved search query. |
| Microsoft.OperationsManagement/solutions/read | Get existing OMS solution |
| Microsoft.OperationalInsights/workspaces/query/read | Run queries over the data in the workspace |
| Microsoft.OperationalInsights/workspaces/query/*/read | |
| Microsoft.OperationalInsights/workspaces/dataSources/read | Get data source under a workspace. |
| Microsoft.OperationalInsights/querypacks/*/read | |
| Microsoft.Insights/workbooks/read | Read a workbook |
| Microsoft.Insights/myworkbooks/read | Read a private Workbook |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| Microsoft.SecurityInsights/cases/*/Delete | |
| Microsoft.SecurityInsights/incidents/*/Delete | |
| Microsoft.SecurityInsights/ConfidentialWatchlists/* | |
| Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Responder",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/automationRules/*",
"Microsoft.SecurityInsights/cases/*",
"Microsoft.SecurityInsights/incidents/*",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
"Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/cases/*/Delete",
"Microsoft.SecurityInsights/incidents/*/Delete",
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",
"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Responder",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Admin
View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.
For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Authorization/policyAssignments/* | Create and manage policy assignments |
| Microsoft.Authorization/policyDefinitions/* | Create and manage policy definitions |
| Microsoft.Authorization/policyExemptions/* | Create and manage policy exemptions |
| Microsoft.Authorization/policySetDefinitions/* | Create and manage policy sets |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Management/managementGroups/read | List management groups for the authenticated user. |
| Microsoft.operationalInsights/workspaces/*/read | View log analytics data |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Security/* | Create and manage security components and policies |
| Microsoft.IoTSecurity/* | |
| Microsoft.IoTFirmwareDefense/* | |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Security Admin Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
"name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/policyAssignments/*",
"Microsoft.Authorization/policyDefinitions/*",
"Microsoft.Authorization/policyExemptions/*",
"Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Management/managementGroups/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.IoTSecurity/*",
"Microsoft.IoTFirmwareDefense/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Assessment Contributor
Lets you push assessments to Microsoft Defender for Cloud
| Actions | Description |
|---|---|
| Microsoft.Security/assessments/write | Create or update security assessments on your subscription |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you push assessments to Security Center",
"id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"permissions": [
{
"actions": [
"Microsoft.Security/assessments/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Assessment Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Manager (Legacy)
This is a legacy role. Please use Security Admin instead.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ClassicCompute/*/read | Read configuration information classic virtual machines |
| Microsoft.ClassicCompute/virtualMachines/*/write | Write configuration for classic virtual machines |
| Microsoft.ClassicNetwork/*/read | Read configuration information about classic network |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Security/* | Create and manage security components and policies |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "This is a legacy role. Please use Security Administrator instead",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/*/read",
"Microsoft.ClassicCompute/virtualMachines/*/write",
"Microsoft.ClassicNetwork/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Manager (Legacy)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Security Reader
View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.
For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring. Learn more
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/read | Read a classic metric alert |
| Microsoft.operationalInsights/workspaces/*/read | View log analytics data |
| Microsoft.Resources/deployments/*/read | |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Security/*/read | Read security components and policies |
| Microsoft.IoTSecurity/*/read | |
| Microsoft.Support/*/read | |
| Microsoft.Security/iotDefenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information |
| Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action | Download manager activation file with subscription quota data |
| Microsoft.Security/iotSensors/downloadResetPassword/action | Downloads reset password file for IoT Sensors |
| Microsoft.IoTSecurity/defenderSettings/packageDownloads/action | Gets downloadable IoT Defender packages information |
| Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action | Download manager activation file |