Hello @AdamBudzinskiAZA-0329 ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know what the following permission/action "Microsoft.Network/privateDnsZones/join/action" is responsible for.
"Microsoft.Network/privateDnsZones/join/action" is a resource provider operation which joins a Private DNS Zone to a private endpoint.
It is used to reference a private DNS zone from a private endpoint resource. This action is used by private endpoints to do linked access checks.
This is basically the action used in the "Private DNS integration" section when creating a private endpoint, where you integrate the private endpoint with a new private DNS zone or add an existing private DNS zone to a new private endpoint connection via a private DNS zone group using the Azure Portal/PowerShell/CLI/REST.
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#private-dns-zone-group
This action is included in the "Private DNS Zone Contributor" built-in role via the following action "Microsoft.Network/privateDnsZones/*". The * in this action includes all the resource provider operations you find with "Microsoft.Network/privateDnsZones/" in this doc.
If you want to restrict some of the actions of the "Private DNS Zone Contributor" built-in role and assign a custom role to a user, then you can select the actions from the resource provider operation list and allow only the ones you would like to grant them access to.
So, if you want to make sure that a user is able to deploy a private endpoint with a new/existing private DNS zone integration, then you should allow this "Microsoft.Network/privateDnsZones/join/action" action in their role assignment over a scope where you want to grant them access.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
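As an added illustration of the custom-role approach described in the answer above (this is example code written for this page, not part of the answer, of Microsoft's documentation, or of any Azure SDK), the following builds a least-privilege custom role definition in the JSON shape Azure role definitions use, and evaluates whether a given role grants "Microsoft.Network/privateDnsZones/join/action" using Azure RBAC's wildcard rule (a `*` in an Actions entry matches any run of characters, including across `/` segments, and NotActions entries subtract from Actions). The built-in role is represented only by the single `Microsoft.Network/privateDnsZones/*` entry the answer names, not its full action list; the subscription id is a placeholder; the `read` and `delete` operations under the same prefix are used as representative operation names.

```python
import json
import re

# The action the answer explains; needed to link a private endpoint to a private DNS zone.
REQUIRED_ACTION = "Microsoft.Network/privateDnsZones/join/action"


def action_matches(pattern, action):
    """Azure RBAC wildcard match: '*' stands for any run of characters
    (it crosses '/' segments); the comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def is_action_allowed(role, action):
    """Allowed iff some Actions entry matches and no NotActions entry matches."""
    granted = any(action_matches(p, action) for p in role.get("Actions", []))
    excluded = any(action_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded


def missing_actions(role, required_actions):
    """Return the required actions the role does not grant (empty list == OK)."""
    return [a for a in required_actions if not is_action_allowed(role, a)]


# Constructed stand-in for the built-in "Private DNS Zone Contributor" role:
# only the wildcard entry the answer mentions is listed here.
PRIVATE_DNS_ZONE_CONTRIBUTOR_LIKE = {
    "Name": "Private DNS Zone Contributor (constructed subset)",
    "IsCustom": False,
    "Actions": ["Microsoft.Network/privateDnsZones/*"],
    "NotActions": [],
}


def restrict_role(base_role, denied_actions, new_name):
    """Derive a custom role from a base role by subtracting actions via NotActions."""
    return {
        "Name": new_name,
        "IsCustom": True,
        "Actions": list(base_role.get("Actions", [])),
        "NotActions": list(base_role.get("NotActions", [])) + list(denied_actions),
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": list(base_role.get("AssignableScopes", [])),
    }


def build_private_endpoint_dns_role(subscription_id):
    """Least-privilege custom role: read zones and join a private endpoint to them,
    nothing else. The subscription id is a caller-supplied placeholder."""
    return {
        "Name": "Private Endpoint DNS Joiner (example)",
        "IsCustom": True,
        "Description": "Allows integrating a private endpoint with a private DNS zone.",
        "Actions": [
            "Microsoft.Network/privateDnsZones/read",
            REQUIRED_ACTION,
        ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }


def role_definition_json(role):
    """Serialize in the form accepted by `az role definition create --role-definition`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    role = build_private_endpoint_dns_role("00000000-0000-0000-0000-000000000000")
    print(role_definition_json(role))
    print("grants join/action:", is_action_allowed(role, REQUIRED_ACTION))
    print("grants delete:", is_action_allowed(role, "Microsoft.Network/privateDnsZones/delete"))
    print("missing:", missing_actions(role, [REQUIRED_ACTION]))
```

The `missing_actions` check is the practical pre-flight: run it against the custom role you intend to assign before a user reports that private endpoint creation fails on the DNS integration step. Saving the generated JSON to a file and passing it to `az role definition create --role-definition @file.json` creates the role; the assignment scope then decides where the join is permitted, as the answer notes.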