身分識別的 Azure 內建角色
本文列出身分識別類別中的 Azure 內建角色。
網域服務參與者
可以管理 Azure AD Domain Services 和相關網路設定
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/deployments/read | 取得或列出部署。 |
| Microsoft.Resources/deployments/write | 建立或更新部署。 |
| Microsoft.Resources/deployments/delete | 刪除部署。 |
| Microsoft.Resources/deployments/cancel/action | 取消部署。 |
| Microsoft.Resources/deployments/validate/action | 驗證部署。 |
| Microsoft.Resources/deployments/whatIf/action | 預測範本部署變更。 |
| Microsoft.Resources/deployments/exportTemplate/action | 匯出部署的範本 |
| Microsoft.Resources/deployments/operations/read | 取得或列出部署作業。 |
| Microsoft.Resources/deployments/operationstatuses/read | 取得或列出部署作業狀態。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Insights/AlertRules/Write | 建立或更新傳統計量警示 |
| Microsoft.Insights/AlertRules/Delete | 刪除傳統計量警示 |
| Microsoft.Insights/AlertRules/Read | 讀取傳統計量警示 |
| Microsoft.Insights/AlertRules/Activated/Action | 已啟動傳統計量警示 |
| Microsoft.Insights/AlertRules/Resolved/Action | 已解決傳統計量警示 |
| Microsoft.Insights/AlertRules/Throttled/Action | 傳統計量警示規則已節流 |
| Microsoft.Insights/AlertRules/Incidents/Read | 讀取傳統計量警示事件 |
| Microsoft.Insights/Logs/Read | 從所有記錄讀取數據 |
| Microsoft.Insights/Metrics/Read | 讀取計量 |
| Microsoft.Insights/DiagnosticSettings/* | 建立、更新或讀取 Analysis Server 的診斷設定 |
| Microsoft.Insights/Diagnostic 設定 Categories/Read | 讀取診斷設定類別 |
| Microsoft.AAD/register/action | 註冊網域服務 |
| Microsoft.AAD/unregister/action | 取消註冊網域服務 |
| Microsoft.AAD/domainServices/* | |
| Microsoft.Network/register/action | 註冊訂用帳戶 |
| Microsoft.Network/unregister/action | 取消註冊訂用帳戶 |
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| Microsoft.Network/virtualNetworks/write | 建立虛擬網路或更新現有的虛擬網路 |
| Microsoft.Network/virtualNetworks/delete | 刪除虛擬網路 |
| Microsoft.Network/virtualNetworks/peer/action | 將虛擬網路與另一個虛擬網路對等互連 |
| Microsoft.Network/virtualNetworks/join/action | 加入虛擬網路。 不可警示。 |
| Microsoft.Network/virtualNetworks/subnets/read | 取得虛擬網路子網定義 |
| Microsoft.Network/virtualNetworks/subnets/write | 建立虛擬網路子網或更新現有的虛擬網路子網 |
| Microsoft.Network/virtualNetworks/subnets/delete | 刪除虛擬網路子網 |
| Microsoft.Network/virtualNetworks/subnets/join/action | 加入虛擬網路。 不可警示。 |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | 取得虛擬網路對等互連定義 |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | 建立虛擬網路對等互連或更新現有的虛擬網路對等互連 |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | 刪除虛擬網路對等互連 |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnostic 設定/read | 取得 虛擬網絡 的診斷設定 |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | 取得 PingMesh 的可用計量 |
| Microsoft.Network/azureFirewalls/read | 取得 Azure 防火牆 |
| Microsoft.Network/ddosProtectionPlans/read | 取得 DDoS 保護計劃 |
| Microsoft.Network/ddosProtectionPlans/join/action | 加入 DDoS 保護方案。 不可警示。 |
| Microsoft.Network/loadBalancers/read | 取得負載平衡器定義 |
| Microsoft.Network/loadBalancers/delete | 刪除負載平衡器 |
| Microsoft.Network/loadBalancers/*/read | |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | 加入負載平衡器後端位址池。 不可警示。 |
| Microsoft.Network/loadBalancers/inboundNatRules/join/action | 聯結負載平衡器輸入 nat 規則。 不可警示。 |
| Microsoft.Network/natGateways/join/action | 聯結 NAT 閘道 |
| Microsoft.Network/networkInterfaces/read | 取得網路介面定義。 |
| Microsoft.Network/networkInterfaces/write | 建立網路介面或更新現有的網路介面。 |
| Microsoft.Network/networkInterfaces/delete | 刪除網路介面 |
| Microsoft.Network/networkInterfaces/join/action | 將虛擬機加入網路介面。 不可警示。 |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | 取得預設安全性規則定義 |
| Microsoft.Network/networkSecurityGroups/read | 取得網路安全組定義 |
| Microsoft.Network/networkSecurityGroups/write | 建立網路安全組或更新現有的網路安全組 |
| Microsoft.Network/networkSecurityGroups/delete | 刪除網路安全組 |
| Microsoft.Network/networkSecurityGroups/join/action | 加入網路安全組。 不可警示。 |
| Microsoft.Network/networkSecurityGroups/securityRules/read | 取得安全性規則定義 |
| Microsoft.Network/networkSecurityGroups/securityRules/write | 建立安全性規則或更新現有的安全性規則 |
| Microsoft.Network/networkSecurityGroups/securityRules/delete | 刪除安全性規則 |
| Microsoft.Network/routeTables/read | 取得路由表定義 |
| Microsoft.Network/routeTables/write | 建立路由表或 更新 現有的路由表 |
| Microsoft.Network/routeTables/delete | 刪除路由表定義 |
| Microsoft.Network/routeTables/join/action | 聯結路由表。 不可警示。 |
| Microsoft.Network/routeTables/routes/read | 取得路由定義 |
| Microsoft.Network/routeTables/routes/write | 建立路由或 更新 現有的路由 |
| Microsoft.Network/routeTables/routes/delete | 刪除路由定義 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can manage Azure AD Domain Services and related network configurations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
"name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/whatIf/action",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Insights/Logs/Read",
"Microsoft.Insights/Metrics/Read",
"Microsoft.Insights/DiagnosticSettings/*",
"Microsoft.Insights/DiagnosticSettingsCategories/Read",
"Microsoft.AAD/register/action",
"Microsoft.AAD/unregister/action",
"Microsoft.AAD/domainServices/*",
"Microsoft.Network/register/action",
