Azure built-in roles
Azure role-based access control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles.
The following tables provide a brief description of each built-in role.
General
| Built-in role | Description |
|---|---|
| Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. |
| Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. |
| Reader | View all resources, but does not allow you to make any changes. |
| Role Based Access Control Administrator | Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. |
| User Access Administrator | Lets you manage user access to Azure resources. |
Compute
| Built-in role | Description |
|---|---|
| Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. |
| Data Operator for Managed Disks | Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Microsoft Entra authentication. |
| Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization Application Group. |
| Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization Application Group. |
| Desktop Virtualization Contributor | Contributor of Desktop Virtualization. |
| Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization Host Pool. |
| Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization Host Pool. |
| Desktop Virtualization Reader | Reader of Desktop Virtualization. |
| Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization Session Host. |
| Desktop Virtualization User | Allows user to use the applications in an application group. |
| Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization User Session. |
| Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization Workspace. |
| Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization Workspace. |
| Disk Backup Reader | Provides permission to backup vault to perform disk backup. |
| Disk Pool Operator | Provide permission to StoragePool Resource Provider to manage disks added to a disk pool. |
| Disk Restore Operator | Provides permission to backup vault to perform disk restore. |
| Disk Snapshot Contributor | Provides permission to backup vault to manage disk snapshots. |
| Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator |
| Virtual Machine Contributor | Create and manage virtual machines, manage disks, install and run software, reset password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. |
| Virtual Machine Data Access Administrator (preview) | Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. |
| Virtual Machine Local User Login | View Virtual Machines in the portal and login as a local user configured on the arc server |
| Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. |
| Windows Admin Center Administrator Login | Let's you manage the OS of your resource via Windows Admin Center as an administrator. |
Networking
| Built-in role | Description |
|---|---|
| Azure Front Door Domain Contributor | For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users. |
| Azure Front Door Domain Reader | For internal use within Azure. Can view Azure Front Door domains, but can't make changes. |
| Azure Front Door Profile Reader | Can view AFD standard and premium profiles and their endpoints, but can't make changes. |
| Azure Front Door Secret Contributor | For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users. |
| Azure Front Door Secret Reader | For internal use within Azure. Can view Azure Front Door secrets, but can't make changes. |
| CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. |
| CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. |
| CDN Profile Contributor | Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users. |
| CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. |
| Classic Network Contributor | Lets you manage classic networks, but not access to them. |
| DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. |
| Network Contributor | Lets you manage networks, but not access to them. |
| Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. |
| Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. |
Storage
| Built-in role | Description |
|---|---|
| Avere Contributor | Can create and manage an Avere vFXT cluster. |
| Avere Operator | Used by the Avere vFXT cluster to manage the cluster |
| Backup Contributor | Lets you manage backup service, but can't create vaults and give access to others |
| Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others |
| Backup Reader | Can view backup services, but can't make changes |
| Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. |
| Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts |
| Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. |
| Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. |
| Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. |
| Defender for Storage Data Scanner | Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. |
| Elastic SAN Owner | Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access |
| Elastic SAN Reader | Allows for control path read access to Azure Elastic SAN |
| Elastic SAN Volume Group Owner | Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access |
| Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. |
| Storage Account Backup Contributor | Lets you perform backup and restore operations using Azure Backup on the storage account. |
| Storage Account Contributor | Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. |
| Storage Account Key Operator Service Role | Permits listing and regenerating storage account access keys. |
| Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling data operations. |
| Storage Blob Data Owner | Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling data operations. |
| Storage Blob Data Reader | Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling data operations. |
| Storage Blob Delegator | Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Microsoft Entra ID credentials. For more information, see Create a user delegation SAS. |
| Storage File Data Privileged Contributor | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. |
| Storage File Data Privileged Reader | Allows for read access on files/directories in Azure file shares by overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers. |
| Storage File Data SMB Share Contributor | Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. |
| Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of change on Windows file servers. |
| Storage File Data SMB Share Reader | Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of read on Windows file servers. |
| Storage Queue Data Contributor | Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling data operations. |
| Storage Queue Data Message Processor | Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling data operations. |
| Storage Queue Data Message Sender | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling data operations. |
| Storage Queue Data Reader | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling data operations. |
| Storage Table Data Contributor | Allows for read, write and delete access to Azure Storage tables and entities |
| Storage Table Data Reader | Allows for read access to Azure Storage tables and entities |
Containers
| Built-in role | Description |
|---|---|