"Microsoft.Network/unregister/action",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/peer/action",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Network/azureFirewalls/read",
"Microsoft.Network/ddosProtectionPlans/read",
"Microsoft.Network/ddosProtectionPlans/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/delete",
"Microsoft.Network/loadBalancers/*/read",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/natGateways/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Domain Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Domain Services 讀取者
可以檢視 Azure AD Domain Services 和相關網路組態
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/deployments/read | 取得或列出部署。 |
| Microsoft.Resources/deployments/operations/read | 取得或列出部署作業。 |
| Microsoft.Resources/deployments/operationstatuses/read | 取得或列出部署作業狀態。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Insights/AlertRules/Read | 讀取傳統計量警示 |
| Microsoft.Insights/AlertRules/Incidents/Read | 讀取傳統計量警示事件 |
| Microsoft.Insights/Logs/Read | 從所有記錄讀取數據 |
| Microsoft.Insights/Metrics/read | 讀取計量 |
| Microsoft.Insights/Diagnostic 設定/read | 讀取資源診斷設定 |
| Microsoft.Insights/Diagnostic 設定 Categories/Read | 讀取診斷設定類別 |
| Microsoft.AAD/domainServices/*/read | |
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| Microsoft.Network/virtualNetworks/subnets/read | 取得虛擬網路子網定義 |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | 取得虛擬網路對等互連定義 |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnostic 設定/read | 取得 虛擬網絡 的診斷設定 |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | 取得 PingMesh 的可用計量 |
| Microsoft.Network/azureFirewalls/read | 取得 Azure 防火牆 |
| Microsoft.Network/ddosProtectionPlans/read | 取得 DDoS 保護計劃 |
| Microsoft.Network/loadBalancers/read | 取得負載平衡器定義 |
| Microsoft.Network/loadBalancers/*/read | |
| Microsoft.Network/natGateways/read | 取得 Nat 閘道定義 |
| Microsoft.Network/networkInterfaces/read | 取得網路介面定義。 |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | 取得預設安全性規則定義 |
| Microsoft.Network/networkSecurityGroups/read | 取得網路安全組定義 |
| Microsoft.Network/networkSecurityGroups/securityRules/read | 取得安全性規則定義 |
| Microsoft.Network/routeTables/read | 取得路由表定義 |
| Microsoft.Network/routeTables/routes/read | 取得路由定義 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can view Azure AD Domain Services and related network configurations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
"name": "361898ef-9ed1-48c2-849c-a832951106bb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Insights/Logs/Read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Insights/DiagnosticSettings/read",
"Microsoft.Insights/DiagnosticSettingsCategories/Read",
"Microsoft.AAD/domainServices/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
"Microsoft.Network/azureFirewalls/read",
"Microsoft.Network/ddosProtectionPlans/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/*/read",
"Microsoft.Network/natGateways/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/routes/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Domain Services Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
受控識別參與者
建立、讀取、更新和刪除使用者指派的身分識別
| 動作 | 描述 |
|---|---|
| Microsoft.ManagedIdentity/userAssignedIdentities/read | 取得現有的使用者指派身分識別 |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | 建立新使用者指派的身分識別,或更新與現有使用者指派身分識別相關聯的標籤 |
| Microsoft.ManagedIdentity/userAssignedIdentities/delete | 刪除現有的使用者指派身分識別 |
| Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read | 取得或列出同盟身分識別認證 |
| Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write | 新增或更新同盟身分識別認證 |
| Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete | 刪除同盟身分識別認證 |
| Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action | 撤銷使用者指派身分識別上的所有現有令牌 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Support/* | 建立及更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Create, Read, Update, and Delete User Assigned Identity",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
"name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
"permissions": [
{
"actions": [
"Microsoft.ManagedIdentity/userAssignedIdentities/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/delete",
"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete",
"Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Identity Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
受控身分識別操作員
讀取和指派使用者指派的身分識別
| 動作 | 描述 |
|---|---|
| Microsoft.ManagedIdentity/userAssignedIdentities/*/read | |
| Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action | |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Support/* | 建立及更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Read and Assign User Assigned Identity",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
"name": "f1a07417-d97a-45cb-824c-7a7467783830",
"permissions": [
{
"actions": [
"Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Identity Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}