| AcrDelete | Delete repositories, tags, or manifests from a container registry. |
| AcrImageSigner | Push trusted images to or pull trusted images from a container registry enabled for content trust. |
| AcrPull | Pull artifacts from a container registry. |
| AcrPush | Push artifacts to or pull artifacts from a container registry. |
| AcrQuarantineReader | Pull quarantined images from a container registry. |
| AcrQuarantineWriter | Push quarantined images to or pull quarantined images from a container registry. |
| Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. |
| Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. |
| Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. |
| Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. |
| Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. |
| Azure Kubernetes Fleet Manager RBAC Admin | This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. |
| Azure Kubernetes Fleet Manager RBAC Cluster Admin | Lets you manage all resources in the fleet manager cluster. |
| Azure Kubernetes Fleet Manager RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. |
| Azure Kubernetes Fleet Manager RBAC Writer | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. |
| Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. |
| Azure Kubernetes Service Cluster Monitoring User | List cluster monitoring user credential action. |
| Azure Kubernetes Service Cluster User Role | List cluster user credential action. |
| Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters |
| Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. |
| Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. |
| Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. |
| Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. |
| Kubernetes Agentless Operator | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services |
| Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resource |
| Kubernetes Extension Contributor | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations |
Databases
| Built-in role | Description |
|---|---|
| Azure Connected SQL Server Onboarding | Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. |
| Cosmos DB Account Reader Role | Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. |
| Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. |
| CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account |
| CosmosRestoreOperator | Can perform restore action for Cosmos DB database account with continuous backup mode |
| DocumentDB Account Contributor | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. |
| Redis Cache Contributor | Lets you manage Redis caches, but not access to them. |
| SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. |
| SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. |
| SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. |
| SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. |
Security
| Built-in role | Description |
|---|---|
| App Compliance Automation Administrator | Create, read, download, modify and delete reports objects and related other resource objects. |
| App Compliance Automation Reader | Read, download the reports objects and related other resource objects. |
| Attestation Contributor | Can read write or delete the attestation provider instance |
| Attestation Reader | Can read the attestation provider properties |
| Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Certificate User | Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Contributor | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. |
| Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Crypto Service Release User | Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Data Access Administrator | Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. |
| Key Vault Reader | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. |
| Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. |
| Microsoft Sentinel Automation Contributor | Microsoft Sentinel Automation Contributor |
| Microsoft Sentinel Contributor | Microsoft Sentinel Contributor |
| Microsoft Sentinel Playbook Operator | Microsoft Sentinel Playbook Operator |
| Microsoft Sentinel Reader | Microsoft Sentinel Reader |
| Microsoft Sentinel Responder | Microsoft Sentinel Responder |
| Security Admin | View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. |
| Security Assessment Contributor | Lets you push assessments to Microsoft Defender for Cloud |
| Security Manager (Legacy) | This is a legacy role. Please use Security Admin instead. |
| Security Reader | View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes. |
Management and governance
| Built-in role | Description |
|---|---|
| Automation Contributor | Manage Azure Automation resources and other resources using Azure Automation. |
| Automation Job Operator | Create and Manage Jobs using Automation Runbooks. |
| Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs |
| Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. |
| Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. |
| Azure Connected Machine Resource Administrator | Can read, write, delete and re-onboard Azure Connected Machines. |
| Azure Connected Machine Resource Manager | Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group |
| Azure Resource Bridge Deployment Role | Azure Resource Bridge Deployment Role |
| Billing Reader | Allows read access to billing data |
| Blueprint Contributor | Can manage blueprint definitions, but not assign them. |
| Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. |
| Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) |
| Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) |
| Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings |
| Managed Application Contributor Role | Allows for creating managed application resources. |
| Managed Application Operator Role | Lets you read and perform actions on Managed Application resources |
| Managed Applications Reader | Lets you read resources in a managed app and request JIT access. |
| Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. |
| Management Group Contributor | Management Group Contributor Role |
| Management Group Reader | Management Group Reader Role |
| New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. |
| Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. |
| Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. |
| Reservation Purchaser | Lets you purchase reservations |
| Reservations Administrator | Lets one read and manage all the reservations in a tenant |
| Reservations Reader | Lets one read all the reservations in a tenant |
| Resource Policy Contributor | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. |
| Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment |
| Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations |
| Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations |
| Support Request Contributor | Lets you create and manage Support requests |
| Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. |
| Template Spec Contributor | Allows full access to Template Spec operations at the assigned scope. |
| Template Spec Reader | Allows read access to Template Specs at the assigned scope. |