
Azure role-based access control (Azure RBAC) has several Azure built-in roles that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. For information about how to assign roles, see Steps to assign an Azure role.

This article lists the Azure built-in roles. If you are looking for administrator roles for Azure Active Directory (Azure AD), see Azure AD built-in roles.

The following table provides a brief description of each built-in role. Click the role name to see the list of Actions, NotActions, DataActions, and NotDataActions for each role. For information about what these actions mean and how they apply to the control and data planes, see Understand Azure role definitions.

General

| Built-in role | Description | ID |
|---|---|---|
| Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | b24988ac-6180-42a0-ab88-20f7382dd24c |
| Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 |
| Reader | View all resources, but does not allow you to make any changes. | acdd72a7-3385-48ef-bd42-f606fba81ae7 |
| User Access Administrator | Lets you manage user access to Azure resources. | 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 |

Compute

| Built-in role | Description | ID |
|---|---|---|
| Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb |
| Data Operator for Managed Disks | Provides permissions to upload data to empty managed disks, and to read or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. | 959f8984-c045-4866-89c7-12bf9737be2e |
| Disk Backup Reader | Provides permission to the backup vault to perform disk backup. | 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 |
| Disk Pool Operator | Provides permission to the StoragePool Resource Provider to manage disks added to a disk pool. | 60fc6e62-5479-42d4-8bf4-67625fcc2840 |
| Disk Restore Operator | Provides permission to the backup vault to perform disk restore. | b50d9833-a0cb-478e-945f-707fcc997c13 |
| Disk Snapshot Contributor | Provides permission to the backup vault to manage disk snapshots. | 7efff54f-a5b4-42b5-a1c5-5411624893ce |
| Virtual Machine Administrator Login | View Virtual Machines in the portal and log in as administrator. | 1c0163c0-47e6-4577-8991-ea5c82e286e4 |
| Virtual Machine Contributor | Create and manage virtual machines, manage disks, install and run software, reset the password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. | 9980e02c-c2be-4d73-94e8-173b1dc7cf3c |
| Virtual Machine User Login | View Virtual Machines in the portal and log in as a regular user. | fb879df8-f326-4884-b1cf-06f3ad86be52 |
| Windows Admin Center Administrator Login | Lets you manage the OS of your resource via Windows Admin Center as an administrator. | a6333a3e-0164-44c3-b281-7a577aff287f |

Networking

| Built-in role | Description | ID |
|---|---|---|
| CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. | 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 |
| CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. | 871e35f6-b5c1-49cc-a043-bde969a0f2cd |
| CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can't grant access to other users. | ec156ff8-a8d1-4d15-830c-5b80698ca432 |
| CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. | 8f96442b-4075-438f-813d-ad51ab4019af |
| Classic Network Contributor | Lets you manage classic networks, but not access to them. | b34d265f-36f7-4a0d-a4d4-e158ca92e90f |
| DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | befefa01-2a29-4197-83a8-272ff33ce314 |
| Network Contributor | Lets you manage networks, but not access to them. | 4d97b98b-1d4f-4787-a291-c67834d212e7 |
| Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | b12aa53e-6015-4669-85d0-8515ebb3ae7f |
| Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 |

Storage

| Built-in role | Description | ID |
|---|---|---|
| Avere Contributor | Can create and manage an Avere vFXT cluster. | 4f8fab4f-1852-4a58-a46a-8eaf358af14a |
| Avere Operator | Used by the Avere vFXT cluster to manage the cluster. | c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 |
| Backup Contributor | Lets you manage the backup service, but can't create vaults or give access to others. | 5e467623-bb1f-42f4-a55d-6e525e11384b |
| Backup Operator | Lets you manage backup services, except removal of backup, vault creation, and giving access to others. | 00c29273-979b-4161-815c-10b084fb9324 |
| Backup Reader | Can view backup services, but can't make changes. | a795c7a0-d4a2-40c1-ae25-d81f01202912 |
| Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 |
| Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts. | 985d6b00-f706-48f5-a6fe-d0ca12fb668d |
| Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | add466c9-e687-43fc-8d98-dfcf8d720be5 |
| Data Box Reader | Lets you manage Data Box Service except creating an order, editing order details, and giving access to others. | 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 |
| Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | 47b7735b-770e-4598-a7da-8b91488b4c88 |
| Elastic SAN Owner | Allows for full access to all resources under Azure Elastic SAN, including changing network security policies to unblock data path access. | 80dcbedb-47ef-405d-95bd-188a1b4ac406 |
| Elastic SAN Reader | Allows for control path read access to Azure Elastic SAN. | af6a70f8-3c9f-4105-acf1-d719e9fca4ca |
| Elastic SAN Volume Group Owner | Allows for full access to a volume group in Azure Elastic SAN, including changing network security policies to unblock data path access. | a8281131-f312-4f34-8d98-ae12be9f0d23 |
| Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | c12c1c16-33a1-487b-954d-41c89c60f349 |
| Storage Account Backup Contributor | Lets you perform backup and restore operations using Azure Backup on the storage account. | e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 |
| Storage Account Contributor | Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. | 17d1049b-9a84-46fb-8f53-869881c3d3ab |
| Storage Account Key Operator Service Role | Permits listing and regenerating storage account access keys. | 81a9662b-bebf-436f-a333-f67b29880f12 |
| Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | ba92f5b4-2d11-453d-a403-e96b0029c9fe |
| Storage Blob Data Owner | Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | b7e6dc6d-f1e8-4753-8033-0f276bb0955b |
| Storage Blob Data Reader | Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 |
| Storage Blob Delegator | Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. | db58b8e5-c6ad-4a2a-8342-4190687cbf4a |
| Storage File Data SMB Share Contributor | Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers. | 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb |
| Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares. This role is equivalent to a file share ACL of Change on Windows file servers. | a7264617-510b-434b-a828-9731dc254ea7 |
| Storage File Data SMB Share Reader | Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of Read on Windows file servers. | aba4ae5f-2193-4029-9191-0cb91df5e314 |
| Storage Queue Data Contributor | Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 974c5e8b-45b9-4653-ba55-5f855dd0fb88 |
| Storage Queue Data Message Processor | Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 8a0f0c08-91a1-4084-bc3d-661d67233fed |
| Storage Queue Data Message Sender | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | c6a89b2d-59bc-44d0-9896-0f6e12d7b80a |
| Storage Queue Data Reader | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. | 19e7f393-937e-4f77-808e-94535e297925 |
| Storage Table Data Contributor | Allows for read, write, and delete access to Azure Storage tables and entities. | 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 |
| Storage Table Data Reader | Allows for read access to Azure Storage tables and entities. | 76199698-9eea-4c19-bc75-cec21354c6b6 |

| Built-in role | Description | ID |
|---|---|---|
| Azure Maps Data Contributor | Grants read, write, and delete access to map-related data from an Azure Maps account. | 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 |
| Azure Maps Data Reader | Grants access to read map-related data from an Azure Maps account. | 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa |
| Azure Spring Cloud Config Server Contributor | Allow read, write, and delete access to Azure Spring Cloud Config Server. | a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b |
| Azure Spring Cloud Config Server Reader | Allow read access to Azure Spring Cloud Config Server. | d04c6db6-4947-4782-9e91-30a88feb7be7 |
| Azure Spring Cloud Data Reader | Allow read access to Azure Spring Cloud Data. | b5537268-8956-4941-a8f0-646150406f0c |
| Azure Spring Cloud Service Registry Contributor | Allow read, write, and delete access to Azure Spring Cloud Service Registry. | f5880b48-c26d-48be-b172-7927bfa1c8f1 |
| Azure Spring Cloud Service Registry Reader | Allow read access to Azure Spring Cloud Service Registry. | cff1b556-2399-4e7e-856d-a8f754be7b65 |
| Media Services Account Administrator | Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. | 054126f8-9a2b-4f1c-a9ad-eca461f08466 |
| Media Services Live Events Administrator | Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. | 532bc159-b25e-42c0-969e-a1d439f60d77 |
| Media Services Media Operator | Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. | e4395492-1534-4db2-bedf-88c14621589c |
| Media Services Policy Administrator | Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets, or Streaming resources. | c4bba371-dacd-4a26-b320-7250bca963ae |
| Media Services Streaming Endpoints Administrator | Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. | 99dba123-b5fe-44d5-874c-ced7199a5804 |
| Search Index Data Contributor | Grants full access to Azure Cognitive Search index data. | 8ebe5a00-799e-43f5-93ac-243d3dce84a7 |
| Search Index Data Reader | Grants read access to Azure Cognitive Search index data. | 1407120a-92aa-4202-b7e9-c0e197c71c8f |
| Search Service Contributor | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 |
| SignalR AccessKey Reader | Read SignalR Service access keys. | 04165923-9d83-45d5-8227-78b77b0a687e |
| SignalR App Server | Lets your app server access SignalR Service with AAD auth options. | 420fcaa2-552c-430f-98ca-3264be4806c7 |
| SignalR REST API Owner | Full access to Azure SignalR Service REST APIs. | fd53cd77-2268-407a-8f46-7e7863d0f521 |
| SignalR REST API Reader | Read-only access to Azure SignalR Service REST APIs. | ddde6b66-c0df-4114-a159-3618637b3035 |
| SignalR Service Owner | Full access to Azure SignalR Service REST APIs. | 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 |
| SignalR/Web PubSub Contributor | Create, read, update, and delete SignalR service resources. | 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 |
| Web Plan Contributor | Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC. | 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b |
| Website Contributor | Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC. | de139f84-1756-47ae-9be6-808fbbe84772 |

Containers

| Built-in role | Description | ID |
|---|---|---|
| AcrDelete | Delete repositories, tags, or manifests from a container registry. | c2f4ef07-c644-48eb-af81-4b1b4947fb11 |
| AcrImageSigner | Push trusted images to or pull trusted images from a container registry enabled for content trust. | 6cef56e8-d556-48e5-a04f-b8e64114680f |
| AcrPull | Pull artifacts from a container registry. | 7f951dda-4ed3-4680-a7ca-43fe172d538d |
| AcrPush | Push artifacts to or pull artifacts from a container registry. | 8311e382-0749-4cb8-b61a-304f252e45ec |
| AcrQuarantineReader | Pull quarantined images from a container registry. | cdda3590-29a3-44f6-95f2-9f980659eb04 |
| AcrQuarantineWriter | Push quarantined images to or pull quarantined images from a container registry. | c8d4ff99-41c3-41a8-9f60-21dfdad59608 |
| Azure Kubernetes Fleet Manager RBAC Admin | This role grants admin access: write permissions on most objects within a namespace, with the exception of the ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. | 434fb43a-c01c-447e-9f67-c3ad923cfaba |
| Azure Kubernetes Fleet Manager RBAC Cluster Admin | Lets you manage all resources in the fleet manager cluster. | 18ab4d3d-a1bf-4477-8ad9-8359bc988f69 |
| Azure Kubernetes Fleet Manager RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 30b27cfc-9c84-438e-b0ce-70e35255df80 |
| Azure Kubernetes Fleet Manager RBAC Writer | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | 5af6afb3-c06c-4fa4-8848-71a8aee05683 |
| Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 |
| Azure Kubernetes Service Cluster User Role | List cluster user credential action. | 4abbcc35-e782-43d8-92c5-2d3f1bd2253f |
| Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters. | ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 |
| Azure Kubernetes Service RBAC Admin | Lets you manage all resources under the cluster/namespace, except updating or deleting resource quotas and namespaces. | 3498e952-d568-435e-9b2c-8d77e338d7f7 |
| Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b |
| Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db |
| Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb |

Databases

| Built-in role | Description | ID |
|---|---|---|
| Azure Connected SQL Server Onboarding | Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. | e8113dce-c529-4d33-91fa-e9b972617508 |
| Cosmos DB Account Reader Role | Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. | fbdf93bf-df7d-467e-a4d2-9458aa1360c8 |
| Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | 230815da-be43-4aae-9cb4-875f7bd000aa |
| CosmosBackupOperator | Can submit a restore request for a Cosmos DB database or a container for an account. | db7b14f2-5adf-42da-9f96-f2ee17bab5cb |
| CosmosRestoreOperator | Can perform the restore action for a Cosmos DB database account with continuous backup mode. | 5432c526-bc82-444a-b7ba-57c5b0b5b34f |
| DocumentDB Account Contributor | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. | 5bd9cd88-fe45-4216-938b-f97437e15450 |
| Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | e0f68234-74aa-48ed-b826-c38b57376e17 |
| SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec |
| SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d |
| SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | 056cd41c-7e88-42e1-933e-88ba6a50c9c3 |
| SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. | 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 |

Analytics

| Built-in role | Description | ID |
|---|---|---|
| Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | f526a384-b230-433a-b45c-95f59c4a2dec |
| Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | a638d3c7-ab3a-418d-83e6-5f17a39d4fde |
| Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | 2b629674-e913-4c01-ae53-ef4638d8f975 |
| Data Factory Contributor | Create and manage data factories, as well as child resources within them. | 673868aa-7521-48a0-acc6-0f60742d39f5 |
| Data Purger | Delete private data from a Log Analytics workspace. | 150f5e0c-0603-4f03-8c7f-cf70034c4e90 |
| HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | 61ed4efc-fab3-44fd-b111-e24485cc132a |
| HDInsight Domain Services Contributor | Can read, create, modify, and delete Domain Services related operations needed for HDInsight Enterprise Security Package. | 8d8d5a11-05d3-4bda-a417-a08778121c7c |
| Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | 92aaf0da-9dab-42b6-94a3-d43ce8d16293 |
| Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | 73c42c96-874c-492b-b04d-ab87d138a893 |
| Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. | 5dffeca3-4936-4216-b2bc-10343a5abb25 |
| Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. | 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 |
| Stream Analytics Query Tester | Lets you perform query testing without creating a Stream Analytics job first. | 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf |

AI + machine learning

| Built-in role | Description | ID |
|---|---|---|
| AzureML Data Scientist | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | f6c7c914-8db3-469d-8ca1-694a8f32e121 |
| Cognitive Services Contributor | Lets you create, read, update, delete, and manage keys of Cognitive Services. | 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 |
| Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 |
| Cognitive Services Custom Vision Deployment | Publish, unpublish, or export models. Deployment can view the project but can't update. | 5c4089e1-6d96-4d2f-b296-c1bc7137275f |
| Cognitive Services Custom Vision Labeler | View and edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | 88424f51-ebe7-446f-bc41-7fa16989e96c |
| Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can't create or update the project. | 93586559-c37d-4a6b-ba08-b9f0940c2d73 |
| Cognitive Services Custom Vision Trainer | View and edit projects and train the models, including the ability to publish, unpublish, and export the models. Trainers can't create or delete the project. | 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b |
| Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | b59867f0-fa02-499b-be73-45a86b5b3e1c |
| Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. | 9894cab4-e18a-44aa-828b-cb588cd6f2d7 |
| Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system level configuration. | cb43c632-a144-4ec5-977c-e80c4affc34a |
| Cognitive Services QnA Maker Editor | Lets you create, edit, import, and export a KB. You cannot publish or delete a KB. | f4cc2bf9-21be-47a1-bdf1-5c5804381025 |
| Cognitive Services QnA Maker Reader | Lets you read and test a KB only. | 466ccd10-b268-4a11-b098-b4849f024126 |
| Cognitive Services User | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908 |

Internet of things

| Built-in role | Description | ID |
|---|---|---|
| Device Update Administrator | Gives you full access to management and content operations. | 02ca0879-e8e4-47a5-a61e-5c618b76e64a |
| Device Update Content Administrator | Gives you full access to content operations. | 0378884a-3af5-44ab-8323-f5b22f9f3c98 |
| Device Update Content Reader | Gives you read access to content operations, but does not allow making changes. | d1ee9a80-8b14-47f0-bdc2-f4a351625a7b |
| Device Update Deployments Administrator | Gives you full access to management operations. | e4237640-0e3d-4a46-8fda-70bc94856432 |
| Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes. | 49e2f5d2-7741-4835-8efa-19e1fe35e47f |
| Device Update Reader | Gives you read access to management and content operations, but does not allow making changes. | e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f |
| IoT Hub Data Contributor | Allows for full access to IoT Hub data plane operations. | 4fc6c259-987e-4a07-842e-c321cc9d413f |
| IoT Hub Data Reader | Allows for full read access to IoT Hub data-plane properties. | b447c946-2db7-41ec-983d-d8bf3b1c77e3 |
| IoT Hub Registry Contributor | Allows for full access to the IoT Hub device registry. | 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 |
| IoT Hub Twin Contributor | Allows for read and write access to all IoT Hub device and module twins. | 494bdba2-168f-4f31-a0a1-191d2f7c028c |

Mixed reality

| Built-in role | Description | ID |
|---|---|---|
| Remote Rendering Administrator | Provides the user with conversion, manage session, rendering, and diagnostics capabilities for Azure Remote Rendering. | 3df8b902-2a6f-47c7-8cc5-360e9b272a7e |
| Remote Rendering Client | Provides the user with manage session, rendering, and diagnostics capabilities for Azure Remote Rendering. | d39065c4-c120-43c9-ab0a-63eed9795f0a |
| Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them. | 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 |
| Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them. | 70bbe301-9835-447d-afdd-19eb3167307c |
| Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account. | 5d51204f-eb77-4b1c-b86a-2ec626c49413 |

Integration

| Built-in role | Description | ID |
|---|---|---|
| API Management Service Contributor | Can manage the service and the APIs. | 312a565d-c81f-4fd8-895a-4e21e48d571c |
| API Management Service Operator Role | Can manage the service but not the APIs. | e022efe7-f5ba-4159-bbe4-b44f577e9b61 |
| API Management Service Reader Role | Read-only access to the service and APIs. | 71522526-b88f-4d52-b57f-d31fc3546d0d |
| API Management Service Workspace API Developer | Has read access to tags and products and write access to allow assigning APIs to products and assigning tags to products and APIs. This role should be assigned on the service scope. | 9565a273-41b9-4368-97d2-aeb0c976a9b3 |
| API Management Service Workspace API Product Manager | Has the same access as API Management Service Workspace API Developer, as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. | d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da |
| API Management Workspace API Developer | Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. | 56328988-075d-4c6a-8766-d93edd6725b6 |
| API Management Workspace API Product Manager | Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. | 73c2c328-d004-4c5e-938c-35c6f5679a1f |
| API Management Workspace Contributor | Can manage the workspace and view, but not modify, its members. This role should be assigned on the workspace scope. | 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 |
| API Management Workspace Reader | Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. | ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 |
| App Configuration Data Owner | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b |
| App Configuration Data Reader | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 |
| Azure Relay Listener | Allows for listen access to Azure Relay resources. | 26e0b698-aa6d-4085-9386-aadae190014d |
| Azure Relay Owner | Allows for full access to Azure Relay resources. | 2787bf04-f1f5-4bfe-8383-c8a24483ee38 |
| Azure Relay Sender | Allows for send access to Azure Relay resources. | 26baccc8-eea7-41f1-98f4-1762cc7f685d |
| Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | 090c5cfd-751d-490a-894a-3ce6f1109419 |
| Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 |
| Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 |
| Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | 6f12a6df-dd06-4f3e-bcb1-ce8be600526a |
| EventGrid Contributor | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de |
| EventGrid Data Sender | Allows send access to Event Grid events. | d5a91429-5739-47e2-a06b-3470a27159e7 |
| EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 |
| EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | 2414bbcf-6497-4faf-8c65-045460748405 |
| FHIR Data Contributor | Role allows a user or principal full access to FHIR data. | 5a1fc7df-4bf1-4951-a576-89034ee01acd |
| FHIR Data Exporter | Role allows a user or principal to read and export FHIR data. | 3db33094-8700-4567-8da5-1501d4e7e843 |
| FHIR Data Reader | Role allows a user or principal to read FHIR data. | 4c8d0bbc-75d3-4935-991f-5f3c56d81508 |
| FHIR Data Writer | Role allows a user or principal to read and write FHIR data. | 3f88fce4-5892-4214-ae73-ba5294559913 |
| Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | a41e2c5b-bd99-4a07-88f4-9bf657a760b8 |
| Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts, and API connections in integration service environments. | c7aa55d3-1abb-444a-a5ca-5e51e485d6ec |
| Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | 03a6d094-3444-4b3d-88af-7477090a9e5e |
| Logic App Contributor | Lets you manage logic apps, but not change access to them. | 87a39d53-fc1b-424a-814c-f7e04687dc9e |
| Logic App Operator | Lets you read, enable, and disable logic apps, but not edit or update them. | 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe |

Identity

| Built-in role | Description | ID |
|---|---|---|
| Domain Services Contributor | Can manage Azure AD Domain Services and related network configurations. | eeaeda52-9324-47f6-8069-5d5bade478b2 |
| Domain Services Reader | Can view Azure AD Domain Services and related network configurations. | 361898ef-9ed1-48c2-849c-a832951106bb |
| Managed Identity Contributor | Create, read, update, and delete user-assigned identities. | e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 |
| Managed Identity Operator | Read and assign user-assigned identities. | f1a07417-d97a-45cb-824c-7a7467783830 |

Security

| Built-in role | Description | ID |
|---|---|---|
| Attestation Contributor | Can read, write, or delete the attestation provider instance. | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e |
| Attestation Reader | Can read the attestation provider properties. | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 |
| Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 |
| Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 |
| Key Vault Contributor | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395 |
| Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 |
| Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6 |
| Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d297424 |
| Key Vault Reader | Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2 |
| Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 |
| Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 |
| Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. | 18500a29-7fe2-46b2-a342-b16a415e101d |
| Microsoft Sentinel Automation Contributor | Microsoft Sentinel Automation Contributor | f4c81013-99ee-4d62-a7ee-b3f1f648599a |
| Microsoft Sentinel Contributor | Microsoft Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade |
| Microsoft Sentinel Playbook Operator | Microsoft Sentinel Playbook Operator | 51d6186e-6489-4900-b93f-92e23144cca5 |
| Microsoft Sentinel Reader | Microsoft Sentinel Reader | 8d289c81-5878-46d4-8554-54e1e3d8b5cb |
| Microsoft Sentinel Responder | Microsoft Sentinel Responder | 3e150937-b8fe-4cfb-8069-0eaf05ecd056 |
| Security Admin | View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations. For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring. | fb1c8493-542b-48eb-b624-b4c8fea62acd |
| Security Assessment Contributor | Lets you push assessments to Microsoft Defender for Cloud. | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 |
| Security Manager (Legacy) | This is a legacy role. Please use Security Admin instead. | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 |
| Security Reader | View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes. | |

For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring . 39bc4728-0917-49c7-9d2c-d95423bc2eb4 DevOps DevTest Labs User Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. 76283e04-6283-4c54-8f91-bcf1374a3c64 Lab Assistant Enables you to view an existing lab, perform actions on the lab VMs and send invitations to the lab. ce40b423-cede-4313-a93f-9b28290b72e1 Lab Contributor Applied at lab level, enables you to manage the lab. Applied at a resource group, enables you to create and manage labs. 5daaa2af-1fe8-407c-9122-bba179798270 Lab Creator Lets you create new labs under your Azure Lab Accounts. b97fb8bc-a8b2-4522-a38b-dd33c7e65ead Lab Operator Gives you limited ability to manage existing labs. a36e6959-b6be-4b12-8e9f-ef4b474d304d Lab Services Contributor Enables you to fully control all Lab Services scenarios in the resource group. f69b8690-cc87-41d6-b77a-a4bc3c0a966f Lab Services Reader Enables you to view, but not change, all lab plans and lab resources. 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc Monitor Application Insights Component Contributor Can manage Application Insights components ae349356-3a1b-4a5e-921d-050484c6347e Application Insights Snapshot Debugger Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role. 08954f03-6346-4c2e-81c0-ec3a5cfae23b Monitoring Contributor Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor . 
749f88d5-cbae-40b8-bcfc-e573ddc772fa Monitoring Metrics Publisher Enables publishing metrics against Azure resources 3913510d-42f4-4e42-8a64-420c390055eb Monitoring Reader Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor . 43d0d8ad-25c7-4714-9337-8ba259a9fe05 Workbook Contributor Can save shared workbooks. e8ddcd69-c73f-4f9f-9844-4100522f16ad Workbook Reader Can read workbooks. b279062a-9be3-42a0-92ae-8b3cf002ec4d Management and governance Automation Contributor Manage Azure Automation resources and other resources using Azure Automation. f353d9bd-d4a6-484e-a77a-8050b599b867 Automation Job Operator Create and Manage Jobs using Automation Runbooks. 4fe576fe-1146-4730-92eb-48519fa6bf9f Automation Operator Automation Operators are able to start, stop, suspend, and resume jobs d3881f73-407a-4167-8283-e981cbba0404 Automation Runbook Operator Read Runbook properties - to be able to create Jobs of the runbook. 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 Azure Arc Enabled Kubernetes Cluster User Role List cluster user credentials action. 00493d72-78f6-4148-b6c5-d3ce8e4799dd Azure Arc Kubernetes Admin Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. dffb1e0c-446f-4dde-a09f-99eb5cc68b96 Azure Arc Kubernetes Cluster Admin Lets you manage all resources in the cluster. 8393591c-06b9-48a2-a542-1bd6b377f6a2 Azure Arc Kubernetes Viewer Lets you view all resources in cluster/namespace, except secrets. 63f0a09d-1495-4db4-a681-037d84835eb4 Azure Arc Kubernetes Writer Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. 5b999177-9696-4545-85c7-50de3797e5a1 Azure Connected Machine Onboarding Can onboard Azure Connected Machines. b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 Azure Connected Machine Resource Administrator Can read, write, delete and re-onboard Azure Connected Machines. 
cd570a14-e51a-42ad-bac8-bafd67325302 Billing Reader Allows read access to billing data fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 Blueprint Contributor Can manage blueprint definitions, but not assign them. 41077137-e803-4205-871c-5a86e6a753b4 Blueprint Operator Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. 437d2ced-4a38-4302-8479-ed2bcb43d090 Cost Management Contributor Can view costs and manage cost configuration (e.g. budgets, exports) 434105ed-43f6-45c7-a02f-909b2ba83430 Cost Management Reader Can view cost data and configuration (e.g. budgets, exports) 72fafb9e-0641-4937-9268-a91bfd8191a3 Hierarchy Settings Administrator Allows users to edit and delete Hierarchy Settings 350f8d15-c687-4448-8ae1-157740a3936d Kubernetes Cluster - Azure Arc Onboarding Role definition to authorize any user/service to create connectedClusters resource 34e09817-6cbe-4d01-b1a2-e0eac5743d41 Kubernetes Extension Contributor Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations 85cb6faf-e071-4c9b-8136-154b5a04f717 Managed Application Contributor Role Allows for creating managed application resources. 641177b8-a67a-45b9-a033-47bc880bb21e Managed Application Operator Role Lets you read and perform actions on Managed Application resources c7393b34-138c-406f-901b-d8cf2b17e6ae Managed Applications Reader Lets you read resources in a managed app and request JIT access. b9331d33-8a36-4f8c-b097-4f54124fdb44 Managed Services Registration assignment Delete Role Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. 
91c1777a-f3dc-4fae-b103-61d183457e46 Management Group Contributor Management Group Contributor Role 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c Management Group Reader Management Group Reader Role ac63b705-f282-497d-ac71-919bf39d939d New Relic APM Account Contributor Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. 5d28c62d-5b37-4476-8438-e587778df237 Policy Insights Data Writer (Preview) Allows read access to resource policies and write access to resource component policy events. 66bb4e9e-b016-4a94-8249-4c0511c2be84 Quota Request Operator Read and create quota requests, get quota request status, and create support tickets. 0e5f05e5-9ab9-446b-b98d-1e2157c94125 Reservation Purchaser Lets you purchase reservations f7b75c60-3036-4b75-91c3-6b41c27c1689 Resource Policy Contributor Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. 36243c78-bf99-498c-9df9-86d9f8d28608 Site Recovery Contributor Lets you manage Site Recovery service except vault creation and role assignment 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 Site Recovery Operator Lets you failover and failback but not perform other Site Recovery management operations 494ae006-db33-4328-bf46-533a6560a3ca Site Recovery Reader Lets you view Site Recovery status but not perform other management operations dbaa88c4-0c30-4179-9fb3-46319faa6149 Support Request Contributor Lets you create and manage Support requests cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e Tag Contributor Lets you manage tags on entities, without providing access to the entities themselves. 4a9ae827-6dc8-4573-8ac7-8239d42aa03f Template Spec Contributor Allows full access to Template Spec operations at the assigned scope. 1c9b6475-caf0-4164-b5a1-2142a7116f4b Template Spec Reader Allows read access to Template Specs at the assigned scope. 
392ae280-861d-42bd-9ea5-08ee6d83b80e Virtual desktop infrastructure Desktop Virtualization Application Group Contributor Contributor of the Desktop Virtualization Application Group. 86240b0e-9422-4c43-887b-b61143f32ba8 Desktop Virtualization Application Group Reader Reader of the Desktop Virtualization Application Group. aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 Desktop Virtualization Contributor Contributor of Desktop Virtualization. 082f0a83-3be5-4ba1-904c-961cca79b387 Desktop Virtualization Host Pool Contributor Contributor of the Desktop Virtualization Host Pool. e307426c-f9b6-4e81-87de-d99efb3c32bc Desktop Virtualization Host Pool Reader Reader of the Desktop Virtualization Host Pool. ceadfde2-b300-400a-ab7b-6143895aa822 Desktop Virtualization Reader Reader of Desktop Virtualization. 49a72310-ab8d-41df-bbb0-79b649203868 Desktop Virtualization Session Host Operator Operator of the Desktop Virtualization Session Host. 2ad6aaab-ead9-4eaa-8ac5-da422f562408 Desktop Virtualization User Allows user to use the applications in an application group. 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 Desktop Virtualization User Session Operator Operator of the Desktop Virtualization User Session. ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 Desktop Virtualization Workspace Contributor Contributor of the Desktop Virtualization Workspace. 21efdde3-836f-432b-bf3d-3e8e734d4b2b Desktop Virtualization Workspace Reader Reader of the Desktop Virtualization Workspace. 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d Other Azure Digital Twins Data Owner Full access role for Digital Twins data-plane bcd981a7-7f74-457b-83e1-cceb9e632ffe Azure Digital Twins Data Reader Read-only role for Digital Twins data-plane properties d57506d4-4c8d-48b1-8587-93c323f6a5a3 BizTalk Contributor Lets you manage BizTalk services, but not access to them. 
5e3c6656-6cfa-4708-81fe-0de47ac73342 Grafana Admin Perform all Grafana operations, including the ability to manage data sources, create dashboards, and manage role assignments within Grafana. 22926164-76b3-42b3-bc55-97df8dab3e41 Grafana Editor View and edit a Grafana instance, including its dashboards and alerts. a79a5197-3a5c-4973-a920-486035ffd60f Grafana Viewer View a Grafana instance, including its dashboards and alerts. 60921a7e-fef1-4a43-9b16-a26c52ad4769 Load Test Contributor View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. 749a398d-560b-491b-bb21-08924219302e Load Test Owner Execute all operations on load test resources and load tests 45bb0b16-2f0c-4e78-afaa-a07599b003f6 Load Test Reader View and list all load tests and load test resources but can not make any changes 3ae3fb29-0000-4ccd-bf80-542e7b26e081 Scheduler Job Collections Contributor Lets you manage Scheduler job collections, but not access to them. 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 Services Hub Operator Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. 
82200a5b-e217-47a5-b665-6d8765ee745b Microsoft.Authorization /*/Delete Delete roles, policy assignments, policy definitions and policy set definitions Microsoft.Authorization /*/Write Create roles, role assignments, policy assignments, policy definitions and policy set definitions Microsoft.Authorization /elevateAccess/Action Grants the caller User Access Administrator access at the tenant scope Microsoft.Blueprint /blueprintAssignments/write Create or update any blueprint assignments Microsoft.Blueprint /blueprintAssignments/delete Delete any blueprint assignments Microsoft.Compute /galleries/share/action Shares a Gallery to different scopes DataActions NotDataActions "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.", "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", "name": "b24988ac-6180-42a0-ab88-20f7382dd24c", "permissions": [ "actions": [ "notActions": [ "Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write", "Microsoft.Authorization/elevateAccess/Action", "Microsoft.Blueprint/blueprintAssignments/write", "Microsoft.Blueprint/blueprintAssignments/delete", "Microsoft.Compute/galleries/share/action" "dataActions": [], "notDataActions": [] "roleName": "Contributor", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions"

Owner

Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.

```json
{
  "description": "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
  "permissions": [
    {
      "actions": [
        "*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Reader

View all resources, but does not allow you to make any changes.

```json
{
  "description": "View all resources, but does not allow you to make any changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "permissions": [
    {
      "actions": [
        "*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

User Access Administrator

Lets you manage user access to Azure resources.

```json
{
  "description": "Lets you manage user access to Azure resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "User Access Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
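The four definitions above are read by Azure Resource Manager with one rule: an operation is permitted if, for any role assigned to the principal, it matches an entry in that role's Actions and no entry in the same role's NotActions; DataActions and NotDataActions work the same way on the data plane. Two consequences matter when reviewing assignments. NotActions only subtract within their own role and are not deny rules, so Contributor plus User Access Administrator can assign roles even though Contributor alone cannot. And a control-plane wildcard such as Contributor's "*" never grants a data action, so Contributor on a VM does not include Virtual Machine Administrator Login's loginAsAdmin/action. The Python below is an added editor's example, not code from this page or from Microsoft; it copies the permission blocks of Contributor, Owner, Reader, User Access Administrator and Virtual Machine Administrator Login from this page and evaluates operations against them offline. It assumes Actions "*" for Contributor and Owner (consistent with their "full access" descriptions) and the documented wildcard semantics: "*" matches any run of characters including "/", and comparison is case-insensitive.

```python
"""Offline evaluation of Azure RBAC role definitions (editor's example).

Control plane: permitted if any assigned role has the operation in
(Actions - NotActions). Data plane: same with (DataActions - NotDataActions).
NotActions only subtract inside their own role; they are not deny rules.
'*' spans any characters, '/' included; matching is case-insensitive.
"""
import re

# Permission blocks copied from the role definitions on this page. Actions "*"
# for Contributor and Owner is assumed from their "full access" descriptions.
CONTRIBUTOR = {
    "roleName": "Contributor",
    "actions": ["*"],
    "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
    ],
    "dataActions": [],
    "notDataActions": [],
}
OWNER = {"roleName": "Owner", "actions": ["*"], "notActions": [],
         "dataActions": [], "notDataActions": []}
READER = {"roleName": "Reader", "actions": ["*/read"], "notActions": [],
          "dataActions": [], "notDataActions": []}
USER_ACCESS_ADMINISTRATOR = {
    "roleName": "User Access Administrator",
    "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
    "notActions": [], "dataActions": [], "notDataActions": [],
}
VIRTUAL_MACHINE_ADMINISTRATOR_LOGIN = {
    "roleName": "Virtual Machine Administrator Login",
    "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridConnectivity/endpoints/listCredentials/action",
    ],
    "notActions": [],
    "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
        "Microsoft.HybridCompute/machines/login/action",
        "Microsoft.HybridCompute/machines/loginAsAdmin/action",
    ],
    "notDataActions": [],
}


def matches(pattern: str, operation: str) -> bool:
    """Azure action-string match: '*' spans any characters; case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str, data_plane: bool = False) -> bool:
    """One role: (Actions - NotActions) or (DataActions - NotDataActions)."""
    grant, subtract = (("dataActions", "notDataActions") if data_plane
                       else ("actions", "notActions"))
    granted = any(matches(p, operation) for p in role[grant])
    excluded = any(matches(p, operation) for p in role[subtract])
    return granted and not excluded


def granting_roles(roles: list, operation: str, data_plane: bool = False) -> list:
    """Names of the assigned roles that grant the operation; empty means denied."""
    return [r["roleName"] for r in roles if role_allows(r, operation, data_plane)]


def is_permitted(roles: list, operation: str, data_plane: bool = False) -> bool:
    """Union across assignments: permitted if any assigned role grants it."""
    return bool(granting_roles(roles, operation, data_plane))


if __name__ == "__main__":
    assign = "Microsoft.Authorization/roleAssignments/write"
    login = "Microsoft.Compute/virtualMachines/loginAsAdmin/action"
    # Contributor alone cannot assign roles ...
    print(granting_roles([CONTRIBUTOR], assign))                              # []
    # ... but NotActions is not a deny: a second assignment restores it.
    print(granting_roles([CONTRIBUTOR, USER_ACCESS_ADMINISTRATOR], assign))  # ['User Access Administrator']
    # A control-plane "*" never grants a data action such as loginAsAdmin.
    print(granting_roles([CONTRIBUTOR], login, data_plane=True))             # []
    print(granting_roles([VIRTUAL_MACHINE_ADMINISTRATOR_LOGIN], login, data_plane=True))
```

To check a real principal, feed granting_roles the permission blocks of every role assigned to it at or above the scope in question; the function reports which assignment is responsible for a grant, which is the detail an access review usually needs.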

Compute

Classic Virtual Machine Contributor

Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. Note that the Actions include Microsoft.ClassicStorage/storageAccounts/listKeys/action: the account keys it returns authorize data-plane access to that storage account, so the "not the storage account" limit applies to managing the account resource, not to the data in it.

Actions (the definition below lists the complete set):
Microsoft.ClassicStorage/storageAccounts/images/read | Returns the storage account image. (Deprecated. Use 'Microsoft.ClassicStorage/storageAccounts/vmImages')
Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts.
Microsoft.ClassicStorage/storageAccounts/read | Return the storage account with the given account.
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket
NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
  "name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/domainNames/*",
        "Microsoft.ClassicCompute/virtualMachines/*",
        "Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
        "Microsoft.ClassicNetwork/reservedIps/link/action",
        "Microsoft.ClassicNetwork/reservedIps/read",
        "Microsoft.ClassicNetwork/virtualNetworks/join/action",
        "Microsoft.ClassicNetwork/virtualNetworks/read",
        "Microsoft.ClassicStorage/storageAccounts/disks/read",
        "Microsoft.ClassicStorage/storageAccounts/images/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Virtual Machine Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Data Operator for Managed Disks

Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.

DataActions (the definition below lists the complete set):
Microsoft.Compute/snapshots/download/action | Perform read data operations on Snapshot SAS Uri
Microsoft.Compute/snapshots/upload/action | Perform write data operations on Snapshot SAS Uri
NotDataActions: none

```json
{
  "description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e",
  "name": "959f8984-c045-4866-89c7-12bf9737be2e",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/disks/download/action",
        "Microsoft.Compute/disks/upload/action",
        "Microsoft.Compute/snapshots/download/action",
        "Microsoft.Compute/snapshots/upload/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Data Operator for Managed Disks",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Disk Backup Reader

Provides permission to backup vault to perform disk backup.

Actions (the definition below lists the complete set):
Microsoft.Compute/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access
NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Provides permission to backup vault to perform disk backup.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
  "name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/beginGetAccess/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Disk Pool Operator

Provides permission to the StoragePool Resource Provider to manage disks added to a disk pool.

```json
{
  "description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840",
  "name": "60fc6e62-5479-42d4-8bf4-67625fcc2840",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Pool Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Disk Restore Operator

Provides permission to backup vault to perform disk restore.

```json
{
  "description": "Provides permission to backup vault to perform disk restore.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13",
  "name": "b50d9833-a0cb-478e-945f-707fcc997c13",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Restore Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Disk Snapshot Contributor

Provides permission to backup vault to manage disk snapshots. Besides snapshot management, the Actions include creating, deleting and listing the keys of storage accounts at the assigned scope, so keep this assignment on the backup vault's identity rather than on user principals.

Actions (the definition below lists the complete set):
Microsoft.Compute/snapshots/beginGetAccess/action | Get the SAS URI of the Snapshot for blob access
Microsoft.Compute/snapshots/endGetAccess/action | Revoke the SAS URI of the Snapshot
Microsoft.Compute/disks/beginGetAccess/action | Get the SAS URI of the Disk for blob access
Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/write | Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account.
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Storage/storageAccounts/delete | Deletes an existing storage account.
NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Provides permission to backup vault to manage disk snapshots.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce",
  "name": "7efff54f-a5b4-42b5-a1c5-5411624893ce",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/beginGetAccess/action",
        "Microsoft.Compute/snapshots/endGetAccess/action",
        "Microsoft.Compute/disks/beginGetAccess/action",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Disk Snapshot Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Virtual Machine Administrator Login

View Virtual Machines in the portal and log in as administrator. The login rights are data actions: this role grants no control-plane write on the VM, and a control-plane role such as Contributor does not grant these login rights.

Actions (the definition below lists the complete set):
Microsoft.HybridConnectivity/endpoints/listCredentials/action | List the endpoint access credentials to the resource.
NotActions: none
DataActions:
Microsoft.Compute/virtualMachines/login/action | Log in to a virtual machine as a regular user
Microsoft.Compute/virtualMachines/loginAsAdmin/action | Log in to a virtual machine with Windows administrator or Linux root user privileges
Microsoft.HybridCompute/machines/login/action | Log in to an Azure Arc machine as a regular user
Microsoft.HybridCompute/machines/loginAsAdmin/action | Log in to an Azure Arc machine with Windows administrator or Linux root user privilege
NotDataActions: none

```json
{
  "description": "View Virtual Machines in the portal and login as administrator",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
  "name": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridConnectivity/endpoints/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.Compute/virtualMachines/loginAsAdmin/action",
        "Microsoft.HybridCompute/machines/login/action",
        "Microsoft.HybridCompute/machines/loginAsAdmin/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine Administrator Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Virtual Machine Contributor

Create and manage virtual machines, manage disks, install and run software, reset the password of the root user of the virtual machine using VM extensions, and manage local user accounts using VM extensions. This role does not grant you management access to the virtual network or storage account the virtual machines are connected to. This role does not allow you to assign roles in Azure RBAC. Note that the Actions include Microsoft.Storage/storageAccounts/listKeys/action: the account keys it returns authorize full data-plane access to that storage account, so the limit above applies to managing the account resource, not to the data in it. Microsoft.Compute/virtualMachines/* also covers running scripts and extensions inside the guest, which is effectively administrative access to the OS of every VM at the assigned scope.

Actions (the definition below lists the complete set):
Microsoft.Compute/virtualMachines/* | Perform all virtual machine actions including create, update, delete, start, restart, and power off virtual machines. Execute scripts on virtual machines.
Microsoft.Compute/virtualMachineScaleSets/* | Create and manage virtual machine scale sets
Microsoft.Compute/cloudServices/* |
Microsoft.Compute/disks/write | Creates a new Disk or updates an existing one
Microsoft.Compute/disks/read | Get the properties of a Disk
Microsoft.Compute/disks/delete | Deletes the Disk
Microsoft.DevTestLab/schedules/* |
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert
Microsoft.Network/applicationGateways/backendAddressPools/join/action | Joins an application gateway backend address pool. Not Alertable.
Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable.
Microsoft.Network/loadBalancers/inboundNatPools/join/action | Joins a load balancer inbound NAT pool. Not alertable.
Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable.
Microsoft.Network/loadBalancers/probes/join/action | Allows using probes of a load balancer. For example, with this permission healthProbe property of VM scale set can reference the probe. Not alertable.
Microsoft.Network/loadBalancers/read | Gets a load balancer definition
Microsoft.Network/locations/* | Create and manage network locations
Microsoft.Network/networkInterfaces/* | Create and manage network interfaces
Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable.
Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition
Microsoft.Network/publicIPAddresses/join/action | Joins a public ip address. Not Alertable.
Microsoft.Network/publicIPAddresses/read | Gets a public ip address definition.
Microsoft.Network/virtualNetworks/read | Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable.
Microsoft.RecoveryServices/locations/* |
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read |
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item
Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies
Microsoft.RecoveryServices/Vaults/backupPolicies/write | Creates Protection Policy
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/write | Create Vault operation creates an Azure resource of type 'vault'
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.SerialConsole/serialPorts/connect/action | Connect to a serial port
Microsoft.SqlVirtualMachine/* |
Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Support/* | Create and update a support ticket
NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
  "name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/locations/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/virtualMachineScaleSets/*",
        "Microsoft.Compute/cloudServices/*",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/delete",
        "Microsoft.DevTestLab/schedules/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/applicationGateways/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/loadBalancers/probes/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/locations/*",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/write",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.SerialConsole/serialPorts/connect/action",
        "Microsoft.SqlVirtualMachine/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Virtual Machine User Login

View Virtual Machines in the portal and log in as a regular user.

| Actions | Description |
| --- | --- |
| Microsoft.HybridConnectivity/endpoints/listCredentials/action | List the endpoint access credentials to the resource. |

NotActions: none

| DataActions | Description |
| --- | --- |
| Microsoft.Compute/virtualMachines/login/action | Log in to a virtual machine as a regular user |
| Microsoft.HybridCompute/machines/login/action | Log in to an Azure Arc machine as a regular user |

NotDataActions: none

```json
{
  "description": "View Virtual Machines in the portal and login as a regular user.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
  "name": "fb879df8-f326-4884-b1cf-06f3ad86be52",
  "permissions": [
    {
      "actions": [
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridConnectivity/endpoints/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Compute/virtualMachines/login/action",
        "Microsoft.HybridCompute/machines/login/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Virtual Machine User Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Windows Admin Center Administrator Login

Lets you manage the OS of your resource via Windows Admin Center as an administrator.

| Actions | Description |
| --- | --- |
| Microsoft.HybridCompute/machines/upgradeExtensions/action | Upgrades Extensions on Azure Arc machines |
| Microsoft.HybridCompute/operations/read | Read all Operations for Azure Arc for Servers |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/publicIPAddresses/read | Gets a public ip address definition. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
| Microsoft.Network/networkWatchers/securityGroupView/action | View the configured and effective network security group rules applied on a VM. |
| Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
| Microsoft.Network/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule |
| Microsoft.HybridConnectivity/endpoints/write | Create or update the endpoint to the target resource. |
| Microsoft.HybridConnectivity/endpoints/read | Get or list of endpoints to the target resource. |
| Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action | List the managed proxy details to the resource. |
| Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine |
| Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read | Retrieves the summary of the latest patch assessment operation |
| Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read | Retrieves list of patches assessed during the last patch assessment operation |
| Microsoft.Compute/virtualMachines/patchInstallationResults/read | Retrieves the summary of the latest patch installation operation |
| Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read | Retrieves list of patches attempted to be installed during the last patch installation operation |
| Microsoft.Compute/virtualMachines/extensions/read | Get the properties of a virtual machine extension |
| Microsoft.Compute/virtualMachines/instanceView/read | Gets the detailed runtime status of the virtual machine and its resources |
| Microsoft.Compute/virtualMachines/runCommands/read | Get the properties of a virtual machine run command |
| Microsoft.Compute/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to |
| Microsoft.Compute/locations/publishers/artifacttypes/types/read | Get the properties of a VMExtension Type |
| Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read | Get the properties of a VMExtension Version |
| Microsoft.Compute/diskAccesses/read | Get the properties of DiskAccess resource |
| Microsoft.Compute/galleries/images/read | Gets the properties of Gallery Image |
| Microsoft.Compute/images/read | Get the properties of the Image |
| Microsoft.AzureStackHCI/Clusters/Read | Gets clusters |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Read | Gets arc resource of HCI cluster |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read | Gets extension resource of HCI cluster |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write | Create or update extension resource of HCI cluster |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete | Delete extension resources of HCI cluster |
| Microsoft.AzureStackHCI/Operations/Read | Gets operations |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read | Read virtualmachines |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write | Write extension resource |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read | Gets extension resource |

NotActions: none

| DataActions | Description |
| --- | --- |
| Microsoft.HybridCompute/machines/WACLoginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator. |
| Microsoft.Compute/virtualMachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator |
| Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action | Manage OS of HCI resource via Windows Admin Center as an administrator |
| Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action | Lets you manage the OS of your resource via Windows Admin Center as an administrator. |

NotDataActions: none

```json
{
  "description": "Let's you manage the OS of your resource via Windows Admin Center as an administrator.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f",
  "name": "a6333a3e-0164-44c3-b281-7a577aff287f",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/*/read",
        "Microsoft.HybridCompute/machines/extensions/*",
        "Microsoft.HybridCompute/machines/upgradeExtensions/action",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkWatchers/securityGroupView/action",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.HybridConnectivity/endpoints/write",
        "Microsoft.HybridConnectivity/endpoints/read",
        "Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read",
        "Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read",
        "Microsoft.Compute/virtualMachines/patchInstallationResults/read",
        "Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read",
        "Microsoft.Compute/virtualMachines/extensions/read",
        "Microsoft.Compute/virtualMachines/instanceView/read",
        "Microsoft.Compute/virtualMachines/runCommands/read",
        "Microsoft.Compute/virtualMachines/vmSizes/read",
        "Microsoft.Compute/locations/publishers/artifacttypes/types/read",
        "Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
        "Microsoft.Compute/diskAccesses/read",
        "Microsoft.Compute/galleries/images/read",
        "Microsoft.Compute/images/read",
        "Microsoft.AzureStackHCI/Clusters/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete",
        "Microsoft.AzureStackHCI/Operations/Read",
        "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read",
        "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write",
        "Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.HybridCompute/machines/WACLoginAsAdmin/action",
        "Microsoft.Compute/virtualMachines/WACloginAsAdmin/action",
        "Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action",
        "Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Windows Admin Center Administrator Login",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Networking

CDN Endpoint Contributor

Can manage CDN endpoints, but can't grant access to other users.

```json
{
  "description": "Can manage CDN endpoints, but can't grant access to other users.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
  "name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/endpoints/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Endpoint Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

CDN Endpoint Reader

Can view CDN endpoints, but can't make changes.

```json
{
  "description": "Can view CDN endpoints, but can't make changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
  "name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/endpoints/*/read",
        "Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Endpoint Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

CDN Profile Contributor

Can manage CDN profiles and their endpoints, but can't grant access to other users.

```json
{
  "description": "Can manage CDN profiles and their endpoints, but can't grant access to other users.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
  "name": "ec156ff8-a8d1-4d15-830c-5b80698ca432",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Profile Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

CDN Profile Reader

Can view CDN profiles and their endpoints, but can't make changes.

```json
{
  "description": "Can view CDN profiles and their endpoints, but can't make changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
  "name": "8f96442b-4075-438f-813d-ad51ab4019af",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cdn/edgenodes/read",
        "Microsoft.Cdn/operationresults/*",
        "Microsoft.Cdn/profiles/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CDN Profile Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Classic Network Contributor

Lets you manage classic networks, but not access to them.

| Actions | Description |
| --- | --- |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |

NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Lets you manage classic networks, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
  "name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicNetwork/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Network Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

DNS Zone Contributor

Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.

| Actions | Description |
| --- | --- |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |

NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314",
  "name": "befefa01-2a29-4197-83a8-272ff33ce314",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/dnsZones/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DNS Zone Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Network Contributor

Lets you manage networks, but not access to them.

| Actions | Description |
| --- | --- |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |

NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Lets you manage networks, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
  "name": "4d97b98b-1d4f-4787-a291-c67834d212e7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Network Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Private DNS Zone Contributor

Lets you manage private DNS zone resources, but not the virtual networks they are linked to.

```json
{
  "description": "Lets you manage private DNS zone resources, but not the virtual networks they are linked to.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f",
  "name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/privateDnsZones/*",
        "Microsoft.Network/privateDnsOperationResults/*",
        "Microsoft.Network/privateDnsOperationStatuses/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Private DNS Zone Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Traffic Manager Contributor

Lets you manage Traffic Manager profiles, but does not let you control who has access to them.

| Actions | Description |
| --- | --- |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |

NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Lets you manage Traffic Manager profiles, but does not let you control who has access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
  "name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/trafficManagerProfiles/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Traffic Manager Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage

Avere Contributor

Can create and manage an Avere vFXT cluster.

| Actions | Description |
| --- | --- |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/*/read | |
| Microsoft.Storage/storageAccounts/* | Create and manage storage accounts |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Resources/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. |

NotActions: none

| DataActions | Description |
| --- | --- |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |

NotDataActions: none

```json
{
  "description": "Can create and manage an Avere vFXT cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/availabilitySets/*",
        "Microsoft.Compute/proximityPlacementGroups/*",
        "Microsoft.Compute/virtualMachines/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Network/*/read",
        "Microsoft.Network/networkInterfaces/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/*/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Avere Operator

Used by the Avere vFXT cluster to manage the cluster.

| Actions | Description |
| --- | --- |
| Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/blobServices/containers/delete | Returns the result of deleting a container |
| Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers |
| Microsoft.Storage/storageAccounts/blobServices/containers/write | Returns the result of put blob container |

NotActions: none

| DataActions | Description |
| --- | --- |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs |
| Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Returns the result of writing a blob |

NotDataActions: none

```json
{
  "description": "Used by the Avere vFXT cluster to manage the cluster",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
  "permissions": [
    {
      "actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Avere Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Backup Contributor

Lets you manage the backup service, but can't create vaults or give access to others.

| Actions | Description |
| --- | --- |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* | Manage results of operation on backup management |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* | Create and manage backup containers inside backup fabrics of Recovery Services vault |
| Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
| Microsoft.RecoveryServices/Vaults/backupJobs/* | Create and manage backup jobs |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/* | Create and manage Results of backup management operations |
| Microsoft.RecoveryServices/Vaults/backupPolicies/* | Create and manage backup policies |
| Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | Create and manage items which can be backed up |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/* | Create and manage backed up items |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* | Create and manage containers holding backup items |
| Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* | |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services vault. |
| Microsoft.RecoveryServices/Vaults/certificates/* | Create and manage certificates related to backup in Recovery Services vault |
| Microsoft.RecoveryServices/Vaults/extendedInformation/* | Create and manage extended info related to vault |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/* | Create and manage registered identities |
| Microsoft.RecoveryServices/Vaults/usages/* | Create and manage usage of Recovery Services vault |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/write | Create Vault operation creates an Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
| Microsoft.RecoveryServices/vaults/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/vaults/operationResults/read | The Get Operation Results operation can be used to get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/delete | Deletes the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action | Perform undelete of soft-deleted Backup Instance. Backup Instance moves from SoftDeleted to ProtectionStopped state. |
| Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupPolicies/write | Creates Backup Policy |
| Microsoft.DataProtection/backupVaults/backupPolicies/delete | Deletes the Backup Policy |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
| Microsoft.DataProtection/backupVaults/write | Update BackupVault operation updates an Azure resource of type 'Backup Vault' |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
| Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/checkNameAvailability/action | Checks if the requested BackupVault Name is Available |
| Microsoft.DataProtection/locations/checkFeatureSupport/action | Validates if a feature is supported |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
| Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |

NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Lets you manage backup service,but can't create vaults and give access to others",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
  "name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
        "Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/*",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/Vaults/usages/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/write",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/vaults/operationStatus/read",
        "Microsoft.RecoveryServices/vaults/operationResults/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/delete",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/write",
        "Microsoft.DataProtection/backupVaults/backupPolicies/delete",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/write",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/locations/checkNameAvailability/action",
        "Microsoft.DataProtection/locations/checkFeatureSupport/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Backup Operator

Lets you manage backup services, except removal of backup, vault creation and giving access to others. Learn more

In terms of the actions below, "removal of backup" and "vault creation" translate to the absence of a delete verb on protected items and backup instances and the absence of Microsoft.RecoveryServices/Vaults/write and Microsoft.DataProtection/backupVaults/write, all of which Backup Contributor has. The role still grants backup and restore triggers, cross-region restore, and vault certificate and registered-identity writes, so it is an operational role rather than a read-only one.

| Action | Description |
|---|---|
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action | Performs Backup for Protected Item. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action | Provision Instant Item Recovery for Protected Item |
| Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action | Get AccessToken for Cross Region Restore. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action | Restore Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action | Revoke Instant Item Recovery for Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | Create a backup Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
| Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action | Refreshes the container list |
| Microsoft.RecoveryServices/Vaults/backupJobs/* | Create and manage backup jobs |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/* | Create and manage Results of backup management operations |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies |
| Microsoft.RecoveryServices/Vaults/backupProtectableItems/* | Create and manage items which can be backed up |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services vault. |
| Microsoft.RecoveryServices/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate. |
| Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/extendedInformation/write | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used to get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used to get the containers registered for a resource. |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/write | The Register Service Container operation can be used to register a container with Recovery Service. |
| Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/* | |
| Microsoft.RecoveryServices/Vaults/backupValidateOperation/action | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read | Validate Operation on Protected Item |
| Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write | Creates a registered container |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action | Do inquiry for workloads within a container |
| Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | Create a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read | Get all protectable containers |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
| Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/locations/backupPreValidateProtection/action | |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
| Microsoft.RecoveryServices/locations/backupAadProperties/read | Get AAD Properties for authentication in the third region for Cross Region Restore. |
| Microsoft.RecoveryServices/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action | Trigger Cross region restore. |
| Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
| Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |

NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Lets you manage backup services, except removal of backup, vault creation and giving access to others",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
  "name": "00c29273-979b-4161-815c-10b084fb9324",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action",
        "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
        "Microsoft.RecoveryServices/Vaults/backupJobs/*",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/write",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupAadProperties/read",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.Support/*",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/operations/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Backup Reader

Can view backup services, but can't make changes. Learn more

Despite that description, the action list below is not strictly read-only. It includes Microsoft.DataProtection/backupVaults/backupInstances/write, .../backupInstances/backup/action, .../backupInstances/validateRestore/action and .../backupInstances/restore/action, as well as Microsoft.RecoveryServices/Vaults/monitoringAlerts/write and Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*. A holder can therefore trigger a backup or a restore of a Backup Vault instance, which matters if the role is handed out as a "harmless" auditing role. Treat the action list, not the one-line description, as the authoritative statement of what the role grants.

| Action | Description |
|---|---|
| Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is internal operation used by service |
| Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read | Returns status of the operation |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read | Gets result of Operation performed on Protection Container. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read | Gets Result of Operation Performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read | Returns the status of Operation performed on Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | Returns object details of the Protected Item |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read | Get Recovery Points for Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read | Returns all registered containers |
| Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read | Returns the Result of Job Operation. |
| Microsoft.RecoveryServices/Vaults/backupJobs/read | Returns all Job Objects |
| Microsoft.RecoveryServices/Vaults/backupJobsExport/action | Export Jobs |
| Microsoft.RecoveryServices/Vaults/backupOperationResults/read | Returns Backup Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read | Get Results of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/read | Returns all Protection Policies |
| Microsoft.RecoveryServices/Vaults/backupProtectedItems/read | Returns the list of all Protected Items. |
| Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read | Returns all containers belonging to the subscription |
| Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read | Returns summaries for Protected Items and Protected Servers for a Recovery Services vault. |
| Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/read | Gets the alerts for the Recovery services vault. |
| Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault' |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used to get the operation status and result for the asynchronously submitted operation |
| Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used to get the containers registered for a resource. |
| Microsoft.RecoveryServices/Vaults/backupstorageconfig/read | Returns Storage Configuration for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupconfig/read | Returns Configuration for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupOperations/read | Returns Backup Operation Status for Recovery Services Vault. |
| Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read | Get Status of Policy Operation. |
| Microsoft.RecoveryServices/Vaults/backupEngines/read | Returns all the backup management servers registered with vault. |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read | Get a backup Protection Intent |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read | Get all items in a container |
| Microsoft.RecoveryServices/locations/backupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* | |
| Microsoft.RecoveryServices/Vaults/monitoringAlerts/write | Resolves the alert. |
| Microsoft.RecoveryServices/operations/read | Operation returns the list of Operations for a Resource Provider |
| Microsoft.RecoveryServices/locations/operationStatus/read | Gets Operation Status for a given Operation |
| Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read | List all backup Protection Intents |
| Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupValidateFeatures/action | Validate Features |
| Microsoft.RecoveryServices/locations/backupCrrJobs/action | List Cross Region Restore Jobs in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrJob/action | Get Cross Region Restore Job Details in the secondary region for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrOperationResults/read | Returns CRR Operation Result for Recovery Services Vault. |
| Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read | Returns CRR Operation Status for Recovery Services Vault. |
| Microsoft.DataProtection/locations/getBackupStatus/action | Check Backup Status for Recovery Services Vaults |
| Microsoft.DataProtection/backupVaults/backupInstances/write | Creates a Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/read | Returns all Backup Instances |
| Microsoft.DataProtection/backupVaults/deletedBackupInstances/read | List soft-deleted Backup Instances in a Backup Vault. |
| Microsoft.DataProtection/backupVaults/backupInstances/backup/action | Performs Backup on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action | Validates for Restore of the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupInstances/restore/action | Triggers restore on the Backup Instance |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupPolicies/read | Returns all Backup Policies |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read | Returns all Recovery Points |
| Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action | Finds Restorable Time Ranges |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/operationResults/read | Gets Operation Result of a Patch Operation for a Backup Vault |
| Microsoft.DataProtection/backupVaults/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/backupVaults/read | Gets list of Backup Vaults in a Resource Group |
| Microsoft.DataProtection/locations/operationStatus/read | Returns Backup Operation Status for Backup Vault. |
| Microsoft.DataProtection/locations/operationResults/read | Returns Backup Operation Result for Backup Vault. |
| Microsoft.DataProtection/backupVaults/validateForBackup/action | Validates for backup of Backup Instance |
| Microsoft.DataProtection/operations/read | Operation returns the list of Operations for a Resource Provider |

NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Can view backup services, but can't make changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupJobs/read",
        "Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
        "Microsoft.RecoveryServices/Vaults/backupOperationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
        "Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupconfig/read",
        "Microsoft.RecoveryServices/Vaults/backupOperations/read",
        "Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
        "Microsoft.RecoveryServices/Vaults/backupEngines/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read",
        "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read",
        "Microsoft.RecoveryServices/locations/backupStatus/action",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
        "Microsoft.RecoveryServices/operations/read",
        "Microsoft.RecoveryServices/locations/operationStatus/read",
        "Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
        "Microsoft.RecoveryServices/locations/backupCrrJobs/action",
        "Microsoft.RecoveryServices/locations/backupCrrJob/action",
        "Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",
        "Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
        "Microsoft.DataProtection/locations/getBackupStatus/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/write",
        "Microsoft.DataProtection/backupVaults/backupInstances/read",
        "Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action",
        "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupPolicies/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",
        "Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/operationResults/read",
        "Microsoft.DataProtection/backupVaults/operationStatus/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/backupVaults/read",
        "Microsoft.DataProtection/locations/operationStatus/read",
        "Microsoft.DataProtection/locations/operationResults/read",
        "Microsoft.DataProtection/backupVaults/validateForBackup/action",
        "Microsoft.DataProtection/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Backup Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
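The three Backup roles above are easiest to compare by evaluating them the way Azure does: an operation is permitted if it matches at least one entry in Actions and no entry in NotActions, where `*` is the only wildcard (it also spans `/`) and matching is case-insensitive (the definitions above mix `Vaults` and `vaults`). The following is an added example, not code from this page or from Microsoft; it models that evaluation over small subsets of the Backup Reader, Backup Operator and Backup Contributor action lists copied from above. It flags the non-read entries in Backup Reader, shows that Backup Operator can neither delete a protected item nor write a vault while Backup Contributor can through its wildcards, and shows a NotActions carve-out on a hypothetical custom role. The operation name `.../protectedItems/delete` does not appear on this page and the custom role does not exist; both are assumptions for the illustration.

```python
import re
from dataclasses import dataclass, field


def _pattern(action: str) -> re.Pattern:
    """Compile an Azure action string into a regex.

    '*' is the only wildcard and it also spans '/', so
    'Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*'
    covers every nested protectedItems and recoveryPoints operation.
    Matching is case-insensitive.
    """
    parts = [re.escape(p) for p in action.split("*")]
    return re.compile(".*".join(parts) + r"\Z", re.IGNORECASE)


@dataclass
class RoleDefinition:
    role_name: str
    actions: list
    not_actions: list = field(default_factory=list)

    def allows(self, operation: str) -> bool:
        """Effective control-plane permission: Actions minus NotActions.

        NotActions only narrows this role; it is not a deny that other
        role assignments on the same principal would have to respect.
        """
        granted = any(_pattern(a).match(operation) for a in self.actions)
        excluded = any(_pattern(n).match(operation) for n in self.not_actions)
        return granted and not excluded


def non_read_actions(actions):
    """Entries whose final segment is not 'read'.

    That catches write, delete and <verb>/action, and a trailing '*',
    which expands to every verb under that path.
    """
    return sorted({a for a in actions if a.rsplit("/", 1)[-1].lower() != "read"})


# Subsets of the action lists on this page, not the full roles.
BACKUP_READER = RoleDefinition("Backup Reader", [
    "Microsoft.Authorization/*/read",
    "Microsoft.RecoveryServices/Vaults/read",
    "Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
    "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
    "Microsoft.DataProtection/backupVaults/backupInstances/write",
    "Microsoft.DataProtection/backupVaults/backupInstances/read",
    "Microsoft.DataProtection/backupVaults/backupInstances/backup/action",
    "Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
    "Microsoft.DataProtection/backupVaults/backupPolicies/read",
])

BACKUP_OPERATOR = RoleDefinition("Backup Operator", [
    "Microsoft.RecoveryServices/Vaults/read",
    "Microsoft.RecoveryServices/Vaults/backupPolicies/read",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action",
])

BACKUP_CONTRIBUTOR = RoleDefinition("Backup Contributor", [
    "Microsoft.RecoveryServices/Vaults/read",
    "Microsoft.RecoveryServices/Vaults/write",
    "Microsoft.RecoveryServices/Vaults/backupPolicies/*",
    "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",
])

# Hypothetical custom role (assumption, not a built-in role): Backup
# Contributor's actions with vault creation carved out through NotActions.
CONTRIBUTOR_NO_VAULT_WRITE = RoleDefinition(
    "Custom: Backup Contributor minus vault write",
    BACKUP_CONTRIBUTOR.actions,
    not_actions=["Microsoft.RecoveryServices/Vaults/write"],
)

# Operation names used by the checks; the delete operation is assumed here
# and is not listed on this page.
DELETE_PROTECTED_ITEM = "Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/delete"
CREATE_VAULT = "Microsoft.RecoveryServices/Vaults/write"


def summary():
    """Findings a reviewer would want, keyed so they can be asserted on."""
    return {
        "reader_non_read": non_read_actions(BACKUP_READER.actions),
        "operator_can_delete_item": BACKUP_OPERATOR.allows(DELETE_PROTECTED_ITEM),
        "contributor_can_delete_item": BACKUP_CONTRIBUTOR.allows(DELETE_PROTECTED_ITEM),
        "operator_can_create_vault": BACKUP_OPERATOR.allows(CREATE_VAULT),
        "contributor_can_create_vault": BACKUP_CONTRIBUTOR.allows(CREATE_VAULT),
        "custom_can_create_vault": CONTRIBUTOR_NO_VAULT_WRITE.allows(CREATE_VAULT),
        "case_insensitive": BACKUP_CONTRIBUTOR.allows("microsoft.recoveryservices/VAULTS/write"),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The same `RoleDefinition.allows` check, fed the full `actions` array from any of the JSON blocks on this page, answers "can this role perform operation X" without a live subscription, which is the question to ask before assigning a role whose one-line description says less than its action list does.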

Classic Storage Account Contributor

Lets you manage classic storage accounts, but not access to them.

"Not access to them" means the role carries no data-plane actions. It does, however, include the wildcard Microsoft.ClassicStorage/storageAccounts/*, which also matches Microsoft.ClassicStorage/storageAccounts/listkeys/action (the action listed under the Classic Storage Account Key Operator Service Role below), so a holder can retrieve the account keys and, through them, read and write the data. Do not treat this role as data-isolated.

| Action | Description |
|---|---|
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |

NotActions: none
DataActions: none
NotDataActions: none

```json
{
  "description": "Lets you manage classic storage accounts, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
  "name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Classic Storage Account Key Operator Service Role

Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.ClassicStorage/storageAccounts/listkeys/action` | Lists the access keys for the storage accounts. |
| `Microsoft.ClassicStorage/storageAccounts/regeneratekey/action` | Regenerates the existing access keys for the storage account. |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
  "name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ClassicStorage/storageAccounts/listkeys/action",
        "Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Classic Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Data Box Contributor

Lets you manage everything under Data Box Service except giving access to others.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.ResourceHealth/availabilityStatuses/read` | Gets the availability statuses for all resources in the specified scope |
| `Microsoft.Resources/deployments/*` | Create and manage a deployment |
| `Microsoft.Resources/subscriptions/resourceGroups/read` | Gets or lists resource groups. |
| `Microsoft.Support/*` | Create and update a support ticket |
| `Microsoft.Databox/*` | |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Lets you manage everything under Data Box Service except giving access to others.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
  "name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Databox/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Data Box Reader

Lets you manage Data Box Service except for creating orders, editing order details, and giving access to others.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Databox/jobs/listcredentials/action` | Lists the unencrypted credentials related to the order. |
| `Microsoft.Databox/locations/availableSkus/action` | This method returns the list of available SKUs. |
| `Microsoft.Databox/locations/validateInputs/action` | This method does all types of validations. |
| `Microsoft.Databox/locations/regionConfiguration/action` | This method returns the configurations for the region. |
| `Microsoft.Databox/locations/validateAddress/action` | Validates the shipping address and provides alternate addresses if any. |
| `Microsoft.ResourceHealth/availabilityStatuses/read` | Gets the availability statuses for all resources in the specified scope |
| `Microsoft.Support/*` | Create and update a support ticket |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Lets you manage Data Box Service except creating order or editing order details and giving access to others.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Databox/*/read",
        "Microsoft.Databox/jobs/listsecrets/action",
        "Microsoft.Databox/jobs/listcredentials/action",
        "Microsoft.Databox/locations/availableSkus/action",
        "Microsoft.Databox/locations/validateInputs/action",
        "Microsoft.Databox/locations/regionConfiguration/action",
        "Microsoft.Databox/locations/validateAddress/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Box Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Data Lake Analytics Developer

Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.ResourceHealth/availabilityStatuses/read` | Gets the availability statuses for all resources in the specified scope |
| `Microsoft.Resources/deployments/*` | Create and manage a deployment |
| `Microsoft.Resources/subscriptions/resourceGroups/read` | Gets or lists resource groups. |
| `Microsoft.Support/*` | Create and update a support ticket |

NotActions

| Action | Description |
| --- | --- |
| `Microsoft.BigAnalytics/accounts/Delete` | |
| `Microsoft.BigAnalytics/accounts/TakeOwnership/action` | |
| `Microsoft.BigAnalytics/accounts/Write` | |
| `Microsoft.DataLakeAnalytics/accounts/Delete` | Delete a DataLakeAnalytics account. |
| `Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action` | Grant permissions to cancel jobs submitted by other users. |
| `Microsoft.DataLakeAnalytics/accounts/Write` | Create or update a DataLakeAnalytics account. |
| `Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write` | Create or update a linked DataLakeStore account of a DataLakeAnalytics account. |
| `Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete` | Unlink a DataLakeStore account from a DataLakeAnalytics account. |
| `Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write` | Create or update a linked Storage account of a DataLakeAnalytics account. |
| `Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete` | Unlink a Storage account from a DataLakeAnalytics account. |
| `Microsoft.DataLakeAnalytics/accounts/firewallRules/Write` | Create or update a firewall rule. |
| `Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete` | Delete a firewall rule. |
| `Microsoft.DataLakeAnalytics/accounts/computePolicies/Write` | Create or update a compute policy. |
| `Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete` | Delete a compute policy. |

DataActions

none

NotDataActions

none

```json
{
  "description": "Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
  "name": "47b7735b-770e-4598-a7da-8b91488b4c88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BigAnalytics/accounts/*",
        "Microsoft.DataLakeAnalytics/accounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.BigAnalytics/accounts/Delete",
        "Microsoft.BigAnalytics/accounts/TakeOwnership/action",
        "Microsoft.BigAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
        "Microsoft.DataLakeAnalytics/accounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
        "Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
        "Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
        "Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Lake Analytics Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Elastic SAN Owner

Allows for full access to all resources under Azure Elastic SAN, including changing network security policies to unblock data path access.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.ResourceHealth/availabilityStatuses/read` | Gets the availability statuses for all resources in the specified scope |
| `Microsoft.Resources/deployments/*` | Create and manage a deployment |
| `Microsoft.Resources/subscriptions/resourceGroups/read` | Gets or lists resource groups. |
| `Microsoft.ElasticSan/elasticSans/*` | |
| `Microsoft.ElasticSan/locations/*` | |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-405d-95bd-188a1b4ac406",
  "name": "80dcbedb-47ef-405d-95bd-188a1b4ac406",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ElasticSan/elasticSans/*",
        "Microsoft.ElasticSan/locations/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Elastic SAN Reader

Allows for control path read access to Azure Elastic SAN.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.ResourceHealth/availabilityStatuses/read` | Gets the availability statuses for all resources in the specified scope |
| `Microsoft.Resources/subscriptions/resourceGroups/read` | Gets or lists resource groups. |
| `Microsoft.ElasticSan/elasticSans/*/read` | |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Allows for control path read access to Azure Elastic SAN",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
  "name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ElasticSan/elasticSans/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Elastic SAN Volume Group Owner

Allows for full access to a volume group in Azure Elastic SAN, including changing network security policies to unblock data path access.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.ElasticSan/locations/asyncoperations/read` | Polls the status of an asynchronous operation. |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-4f34-8d98-ae12be9f0d23",
  "name": "a8281131-f312-4f34-8d98-ae12be9f0d23",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read",
        "Microsoft.ElasticSan/elasticSans/volumeGroups/*",
        "Microsoft.ElasticSan/locations/asyncoperations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Elastic SAN Volume Group Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Reader and Data Access

Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/listKeys/action` | Returns the access keys for the specified storage account. |
| `Microsoft.Storage/storageAccounts/ListAccountSas/action` | Returns the Account SAS token for the specified storage account. |
| `Microsoft.Storage/storageAccounts/read` | Returns the list of storage accounts or gets the properties for the specified storage account. |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349",
  "name": "c12c1c16-33a1-487b-954d-41c89c60f349",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reader and Data Access",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Account Backup Contributor

Lets you perform backup and restore operations using Azure Backup on the storage account.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Features/providers/features/read` | Gets the feature of a subscription in a given resource provider. |
| `Microsoft.Resources/subscriptions/resourceGroups/read` | Gets or lists resource groups. |
| `Microsoft.Storage/operations/read` | Polls the status of an asynchronous operation. |
| `Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete` | Delete object replication policy |
| `Microsoft.Storage/storageAccounts/objectReplicationPolicies/read` | List object replication policies |
| `Microsoft.Storage/storageAccounts/objectReplicationPolicies/write` | Create or update object replication policy |
| `Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write` | Create object replication restore point marker |
| `Microsoft.Storage/storageAccounts/blobServices/containers/read` | Returns list of containers |
| `Microsoft.Storage/storageAccounts/blobServices/containers/write` | Returns the result of put blob container |
| `Microsoft.Storage/storageAccounts/blobServices/read` | Returns blob service properties or statistics |
| `Microsoft.Storage/storageAccounts/blobServices/write` | Returns the result of put blob service properties |
| `Microsoft.Storage/storageAccounts/read` | Returns the list of storage accounts or gets the properties for the specified storage account. |
| `Microsoft.Storage/storageAccounts/restoreBlobRanges/action` | Restore blob ranges to the state of the specified time |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Lets you perform backup and restore operations using Azure Backup on the storage account.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
  "name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/locks/read",
        "Microsoft.Authorization/locks/write",
        "Microsoft.Authorization/locks/delete",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/operations/read",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
        "Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/read",
        "Microsoft.Storage/storageAccounts/blobServices/write",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Backup Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Account Contributor

Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Insights/diagnosticSettings/*` | Creates, updates, or reads the diagnostic setting for Analysis Server |
| `Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action` | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| `Microsoft.ResourceHealth/availabilityStatuses/read` | Gets the availability statuses for all resources in the specified scope |
| `Microsoft.Resources/deployments/*` | Create and manage a deployment |
| `Microsoft.Resources/subscriptions/resourceGroups/read` | Gets or lists resource groups. |
| `Microsoft.Storage/storageAccounts/*` | Create and manage storage accounts |
| `Microsoft.Support/*` | Create and update a support ticket |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Account Key Operator Service Role

Permits listing and regenerating storage account access keys.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/listkeys/action` | Returns the access keys for the specified storage account. |
| `Microsoft.Storage/storageAccounts/regeneratekey/action` | Regenerates the access keys for the specified storage account. |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12",
  "name": "81a9662b-bebf-436f-a333-f67b29880f12",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/regeneratekey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Account Key Operator Service Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Blob Data Contributor

Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/blobServices/containers/read` | Return a container or a list of containers. |
| `Microsoft.Storage/storageAccounts/blobServices/containers/write` | Modify a container's metadata or properties. |
| `Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action` | Returns a user delegation key for the Blob service. |

NotActions

none

DataActions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` | Delete a blob. |
| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` | Return a blob or a list of blobs. |
| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` | Write to a blob. |
| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action` | Moves the blob from one path to another |
| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action` | Returns the result of adding blob content |

NotDataActions

none

```json
{
  "description": "Allows for read, write and delete access to Azure Storage blob containers and data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Blob Data Owner

Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/blobServices/containers/*` | Full permissions on containers. |
| `Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action` | Returns a user delegation key for the Blob service. |

NotActions

none

DataActions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*` | Full permissions on blobs. |

NotDataActions

none

```json
{
  "description": "Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
  "name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/*",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Blob Data Reader

Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/blobServices/containers/read` | Return a container or a list of containers. |
| `Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action` | Returns a user delegation key for the Blob service. |

NotActions

none

DataActions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` | Return a blob or a list of blobs. |

NotDataActions

none

```json
{
  "description": "Allows for read access to Azure Storage blob containers and data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Blob Delegator

Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action` | Returns a user delegation key for the Blob service. |

NotActions

none

DataActions

none

NotDataActions

none

```json
{
  "description": "Allows for generation of a user delegation key which can be used to sign SAS tokens",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
  "name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Blob Delegator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage File Data SMB Share Contributor

Allows for read, write, and delete access on files/directories in Azure file shares. This role has no built-in equivalent on Windows file servers.

Actions

none

NotActions

none

DataActions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read` | Returns a file/folder or a list of files/folders. |
| `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write` | Returns the result of writing a file or creating a folder. |
| `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete` | Returns the result of deleting a file/folder. |

NotDataActions

none

```json
{
  "description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage File Data SMB Share Elevated Contributor

Allows for read, write, and delete access on files/directories in Azure file shares, and for modifying their ACLs. This role is equivalent to a file share ACL of Change on Windows file servers.

Actions

none

NotActions

none

DataActions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read` | Returns a file/folder or a list of files/folders. |
| `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write` | Returns the result of writing a file or creating a folder. |
| `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete` | Returns the result of deleting a file/folder. |
| `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action` | Returns the result of modifying permission on a file/folder. |

NotDataActions

none

```json
{
  "description": "Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7",
  "name": "a7264617-510b-434b-a828-9731dc254ea7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Elevated Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage File Data SMB Share Reader

Allows for read access on files/directories in Azure file shares. This role is equivalent to a file share ACL of Read on Windows file servers.

Actions

none

NotActions

none

DataActions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read` | Returns a file/folder or a list of files/folders. |

NotDataActions

none

```json
{
  "description": "Allows for read access to Azure File Share over SMB",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314",
  "name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Queue Data Contributor

Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/queueServices/queues/read` | Return a queue or a list of queues. |
| `Microsoft.Storage/storageAccounts/queueServices/queues/write` | Modify queue metadata or properties. |

NotActions

none

DataActions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete` | Delete one or more messages from a queue. |
| `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` | Peek or retrieve one or more messages from a queue. |
| `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` | Add a message to a queue. |
| `Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action` | Returns the result of processing a message |

NotDataActions

none

```json
{
  "description": "Allows for read, write, and delete access to Azure Storage queues and queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88",
  "name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Queue Data Message Processor

Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions

none

NotActions

none

DataActions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action` | Retrieve and delete a message. |

NotDataActions

none

```json
{
  "description": "Allows for peek, receive, and delete access to Azure Storage queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed",
  "name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Message Processor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Queue Data Message Sender

Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions

none

NotActions

none

DataActions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` | Add a message to a queue. |

NotDataActions

none

```json
{
  "description": "Allows for sending of Azure Storage queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
  "name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Message Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Queue Data Reader

Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations.

Actions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/queueServices/queues/read` | Returns a queue or a list of queues. |

NotActions

none

DataActions

| Action | Description |
| --- | --- |
| `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` | Peek or retrieve one or more messages from a queue. |

NotDataActions

none

```json
{
  "description": "Allows for read access to Azure Storage queues and queue messages",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925",
  "name": "19e7f393-937e-4f77-808e-94535e297925",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Queue Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Storage Table Data Contributor

Allows for read, write and delete access to Azure Storage tables and entities

Actions
  Microsoft.Storage/storageAccounts/tableServices/tables/read
  Microsoft.Storage/storageAccounts/tableServices/tables/write
  Microsoft.Storage/storageAccounts/tableServices/tables/delete
NotActions
  none
DataActions
  Microsoft.Storage/storageAccounts/tableServices/tables/entities/read - Query table entities
  Microsoft.Storage/storageAccounts/tableServices/tables/entities/write - Insert, merge, or replace table entities
  Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete - Delete table entities
  Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action - Insert table entities
  Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action - Merge or update table entities
NotDataActions
  none

{
  "description": "Allows for read, write and delete access to Azure Storage tables and entities",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
  "name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/read",
        "Microsoft.Storage/storageAccounts/tableServices/tables/write",
        "Microsoft.Storage/storageAccounts/tableServices/tables/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action",
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Table Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Storage Table Data Reader

Allows for read access to Azure Storage tables and entities

Actions
  Microsoft.Storage/storageAccounts/tableServices/tables/read
NotActions
  none
DataActions
  Microsoft.Storage/storageAccounts/tableServices/tables/entities/read - Query table entities
NotDataActions
  none

{
  "description": "Allows for read access to Azure Storage tables and entities",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6",
  "name": "76199698-9eea-4c19-bc75-cec21354c6b6",
  "permissions": [
    {
      "actions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage Table Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Maps Data Contributor

Grants read, write, and delete access to map-related data from an Azure Maps account.

{
  "description": "Grants access to read, write, and delete access to map related data from an Azure maps account.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
  "name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read",
        "Microsoft.Maps/accounts/*/write",
        "Microsoft.Maps/accounts/*/delete",
        "Microsoft.Maps/accounts/*/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Maps Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Maps Data Reader

Grants read access to map-related data from an Azure Maps account.

{
  "description": "Grants access to read map related data from an Azure maps account.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
  "name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Maps/accounts/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Maps Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Config Server Contributor

Allow read, write and delete access to Azure Spring Cloud Config Server

Actions
  none
NotActions
  none
DataActions
  Microsoft.AppPlatform/Spring/configService/read - Read the configuration content (for example, application.yaml) for a specific Azure Spring Apps service instance
  Microsoft.AppPlatform/Spring/configService/write - Write config server content for a specific Azure Spring Apps service instance
  Microsoft.AppPlatform/Spring/configService/delete - Delete config server content for a specific Azure Spring Apps service instance
NotDataActions
  none

{
  "description": "Allow read, write and delete access to Azure Spring Cloud Config Server",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
  "name": "a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/configService/read",
        "Microsoft.AppPlatform/Spring/configService/write",
        "Microsoft.AppPlatform/Spring/configService/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Config Server Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Config Server Reader

Allow read access to Azure Spring Cloud Config Server

Actions
  none
NotActions
  none
DataActions
  Microsoft.AppPlatform/Spring/configService/read - Read the configuration content (for example, application.yaml) for a specific Azure Spring Apps service instance
NotDataActions
  none

{
  "description": "Allow read access to Azure Spring Cloud Config Server",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7",
  "name": "d04c6db6-4947-4782-9e91-30a88feb7be7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/configService/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Config Server Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Data Reader

Allow read access to Azure Spring Cloud Data

{
  "description": "Allow read access to Azure Spring Cloud Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c",
  "name": "b5537268-8956-4941-a8f0-646150406f0c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Service Registry Contributor

Allow read, write and delete access to Azure Spring Cloud Service Registry

Actions
  none
NotActions
  none
DataActions
  Microsoft.AppPlatform/Spring/eurekaService/read - Read the user app(s) registration information for a specific Azure Spring Apps service instance
  Microsoft.AppPlatform/Spring/eurekaService/write - Write the user app(s) registration information for a specific Azure Spring Apps service instance
  Microsoft.AppPlatform/Spring/eurekaService/delete - Delete the user app registration information for a specific Azure Spring Apps service instance
NotDataActions
  none

{
  "description": "Allow read, write and delete access to Azure Spring Cloud Service Registry",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1",
  "name": "f5880b48-c26d-48be-b172-7927bfa1c8f1",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/eurekaService/read",
        "Microsoft.AppPlatform/Spring/eurekaService/write",
        "Microsoft.AppPlatform/Spring/eurekaService/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Service Registry Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Service Registry Reader

Allow read access to Azure Spring Cloud Service Registry

Actions
  none
NotActions
  none
DataActions
  Microsoft.AppPlatform/Spring/eurekaService/read - Read the user app(s) registration information for a specific Azure Spring Apps service instance
NotDataActions
  none

{
  "description": "Allow read access to Azure Spring Cloud Service Registry",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65",
  "name": "cff1b556-2399-4e7e-856d-a8f754be7b65",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppPlatform/Spring/eurekaService/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Spring Cloud Service Registry Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Account Administrator

Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Insights/metrics/read
  Microsoft.Insights/metricDefinitions/read
  Microsoft.Resources/deployments/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
  Microsoft.Media/mediaservices/*/read
  Microsoft.Media/mediaservices/assets/listStreamingLocators/action - List Streaming Locators for Asset
  Microsoft.Media/mediaservices/streamingLocators/listPaths/action - List Paths
  Microsoft.Media/mediaservices/write - Create or Update any Media Services Account
  Microsoft.Media/mediaservices/delete - Delete any Media Services Account
  Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action - Approve Private Endpoint Connections
  Microsoft.Media/mediaservices/privateEndpointConnections/*
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466",
  "name": "054126f8-9a2b-4f1c-a9ad-eca461f08466",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/write",
        "Microsoft.Media/mediaservices/delete",
        "Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action",
        "Microsoft.Media/mediaservices/privateEndpointConnections/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Account Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Live Events Administrator

Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Insights/metrics/read
  Microsoft.Insights/metricDefinitions/read
  Microsoft.Resources/deployments/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
  Microsoft.Media/mediaservices/*/read
  Microsoft.Media/mediaservices/assets/*
  Microsoft.Media/mediaservices/assets/assetfilters/*
  Microsoft.Media/mediaservices/streamingLocators/*
  Microsoft.Media/mediaservices/liveEvents/*
NotActions
  Microsoft.Media/mediaservices/assets/getEncryptionKey/action - Get Asset Encryption Key
  Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action - List Content Keys
DataActions
  none
NotDataActions
  none

{
  "description": "Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77",
  "name": "532bc159-b25e-42c0-969e-a1d439f60d77",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/*",
        "Microsoft.Media/mediaservices/assets/assetfilters/*",
        "Microsoft.Media/mediaservices/streamingLocators/*",
        "Microsoft.Media/mediaservices/liveEvents/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
        "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Live Events Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Media Operator

Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Insights/metrics/read
  Microsoft.Insights/metricDefinitions/read
  Microsoft.Resources/deployments/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
  Microsoft.Media/mediaservices/*/read
  Microsoft.Media/mediaservices/assets/*
  Microsoft.Media/mediaservices/assets/assetfilters/*
  Microsoft.Media/mediaservices/streamingLocators/*
  Microsoft.Media/mediaservices/transforms/jobs/*
NotActions
  Microsoft.Media/mediaservices/assets/getEncryptionKey/action - Get Asset Encryption Key
  Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action - List Content Keys
DataActions
  none
NotDataActions
  none

{
  "description": "Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c",
  "name": "e4395492-1534-4db2-bedf-88c14621589c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/*",
        "Microsoft.Media/mediaservices/assets/assetfilters/*",
        "Microsoft.Media/mediaservices/streamingLocators/*",
        "Microsoft.Media/mediaservices/transforms/jobs/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/assets/getEncryptionKey/action",
        "Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Media Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Policy Administrator

Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Insights/metrics/read
  Microsoft.Insights/metricDefinitions/read
  Microsoft.Resources/deployments/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
  Microsoft.Media/mediaservices/*/read
  Microsoft.Media/mediaservices/assets/listStreamingLocators/action - List Streaming Locators for Asset
  Microsoft.Media/mediaservices/streamingLocators/listPaths/action - List Paths
  Microsoft.Media/mediaservices/accountFilters/*
  Microsoft.Media/mediaservices/streamingPolicies/*
  Microsoft.Media/mediaservices/contentKeyPolicies/*
  Microsoft.Media/mediaservices/transforms/*
NotActions
  Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action - Get Policy Properties With Secrets
DataActions
  none
NotDataActions
  none

{
  "description": "Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae",
  "name": "c4bba371-dacd-4a26-b320-7250bca963ae",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/accountFilters/*",
        "Microsoft.Media/mediaservices/streamingPolicies/*",
        "Microsoft.Media/mediaservices/contentKeyPolicies/*",
        "Microsoft.Media/mediaservices/transforms/*"
      ],
      "notActions": [
        "Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Policy Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Streaming Endpoints Administrator

Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Insights/metrics/read
  Microsoft.Insights/metricDefinitions/read
  Microsoft.Resources/deployments/*
  Microsoft.Resources/subscriptions/resourceGroups/read
  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
  Microsoft.Media/mediaservices/*/read
  Microsoft.Media/mediaservices/assets/listStreamingLocators/action - List Streaming Locators for Asset
  Microsoft.Media/mediaservices/streamingLocators/listPaths/action - List Paths
  Microsoft.Media/mediaservices/streamingEndpoints/*
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804",
  "name": "99dba123-b5fe-44d5-874c-ced7199a5804",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Media/mediaservices/*/read",
        "Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
        "Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
        "Microsoft.Media/mediaservices/streamingEndpoints/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Media Services Streaming Endpoints Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Search Index Data Contributor

Grants full access to Azure Cognitive Search index data.

{
  "description": "Grants full access to Azure Cognitive Search index data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7",
  "name": "8ebe5a00-799e-43f5-93ac-243d3dce84a7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Search/searchServices/indexes/documents/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Search Index Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Search Index Data Reader

Grants read access to Azure Cognitive Search index data.

Actions
  none
NotActions
  none
DataActions
  Microsoft.Search/searchServices/indexes/documents/read - Read documents or suggested query terms from an index.
NotDataActions
  none

{
  "description": "Grants read access to Azure Cognitive Search index data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f",
  "name": "1407120a-92aa-4202-b7e9-c0e197c71c8f",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Search/searchServices/indexes/documents/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Search Index Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Search Service Contributor

Lets you manage Search services, but not access to them.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
  Microsoft.Resources/deployments/* - Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Search/searchServices/* - Create and manage search services
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Lets you manage Search services, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0",
  "name": "7ca78c08-252a-4471-8644-bb5ff32d4ba0",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Search/searchServices/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Search Service Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR AccessKey Reader

Read SignalR Service Access Keys

Actions
  Microsoft.SignalRService/*/read
  Microsoft.SignalRService/SignalR/listkeys/action - View the value of SignalR access keys in the management portal or through API
  Microsoft.Authorization/*/read - Read roles and role assignments
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Read SignalR Service Access Keys",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e",
  "name": "04165923-9d83-45d5-8227-78b77b0a687e",
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*/read",
        "Microsoft.SignalRService/SignalR/listkeys/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR AccessKey Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR App Server

Lets your app server access SignalR Service with AAD auth options.

Actions
  none
NotActions
  none
DataActions
  Microsoft.SignalRService/SignalR/auth/accessKey/action - Generate an AccessKey for signing AccessTokens; the key will expire in 90 minutes by default.
  Microsoft.SignalRService/SignalR/serverConnection/write - Start a server connection.
  Microsoft.SignalRService/SignalR/clientConnection/write - Close client connection.
NotDataActions
  none

{
  "description": "Lets your app server access SignalR Service with AAD auth options.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-430f-98ca-3264be4806c7",
  "name": "420fcaa2-552c-430f-98ca-3264be4806c7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/accessKey/action",
        "Microsoft.SignalRService/SignalR/serverConnection/write",
        "Microsoft.SignalRService/SignalR/clientConnection/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR App Server",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR REST API Owner

Full access to Azure SignalR Service REST APIs

Actions
  none
NotActions
  none
DataActions
  Microsoft.SignalRService/SignalR/auth/clientToken/action - Generate an AccessToken for client to connect to ASRS; the token will expire in 5 minutes by default.
  Microsoft.SignalRService/SignalR/hub/send/action - Broadcast messages to all client connections in hub.
  Microsoft.SignalRService/SignalR/group/send/action - Broadcast message to group.
  Microsoft.SignalRService/SignalR/group/read - Check group existence or user existence in group.
  Microsoft.SignalRService/SignalR/group/write - Join / Leave group.
  Microsoft.SignalRService/SignalR/clientConnection/send/action - Send messages directly to a client connection.
  Microsoft.SignalRService/SignalR/clientConnection/read - Check client connection existence.
  Microsoft.SignalRService/SignalR/clientConnection/write - Close client connection.
  Microsoft.SignalRService/SignalR/user/send/action - Send messages to user, who may consist of multiple client connections.
  Microsoft.SignalRService/SignalR/user/read - Check user existence.
  Microsoft.SignalRService/SignalR/user/write - Modify a user.
NotDataActions
  none

{
  "description": "Full access to Azure SignalR Service REST APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521",
  "name": "fd53cd77-2268-407a-8f46-7e7863d0f521",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/clientToken/action",
        "Microsoft.SignalRService/SignalR/hub/send/action",
        "Microsoft.SignalRService/SignalR/group/send/action",
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/group/write",
        "Microsoft.SignalRService/SignalR/clientConnection/send/action",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/clientConnection/write",
        "Microsoft.SignalRService/SignalR/user/send/action",
        "Microsoft.SignalRService/SignalR/user/read",
        "Microsoft.SignalRService/SignalR/user/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR REST API Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR REST API Reader

Read-only access to Azure SignalR Service REST APIs

Actions
  none
NotActions
  none
DataActions
  Microsoft.SignalRService/SignalR/group/read - Check group existence or user existence in group.
  Microsoft.SignalRService/SignalR/clientConnection/read - Check client connection existence.
  Microsoft.SignalRService/SignalR/user/read - Check user existence.
NotDataActions
  none

{
  "description": "Read-only access to Azure SignalR Service REST APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035",
  "name": "ddde6b66-c0df-4114-a159-3618637b3035",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/user/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR REST API Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR Service Owner

Full access to Azure SignalR Service REST APIs

Actions
  none
NotActions
  none
DataActions
  Microsoft.SignalRService/SignalR/auth/accessKey/action - Generate an AccessKey for signing AccessTokens; the key will expire in 90 minutes by default.
  Microsoft.SignalRService/SignalR/auth/clientToken/action - Generate an AccessToken for client to connect to ASRS; the token will expire in 5 minutes by default.
  Microsoft.SignalRService/SignalR/hub/send/action - Broadcast messages to all client connections in hub.
  Microsoft.SignalRService/SignalR/group/send/action - Broadcast message to group.
  Microsoft.SignalRService/SignalR/group/read - Check group existence or user existence in group.
  Microsoft.SignalRService/SignalR/group/write - Join / Leave group.
  Microsoft.SignalRService/SignalR/clientConnection/send/action - Send messages directly to a client connection.
  Microsoft.SignalRService/SignalR/clientConnection/read - Check client connection existence.
  Microsoft.SignalRService/SignalR/clientConnection/write - Close client connection.
  Microsoft.SignalRService/SignalR/serverConnection/write - Start a server connection.
  Microsoft.SignalRService/SignalR/user/send/action - Send messages to user, who may consist of multiple client connections.
  Microsoft.SignalRService/SignalR/user/read - Check user existence.
  Microsoft.SignalRService/SignalR/user/write - Modify a user.
  Microsoft.SignalRService/SignalR/livetrace/*
NotDataActions
  none

{
  "description": "Full access to Azure SignalR Service REST APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
  "name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.SignalRService/SignalR/auth/accessKey/action",
        "Microsoft.SignalRService/SignalR/auth/clientToken/action",
        "Microsoft.SignalRService/SignalR/hub/send/action",
        "Microsoft.SignalRService/SignalR/group/send/action",
        "Microsoft.SignalRService/SignalR/group/read",
        "Microsoft.SignalRService/SignalR/group/write",
        "Microsoft.SignalRService/SignalR/clientConnection/send/action",
        "Microsoft.SignalRService/SignalR/clientConnection/read",
        "Microsoft.SignalRService/SignalR/clientConnection/write",
        "Microsoft.SignalRService/SignalR/serverConnection/write",
        "Microsoft.SignalRService/SignalR/user/send/action",
        "Microsoft.SignalRService/SignalR/user/read",
        "Microsoft.SignalRService/SignalR/user/write",
        "Microsoft.SignalRService/SignalR/livetrace/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR Service Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SignalR/Web PubSub Contributor

Create, Read, Update, and Delete SignalR service resources

{
  "description": "Create, Read, Update, and Delete SignalR service resources",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
  "name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
  "permissions": [
    {
      "actions": [
        "Microsoft.SignalRService/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SignalR/Web PubSub Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Web Plan Contributor

Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
  Microsoft.Resources/deployments/* - Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Support/* - Create and update a support ticket
  Microsoft.Web/serverFarms/* - Create and manage server farms
  Microsoft.Web/hostingEnvironments/Join/Action - Joins an App Service Environment
  Microsoft.Insights/autoscalesettings/*
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Lets you manage the web plans for websites, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
  "name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/serverFarms/*",
        "Microsoft.Web/hostingEnvironments/Join/Action",
        "Microsoft.Insights/autoscalesettings/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Web Plan Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Website Contributor

Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Insights/alertRules/*
  Microsoft.Insights/components/*
  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
  Microsoft.Resources/deployments/* - Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Support/* - Create and update a support ticket
  Microsoft.Web/certificates/* - Create and manage website certificates
  Microsoft.Web/listSitesAssignedToHostName/read - Get names of sites assigned to hostname.
  Microsoft.Web/serverFarms/join/action - Joins an App Service Plan
  Microsoft.Web/serverFarms/read - Get the properties on an App Service Plan
  Microsoft.Web/sites/* - Create and manage websites (site creation also requires write permissions to the associated App Service Plan)
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Lets you manage websites (not web plans), but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
  "name": "de139f84-1756-47ae-9be6-808fbbe84772",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/certificates/*",
        "Microsoft.Web/listSitesAssignedToHostName/read",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Website Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Containers

AcrDelete

Delete repositories, tags, or manifests from a container registry.

Actions
  Microsoft.ContainerRegistry/registries/artifacts/delete - Delete artifact in a container registry.

NotActions
  none

DataActions
  none

NotDataActions
  none

{
  "description": "acr delete",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/artifacts/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrDelete",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner

Push trusted images to or pull trusted images from a container registry enabled for content trust.

Actions
  Microsoft.ContainerRegistry/registries/sign/write - Push/Pull content trust metadata for a container registry.

NotActions
  none

DataActions
  Microsoft.ContainerRegistry/registries/trustedCollections/write - Allows push or publish of trusted collections of container registry content. This is similar to the Microsoft.ContainerRegistry/registries/sign/write action except that this is a data action.

NotDataActions
  none

{
  "description": "acr image signer",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
  "name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/sign/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/trustedCollections/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrImageSigner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull

Pull artifacts from a container registry.

Actions
  Microsoft.ContainerRegistry/registries/pull/read - Pull or Get images from a container registry.

NotActions
  none

DataActions
  none

NotDataActions
  none

{
  "description": "acr pull",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPull",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush

Push artifacts to or pull artifacts from a container registry.

Actions
  Microsoft.ContainerRegistry/registries/pull/read - Pull or Get images from a container registry.
  Microsoft.ContainerRegistry/registries/push/write - Push or Write images to a container registry.

NotActions
  none

DataActions
  none

NotDataActions
  none

{
  "description": "acr push",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
  "name": "8311e382-0749-4cb8-b61a-304f252e45ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/pull/read",
        "Microsoft.ContainerRegistry/registries/push/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AcrPush",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader

Pull quarantined images from a container registry.

Actions
  Microsoft.ContainerRegistry/registries/quarantine/read - Pull or Get quarantined images from container registry

NotActions
  none

DataActions
  Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read - Allows pull or get of the quarantined artifacts from container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action.

NotDataActions
  none

{
  "description": "acr quarantine data reader",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
  "name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineReader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter

Push quarantined images to or pull quarantined images from a container registry.

Actions
  Microsoft.ContainerRegistry/registries/quarantine/read - Pull or Get quarantined images from container registry
  Microsoft.ContainerRegistry/registries/quarantine/write - Write/Modify quarantine state of quarantined images

NotActions
  none

DataActions
  Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read - Allows pull or get of the quarantined artifacts from container registry. This is similar to Microsoft.ContainerRegistry/registries/quarantine/read except that it is a data action.
  Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write - Allows write or update of the quarantine state of quarantined artifacts. This is similar to the Microsoft.ContainerRegistry/registries/quarantine/write action except that it is a data action.

NotDataActions
  none

{
  "description": "acr quarantine data writer",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerRegistry/registries/quarantine/read",
        "Microsoft.ContainerRegistry/registries/quarantine/write"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
        "Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "AcrQuarantineWriter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Admin

This role grants admin access: it provides write permissions on most objects within a namespace, with the exception of the ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.ContainerService/fleets/read - Get fleet
  Microsoft.ContainerService/fleets/listCredentials/action - List fleet credentials

NotActions
  none

DataActions
  Microsoft.ContainerService/fleets/apps/controllerrevisions/read - Reads controllerrevisions
  Microsoft.ContainerService/fleets/apps/daemonsets/*
  Microsoft.ContainerService/fleets/apps/deployments/*
  Microsoft.ContainerService/fleets/apps/statefulsets/*
  Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write - Writes localsubjectaccessreviews
  Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
  Microsoft.ContainerService/fleets/batch/cronjobs/*
  Microsoft.ContainerService/fleets/batch/jobs/*
  Microsoft.ContainerService/fleets/configmaps/*
  Microsoft.ContainerService/fleets/endpoints/*
  Microsoft.ContainerService/fleets/events.k8s.io/events/read - Reads events
  Microsoft.ContainerService/fleets/events/read - Reads events
  Microsoft.ContainerService/fleets/extensions/daemonsets/*
  Microsoft.ContainerService/fleets/extensions/deployments/*
  Microsoft.ContainerService/fleets/extensions/ingresses/*
  Microsoft.ContainerService/fleets/extensions/networkpolicies/*
  Microsoft.ContainerService/fleets/limitranges/read - Reads limitranges
  Microsoft.ContainerService/fleets/namespaces/read - Reads namespaces
  Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
  Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
  Microsoft.ContainerService/fleets/persistentvolumeclaims/*
  Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
  Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*
  Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*
  Microsoft.ContainerService/fleets/replicationcontrollers/*
  Microsoft.ContainerService/fleets/replicationcontrollers/*
  Microsoft.ContainerService/fleets/resourcequotas/read - Reads resourcequotas
  Microsoft.ContainerService/fleets/secrets/*
  Microsoft.ContainerService/fleets/serviceaccounts/*
  Microsoft.ContainerService/fleets/services/*

NotDataActions
  none

{
  "description": "This role grants admin access - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Cluster Admin

Lets you manage all resources in the fleet manager cluster.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.ContainerService/fleets/read - Get fleet
  Microsoft.ContainerService/fleets/listCredentials/action - List fleet credentials

NotActions
  none

DataActions
  Microsoft.ContainerService/fleets/*

NotDataActions
  none

{
  "description": "Lets you manage all resources in the fleet manager cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Reader

Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.ContainerService/fleets/read - Get fleet
  Microsoft.ContainerService/fleets/listCredentials/action - List fleet credentials

NotActions
  none

DataActions
  Microsoft.ContainerService/fleets/apps/controllerrevisions/read - Reads controllerrevisions
  Microsoft.ContainerService/fleets/apps/daemonsets/read - Reads daemonsets
  Microsoft.ContainerService/fleets/apps/deployments/read - Reads deployments
  Microsoft.ContainerService/fleets/apps/statefulsets/read - Reads statefulsets
  Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read - Reads horizontalpodautoscalers
  Microsoft.ContainerService/fleets/batch/cronjobs/read - Reads cronjobs
  Microsoft.ContainerService/fleets/batch/jobs/read - Reads jobs
  Microsoft.ContainerService/fleets/configmaps/read - Reads configmaps
  Microsoft.ContainerService/fleets/endpoints/read - Reads endpoints
  Microsoft.ContainerService/fleets/events.k8s.io/events/read - Reads events
  Microsoft.ContainerService/fleets/events/read - Reads events
  Microsoft.ContainerService/fleets/extensions/daemonsets/read - Reads daemonsets
  Microsoft.ContainerService/fleets/extensions/deployments/read - Reads deployments
  Microsoft.ContainerService/fleets/extensions/ingresses/read - Reads ingresses
  Microsoft.ContainerService/fleets/extensions/networkpolicies/read - Reads networkpolicies
  Microsoft.ContainerService/fleets/limitranges/read - Reads limitranges
  Microsoft.ContainerService/fleets/namespaces/read - Reads namespaces
  Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read - Reads ingresses
  Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read - Reads networkpolicies
  Microsoft.ContainerService/fleets/persistentvolumeclaims/read - Reads persistentvolumeclaims
  Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read - Reads poddisruptionbudgets
  Microsoft.ContainerService/fleets/replicationcontrollers/read - Reads replicationcontrollers
  Microsoft.ContainerService/fleets/replicationcontrollers/read - Reads replicationcontrollers
  Microsoft.ContainerService/fleets/resourcequotas/read - Reads resourcequotas
  Microsoft.ContainerService/fleets/serviceaccounts/read - Reads serviceaccounts
  Microsoft.ContainerService/fleets/services/read - Reads services

NotDataActions
  none

{
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-438e-b0ce-70e35255df80",
  "name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/read",
        "Microsoft.ContainerService/fleets/apps/deployments/read",
        "Microsoft.ContainerService/fleets/apps/statefulsets/read",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/fleets/batch/cronjobs/read",
        "Microsoft.ContainerService/fleets/batch/jobs/read",
        "Microsoft.ContainerService/fleets/configmaps/read",
        "Microsoft.ContainerService/fleets/endpoints/read",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/read",
        "Microsoft.ContainerService/fleets/extensions/deployments/read",
        "Microsoft.ContainerService/fleets/extensions/ingresses/read",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/read",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/replicationcontrollers/read",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/serviceaccounts/read",
        "Microsoft.ContainerService/fleets/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Writer

Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.ContainerService/fleets/read - Get fleet
  Microsoft.ContainerService/fleets/listCredentials/action - List fleet credentials

NotActions
  none

DataActions
  Microsoft.ContainerService/fleets/apps/controllerrevisions/read - Reads controllerrevisions
  Microsoft.ContainerService/fleets/apps/daemonsets/*
  Microsoft.ContainerService/fleets/apps/deployments/*
  Microsoft.ContainerService/fleets/apps/statefulsets/*
  Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
  Microsoft.ContainerService/fleets/batch/cronjobs/*
  Microsoft.ContainerService/fleets/batch/jobs/*
  Microsoft.ContainerService/fleets/configmaps/*
  Microsoft.ContainerService/fleets/endpoints/*
  Microsoft.ContainerService/fleets/events.k8s.io/events/read - Reads events
  Microsoft.ContainerService/fleets/events/read - Reads events
  Microsoft.ContainerService/fleets/extensions/daemonsets/*
  Microsoft.ContainerService/fleets/extensions/deployments/*
  Microsoft.ContainerService/fleets/extensions/ingresses/*
  Microsoft.ContainerService/fleets/extensions/networkpolicies/*
  Microsoft.ContainerService/fleets/limitranges/read - Reads limitranges
  Microsoft.ContainerService/fleets/namespaces/read - Reads namespaces
  Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
  Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
  Microsoft.ContainerService/fleets/persistentvolumeclaims/*
  Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
  Microsoft.ContainerService/fleets/replicationcontrollers/*
  Microsoft.ContainerService/fleets/replicationcontrollers/*
  Microsoft.ContainerService/fleets/resourcequotas/read - Reads resourcequotas
  Microsoft.ContainerService/fleets/secrets/*
  Microsoft.ContainerService/fleets/serviceaccounts/*
  Microsoft.ContainerService/fleets/services/*

NotDataActions
  none

{
  "description": "Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/fleets/read",
        "Microsoft.ContainerService/fleets/listCredentials/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
        "Microsoft.ContainerService/fleets/apps/daemonsets/*",
        "Microsoft.ContainerService/fleets/apps/deployments/*",
        "Microsoft.ContainerService/fleets/apps/statefulsets/*",
        "Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/fleets/batch/cronjobs/*",
        "Microsoft.ContainerService/fleets/batch/jobs/*",
        "Microsoft.ContainerService/fleets/configmaps/*",
        "Microsoft.ContainerService/fleets/endpoints/*",
        "Microsoft.ContainerService/fleets/events.k8s.io/events/read",
        "Microsoft.ContainerService/fleets/events/read",
        "Microsoft.ContainerService/fleets/extensions/daemonsets/*",
        "Microsoft.ContainerService/fleets/extensions/deployments/*",
        "Microsoft.ContainerService/fleets/extensions/ingresses/*",
        "Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
        "Microsoft.ContainerService/fleets/limitranges/read",
        "Microsoft.ContainerService/fleets/namespaces/read",
        "Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
        "Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/replicationcontrollers/*",
        "Microsoft.ContainerService/fleets/resourcequotas/read",
        "Microsoft.ContainerService/fleets/secrets/*",
        "Microsoft.ContainerService/fleets/serviceaccounts/*",
        "Microsoft.ContainerService/fleets/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster Admin Role

List cluster admin credential action.

Actions
  Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action - List the clusterAdmin credential of a managed cluster
  Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action - Get a managed cluster access profile by role name using list credential
  Microsoft.ContainerService/managedClusters/read - Get a managed cluster
  Microsoft.ContainerService/managedClusters/runcommand/action - Run user issued command against managed kubernetes server.

NotActions
  none

DataActions
  none

NotDataActions
  none

{
  "description": "List cluster admin credential action.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/runcommand/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster Admin Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster User Role

List cluster user credential action.

Actions
  Microsoft.ContainerService/managedClusters/listClusterUserCredential/action - List the clusterUser credential of a managed cluster
  Microsoft.ContainerService/managedClusters/read - Get a managed cluster

NotActions
  none

DataActions
  none

NotDataActions
  none

{
  "description": "List cluster user credential action.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
        "Microsoft.ContainerService/managedClusters/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Contributor Role

Grants access to read and write Azure Kubernetes Service clusters.

Actions
  Microsoft.ContainerService/managedClusters/read
  Microsoft.ContainerService/managedClusters/write - Creates a new managed cluster or updates an existing one
  Microsoft.Resources/deployments/* - Create and manage a deployment

NotActions
  none

DataActions
  none

NotDataActions
  none

{
  "description": "Grants access to read and write Azure Kubernetes Service clusters",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
  "permissions": [
    {
      "actions": [
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/write",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Admin

Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.ContainerService/managedClusters/listClusterUserCredential/action - List the clusterUser credential of a managed cluster

NotActions
  none

DataActions
  Microsoft.ContainerService/managedClusters/*

NotDataActions
  Microsoft.ContainerService/managedClusters/resourcequotas/write - Writes resourcequotas
  Microsoft.ContainerService/managedClusters/resourcequotas/delete - Deletes resourcequotas
  Microsoft.ContainerService/managedClusters/namespaces/write - Writes namespaces
  Microsoft.ContainerService/managedClusters/namespaces/delete - Deletes namespaces

{
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7",
  "name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": [
        "Microsoft.ContainerService/managedClusters/resourcequotas/write",
        "Microsoft.ContainerService/managedClusters/resourcequotas/delete",
        "Microsoft.ContainerService/managedClusters/namespaces/write",
        "Microsoft.ContainerService/managedClusters/namespaces/delete"
      ]
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Cluster Admin

Lets you manage all resources in the cluster.

Actions
  Microsoft.Authorization/*/read
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.ContainerService/managedClusters/listClusterUserCredential/action - List the clusterUser credential of a managed cluster

NotActions
  none

DataActions
  Microsoft.ContainerService/managedClusters/*

NotDataActions
  none

{
  "description": "Lets you manage all resources in the cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Reader

Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.

Actions
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results.
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.

NotActions
none

DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/read | Reads daemonsets
Microsoft.ContainerService/managedClusters/apps/deployments/read | Reads deployments
Microsoft.ContainerService/managedClusters/apps/replicasets/read | Reads replicasets
Microsoft.ContainerService/managedClusters/apps/statefulsets/read | Reads statefulsets
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read | Reads horizontalpodautoscalers
Microsoft.ContainerService/managedClusters/batch/cronjobs/read | Reads cronjobs
Microsoft.ContainerService/managedClusters/batch/jobs/read | Reads jobs
Microsoft.ContainerService/managedClusters/configmaps/read | Reads configmaps
Microsoft.ContainerService/managedClusters/endpoints/read | Reads endpoints
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events
Microsoft.ContainerService/managedClusters/events/read | Reads events
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read | Reads daemonsets
Microsoft.ContainerService/managedClusters/extensions/deployments/read | Reads deployments
Microsoft.ContainerService/managedClusters/extensions/ingresses/read | Reads ingresses
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read | Reads networkpolicies
Microsoft.ContainerService/managedClusters/extensions/replicasets/read | Reads replicasets
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read | Reads ingresses
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read | Reads networkpolicies
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read | Reads persistentvolumeclaims
Microsoft.ContainerService/managedClusters/pods/read | Reads pods
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read | Reads poddisruptionbudgets
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers
Microsoft.ContainerService/managedClusters/replicationcontrollers/read | Reads replicationcontrollers
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas
Microsoft.ContainerService/managedClusters/serviceaccounts/read | Reads serviceaccounts
Microsoft.ContainerService/managedClusters/services/read | Reads services

NotDataActions
none

{
  "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/apps/deployments/read",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
        "Microsoft.ContainerService/managedClusters/batch/jobs/read",
        "Microsoft.ContainerService/managedClusters/configmaps/read",
        "Microsoft.ContainerService/managedClusters/endpoints/read",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
        "Microsoft.ContainerService/managedClusters/pods/read",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
        "Microsoft.ContainerService/managedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Writer

Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.

Actions
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results.
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.

NotActions
none

DataActions
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read | Reads controllerrevisions
Microsoft.ContainerService/managedClusters/apps/daemonsets/*
Microsoft.ContainerService/managedClusters/apps/deployments/*
Microsoft.ContainerService/managedClusters/apps/replicasets/*
Microsoft.ContainerService/managedClusters/apps/statefulsets/*
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/managedClusters/batch/cronjobs/*
Microsoft.ContainerService/managedClusters/batch/jobs/*
Microsoft.ContainerService/managedClusters/configmaps/*
Microsoft.ContainerService/managedClusters/endpoints/*
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read | Reads events
Microsoft.ContainerService/managedClusters/events/read | Reads events
Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
Microsoft.ContainerService/managedClusters/extensions/deployments/*
Microsoft.ContainerService/managedClusters/extensions/ingresses/*
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
Microsoft.ContainerService/managedClusters/extensions/replicasets/*
Microsoft.ContainerService/managedClusters/limitranges/read | Reads limitranges
Microsoft.ContainerService/managedClusters/namespaces/read | Reads namespaces
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
Microsoft.ContainerService/managedClusters/pods/*
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/resourcequotas/read | Reads resourcequotas
Microsoft.ContainerService/managedClusters/secrets/*
Microsoft.ContainerService/managedClusters/serviceaccounts/*
Microsoft.ContainerService/managedClusters/services/*

NotDataActions
none

{
  "description": "Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
        "Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/apps/deployments/*",
        "Microsoft.ContainerService/managedClusters/apps/replicasets/*",
        "Microsoft.ContainerService/managedClusters/apps/statefulsets/*",
        "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.ContainerService/managedClusters/batch/cronjobs/*",
        "Microsoft.ContainerService/managedClusters/batch/jobs/*",
        "Microsoft.ContainerService/managedClusters/configmaps/*",
        "Microsoft.ContainerService/managedClusters/endpoints/*",
        "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
        "Microsoft.ContainerService/managedClusters/events/read",
        "Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",
        "Microsoft.ContainerService/managedClusters/extensions/deployments/*",
        "Microsoft.ContainerService/managedClusters/extensions/ingresses/*",
        "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
        "Microsoft.ContainerService/managedClusters/limitranges/read",
        "Microsoft.ContainerService/managedClusters/namespaces/read",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
        "Microsoft.ContainerService/managedClusters/pods/*",
        "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
        "Microsoft.ContainerService/managedClusters/resourcequotas/read",
        "Microsoft.ContainerService/managedClusters/secrets/*",
        "Microsoft.ContainerService/managedClusters/serviceaccounts/*",
        "Microsoft.ContainerService/managedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Databases

Azure Connected SQL Server Onboarding

Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers.

{
  "description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508",
  "name": "e8113dce-c529-4d33-91fa-e9b972617508",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureArcData/sqlServerInstances/read",
        "Microsoft.AzureArcData/sqlServerInstances/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected SQL Server Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cosmos DB Account Reader Role

Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts.

Actions
Microsoft.DocumentDB/databaseAccounts/readonlykeys/action | Reads the database account readonly keys.
Microsoft.Insights/MetricDefinitions/read | Read metric definitions
Microsoft.Insights/Metrics/read | Read metrics
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket

NotActions
none

DataActions
none

NotDataActions
none

{
  "description": "Can read Azure Cosmos DB Accounts data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDB/*/read",
        "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
        "Microsoft.Insights/MetricDefinitions/read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Account Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cosmos DB Operator

Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.

Actions
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable.

NotActions
Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*
Microsoft.DocumentDB/databaseAccounts/regenerateKey/*
Microsoft.DocumentDB/databaseAccounts/listKeys/*
Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write | Create or update a SQL Role Definition
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete | Delete a SQL Role Definition
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write | Create or update a SQL Role Assignment
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete | Delete a SQL Role Assignment
Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write | Create or update a Mongo Role Definition
Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete | Delete a MongoDB Role Definition
Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write | Create or update a MongoDB User Definition
Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete | Delete a MongoDB User Definition

DataActions
none

NotDataActions
none

{
  "description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
  "name": "230815da-be43-4aae-9cb4-875f7bd000aa",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
      ],
      "notActions": [
        "Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
        "Microsoft.DocumentDB/databaseAccounts/listKeys/*",
        "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
        "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete",
        "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write",
        "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete",
        "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write",
        "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cosmos DB Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CosmosBackupOperator

Can submit a restore request for a Cosmos DB database or a container for an account.

{
  "description": "Can submit restore request for a Cosmos DB database or a container for an account",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
  "name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDB/databaseAccounts/backup/action",
        "Microsoft.DocumentDB/databaseAccounts/restore/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CosmosBackupOperator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

CosmosRestoreOperator

Can perform a restore action for a Cosmos DB database account with continuous backup mode.

Actions
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action | Submit a restore request
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read | Read a restorable database account or List all the restorable database accounts

NotActions
none

DataActions
none

NotDataActions
none

{
  "description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
  "name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
  "permissions": [
    {
      "actions": [
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
        "Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "CosmosRestoreOperator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DocumentDB Account Contributor

Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB.

Actions
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable.

NotActions
none

DataActions
none

NotDataActions
none

{
  "description": "Lets you manage DocumentDB accounts, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
  "name": "5bd9cd88-fe45-4216-938b-f97437e15450",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DocumentDb/databaseAccounts/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DocumentDB Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Redis Cache Contributor

Lets you manage Redis caches, but not access to them.

Actions
Microsoft.Cache/register/action | Registers the 'Microsoft.Cache' resource provider with a subscription
Microsoft.Cache/redis/* | Create and manage Redis caches
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket

NotActions
none

DataActions
none

NotDataActions
none

{
  "description": "Lets you manage Redis caches, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
  "name": "e0f68234-74aa-48ed-b826-c38b57376e17",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Cache/register/action",
        "Microsoft.Cache/redis/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Redis Cache Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL DB Contributor

Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.

Actions
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Sql/locations/*/read
Microsoft.Sql/servers/databases/* | Create and manage SQL databases
Microsoft.Sql/servers/read | Return the list of servers or gets the properties for the specified server.
Microsoft.Support/* | Create and update a support ticket
Microsoft.Insights/metrics/read | Read metrics
Microsoft.Insights/metricDefinitions/read | Read metric definitions

NotActions
Microsoft.Sql/servers/databases/ledgerDigestUploads/write | Enable uploading ledger digests
Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action | Disable uploading ledger digests
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/auditingSettings/* | Edit audit settings
Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Edit data masking policies
Microsoft.Sql/servers/databases/extendedAuditingSettings/*
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/securityAlertPolicies/* | Edit security alert policies
Microsoft.Sql/servers/databases/securityMetrics/* | Edit security metrics
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/vulnerabilityAssessments/*

DataActions
none

NotDataActions
none

{
  "description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
  "name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/databases/*",
        "Microsoft.Sql/servers/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
        "Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL DB Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL Managed Instance Contributor

Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.

Actions
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Network/networkSecurityGroups/*
Microsoft.Network/routeTables/*
Microsoft.Sql/locations/*/read
Microsoft.Sql/locations/instanceFailoverGroups/*
Microsoft.Sql/managedInstances/*
Microsoft.Support/* | Create and update a support ticket
Microsoft.Network/virtualNetworks/subnets/*
Microsoft.Network/virtualNetworks/*
Microsoft.Authorization/*/read | Read roles and role assignments
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert
Microsoft.Insights/metrics/read | Read metrics
Microsoft.Insights/metricDefinitions/read | Read metric definitions

NotActions
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete | Deletes a specific managed server Azure Active Directory only authentication object
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | Adds or updates a specific managed server Azure Active Directory only authentication object

DataActions
none

NotDataActions
none

{
  "description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
  "name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Network/networkSecurityGroups/*",
        "Microsoft.Network/routeTables/*",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/locations/instanceFailoverGroups/*",
        "Microsoft.Sql/managedInstances/*",
        "Microsoft.Support/*",
        "Microsoft.Network/virtualNetworks/subnets/*",
        "Microsoft.Network/virtualNetworks/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Managed Instance Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

SQL Security Manager

Lets you manage the security-related policies of SQL servers and databases, but not access to them.

Actions
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable.
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Sql/locations/administratorAzureAsyncOperation/read | Gets the Managed instance azure async administrator operations result.
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection settings for a given managed instance
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection settings for a given managed instance
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server
Microsoft.Sql/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/serverConfigurationOptions/read | Gets properties for the specified Azure SQL Managed Instance Server Configuration Option.
Microsoft.Sql/managedInstances/serverConfigurationOptions/write | Updates Azure SQL Managed Instance's Server Configuration Option properties for the specified instance.
Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read | Gets the status of Azure SQL Managed Instance Server Configuration Option Azure async operation.
Microsoft.Sql/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server
Microsoft.Sql/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server
Microsoft.Sql/servers/auditingSettings/* | Create and manage SQL server auditing setting
Microsoft.Sql/servers/extendedAuditingSettings/read | Retrieve details of the extended server blob auditing policy configured on a given server
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database
Microsoft.Sql/servers/databases/auditingSettings/* | Create and manage SQL server database auditing settings
Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Create and manage SQL server database data masking policies
Microsoft.Sql/servers/databases/extendedAuditingSettings/read | Retrieve details of the extended blob auditing policy configured on a given database
Microsoft.Sql/servers/databases/read | Return the list of databases or gets the properties for the specified database.
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/read | Get a database schema.
Microsoft.Sql/servers/databases/schemas/tables/columns/read | Get a database column.
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/read | Get a database table.
Microsoft.Sql/servers/databases/securityAlertPolicies/* | Create and manage SQL server database security alert policies
Microsoft.Sql/servers/databases/securityMetrics/* | Create and manage SQL server database security metrics
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/transparentDataEncryption/*
Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/devOpsAuditingSettings/*
Microsoft.Sql/servers/firewallRules/*
Microsoft.Sql/servers/read | Return the list of servers or gets the properties for the specified server.
Microsoft.Sql/servers/securityAlertPolicies/* | Create and manage SQL server security alert policies
Microsoft.Sql/servers/sqlvulnerabilityAssessments/*
Microsoft.Sql/servers/vulnerabilityAssessments/*
Microsoft.Support/* | Create and update a support ticket
Microsoft.Sql/servers/azureADOnlyAuthentications/*
Microsoft.Sql/managedInstances/read | Return the list of managed instances or gets the properties for the specified managed instance.
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*
Microsoft.Security/sqlVulnerabilityAssessments/*
Microsoft.Sql/managedInstances/administrators/read | Gets a list of managed instance administrators.
Microsoft.Sql/servers/administrators/read | Gets a specific Azure Active Directory administrator object
Microsoft.Sql/servers/databases/ledgerDigestUploads/*
Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read | Gets in-progress operations of ledger digest upload settings
Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read | Gets in-progress operations of ledger digest upload settings
Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*

NotActions
none

DataActions
none

NotDataActions
none

{
  "description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
  "name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
        "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
        "Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*", "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*", "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*", "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*", "Microsoft.Sql/servers/advancedThreatProtectionSettings/read", "Microsoft.Sql/servers/advancedThreatProtectionSettings/write", "Microsoft.Sql/managedInstances/securityAlertPolicies/*", "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*", "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*", "Microsoft.Sql/managedInstances/serverConfigurationOptions/read", "Microsoft.Sql/managedInstances/serverConfigurationOptions/write", "Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read", "Microsoft.Sql/servers/advancedThreatProtectionSettings/read", "Microsoft.Sql/servers/advancedThreatProtectionSettings/write", "Microsoft.Sql/servers/auditingSettings/*", "Microsoft.Sql/servers/extendedAuditingSettings/read", "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read", "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write", "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read", "Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write", "Microsoft.Sql/servers/databases/auditingSettings/*", "Microsoft.Sql/servers/databases/auditRecords/read", "Microsoft.Sql/servers/databases/currentSensitivityLabels/*", "Microsoft.Sql/servers/databases/dataMaskingPolicies/*", "Microsoft.Sql/servers/databases/extendedAuditingSettings/read", "Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*", "Microsoft.Sql/servers/databases/schemas/read", "Microsoft.Sql/servers/databases/schemas/tables/columns/read", "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*", "Microsoft.Sql/servers/databases/schemas/tables/read", 
"Microsoft.Sql/servers/databases/securityAlertPolicies/*", "Microsoft.Sql/servers/databases/securityMetrics/*", "Microsoft.Sql/servers/databases/sensitivityLabels/*", "Microsoft.Sql/servers/databases/transparentDataEncryption/*", "Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*", "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*", "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*", "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*", "Microsoft.Sql/servers/devOpsAuditingSettings/*", "Microsoft.Sql/servers/firewallRules/*", "Microsoft.Sql/servers/read", "Microsoft.Sql/servers/securityAlertPolicies/*", "Microsoft.Sql/servers/sqlvulnerabilityAssessments/*", "Microsoft.Sql/servers/vulnerabilityAssessments/*", "Microsoft.Support/*", "Microsoft.Sql/servers/azureADOnlyAuthentications/*", "Microsoft.Sql/managedInstances/read", "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*", "Microsoft.Security/sqlVulnerabilityAssessments/*", "Microsoft.Sql/managedInstances/administrators/read", "Microsoft.Sql/servers/administrators/read", "Microsoft.Sql/servers/databases/ledgerDigestUploads/*", "Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read", "Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read", "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*" "notActions": [], "dataActions": [], "notDataActions": [] "roleName": "SQL Security Manager", "roleType": "BuiltInRole", "type": "Microsoft.Authorization/roleDefinitions"

SQL Server Contributor

Lets you manage SQL servers and databases, but not access to them, and not their security-related policies.

Actions

| Action | Description |
| --- | --- |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Sql/locations/*/read | |
| Microsoft.Sql/servers/* | Create and manage SQL servers |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |

NotActions

| Action | Description |
| --- | --- |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/auditingSettings/* | Edit SQL server auditing settings |
| Microsoft.Sql/servers/databases/auditingSettings/* | Edit SQL server database auditing settings |
| Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Edit SQL server database data masking policies |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/securityAlertPolicies/* | Edit SQL server database security alert policies |
| Microsoft.Sql/servers/databases/securityMetrics/* | Edit SQL server database security metrics |
| Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/devOpsAuditingSettings/* | |
| Microsoft.Sql/servers/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/securityAlertPolicies/* | Edit SQL server security alert policies |
| Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/azureADOnlyAuthentications/delete | Deletes a specific server Azure Active Directory only authentication object |
| Microsoft.Sql/servers/azureADOnlyAuthentications/write | Adds or updates a specific server Azure Active Directory only authentication object |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete | Deletes a specific server external policy based authorization property |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write | Adds or updates a specific server external policy based authorization property |

DataActions: none

NotDataActions: none

```json
{
  "description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
  "name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Sql/locations/*/read",
        "Microsoft.Sql/servers/*",
        "Microsoft.Support/*",
        "Microsoft.Insights/metrics/read",
        "Microsoft.Insights/metricDefinitions/read"
      ],
      "notActions": [
        "Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
        "Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/managedInstances/securityAlertPolicies/*",
        "Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditingSettings/*",
        "Microsoft.Sql/servers/databases/auditRecords/read",
        "Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
        "Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
        "Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/securityAlertPolicies/*",
        "Microsoft.Sql/servers/databases/securityMetrics/*",
        "Microsoft.Sql/servers/databases/sensitivityLabels/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
        "Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
        "Microsoft.Sql/servers/devOpsAuditingSettings/*",
        "Microsoft.Sql/servers/extendedAuditingSettings/*",
        "Microsoft.Sql/servers/securityAlertPolicies/*",
        "Microsoft.Sql/servers/vulnerabilityAssessments/*",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
        "Microsoft.Sql/servers/azureADOnlyAuthentications/write",
        "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete",
        "Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "SQL Server Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Analytics

Azure Event Hubs Data Owner

Allows for full access to Azure Event Hubs resources.

```json
{
  "description": "Allows for full access to Azure Event Hubs resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
  "name": "f526a384-b230-433a-b45c-95f59c4a2dec",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Azure Event Hubs Data Receiver

Allows receive access to Azure Event Hubs resources.

```json
{
  "description": "Allows receive access to Azure Event Hubs resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
  "name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*/eventhubs/consumergroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Receiver",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Azure Event Hubs Data Sender

Allows send access to Azure Event Hubs resources.

```json
{
  "description": "Allows send access to Azure Event Hubs resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
  "name": "2b629674-e913-4c01-ae53-ef4638d8f975",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/*/eventhubs/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Event Hubs Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Data Factory Contributor

Create and manage data factories, as well as child resources within them.

Actions

| Action | Description |
| --- | --- |
| Microsoft.DataFactory/dataFactories/* | Create and manage data factories, and child resources within them. |
| Microsoft.DataFactory/factories/* | Create and manage data factories, and child resources within them. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.EventGrid/eventSubscriptions/write | Create or update an eventSubscription |

NotActions: none

DataActions: none

NotDataActions: none

```json
{
  "description": "Create and manage data factories, as well as child resources within them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
  "name": "673868aa-7521-48a0-acc6-0f60742d39f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DataFactory/dataFactories/*",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.EventGrid/eventSubscriptions/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Factory Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Data Purger

Delete private data from a Log Analytics workspace.

Actions

| Action | Description |
| --- | --- |
| Microsoft.OperationalInsights/workspaces/purge/action | Delete specified data by query from workspace. |

NotActions: none

DataActions: none

NotDataActions: none

```json
{
  "description": "Can purge analytics data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
  "name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/components/*/read",
        "Microsoft.Insights/components/purge/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/purge/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Data Purger",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

HDInsight Cluster Operator

Lets you read and modify HDInsight cluster configurations.

Actions

| Action | Description |
| --- | --- |
| Microsoft.HDInsight/clusters/getGatewaySettings/action | Get gateway settings for HDInsight Cluster |
| Microsoft.HDInsight/clusters/updateGatewaySettings/action | Update gateway settings for HDInsight Cluster |
| Microsoft.HDInsight/clusters/configurations/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Support/* | Create and update a support ticket |

NotActions: none

DataActions: none

NotDataActions: none

```json
{
  "description": "Lets you read and modify HDInsight cluster configurations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a",
  "name": "61ed4efc-fab3-44fd-b111-e24485cc132a",
  "permissions": [
    {
      "actions": [
        "Microsoft.HDInsight/*/read",
        "Microsoft.HDInsight/clusters/getGatewaySettings/action",
        "Microsoft.HDInsight/clusters/updateGatewaySettings/action",
        "Microsoft.HDInsight/clusters/configurations/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "HDInsight Cluster Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

HDInsight Domain Services Contributor

Can read, create, modify, and delete Domain Services related operations needed for HDInsight Enterprise Security Package.

```json
{
  "description": "Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c",
  "name": "8d8d5a11-05d3-4bda-a417-a08778121c7c",
  "permissions": [
    {
      "actions": [
        "Microsoft.AAD/*/read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.AAD/domainServices/oucontainer/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "HDInsight Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Log Analytics Contributor

Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.

Actions

| Action | Description |
| --- | --- |
| Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
| Microsoft.Compute/virtualMachines/extensions/* | |
| Microsoft.HybridCompute/machines/extensions/write | Installs or Updates an Azure Arc extensions |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.OperationalInsights/* | |
| Microsoft.OperationsManagement/* | |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
| Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Support/* | Create and update a support ticket |

NotActions: none

DataActions: none

NotDataActions: none

```json
{
  "description": "Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
  "name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.ClassicCompute/virtualMachines/extensions/*",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.Compute/virtualMachines/extensions/*",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.OperationalInsights/*",
        "Microsoft.OperationsManagement/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Log Analytics Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Log Analytics Reader

Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.

NotActions

| Action | Description |
| --- | --- |
| Microsoft.OperationalInsights/workspaces/sharedKeys/read | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. |

DataActions: none

NotDataActions: none

```json
{
  "description": "Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893",
  "name": "73c42c96-874c-492b-b04d-ab87d138a893",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.OperationalInsights/workspaces/sharedKeys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Log Analytics Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Schema Registry Contributor (Preview)

Read, write, and delete Schema Registry groups and schemas.

```json
{
  "description": "Read, write, and delete Schema Registry groups and schemas.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-4216-b2bc-10343a5abb25",
  "name": "5dffeca3-4936-4216-b2bc-10343a5abb25",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/namespaces/schemagroups/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/namespaces/schemas/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Schema Registry Contributor (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Schema Registry Reader (Preview)

Read and list Schema Registry groups and schemas.

Actions

| Action | Description |
| --- | --- |
| Microsoft.EventHub/namespaces/schemagroups/read | Get list of SchemaGroup Resource Descriptions |

NotActions: none

DataActions

| Action | Description |
| --- | --- |
| Microsoft.EventHub/namespaces/schemas/read | Retrieve schemas |

NotDataActions: none

```json
{
  "description": "Read and list Schema Registry groups and schemas.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
  "name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventHub/namespaces/schemagroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventHub/namespaces/schemas/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Schema Registry Reader (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Stream Analytics Query Tester

Lets you perform query testing without creating a Stream Analytics job first.

Actions

| Action | Description |
| --- | --- |
| Microsoft.StreamAnalytics/locations/TestQuery/action | Test Query for Stream Analytics Resource Provider |
| Microsoft.StreamAnalytics/locations/OperationResults/read | Read Stream Analytics Operation Result |
| Microsoft.StreamAnalytics/locations/SampleInput/action | Sample Input for Stream Analytics Resource Provider |
| Microsoft.StreamAnalytics/locations/CompileQuery/action | Compile Query for Stream Analytics Resource Provider |

NotActions: none

DataActions: none

NotDataActions: none

```json
{
  "description": "Lets you perform query testing without creating a stream analytics job first",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
  "name": "1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
  "permissions": [
    {
      "actions": [
        "Microsoft.StreamAnalytics/locations/TestQuery/action",
        "Microsoft.StreamAnalytics/locations/OperationResults/read",
        "Microsoft.StreamAnalytics/locations/SampleInput/action",
        "Microsoft.StreamAnalytics/locations/CompileQuery/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Stream Analytics Query Tester",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

AI + machine learning

AzureML Data Scientist

Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.

Actions

| Action | Description |
| --- | --- |
| Microsoft.MachineLearningServices/featurestores/read | Gets the Machine Learning Services FeatureStore(s) |
| Microsoft.MachineLearningServices/featurestores/checkNameAvailability/read | Checks the Machine Learning Services FeatureStore name availability |

NotActions

| Action | Description |
| --- | --- |
| Microsoft.MachineLearningServices/workspaces/delete | Deletes the Machine Learning Services Workspace(s) |
| Microsoft.MachineLearningServices/workspaces/write | Creates or updates a Machine Learning Services Workspace(s) |
| Microsoft.MachineLearningServices/workspaces/computes/*/write | |
| Microsoft.MachineLearningServices/workspaces/computes/*/delete | |
| Microsoft.MachineLearningServices/workspaces/computes/listKeys/action | List secrets for compute resources in Machine Learning Services Workspace |
| Microsoft.MachineLearningServices/workspaces/listKeys/action | List secrets for a Machine Learning Services Workspace |

DataActions: none

NotDataActions: none

```json
{
  "description": "Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121",
  "name": "f6c7c914-8db3-469d-8ca1-694a8f32e121",
  "permissions": [
    {
      "actions": [
        "Microsoft.MachineLearningServices/workspaces/*/read",
        "Microsoft.MachineLearningServices/workspaces/*/action",
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/*/write",
        "Microsoft.MachineLearningServices/featurestores/read",
        "Microsoft.MachineLearningServices/featurestores/checkNameAvailability/read"
      ],
      "notActions": [
        "Microsoft.MachineLearningServices/workspaces/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
        "Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
        "Microsoft.MachineLearningServices/workspaces/listKeys/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "AzureML Data Scientist",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services Contributor

Lets you create, read, update, delete and manage keys of Cognitive Services.

Actions

| Action | Description |
| --- | --- |
| Microsoft.Features/providers/features/read | Gets the feature of a subscription in a given resource provider. |
| Microsoft.Features/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Insights/logDefinitions/read | Read log definitions |
| Microsoft.Insights/metricdefinitions/read | Read metric definitions |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |

NotActions: none

DataActions: none

NotDataActions: none

```json
{
  "description": "Lets you create, read, update, delete and manage keys of Cognitive Services.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
  "name": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.CognitiveServices/*",
        "Microsoft.Features/features/read",
        "Microsoft.Features/providers/features/read",
        "Microsoft.Features/providers/features/register/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logDefinitions/read",
        "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services Custom Vision Contributor

Full access to the project, including the ability to view, create, edit, or delete projects.

```json
{
  "description": "Full access to the project, including the ability to view, create, edit, or delete projects.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
  "name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Custom Vision Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services Custom Vision Deployment

Publish, unpublish or export models. Deployment can view the project but can't update.

```json
{
  "description": "Publish, unpublish or export models. Deployment can view the project but can't update.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
  "name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/classify/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/detect/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Deployment",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services Custom Vision Labeler

View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags.

| DataActions | Description |
| --- | --- |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/images/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/* | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action | This API will get suggested tags and regions for an array/batch of untagged images along with confidences for the tags. It returns an empty array if no tags are found. |
| **NotDataActions** | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |

```json
{
  "description": "View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
  "name": "88424f51-ebe7-446f-bc41-7fa16989e96c",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Labeler",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services Custom Vision Reader

Read-only actions in the project. Readers can't create or update the project.

| DataActions | Description |
| --- | --- |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | Get images that were sent to your prediction endpoint. |
| **NotDataActions** | |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |

```json
{
  "description": "Read-only actions in the project. Readers can't create or update the project.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
  "name": "93586559-c37d-4a6b-ba08-b9f0940c2d73",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*/read",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services Custom Vision Trainer

View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.

| NotDataActions | Description |
| --- | --- |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/delete | Delete a specific project. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action | Imports a project. |
| Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | Exports a project. |

```json
{
  "description": "View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
  "name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/*"
      ],
      "notDataActions": [
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",
        "Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
      ]
    }
  ],
  "roleName": "Cognitive Services Custom Vision Trainer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services Data Reader (Preview)

Lets you read Cognitive Services data.

```json
{
  "description": "Lets you read Cognitive Services data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
  "name": "b59867f0-fa02-499b-be73-45a86b5b3e1c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Data Reader (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services Face Recognizer

Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.

| DataActions | Description |
| --- | --- |
| Microsoft.CognitiveServices/accounts/Face/detect/action | Detect human faces in an image, return face rectangles, and optionally with faceIds, landmarks, and attributes. |
| Microsoft.CognitiveServices/accounts/Face/verify/action | Verify whether two faces belong to a same person or whether one face belongs to a person. |
| Microsoft.CognitiveServices/accounts/Face/identify/action | 1-to-many identification to find the closest matches of the specific query person face from a person group or large person group. |
| Microsoft.CognitiveServices/accounts/Face/group/action | Divide candidate faces into groups based on face similarity. |
| Microsoft.CognitiveServices/accounts/Face/findsimilars/action | Given query face's faceId, to search the similar-looking faces from a faceId array, a face list or a large face list. |
| Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action | Performs liveness detection on a target face in a sequence of infrared, color and/or depth images, and returns the liveness classification of the target face as either 'real face', 'spoof face', or 'uncertain' if a classification cannot be made with the given inputs. |
| Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action | Performs liveness detection on a target face in a sequence of images of the same modality (e.g. color or infrared), and returns the liveness classification of the target face as either 'real face', 'spoof face', or 'uncertain' if a classification cannot be made with the given inputs. |
| Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action | Detects liveness of a target face in a sequence of images of the same stream type (e.g. color) and then compares with VerifyImage to return confidence score for identity scenarios. |
| **NotDataActions** | |
| *none* | |

```json
{
  "description": "Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7",
  "name": "9894cab4-e18a-44aa-828b-cb588cd6f2d7",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/Face/detect/action",
        "Microsoft.CognitiveServices/accounts/Face/verify/action",
        "Microsoft.CognitiveServices/accounts/Face/identify/action",
        "Microsoft.CognitiveServices/accounts/Face/group/action",
        "Microsoft.CognitiveServices/accounts/Face/findsimilars/action",
        "Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action",
        "Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action",
        "Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Face Recognizer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services Metrics Advisor Administrator

Full access to the project, including the system level configuration.

```json
{
  "description": "Full access to the project, including the system level configuration.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a",
  "name": "cb43c632-a144-4ec5-977c-e80c4affc34a",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services Metrics Advisor Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services QnA Maker Editor

Lets you create, edit, import and export a KB. You cannot publish or delete a KB.

| DataActions | Description |
| --- | --- |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read | Gets list of knowledgebases or details of a specific knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or replace knowledgebase contents. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write | Replace alterations data. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write | Update endpoint settings for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker/operations/read | Gets details of a specific long running operation. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read | Gets list of knowledgebases or details of a specific knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write | Asynchronous operation to modify a knowledgebase or replace knowledgebase contents. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write | Replace alterations data. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write | Update endpoint settings for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read | Gets details of a specific long running operation. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read | Gets list of knowledgebases or details of a specific knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write | Asynchronous operation to create a new knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write | Asynchronous operation to modify a knowledgebase or replace knowledgebase contents. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action | Train call to add suggestions to the knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write | Replace alterations data. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action | Re-generates an endpoint key. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write | Update endpoint settings for an endpoint. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read | Gets details of a specific long running operation. |
| **NotDataActions** | |
| *none* | |

```json
{
  "description": "Let's you create, edit, import and export a KB. You cannot publish or delete a KB.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025",
  "name": "f4cc2bf9-21be-47a1-bdf1-5c5804381025",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker/operations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services QnA Maker Editor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services QnA Maker Reader

Lets you read and test a KB only.

| DataActions | Description |
| --- | --- |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read | Gets list of knowledgebases or details of a specific knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read | Gets list of knowledgebases or details of a specific knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read | Gets endpoint keys for an endpoint. |
| Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read | Gets endpoint settings for an endpoint. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read | Gets list of knowledgebases or details of a specific knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read | Download the knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action | GenerateAnswer call to query the knowledgebase. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read | Download alterations from runtime. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read | Gets endpoint keys for an endpoint. |
| Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read | Gets endpoint settings for an endpoint. |
| **NotDataActions** | |
| *none* | |

```json
{
  "description": "Let's you read and test a KB only.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126",
  "name": "466ccd10-b268-4a11-b098-b4849f024126",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleDefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read",
        "Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services QnA Maker Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Cognitive Services User

Lets you read and list keys of Cognitive Services.

| Actions | Description |
| --- | --- |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations. |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** | |
| *none* | |
| **DataActions** | |
| Microsoft.CognitiveServices/* | |
| **NotDataActions** | |
| *none* | |

```json
{
  "description": "Lets you read and list keys of Cognitive Services.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
  "name": "a97b65f3-24c7-4388-baec-2e87135dc908",
  "permissions": [
    {
      "actions": [
        "Microsoft.CognitiveServices/*/read",
        "Microsoft.CognitiveServices/accounts/listkeys/action",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Insights/logDefinitions/read",
        "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.CognitiveServices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Cognitive Services User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Internet of things

Device Update Administrator

Gives you full access to management and content operations.

| DataActions | Description |
| --- | --- |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/updates/write | Performs a write operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/updates/delete | Performs a delete operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/management/write | Performs a write operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/management/delete | Performs a delete operation related to management |
| **NotDataActions** | |
| *none* | |

```json
{
  "description": "Gives you full access to management and content operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a",
  "name": "02ca0879-e8e4-47a5-a61e-5c618b76e64a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete",
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Device Update Content Administrator

Gives you full access to content operations.

| DataActions | Description |
| --- | --- |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/updates/write | Performs a write operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/updates/delete | Performs a delete operation related to updates |
| **NotDataActions** | |
| *none* | |

```json
{
  "description": "Gives you full access to content operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98",
  "name": "0378884a-3af5-44ab-8323-f5b22f9f3c98",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/write",
        "Microsoft.DeviceUpdate/accounts/instances/updates/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Content Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Device Update Content Reader

Gives you read access to content operations, but does not allow making changes.

| DataActions | Description |
| --- | --- |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| **NotDataActions** | |
| *none* | |

```json
{
  "description": "Gives you read access to content operations, but does not allow making changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
  "name": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Content Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Device Update Deployments Administrator

Gives you full access to management operations.

| DataActions | Description |
| --- | --- |
| Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/management/write | Performs a write operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/management/delete | Performs a delete operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| **NotDataActions** | |
| *none* | |

```json
{
  "description": "Gives you full access to management operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432",
  "name": "e4237640-0e3d-4a46-8fda-70bc94856432",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/write",
        "Microsoft.DeviceUpdate/accounts/instances/management/delete",
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Deployments Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Device Update Deployments Reader

Gives you read access to management operations, but does not allow making changes.

| DataActions | Description |
| --- | --- |
| Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| **NotDataActions** | |
| *none* | |

```json
{
  "description": "Gives you read access to management operations, but does not allow making changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f",
  "name": "49e2f5d2-7741-4835-8efa-19e1fe35e47f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/management/read",
        "Microsoft.DeviceUpdate/accounts/instances/updates/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Deployments Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Device Update Reader

Gives you read access to management and content operations, but does not allow making changes.

| DataActions | Description |
| --- | --- |
| Microsoft.DeviceUpdate/accounts/instances/updates/read | Performs a read operation related to updates |
| Microsoft.DeviceUpdate/accounts/instances/management/read | Performs a read operation related to management |
| **NotDataActions** | |
| *none* | |

```json
{
  "description": "Gives you read access to management and content operations, but does not allow making changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
  "name": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.DeviceUpdate/accounts/instances/updates/read",
        "Microsoft.DeviceUpdate/accounts/instances/management/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Device Update Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

IoT Hub Data Contributor

Allows for full access to IoT Hub data plane operations.

{
  "description": "Allows for full access to IoT Hub data plane operations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f",
  "name": "4fc6c259-987e-4a07-842e-c321cc9d413f",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Data Reader

Allows for full read access to IoT Hub data-plane properties. The role is not strictly read-only: besides Microsoft.Devices/IotHubs/*/read it carries the fileUpload/notifications/action data action, which lets the principal receive, complete or abandon file upload notifications, and completing a notification consumes it rather than merely observing it.

DataActions
  Microsoft.Devices/IotHubs/fileUpload/notifications/action
    Receive, complete, or abandon file upload notifications

{
  "description": "Allows for full read access to IoT Hub data-plane properties",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3",
  "name": "b447c946-2db7-41ec-983d-d8bf3b1c77e3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/*/read",
        "Microsoft.Devices/IotHubs/fileUpload/notifications/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Registry Contributor

Allows for full access to the IoT Hub device registry.

{
  "description": "Allows for full access to IoT Hub device registry.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
  "name": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/devices/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Registry Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Twin Contributor

Allows for read and write access to all IoT Hub device and module twins.

{
  "description": "Allows for read and write access to all IoT Hub device and module twins.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c",
  "name": "494bdba2-168f-4f31-a0a1-191d2f7c028c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Devices/IotHubs/twins/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "IoT Hub Twin Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Mixed reality

Remote Rendering Administrator

Provides the user with conversion, session management, rendering and diagnostics capabilities for Azure Remote Rendering.

DataActions
  Microsoft.MixedReality/RemoteRenderingAccounts/convert/read
    Get asset conversion properties
  Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete
    Stop asset conversion
  Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read
    Get session properties
  Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action
    Start sessions
  Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete
    Stop sessions
  Microsoft.MixedReality/RemoteRenderingAccounts/render/read
    Connect to a session
  Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read
    Connect to the Remote Rendering inspector

{
  "description": "Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
  "name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Remote Rendering Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Remote Rendering Client

Provides the user with session management, rendering and diagnostics capabilities for Azure Remote Rendering.

DataActions
  Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read
    Get session properties
  Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action
    Start sessions
  Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete
    Stop sessions
  Microsoft.MixedReality/RemoteRenderingAccounts/render/read
    Connect to a session
  Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read
    Connect to the Remote Rendering inspector

{
  "description": "Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a",
  "name": "d39065c4-c120-43c9-ab0a-63eed9795f0a",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",
        "Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
        "Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
        "Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Remote Rendering Client",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Contributor

Lets you manage spatial anchors in your account, but not delete them.

DataActions
  Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
    Discover nearby spatial anchors
  Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
    Get properties of spatial anchors
  Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
    Locate spatial anchors
  Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
    Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service
  Microsoft.MixedReality/SpatialAnchorsAccounts/write
    Update spatial anchors properties

{
  "description": "Lets you manage spatial anchors in your account, but not delete them",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
  "name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Owner

Lets you manage spatial anchors in your account, including deleting them.

DataActions
  Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
    Discover nearby spatial anchors
  Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
    Get properties of spatial anchors
  Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
    Locate spatial anchors
  Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
    Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service
  Microsoft.MixedReality/SpatialAnchorsAccounts/write
    Update spatial anchors properties

{
  "description": "Lets you manage spatial anchors in your account, including deleting them",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c",
  "name": "70bbe301-9835-447d-afdd-19eb3167307c",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/delete",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Reader

Lets you locate and read properties of spatial anchors in your account.

DataActions
  Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
    Discover nearby spatial anchors
  Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
    Get properties of spatial anchors
  Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
    Locate spatial anchors
  Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
    Submit diagnostics data to help improve the quality of the Azure Spatial Anchors service

{
  "description": "Lets you locate and read properties of spatial anchors in your account",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413",
  "name": "5d51204f-eb77-4b1c-b86a-2ec626c49413",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
        "Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Spatial Anchors Account Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Integration

API Management Service Contributor

Can manage the service and its APIs. Because Microsoft.ApiManagement/service/* is granted with no NotActions carve-out, this role can also read user keys (Microsoft.ApiManagement/service/users/keys/read), which the Operator and Reader roles below explicitly exclude.

Actions
  Microsoft.ResourceHealth/availabilityStatuses/read
    Gets the availability statuses for all resources in the specified scope
  Microsoft.Resources/deployments/*
    Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read
    Gets or lists resource groups.
  Microsoft.Support/*
    Create and update a support ticket

{
  "description": "Can manage service and the APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
  "name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Operator Role

Can manage the service but not the APIs. Read access covers everything under the service (Microsoft.ApiManagement/service/*/read) except user keys, which NotActions removes; write access is limited to the service-level operations listed below (backup, restore, delete, scaling, certificates and hostnames).

Actions
  Microsoft.ApiManagement/service/backup/action
    Backup API Management Service to the specified container in a user provided storage account
  Microsoft.ApiManagement/service/delete
    Delete API Management Service instance
  Microsoft.ApiManagement/service/managedeployments/action
    Change SKU/units, add/remove regional deployments of API Management Service
  Microsoft.ApiManagement/service/read
    Read metadata for an API Management Service instance
  Microsoft.ApiManagement/service/restore/action
    Restore API Management Service from the specified container in a user provided storage account
  Microsoft.ApiManagement/service/updatecertificate/action
    Upload TLS/SSL certificate for an API Management Service
  Microsoft.ApiManagement/service/updatehostname/action
    Setup, update or remove custom domain names for an API Management Service
  Microsoft.ApiManagement/service/write
    Create or Update API Management Service instance
  Microsoft.Authorization/*/read
    Read roles and role assignments
  Microsoft.Insights/alertRules/*
    Create and manage a classic metric alert
  Microsoft.ResourceHealth/availabilityStatuses/read
    Gets the availability statuses for all resources in the specified scope
  Microsoft.Resources/deployments/*
    Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read
    Gets or lists resource groups.
  Microsoft.Support/*
    Create and update a support ticket

NotActions
  Microsoft.ApiManagement/service/users/keys/read
    Get keys associated with user

{
  "description": "Can manage service but not the APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
  "name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/backup/action",
        "Microsoft.ApiManagement/service/delete",
        "Microsoft.ApiManagement/service/managedeployments/action",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.ApiManagement/service/restore/action",
        "Microsoft.ApiManagement/service/updatecertificate/action",
        "Microsoft.ApiManagement/service/updatehostname/action",
        "Microsoft.ApiManagement/service/write",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Operator Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Reader Role

Read-only access to the service and its APIs. User keys are carved out by NotActions. Like most built-in reader roles on this page it also carries Microsoft.Resources/deployments/*, which lets the principal submit ARM deployments; every resource in such a deployment is still authorized against the principal's other permissions, so this does not by itself grant write access to API Management.

Actions
  Microsoft.ApiManagement/service/read
    Read metadata for an API Management Service instance
  Microsoft.Authorization/*/read
    Read roles and role assignments
  Microsoft.Insights/alertRules/*
    Create and manage a classic metric alert
  Microsoft.ResourceHealth/availabilityStatuses/read
    Gets the availability statuses for all resources in the specified scope
  Microsoft.Resources/deployments/*
    Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read
    Gets or lists resource groups.
  Microsoft.Support/*
    Create and update a support ticket

NotActions
  Microsoft.ApiManagement/service/users/keys/read
    Get keys associated with user

{
  "description": "Read-only access to service and APIs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
  "name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/*/read",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.ApiManagement/service/users/keys/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Reader Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Workspace API Developer

Has read access to tags and products, and write access to allow assigning APIs to products and assigning tags to products and APIs. This role should be assigned on the service scope.

Actions
  Microsoft.ApiManagement/service/tags/read
    Lists a collection of tags defined within a service instance, or gets the details of the tag specified by its identifier.
  Microsoft.ApiManagement/service/tags/apiLinks/*
  Microsoft.ApiManagement/service/tags/operationLinks/*
  Microsoft.ApiManagement/service/tags/productLinks/*
  Microsoft.ApiManagement/service/products/read
    Lists a collection of products in the specified service instance, or gets the details of the product specified by its identifier.
  Microsoft.ApiManagement/service/products/apiLinks/*
  Microsoft.ApiManagement/service/read
    Read metadata for an API Management Service instance
  Microsoft.Authorization/*/read
    Read roles and role assignments

{
  "description": "Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9565a273-41b9-4368-97d2-aeb0c976a9b3",
  "name": "9565a273-41b9-4368-97d2-aeb0c976a9b3",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/tags/read",
        "Microsoft.ApiManagement/service/tags/apiLinks/*",
        "Microsoft.ApiManagement/service/tags/operationLinks/*",
        "Microsoft.ApiManagement/service/tags/productLinks/*",
        "Microsoft.ApiManagement/service/products/read",
        "Microsoft.ApiManagement/service/products/apiLinks/*",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Workspace API Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Workspace API Product Manager

Has the same access as API Management Service Workspace API Developer, plus read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.

Actions
  Microsoft.ApiManagement/service/users/read
    Lists a collection of registered users in the specified service instance, or gets the details of the user specified by its identifier.
  Microsoft.ApiManagement/service/tags/read
    Lists a collection of tags defined within a service instance, or gets the details of the tag specified by its identifier.
  Microsoft.ApiManagement/service/tags/apiLinks/*
  Microsoft.ApiManagement/service/tags/operationLinks/*
  Microsoft.ApiManagement/service/tags/productLinks/*
  Microsoft.ApiManagement/service/products/read
    Lists a collection of products in the specified service instance, or gets the details of the product specified by its identifier.
  Microsoft.ApiManagement/service/products/apiLinks/*
  Microsoft.ApiManagement/service/groups/users/*
  Microsoft.ApiManagement/service/read
    Read metadata for an API Management Service instance
  Microsoft.Authorization/*/read
    Read roles and role assignments

{
  "description": "Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
  "name": "d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/users/read",
        "Microsoft.ApiManagement/service/tags/read",
        "Microsoft.ApiManagement/service/tags/apiLinks/*",
        "Microsoft.ApiManagement/service/tags/operationLinks/*",
        "Microsoft.ApiManagement/service/tags/productLinks/*",
        "Microsoft.ApiManagement/service/products/read",
        "Microsoft.ApiManagement/service/products/apiLinks/*",
        "Microsoft.ApiManagement/service/groups/users/*",
        "Microsoft.ApiManagement/service/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Service Workspace API Product Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace API Developer

Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope.

{
  "description": "Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/56328988-075d-4c6a-8766-d93edd6725b6",
  "name": "56328988-075d-4c6a-8766-d93edd6725b6",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*/read",
        "Microsoft.ApiManagement/service/workspaces/apis/*",
        "Microsoft.ApiManagement/service/workspaces/apiVersionSets/*",
        "Microsoft.ApiManagement/service/workspaces/policies/*",
        "Microsoft.ApiManagement/service/workspaces/schemas/*",
        "Microsoft.ApiManagement/service/workspaces/products/*",
        "Microsoft.ApiManagement/service/workspaces/policyFragments/*",
        "Microsoft.ApiManagement/service/workspaces/namedValues/*",
        "Microsoft.ApiManagement/service/workspaces/tags/*",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace API Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace API Product Manager

Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope.

{
  "description": "Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c2c328-d004-4c5e-938c-35c6f5679a1f",
  "name": "73c2c328-d004-4c5e-938c-35c6f5679a1f",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*/read",
        "Microsoft.ApiManagement/service/workspaces/products/*",
        "Microsoft.ApiManagement/service/workspaces/subscriptions/*",
        "Microsoft.ApiManagement/service/workspaces/groups/*",
        "Microsoft.ApiManagement/service/workspaces/tags/*",
        "Microsoft.ApiManagement/service/workspaces/notifications/*",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace API Product Manager",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace Contributor

Can manage the workspace and view, but not modify, its members. This role should be assigned on the workspace scope.

{
  "description": "Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
  "name": "0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace Reader

Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.

{
  "description": "Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
  "name": "ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
  "permissions": [
    {
      "actions": [
        "Microsoft.ApiManagement/service/workspaces/*/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "API Management Workspace Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Data Owner

Allows full access to App Configuration data.

{
  "description": "Allows full access to App Configuration data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
  "name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read",
        "Microsoft.AppConfiguration/configurationStores/*/write",
        "Microsoft.AppConfiguration/configurationStores/*/delete",
        "Microsoft.AppConfiguration/configurationStores/*/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Data Reader

Allows read access to App Configuration data.

{
  "description": "Allows read access to App Configuration data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
  "name": "516239f1-63e1-4d78-a4de-a74fb236a071",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.AppConfiguration/configurationStores/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "App Configuration Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Listener

Allows for listen access to Azure Relay resources.

{
  "description": "Allows for listen access to Azure Relay resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d",
  "name": "26e0b698-aa6d-4085-9386-aadae190014d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*/wcfRelays/read",
        "Microsoft.Relay/*/hybridConnections/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*/listen/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Listener",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Owner

Allows for full access to Azure Relay resources. Both Actions and DataActions are Microsoft.Relay/*, so this is full control-plane management of the namespace (including its shared access policies) in addition to full data-plane access, not merely listen plus send.

{
  "description": "Allows for full access to Azure Relay resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38",
  "name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Sender

Allows for send access to Azure Relay resources.

{
  "description": "Allows for send access to Azure Relay resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d",
  "name": "26baccc8-eea7-41f1-98f4-1762cc7f685d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Relay/*/wcfRelays/read",
        "Microsoft.Relay/*/hybridConnections/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Relay/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Relay Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Owner

Allows for full access to Azure Service Bus resources. Despite the "Data" in its name, the Actions entry Microsoft.ServiceBus/* also grants full control-plane rights over the namespace, including managing shared access policies and listing their keys. Application identities that only need to send or receive should get Azure Service Bus Data Sender or Data Receiver instead.

{
  "description": "Allows for full access to Azure Service Bus resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
  "name": "090c5cfd-751d-490a-894a-3ce6f1109419",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Receiver

Allows for receive access to Azure Service Bus resources.

{
  "description": "Allows for receive access to Azure Service Bus resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
  "name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/receive/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Receiver",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Sender

Allows for send access to Azure Service Bus resources.

{
  "description": "Allows for send access to Azure Service Bus resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
  "permissions": [
    {
      "actions": [
        "Microsoft.ServiceBus/*/queues/read",
        "Microsoft.ServiceBus/*/topics/read",
        "Microsoft.ServiceBus/*/topics/subscriptions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ServiceBus/*/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Service Bus Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
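The role definitions above are only useful if you can predict what they permit: wildcards in Actions match across path segments, NotActions subtract from the same role rather than deny globally, and an assignment's scope decides which resources it reaches (which is why the API Management workspace roles say "assign on the workspace scope"). The following evaluator, added here as an illustration and not code from this page or from Microsoft, applies those rules to four definitions copied from this page (API Management Service Reader Role, IoT Hub Data Reader, Azure Service Bus Data Owner and Data Sender). The subscription and resource IDs are constructed, and the operation names Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action, Microsoft.ServiceBus/namespaces/messages/send/action, Microsoft.ApiManagement/service/apis/read and Microsoft.Devices/IotHubs/twins/write are taken from the respective resource providers' operation lists, not from this page.

```python
"""Evaluate Azure RBAC role definitions against requested operations.

Added example, not Microsoft's authorization engine. Role definitions are
copied from the listings on this page; resource IDs are constructed, and
operation names that do not appear on this page are marked as assumptions.
"""
import re


def action_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    including '/', so 'service/*/read' covers 'service/users/keys/read'.
    Operation names are compared case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str, data_plane: bool = False) -> bool:
    """Granted when an Actions/DataActions entry matches and no
    NotActions/NotDataActions entry does. NotActions only narrows this role;
    it is not a deny that overrides other assignments."""
    perms = role["permissions"][0]
    allow_key, exclude_key = (("dataActions", "notDataActions") if data_plane
                              else ("actions", "notActions"))
    granted = any(action_matches(p, operation) for p in perms[allow_key])
    excluded = any(action_matches(p, operation) for p in perms[exclude_key])
    return granted and not excluded


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies at its scope and everything beneath it. The check
    is segment-aware so '/rg1' does not accidentally cover '/rg10'."""
    scope = assignment_scope.lower().rstrip("/")
    target = resource_id.lower().rstrip("/")
    return target == scope or target.startswith(scope + "/")


def principal_allows(assignments: list, resource_id: str, operation: str,
                     data_plane: bool = False) -> bool:
    """Effective access is the union of every in-scope assignment."""
    return any(scope_covers(a["scope"], resource_id)
               and role_allows(a["role"], operation, data_plane)
               for a in assignments)


def perm(actions=(), not_actions=(), data_actions=(), not_data_actions=()):
    return {"permissions": [{"actions": list(actions), "notActions": list(not_actions),
                             "dataActions": list(data_actions),
                             "notDataActions": list(not_data_actions)}]}


# Permission blocks as listed on this page.
APIM_SERVICE_READER = perm(
    actions=["Microsoft.ApiManagement/service/*/read", "Microsoft.ApiManagement/service/read",
             "Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*",
             "Microsoft.ResourceHealth/availabilityStatuses/read", "Microsoft.Resources/deployments/*",
             "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*"],
    not_actions=["Microsoft.ApiManagement/service/users/keys/read"])
IOT_HUB_DATA_READER = perm(
    data_actions=["Microsoft.Devices/IotHubs/*/read",
                  "Microsoft.Devices/IotHubs/fileUpload/notifications/action"])
SERVICE_BUS_DATA_OWNER = perm(actions=["Microsoft.ServiceBus/*"], data_actions=["Microsoft.ServiceBus/*"])
SERVICE_BUS_DATA_SENDER = perm(
    actions=["Microsoft.ServiceBus/*/queues/read", "Microsoft.ServiceBus/*/topics/read",
             "Microsoft.ServiceBus/*/topics/subscriptions/read"],
    data_actions=["Microsoft.ServiceBus/*/send/action"])

# Constructed resource IDs (placeholder subscription, made-up names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APIM = SUB + "/resourceGroups/rg-api/providers/Microsoft.ApiManagement/service/apim-prod"
SB_NS = SUB + "/resourceGroups/rg-msg/providers/Microsoft.ServiceBus/namespaces/sb-prod"
SB_QUEUE = SB_NS + "/queues/orders"
# Assumption: these operation names come from the providers' operation lists, not this page.
LIST_KEYS = "Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action"
SEND = "Microsoft.ServiceBus/namespaces/messages/send/action"


def audit() -> dict:
    """Checks that illustrate the caveats in the listings above."""
    sender_on_orders = [{"scope": SB_QUEUE, "role": SERVICE_BUS_DATA_SENDER}]
    return {
        # service/*/read would match the user key read; NotActions carves it out
        "apim_reader_reads_user_keys": role_allows(
            APIM_SERVICE_READER, "Microsoft.ApiManagement/service/users/keys/read"),
        "apim_reader_reads_apis": role_allows(APIM_SERVICE_READER, "Microsoft.ApiManagement/service/apis/read"),
        # a 'Data Reader' that still carries one non-read data action
        "iot_reader_completes_upload_notification": role_allows(
            IOT_HUB_DATA_READER, "Microsoft.Devices/IotHubs/fileUpload/notifications/action", True),
        "iot_reader_writes_twin": role_allows(IOT_HUB_DATA_READER, "Microsoft.Devices/IotHubs/twins/write", True),
        # Data Owner's control-plane wildcard also covers listing SAS keys; Sender's does not
        "sb_owner_lists_keys": role_allows(SERVICE_BUS_DATA_OWNER, LIST_KEYS),
        "sb_sender_lists_keys": role_allows(SERVICE_BUS_DATA_SENDER, LIST_KEYS),
        # scope: an assignment on one queue does not reach a sibling queue
        "sender_sends_to_orders": principal_allows(sender_on_orders, SB_QUEUE, SEND, True),
        "sender_sends_to_audit": principal_allows(sender_on_orders, SB_NS + "/queues/audit", SEND, True),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check:42s} {result}")
```

Run it as a script to print each check, or import it and call `audit()` from an access review. Because effective access is a union of assignments, a principal that also holds Owner or Contributor at a higher scope will pass every check regardless of what a narrowly scoped role excludes; to see that, add the broader assignment to the list passed to `principal_allows`.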

Azure Stack Registration Owner

Lets you manage Azure Stack registrations.

Actions
  Microsoft.AzureStack/registrations/products/read
    Gets the properties of an Azure Stack Marketplace product
  Microsoft.AzureStack/registrations/read
    Gets the properties of an Azure Stack registration

{
  "description": "Lets you manage Azure Stack registrations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStack/edgeSubscriptions/read",
        "Microsoft.AzureStack/registrations/products/*/action",
        "Microsoft.AzureStack/registrations/products/read",
        "Microsoft.AzureStack/registrations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack Registration Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid Contributor

Lets you manage EventGrid operations.

{
  "description": "Lets you manage EventGrid operations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de",
  "name": "1e241071-0855-49ea-94dc-649edcd759de",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid Data Sender

Allows send access to Event Grid events.

{
  "description": "Allows send access to event grid events.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7",
  "name": "d5a91429-5739-47e2-a06b-3470a27159e7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/topics/read",
        "Microsoft.EventGrid/domains/read",
        "Microsoft.EventGrid/partnerNamespaces/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.EventGrid/events/send/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid Data Sender",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription Contributor

Lets you manage EventGrid event subscription operations.

Actions
  Microsoft.EventGrid/topicTypes/eventSubscriptions/read
    List global event subscriptions by topic type
  Microsoft.EventGrid/locations/eventSubscriptions/read
    List regional event subscriptions
  Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
    List regional event subscriptions by topic type
  Microsoft.Insights/alertRules/*
    Create and manage a classic metric alert
  Microsoft.Resources/deployments/*
    Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read
    Gets or lists resource groups.
  Microsoft.Support/*
    Create and update a support ticket

{
  "description": "Lets you manage EventGrid event subscription operations.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
  "name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/*",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid EventSubscription Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription Reader

Lets you read EventGrid event subscriptions.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.EventGrid/eventSubscriptions/read |  |
| Microsoft.EventGrid/topicTypes/eventSubscriptions/read | List global event subscriptions by topic type |
| Microsoft.EventGrid/locations/eventSubscriptions/read | List regional event subscriptions |
| Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read | List regional event subscriptions by topic type |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Lets you read EventGrid event subscriptions.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
  "name": "2414bbcf-6497-4faf-8c65-045460748405",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/eventSubscriptions/read",
        "Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "EventGrid EventSubscription Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

FHIR Data Contributor

Allows a user or principal full access to FHIR data. This is a pure data-plane role: it carries no control-plane actions, and its wildcard data actions include hard delete.

| Actions | Description |
| --- | --- |
| *none* |  |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| Microsoft.HealthcareApis/services/fhir/resources/* |  |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Role allows user or principal full access to FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
  "name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/*",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

FHIR Data Exporter

Allows a user or principal to read and export FHIR data.

| Actions | Description |
| --- | --- |
| *none* |  |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
| Microsoft.HealthcareApis/services/fhir/resources/export/action | Export operation ($export). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action | Export operation ($export). |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Role allows user or principal to read and export FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
  "name": "3db33094-8700-4567-8da5-1501d4e7e843",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/services/fhir/resources/export/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Exporter",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

FHIR Data Reader

Allows a user or principal to read FHIR data.

| Actions | Description |
| --- | --- |
| *none* |  |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| Microsoft.HealthcareApis/services/fhir/resources/read | Read FHIR resources (includes searching and versioned history). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | Read FHIR resources (includes searching and versioned history). |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Role allows user or principal to read FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
  "name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/read",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "FHIR Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

FHIR Data Writer

Allows a user or principal to read and write FHIR data. The wildcard data actions grant every FHIR operation; the hard-delete operation (which also removes version history) is then subtracted through NotDataActions, which is the only difference from FHIR Data Contributor.

| Actions | Description |
| --- | --- |
| *none* |  |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| Microsoft.HealthcareApis/services/fhir/resources/* |  |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/* |  |
| **NotDataActions** |  |
| Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action | Hard Delete (including version history). |
| Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action | Hard Delete (including version history). |

```json
{
  "description": "Role allows user or principal to read and write FHIR Data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
  "name": "3f88fce4-5892-4214-ae73-ba5294559913",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/*",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
      ],
      "notDataActions": [
        "Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action",
        "Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action"
      ]
    }
  ],
  "roleName": "FHIR Data Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Integration Service Environment Contributor

Lets you manage integration service environments, but not access to them.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Logic/integrationServiceEnvironments/* |  |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Lets you manage integration service environments, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
  "name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
        "Microsoft.Logic/integrationServiceEnvironments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Integration Service Environment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Integration Service Environment Developer

Allows developers to create and update workflows, integration accounts and API connections in integration service environments.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Logic/integrationServiceEnvironments/read | Reads the integration service environment. |
| Microsoft.Logic/integrationServiceEnvironments/*/join/action |  |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
  "name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Support/*",
        "Microsoft.Logic/integrationServiceEnvironments/read",
        "Microsoft.Logic/integrationServiceEnvironments/*/join/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Integration Service Environment Developer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Intelligent Systems Account Contributor

Lets you manage Intelligent Systems accounts, but not access to them.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.IntelligentSystems/accounts/* |  |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Lets you manage Intelligent Systems accounts, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
  "name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.IntelligentSystems/accounts/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Intelligent Systems Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Logic App Contributor

Lets you manage logic apps, but not change access to them. Note that the role includes `Microsoft.Storage/storageAccounts/listkeys/action`, `Microsoft.ClassicStorage/storageAccounts/listKeys/action` and `Microsoft.Web/sites/functions/listSecrets/action`; these return storage account keys and function keys for every storage account and function app inside the assignment scope, not only the ones a logic app uses, so assign the role at the narrowest scope that works.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ClassicStorage/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
| Microsoft.ClassicStorage/storageAccounts/read | Return the storage account with the given account. |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/metricAlerts/* |  |
| Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Insights/logdefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. |
| Microsoft.Insights/metricDefinitions/* | Read metric definitions (list of available metric types for a resource). |
| Microsoft.Logic/* | Manages Logic Apps resources. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Storage/storageAccounts/listkeys/action | Returns the access keys for the specified storage account. |
| Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Web/connectionGateways/* | Creates and manages a Connection Gateway. |
| Microsoft.Web/connections/* | Creates and manages a Connection. |
| Microsoft.Web/customApis/* | Creates and manages a Custom API. |
| Microsoft.Web/serverFarms/join/action | Joins an App Service Plan |
| Microsoft.Web/serverFarms/read | Get the properties on an App Service Plan |
| Microsoft.Web/sites/functions/listSecrets/action | List Function secrets. |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Lets you manage logic app, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
  "name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
        "Microsoft.ClassicStorage/storageAccounts/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/metricAlerts/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.Insights/logdefinitions/*",
        "Microsoft.Insights/metricDefinitions/*",
        "Microsoft.Logic/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listkeys/action",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*",
        "Microsoft.Web/connectionGateways/*",
        "Microsoft.Web/connections/*",
        "Microsoft.Web/customApis/*",
        "Microsoft.Web/serverFarms/join/action",
        "Microsoft.Web/serverFarms/read",
        "Microsoft.Web/sites/functions/listSecrets/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic App Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```
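Because a role like Logic App Contributor mixes management actions with credential-returning ones, it helps to scan role definitions mechanically for the operations that hand out keys or secrets. The script below is an added example, not code from this page or from Microsoft. It reads role definitions in the same JSON shape as the definitions on this page (the shape `az role definition list` also emits), applies Azure's Actions/NotActions matching (case-insensitive, `*` matching any characters including `/`), and reports which catalogued credential operations each role can call. The embedded Logic App Contributor and Logic App Operator entries are copied from the page; the third role is a constructed custom role that shows a wildcard grant narrowed by NotActions. `CREDENTIAL_OPERATIONS` is an assumed, non-exhaustive catalogue.

```python
"""Audit Azure role definitions for control-plane actions that return credentials.

Added example; not code from this page or from Microsoft. Role definitions are
read in the JSON shape used on this page / by `az role definition list`.
"""
import json
import re

# Assumed, non-exhaustive catalogue of operations that return keys or secrets.
CREDENTIAL_OPERATIONS = [
    "Microsoft.Storage/storageAccounts/listKeys/action",         # storage account keys
    "Microsoft.ClassicStorage/storageAccounts/listKeys/action",  # classic storage account keys
    "Microsoft.Web/sites/functions/listSecrets/action",          # function keys
    "Microsoft.Web/sites/config/list/action",                    # app settings / connection strings
]

# Two definitions copied from the page plus one constructed custom role.
ROLE_DEFINITIONS_JSON = """[
  {"roleName": "Logic App Contributor",
   "permissions": [{"actions": [
      "Microsoft.Authorization/*/read", "Microsoft.ClassicStorage/storageAccounts/listKeys/action",
      "Microsoft.ClassicStorage/storageAccounts/read", "Microsoft.Insights/alertRules/*",
      "Microsoft.Insights/metricAlerts/*", "Microsoft.Insights/diagnosticSettings/*",
      "Microsoft.Insights/logdefinitions/*", "Microsoft.Insights/metricDefinitions/*",
      "Microsoft.Logic/*", "Microsoft.Resources/deployments/*",
      "Microsoft.Resources/subscriptions/operationresults/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read",
      "Microsoft.Storage/storageAccounts/listkeys/action", "Microsoft.Storage/storageAccounts/read",
      "Microsoft.Support/*", "Microsoft.Web/connectionGateways/*", "Microsoft.Web/connections/*",
      "Microsoft.Web/customApis/*", "Microsoft.Web/serverFarms/join/action",
      "Microsoft.Web/serverFarms/read", "Microsoft.Web/sites/functions/listSecrets/action"],
     "notActions": []}]},
  {"roleName": "Logic App Operator",
   "permissions": [{"actions": [
      "Microsoft.Authorization/*/read", "Microsoft.Insights/alertRules/*/read",
      "Microsoft.Insights/metricAlerts/*/read", "Microsoft.Insights/diagnosticSettings/*/read",
      "Microsoft.Insights/metricDefinitions/*/read", "Microsoft.Logic/*/read",
      "Microsoft.Logic/workflows/disable/action", "Microsoft.Logic/workflows/enable/action",
      "Microsoft.Logic/workflows/validate/action", "Microsoft.Resources/deployments/operations/read",
      "Microsoft.Resources/subscriptions/operationresults/read",
      "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*",
      "Microsoft.Web/connectionGateways/*/read", "Microsoft.Web/connections/*/read",
      "Microsoft.Web/customApis/*/read", "Microsoft.Web/serverFarms/read"],
     "notActions": []}]},
  {"roleName": "Web Operator (constructed custom role)",
   "permissions": [{"actions": ["Microsoft.Web/*"],
                    "notActions": ["Microsoft.Web/sites/config/list/action"]}]}
]"""


def matches(pattern, operation):
    """Azure-style wildcard match: '*' matches any characters ('/' included); case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def grants(role, operation):
    """True when some Actions pattern matches the operation and no NotActions pattern does."""
    allowed = denied = False
    for perm in role["permissions"]:
        allowed |= any(matches(p, operation) for p in perm.get("actions", []))
        denied |= any(matches(p, operation) for p in perm.get("notActions", []))
    return allowed and not denied


def credential_operations(role, catalogue=CREDENTIAL_OPERATIONS):
    """Catalogue entries this role can call, in catalogue order."""
    return [op for op in catalogue if grants(role, op)]


def audit(role_definitions_json, catalogue=CREDENTIAL_OPERATIONS):
    """Map roleName -> credential-returning operations it grants; clean roles are omitted."""
    report = {}
    for role in json.loads(role_definitions_json):
        exposed = credential_operations(role, catalogue)
        if exposed:
            report[role["roleName"]] = exposed
    return report


if __name__ == "__main__":
    for name, ops in audit(ROLE_DEFINITIONS_JSON).items():
        print(name)
        for op in ops:
            print("   ", op)
```

Running it lists Logic App Contributor with the two `listKeys` operations and `listSecrets`, nothing for Logic App Operator, and only `listSecrets` for the constructed role, because its `Microsoft.Web/*` wildcard covers `sites/config/list/action` but NotActions removes it again. Feeding the full `az role definition list` output in place of the embedded string gives the same report for every built-in and custom role in a subscription.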

Logic App Operator

Lets you read, enable, and disable logic apps, but not edit or update them.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/*/read |  |
| Microsoft.Insights/metricAlerts/*/read |  |
| Microsoft.Insights/diagnosticSettings/*/read |  |
| Microsoft.Insights/metricDefinitions/*/read |  |
| Microsoft.Logic/*/read |  |
| Microsoft.Logic/workflows/disable/action |  |
| Microsoft.Logic/workflows/enable/action |  |
| Microsoft.Logic/workflows/validate/action |  |
| Microsoft.Resources/deployments/operations/read |  |
| Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Web/connectionGateways/*/read | Read Connection Gateways. |
| Microsoft.Web/connections/*/read | Read Connections. |
| Microsoft.Web/customApis/*/read | Read Custom API. |
| Microsoft.Web/serverFarms/read | Get the properties on an App Service Plan |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Lets you read, enable and disable logic app.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
  "name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*/read",
        "Microsoft.Insights/metricAlerts/*/read",
        "Microsoft.Insights/diagnosticSettings/*/read",
        "Microsoft.Insights/metricDefinitions/*/read",
        "Microsoft.Logic/*/read",
        "Microsoft.Logic/workflows/disable/action",
        "Microsoft.Logic/workflows/enable/action",
        "Microsoft.Logic/workflows/validate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Web/connectionGateways/*/read",
        "Microsoft.Web/connections/*/read",
        "Microsoft.Web/customApis/*/read",
        "Microsoft.Web/serverFarms/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Logic App Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Identity

Domain Services Contributor

Can manage Azure AD Domain Services and related network configurations. Alongside the `Microsoft.AAD/domainServices/*` wildcard, the role carries write and delete on virtual networks, subnets, peerings, network interfaces, network security groups, security rules, route tables and routes, so it is a broad network-administration role rather than a domain-services-only one.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/read |  |
| Microsoft.Resources/deployments/write |  |
| Microsoft.Resources/deployments/delete |  |
| Microsoft.Resources/deployments/cancel/action |  |
| Microsoft.Resources/deployments/validate/action |  |
| Microsoft.Resources/deployments/whatIf/action |  |
| Microsoft.Resources/deployments/exportTemplate/action |  |
| Microsoft.Resources/deployments/operations/read |  |
| Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Insights/AlertRules/Write | Create or update a classic metric alert |
| Microsoft.Insights/AlertRules/Delete | Delete a classic metric alert |
| Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
| Microsoft.Insights/AlertRules/Activated/Action | Classic metric alert activated |
| Microsoft.Insights/AlertRules/Resolved/Action | Classic metric alert resolved |
| Microsoft.Insights/AlertRules/Throttled/Action | Classic metric alert rule throttled |
| Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
| Microsoft.Insights/Logs/Read | Reading data from all your logs |
| Microsoft.Insights/Metrics/Read | Read metrics |
| Microsoft.Insights/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server |
| Microsoft.Insights/DiagnosticSettingsCategories/Read | Read diagnostic settings categories |
| Microsoft.AAD/register/action | Register Domain Service |
| Microsoft.AAD/unregister/action | Unregister Domain Service |
| Microsoft.AAD/domainServices/* |  |
| Microsoft.Network/register/action | Registers the subscription |
| Microsoft.Network/unregister/action | Unregisters the subscription |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/write | Creates a virtual network or updates an existing virtual network |
| Microsoft.Network/virtualNetworks/delete | Deletes a virtual network |
| Microsoft.Network/virtualNetworks/peer/action | Peers a virtual network with another virtual network |
| Microsoft.Network/virtualNetworks/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/subnets/write | Creates a virtual network subnet or updates an existing virtual network subnet |
| Microsoft.Network/virtualNetworks/subnets/delete | Deletes a virtual network subnet |
| Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable. |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | Creates a virtual network peering or updates an existing virtual network peering |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | Deletes a virtual network peering |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh |
| Microsoft.Network/azureFirewalls/read | Get Azure Firewall |
| Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan |
| Microsoft.Network/ddosProtectionPlans/join/action | Joins a DDoS Protection Plan. Not alertable. |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/loadBalancers/delete | Deletes a load balancer |
| Microsoft.Network/loadBalancers/*/read |  |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable. |
| Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound NAT rule. Not Alertable. |
| Microsoft.Network/natGateways/join/action | Joins a NAT Gateway |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface. |
| Microsoft.Network/networkInterfaces/delete | Deletes a network interface |
| Microsoft.Network/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
| Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
| Microsoft.Network/networkSecurityGroups/write | Creates a network security group or updates an existing network security group |
| Microsoft.Network/networkSecurityGroups/delete | Deletes a network security group |
| Microsoft.Network/networkSecurityGroups/join/action | Joins a network security group. Not Alertable. |
| Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
| Microsoft.Network/networkSecurityGroups/securityRules/write | Creates a security rule or updates an existing security rule |
| Microsoft.Network/networkSecurityGroups/securityRules/delete | Deletes a security rule |
| Microsoft.Network/routeTables/read | Gets a route table definition |
| Microsoft.Network/routeTables/write | Creates a route table or updates an existing route table |
| Microsoft.Network/routeTables/delete | Deletes a route table definition |
| Microsoft.Network/routeTables/join/action | Joins a route table. Not Alertable. |
| Microsoft.Network/routeTables/routes/read | Gets a route definition |
| Microsoft.Network/routeTables/routes/write | Creates a route or updates an existing route |
| Microsoft.Network/routeTables/routes/delete | Deletes a route definition |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Can manage Azure AD Domain Services and related network configurations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-47f6-8069-5d5bade478b2",
  "name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/Read",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/register/action",
        "Microsoft.AAD/unregister/action",
        "Microsoft.AAD/domainServices/*",
        "Microsoft.Network/register/action",
        "Microsoft.Network/unregister/action",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/write",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Network/virtualNetworks/peer/action",
        "Microsoft.Network/virtualNetworks/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/write",
        "Microsoft.Network/virtualNetworks/subnets/delete",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/ddosProtectionPlans/join/action",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/delete",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/natGateways/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "Microsoft.Network/networkSecurityGroups/securityRules/delete",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/routeTables/delete",
        "Microsoft.Network/routeTables/join/action",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/routes/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Domain Services Reader

Can view Azure AD Domain Services and related network configurations.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Resources/deployments/read |  |
| Microsoft.Resources/deployments/operations/read |  |
| Microsoft.Resources/deployments/operationstatuses/read | Gets or lists deployment operation statuses. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Insights/AlertRules/Read | Read a classic metric alert |
| Microsoft.Insights/AlertRules/Incidents/Read | Read a classic metric alert incident |
| Microsoft.Insights/Logs/Read | Reading data from all your logs |
| Microsoft.Insights/Metrics/read | Read metrics |
| Microsoft.Insights/DiagnosticSettings/read | Read a resource diagnostic setting |
| Microsoft.Insights/DiagnosticSettingsCategories/Read | Read diagnostic settings categories |
| Microsoft.AAD/domainServices/*/read |  |
| Microsoft.Network/virtualNetworks/read | Get the virtual network definition |
| Microsoft.Network/virtualNetworks/subnets/read | Gets a virtual network subnet definition |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Gets a virtual network peering definition |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read | Get the diagnostic settings of Virtual Network |
| Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read | Gets available metrics for the PingMesh |
| Microsoft.Network/azureFirewalls/read | Get Azure Firewall |
| Microsoft.Network/ddosProtectionPlans/read | Gets a DDoS Protection Plan |
| Microsoft.Network/loadBalancers/read | Gets a load balancer definition |
| Microsoft.Network/loadBalancers/*/read |  |
| Microsoft.Network/natGateways/read | Gets a NAT Gateway definition |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | Gets a default security rule definition |
| Microsoft.Network/networkSecurityGroups/read | Gets a network security group definition |
| Microsoft.Network/networkSecurityGroups/securityRules/read | Gets a security rule definition |
| Microsoft.Network/routeTables/read | Gets a route table definition |
| Microsoft.Network/routeTables/routes/read | Gets a route definition |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Can view Azure AD Domain Services and related network configurations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-48c2-849c-a832951106bb",
  "name": "361898ef-9ed1-48c2-849c-a832951106bb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Insights/Logs/Read",
        "Microsoft.Insights/Metrics/read",
        "Microsoft.Insights/DiagnosticSettings/read",
        "Microsoft.Insights/DiagnosticSettingsCategories/Read",
        "Microsoft.AAD/domainServices/*/read",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read",
        "Microsoft.Network/azureFirewalls/read",
        "Microsoft.Network/ddosProtectionPlans/read",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/*/read",
        "Microsoft.Network/natGateways/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/securityRules/read",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Domain Services Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Managed Identity Contributor

Create, read, update, and delete user-assigned identities.

| Actions | Description |
| --- | --- |
| Microsoft.ManagedIdentity/userAssignedIdentities/read | Gets an existing user assigned identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/write | Creates a new user assigned identity or updates the tags associated with an existing user assigned identity |
| Microsoft.ManagedIdentity/userAssignedIdentities/delete | Deletes an existing user assigned identity |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Create, Read, Update, and Delete User Assigned Identity",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Managed Identity Operator

Read and assign user-assigned identities. The `Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action` permission lets the holder attach an identity to any resource they can write (a virtual machine, a function app, and so on), after which code running on that resource can request tokens as the identity. Treat an assignment of this role as granting everything the identities in scope have been granted, and scope it to individual identities rather than to a subscription or resource group where possible.

| Actions | Description |
| --- | --- |
| Microsoft.ManagedIdentity/userAssignedIdentities/*/read |  |
| Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action |  |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Support/* | Create and update a support ticket |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Read and Assign User Assigned Identity",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
  "name": "f1a07417-d97a-45cb-824c-7a7467783830",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Identity Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Security

Attestation Contributor

Can read, write, or delete the attestation provider instance. This is a control-plane role over the provider resource itself; it carries no data actions, so it does not by itself cover attestation requests or policy operations against the provider's endpoint.

| Actions | Description |
| --- | --- |
| Microsoft.Attestation/attestationProviders/attestation/read |  |
| Microsoft.Attestation/attestationProviders/attestation/write |  |
| Microsoft.Attestation/attestationProviders/attestation/delete |  |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Can read write or delete the attestation provider instance",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read",
        "Microsoft.Attestation/attestationProviders/attestation/write",
        "Microsoft.Attestation/attestationProviders/attestation/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Attestation Reader

Can read the attestation provider properties.

| Actions | Description |
| --- | --- |
| Microsoft.Attestation/attestationProviders/attestation/read |  |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| *none* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Can read the attestation provider properties",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Attestation/attestationProviders/attestation/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Attestation Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Key Vault Administrator

Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.

| Actions | Description |
| --- | --- |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.KeyVault/checkNameAvailability/read | Checks that a key vault name is valid and is not in use |
| Microsoft.KeyVault/deletedVaults/read | View the properties of soft deleted key vaults |
| Microsoft.KeyVault/locations/*/read |  |
| Microsoft.KeyVault/vaults/*/read |  |
| Microsoft.KeyVault/operations/read | Lists operations available on Microsoft.KeyVault resource provider |
| **NotActions** |  |
| *none* |  |
| **DataActions** |  |
| Microsoft.KeyVault/vaults/* |  |
| **NotDataActions** |  |
| *none* |  |

```json
{
  "description": "Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
```

Key Vault Certificates Officer

Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Learn more

Actions
  Microsoft.KeyVault/checkNameAvailability/read - Checks that a key vault name is valid and is not in use
  Microsoft.KeyVault/deletedVaults/read - View the properties of soft deleted key vaults
  Microsoft.KeyVault/locations/*/read
  Microsoft.KeyVault/vaults/*/read
  Microsoft.KeyVault/operations/read - Lists operations available on Microsoft.KeyVault resource provider
NotActions
  none
DataActions
  Microsoft.KeyVault/vaults/certificatecas/*
  Microsoft.KeyVault/vaults/certificates/*
NotDataActions
  none

{
  "description": "Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985",
  "name": "a4417e6f-fecd-4de8-b567-7b0420556985",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/certificatecas/*",
        "Microsoft.KeyVault/vaults/certificates/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Certificates Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Contributor

Lets you manage key vaults, but does not allow you to assign roles in Azure RBAC or to access secrets, keys, or certificates.

{
  "description": "Lets you manage key vaults, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395",
  "name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.KeyVault/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.KeyVault/locations/deletedVaults/purge/action",
        "Microsoft.KeyVault/hsmPools/*",
        "Microsoft.KeyVault/managedHsms/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto Officer

Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.

Actions
  Microsoft.KeyVault/checkNameAvailability/read - Checks that a key vault name is valid and is not in use
  Microsoft.KeyVault/deletedVaults/read - View the properties of soft deleted key vaults
  Microsoft.KeyVault/locations/*/read
  Microsoft.KeyVault/vaults/*/read
  Microsoft.KeyVault/operations/read - Lists operations available on Microsoft.KeyVault resource provider
NotActions
  none
DataActions
  Microsoft.KeyVault/vaults/keys/*
  Microsoft.KeyVault/vaults/keyrotationpolicies/*
NotDataActions
  none

{
  "description": "Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/*",
        "Microsoft.KeyVault/vaults/keyrotationpolicies/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto Service Encryption User

Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.

DataActions
  Microsoft.KeyVault/vaults/keys/read - List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed.
  Microsoft.KeyVault/vaults/keys/wrap/action - Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access.
  Microsoft.KeyVault/vaults/keys/unwrap/action - Unwraps a symmetric key with a Key Vault key.
NotDataActions
  none

{
  "description": "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
  "permissions": [
    {
      "actions": [
        "Microsoft.EventGrid/eventSubscriptions/write",
        "Microsoft.EventGrid/eventSubscriptions/read",
        "Microsoft.EventGrid/eventSubscriptions/delete"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto Service Encryption User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto User

Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.

DataActions
  Microsoft.KeyVault/vaults/keys/read - List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed.
  Microsoft.KeyVault/vaults/keys/update/action - Updates the specified attributes associated with the given key.
  Microsoft.KeyVault/vaults/keys/backup/action - Creates the backup file of a key. The file can be used to restore the key in a Key Vault of the same subscription. Restrictions may apply.
  Microsoft.KeyVault/vaults/keys/encrypt/action - Encrypts plaintext with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access.
  Microsoft.KeyVault/vaults/keys/decrypt/action - Decrypts ciphertext with a key.
  Microsoft.KeyVault/vaults/keys/wrap/action - Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access.
  Microsoft.KeyVault/vaults/keys/unwrap/action - Unwraps a symmetric key with a Key Vault key.
  Microsoft.KeyVault/vaults/keys/sign/action - Signs a message digest (hash) with a key.
  Microsoft.KeyVault/vaults/keys/verify/action - Verifies the signature of a message digest (hash) with a key. Note that if the key is asymmetric, this operation can be performed by principals with read access.
NotDataActions
  none

{
  "description": "Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424",
  "name": "12338af0-0e69-4776-bea7-57ae8d297424",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/update/action",
        "Microsoft.KeyVault/vaults/keys/backup/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action",
        "Microsoft.KeyVault/vaults/keys/sign/action",
        "Microsoft.KeyVault/vaults/keys/verify/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Crypto User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Reader

Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.

Actions
  Microsoft.KeyVault/checkNameAvailability/read - Checks that a key vault name is valid and is not in use
  Microsoft.KeyVault/deletedVaults/read - View the properties of soft deleted key vaults
  Microsoft.KeyVault/locations/*/read
  Microsoft.KeyVault/vaults/*/read
  Microsoft.KeyVault/operations/read - Lists operations available on Microsoft.KeyVault resource provider
NotActions
  none
DataActions
  Microsoft.KeyVault/vaults/*/read
  Microsoft.KeyVault/vaults/secrets/readMetadata/action - List or view the properties of a secret, but not its value.
NotDataActions
  none

{
  "description": "Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2",
  "name": "21090545-7ca7-4776-b22c-e363652d74d2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Secrets Officer

Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.

Actions
  Microsoft.KeyVault/checkNameAvailability/read - Checks that a key vault name is valid and is not in use
  Microsoft.KeyVault/deletedVaults/read - View the properties of soft deleted key vaults
  Microsoft.KeyVault/locations/*/read
  Microsoft.KeyVault/vaults/*/read
  Microsoft.KeyVault/operations/read - Lists operations available on Microsoft.KeyVault resource provider
NotActions
  none
DataActions
  Microsoft.KeyVault/vaults/secrets/*
NotDataActions
  none

{
  "description": "Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.KeyVault/checkNameAvailability/read",
        "Microsoft.KeyVault/deletedVaults/read",
        "Microsoft.KeyVault/locations/*/read",
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/operations/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets Officer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Secrets User

Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.

DataActions
  Microsoft.KeyVault/vaults/secrets/readMetadata/action - List or view the properties of a secret, but not its value.
NotDataActions
  none

{
  "description": "Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6",
  "name": "4633458b-17de-408a-b874-0445c86b69e6",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Key Vault Secrets User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed HSM contributor

Lets you manage managed HSM pools, but not access to them.

Actions
  Microsoft.KeyVault/locations/deletedManagedHsms/read - View the properties of a deleted managed HSM
  Microsoft.KeyVault/locations/deletedManagedHsms/purge/action - Purge a soft deleted managed HSM
  Microsoft.KeyVault/locations/managedHsmOperationResults/read - Check the result of a long-running operation
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Lets you manage managed HSM pools, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d",
  "name": "18500a29-7fe2-46b2-a342-b16a415e101d",
  "permissions": [
    {
      "actions": [
        "Microsoft.KeyVault/managedHSMs/*",
        "Microsoft.KeyVault/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/read",
        "Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
        "Microsoft.KeyVault/locations/managedHsmOperationResults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed HSM contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Automation Contributor

Microsoft Sentinel Automation Contributor

Actions
  Microsoft.Logic/workflows/triggers/listCallbackUrl/action - Gets the callback URL for trigger.
  Microsoft.Logic/workflows/runs/read - Reads the workflow run.
  Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read - List Web Apps Hostruntime Workflow Triggers.
  Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action - Get Web Apps Hostruntime Workflow Trigger Uri.
  Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read - List Web Apps Hostruntime Workflow Runs.
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Microsoft Sentinel Automation Contributor",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Logic/workflows/triggers/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Logic/workflows/runs/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Automation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Contributor

Microsoft Sentinel Contributor

Actions
  Microsoft.OperationalInsights/workspaces/query/read - Run queries over the data in the workspace
  Microsoft.OperationalInsights/workspaces/query/*/read
  Microsoft.OperationalInsights/workspaces/dataSources/read - Get data source under a workspace.
  Microsoft.OperationalInsights/querypacks/*/read
  Microsoft.Insights/workbooks/*
  Microsoft.Insights/myworkbooks/read - Read a private Workbook
  Microsoft.Authorization/*/read - Read roles and role assignments
  Microsoft.Insights/alertRules/* - Create and manage a classic metric alert
  Microsoft.Resources/deployments/* - Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Support/* - Create and update a support ticket
NotActions
  Microsoft.SecurityInsights/ConfidentialWatchlists/*
  Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
  none
NotDataActions
  none

{
  "description": "Microsoft Sentinel Contributor",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
  "name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Playbook Operator

Microsoft Sentinel Playbook Operator

Actions
  Microsoft.Logic/workflows/triggers/listCallbackUrl/action - Gets the callback URL for trigger.
  Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action - Get Web Apps Hostruntime Workflow Trigger Uri.
  Microsoft.Web/sites/read - Get the properties of a Web App
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Microsoft Sentinel Playbook Operator",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-4900-b93f-92e23144cca5",
  "name": "51d6186e-6489-4900-b93f-92e23144cca5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Logic/workflows/read",
        "Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action",
        "Microsoft.Web/sites/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Playbook Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Reader

Microsoft Sentinel Reader

Actions
  Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action - Check user authorization and license
  Microsoft.SecurityInsights/threatIntelligence/indicators/query/action - Query Threat Intelligence Indicators
  Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action - Query Threat Intelligence Indicators
  Microsoft.OperationalInsights/workspaces/analytics/query/action - Search using new engine.
  Microsoft.OperationalInsights/workspaces/*/read - View log analytics data
  Microsoft.OperationalInsights/workspaces/LinkedServices/read - Get linked services under given workspace.
  Microsoft.OperationalInsights/workspaces/savedSearches/read - Gets a saved search query.
  Microsoft.OperationsManagement/solutions/read - Get existing OMS solution
  Microsoft.OperationalInsights/workspaces/query/read - Run queries over the data in the workspace
  Microsoft.OperationalInsights/workspaces/query/*/read
  Microsoft.OperationalInsights/querypacks/*/read
  Microsoft.OperationalInsights/workspaces/dataSources/read - Get data source under a workspace.
  Microsoft.Insights/workbooks/read - Read a workbook
  Microsoft.Insights/myworkbooks/read - Read a private Workbook
  Microsoft.Authorization/*/read - Read roles and role assignments
  Microsoft.Insights/alertRules/* - Create and manage a classic metric alert
  Microsoft.Resources/deployments/* - Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Resources/templateSpecs/*/read - Get or list template specs and template spec versions
  Microsoft.Support/* - Create and update a support ticket
NotActions
  Microsoft.SecurityInsights/ConfidentialWatchlists/*
  Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
  none
NotDataActions
  none

{
  "description": "Microsoft Sentinel Reader",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/LinkedServices/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/templateSpecs/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Responder

Microsoft Sentinel Responder

Actions
  Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action - Check user authorization and license
  Microsoft.SecurityInsights/automationRules/*
  Microsoft.SecurityInsights/cases/*
  Microsoft.SecurityInsights/incidents/*
  Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action - Append tags to Threat Intelligence Indicator
  Microsoft.SecurityInsights/threatIntelligence/indicators/query/action - Query Threat Intelligence Indicators
  Microsoft.SecurityInsights/threatIntelligence/bulkTag/action - Bulk Tags Threat Intelligence
  Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action - Append tags to Threat Intelligence Indicator
  Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action - Replace Tags of Threat Intelligence Indicator
  Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action - Query Threat Intelligence Indicators
  Microsoft.OperationalInsights/workspaces/analytics/query/action - Search using new engine.
  Microsoft.OperationalInsights/workspaces/*/read - View log analytics data
  Microsoft.OperationalInsights/workspaces/dataSources/read - Get data source under a workspace.
  Microsoft.OperationalInsights/workspaces/savedSearches/read - Gets a saved search query.
  Microsoft.OperationsManagement/solutions/read - Get existing OMS solution
  Microsoft.OperationalInsights/workspaces/query/read - Run queries over the data in the workspace
  Microsoft.OperationalInsights/workspaces/query/*/read
  Microsoft.OperationalInsights/workspaces/dataSources/read - Get data source under a workspace.
  Microsoft.OperationalInsights/querypacks/*/read
  Microsoft.Insights/workbooks/read - Read a workbook
  Microsoft.Insights/myworkbooks/read - Read a private Workbook
  Microsoft.Authorization/*/read - Read roles and role assignments
  Microsoft.Insights/alertRules/* - Create and manage a classic metric alert
  Microsoft.Resources/deployments/* - Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Support/* - Create and update a support ticket
NotActions
  Microsoft.SecurityInsights/cases/*/Delete
  Microsoft.SecurityInsights/incidents/*/Delete
  Microsoft.SecurityInsights/ConfidentialWatchlists/*
  Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
DataActions
  none
NotDataActions
  none

{
  "description": "Microsoft Sentinel Responder",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
  "permissions": [
    {
      "actions": [
        "Microsoft.SecurityInsights/*/read",
        "Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
        "Microsoft.SecurityInsights/automationRules/*",
        "Microsoft.SecurityInsights/cases/*",
        "Microsoft.SecurityInsights/incidents/*",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
        "Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action",
        "Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
        "Microsoft.OperationalInsights/workspaces/analytics/query/action",
        "Microsoft.OperationalInsights/workspaces/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/workspaces/savedSearches/read",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.OperationalInsights/workspaces/query/read",
        "Microsoft.OperationalInsights/workspaces/query/*/read",
        "Microsoft.OperationalInsights/workspaces/dataSources/read",
        "Microsoft.OperationalInsights/querypacks/*/read",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/myworkbooks/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [
        "Microsoft.SecurityInsights/cases/*/Delete",
        "Microsoft.SecurityInsights/incidents/*/Delete",
        "Microsoft.SecurityInsights/ConfidentialWatchlists/*",
        "Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Microsoft Sentinel Responder",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Admin

View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.

For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring.

Actions
  Microsoft.Management/managementGroups/read - List management groups for the authenticated user.
  Microsoft.operationalInsights/workspaces/*/read - View log analytics data
  Microsoft.Resources/deployments/* - Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Security/* - Create and manage security components and policies
  Microsoft.IoTSecurity/*
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Security Admin Role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Authorization/policyAssignments/*",
        "Microsoft.Authorization/policyDefinitions/*",
        "Microsoft.Authorization/policyExemptions/*",
        "Microsoft.Authorization/policySetDefinitions/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.IoTSecurity/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Assessment Contributor

Lets you push assessments to Microsoft Defender for Cloud.

Actions
  Microsoft.Security/assessments/write - Create or update security assessments on your subscription
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Lets you push assessments to Security Center",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Security/assessments/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Assessment Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Manager (Legacy)

This is a legacy role. Please use Security Admin instead.

Actions
  Microsoft.ClassicCompute/virtualMachines/*/write - Write configuration for classic virtual machines
  Microsoft.ClassicNetwork/*/read - Read configuration information about classic network
  Microsoft.Insights/alertRules/* - Create and manage a classic metric alert
  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
  Microsoft.Resources/deployments/* - Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Security/* - Create and manage security components and policies
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "This is a legacy role. Please use Security Administrator instead",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.ClassicCompute/*/read",
        "Microsoft.ClassicCompute/virtualMachines/*/write",
        "Microsoft.ClassicNetwork/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Manager (Legacy)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Security Reader

View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.

For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT monitoring.

Actions
  Microsoft.Security/iotDefenderSettings/packageDownloads/action - Gets downloadable IoT Defender packages information
  Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action - Download manager activation file with subscription quota data
  Microsoft.Security/iotSensors/downloadResetPassword/action - Downloads reset password file for IoT Sensors
  Microsoft.IoTSecurity/defenderSettings/packageDownloads/action - Gets downloadable IoT Defender packages information
  Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action - Download manager activation file
  Microsoft.Management/managementGroups/read - List management groups for the authenticated user.
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Security Reader Role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.operationalInsights/workspaces/*/read",
        "Microsoft.Resources/deployments/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Security/*/read",
        "Microsoft.IoTSecurity/*/read",
        "Microsoft.Support/*/read",
        "Microsoft.Security/iotDefenderSettings/packageDownloads/action",
        "Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
        "Microsoft.Security/iotSensors/downloadResetPassword/action",
        "Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",
        "Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
        "Microsoft.Management/managementGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Security Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

DevOps

DevTest Labs User

Lets you connect, start, restart, and shut down your virtual machines in your Azure DevTest Labs.

Actions
Microsoft.Compute/virtualMachines/*/read | Read the properties of a virtual machine (VM sizes, runtime status, VM extensions, etc.)
Microsoft.Compute/virtualMachines/deallocate/action | Powers off the virtual machine and releases the compute resources
Microsoft.Compute/virtualMachines/read | Get the properties of a virtual machine
Microsoft.Compute/virtualMachines/restart/action | Restarts the virtual machine
Microsoft.Compute/virtualMachines/start/action | Starts the virtual machine
Microsoft.DevTestLab/*/read | Read the properties of a lab
Microsoft.DevTestLab/labs/claimAnyVm/action | Claim a random claimable virtual machine in the lab.
Microsoft.DevTestLab/labs/createEnvironment/action | Create virtual machines in a lab.
Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action | Ensure the current user has a valid profile in the lab.
Microsoft.DevTestLab/labs/formulas/delete | Delete formulas.
Microsoft.DevTestLab/labs/formulas/read | Read formulas.
Microsoft.DevTestLab/labs/formulas/write | Add or modify formulas.
Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action | Evaluates lab policy.
Microsoft.DevTestLab/labs/virtualMachines/claim/action | Take ownership of an existing virtual machine
Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action | Lists the applicable start/stop schedules, if any.
Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action | Gets a string that represents the contents of the RDP file for the virtual machine
Microsoft.Network/loadBalancers/backendAddressPools/join/action | Joins a load balancer backend address pool. Not Alertable.
Microsoft.Network/loadBalancers/inboundNatRules/join/action | Joins a load balancer inbound nat rule. Not Alertable.
Microsoft.Network/networkInterfaces/*/read | Read the properties of a network interface (for example, all the load balancers that the network interface is a part of)
Microsoft.Network/networkInterfaces/join/action | Joins a Virtual Machine to a network interface. Not Alertable.
Microsoft.Network/networkInterfaces/read | Gets a network interface definition.
Microsoft.Network/networkInterfaces/write | Creates a network interface or updates an existing network interface.
Microsoft.Network/publicIPAddresses/*/read | Read the properties of a public IP address
Microsoft.Network/publicIPAddresses/join/action | Joins a public ip address. Not Alertable.
Microsoft.Network/publicIPAddresses/read | Gets a public ip address definition.
Microsoft.Network/virtualNetworks/subnets/join/action | Joins a virtual network. Not Alertable.
Microsoft.Resources/deployments/operations/read | Gets or lists deployment operations.
Microsoft.Resources/deployments/read | Gets or lists deployments.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Storage/storageAccounts/listKeys/action | Returns the access keys for the specified storage account.
NotActions
Microsoft.Compute/virtualMachines/vmSizes/read | Lists available sizes the virtual machine can be updated to
DataActions
none
NotDataActions
none

{
  "description": "Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64",
  "name": "76283e04-6283-4c54-8f91-bcf1374a3c64",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Compute/availabilitySets/read",
        "Microsoft.Compute/virtualMachines/*/read",
        "Microsoft.Compute/virtualMachines/deallocate/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.DevTestLab/*/read",
        "Microsoft.DevTestLab/labs/claimAnyVm/action",
        "Microsoft.DevTestLab/labs/createEnvironment/action",
        "Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action",
        "Microsoft.DevTestLab/labs/formulas/delete",
        "Microsoft.DevTestLab/labs/formulas/read",
        "Microsoft.DevTestLab/labs/formulas/write",
        "Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action",
        "Microsoft.DevTestLab/labs/virtualMachines/claim/action",
        "Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action",
        "Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/inboundNatRules/join/action",
        "Microsoft.Network/networkInterfaces/*/read",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/publicIPAddresses/*/read",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/listKeys/action"
      ],
      "notActions": [
        "Microsoft.Compute/virtualMachines/vmSizes/read"
      ],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "DevTest Labs User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lab Assistant

Enables you to view an existing lab, perform actions on the lab VMs, and send invitations to the lab.

Actions
Microsoft.LabServices/labs/users/invite/action | Send email invitation to a user to join the lab.
Microsoft.LabServices/labs/virtualMachines/read | Get the properties of a virtual machine.
Microsoft.LabServices/labs/virtualMachines/start/action | Start a virtual machine.
Microsoft.LabServices/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine.
Microsoft.LabServices/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image.
Microsoft.LabServices/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node.
Microsoft.LabServices/locations/usages/read | Get Usage in a location
Microsoft.LabServices/skus/read | Get the properties of a Lab Services SKU.
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none

{
  "description": "The lab assistant role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-4313-a93f-9b28290b72e1",
  "name": "ce40b423-cede-4313-a93f-9b28290b72e1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.LabServices/labPlans/images/read",
        "Microsoft.LabServices/labPlans/read",
        "Microsoft.LabServices/labs/read",
        "Microsoft.LabServices/labs/schedules/read",
        "Microsoft.LabServices/labs/users/read",
        "Microsoft.LabServices/labs/users/invite/action",
        "Microsoft.LabServices/labs/virtualMachines/read",
        "Microsoft.LabServices/labs/virtualMachines/start/action",
        "Microsoft.LabServices/labs/virtualMachines/stop/action",
        "Microsoft.LabServices/labs/virtualMachines/reimage/action",
        "Microsoft.LabServices/labs/virtualMachines/redeploy/action",
        "Microsoft.LabServices/locations/usages/read",
        "Microsoft.LabServices/skus/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Lab Assistant",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lab Contributor

Applied at the lab level, lets you manage the lab. Applied at the resource group level, lets you create and manage labs.

Actions
Microsoft.LabServices/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan.
Microsoft.LabServices/labs/read | Get the properties of a lab.
Microsoft.LabServices/labs/write | Create new or update an existing lab.
Microsoft.LabServices/labs/delete | Delete the lab and all its users, schedules and virtual machines.
Microsoft.LabServices/labs/publish/action | Publish a lab by propagating image of the template virtual machine to all virtual machines in the lab.
Microsoft.LabServices/labs/syncGroup/action | Updates the list of users from the Active Directory group assigned to the lab.
Microsoft.LabServices/labs/schedules/read | Get the properties of a schedule.
Microsoft.LabServices/labs/schedules/write | Create new or update an existing schedule.
Microsoft.LabServices/labs/schedules/delete | Delete the schedule.
Microsoft.LabServices/labs/users/read | Get the properties of a user.
Microsoft.LabServices/labs/users/write | Create new or update an existing user.
Microsoft.LabServices/labs/users/delete | Delete the user.
Microsoft.LabServices/labs/users/invite/action | Send email invitation to a user to join the lab.
Microsoft.LabServices/labs/virtualMachines/read | Get the properties of a virtual machine.
Microsoft.LabServices/labs/virtualMachines/start/action | Start a virtual machine.
Microsoft.LabServices/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine.
Microsoft.LabServices/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image.
Microsoft.LabServices/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node.
Microsoft.LabServices/labs/virtualMachines/resetPassword/action | Reset local user's password on a virtual machine.
Microsoft.LabServices/locations/usages/read | Get Usage in a location
Microsoft.LabServices/skus/read | Get the properties of a Lab Services SKU.
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
NotActions
none
DataActions
Microsoft.LabServices/labPlans/createLab/action | Create a new lab from a lab plan.
NotDataActions
none

{
  "description": "The lab contributor role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-407c-9122-bba179798270",
  "name": "5daaa2af-1fe8-407c-9122-bba179798270",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.LabServices/labPlans/images/read",
        "Microsoft.LabServices/labPlans/read",
        "Microsoft.LabServices/labPlans/saveImage/action",
        "Microsoft.LabServices/labs/read",
        "Microsoft.LabServices/labs/write",
        "Microsoft.LabServices/labs/delete",
        "Microsoft.LabServices/labs/publish/action",
        "Microsoft.LabServices/labs/syncGroup/action",
        "Microsoft.LabServices/labs/schedules/read",
        "Microsoft.LabServices/labs/schedules/write",
        "Microsoft.LabServices/labs/schedules/delete",
        "Microsoft.LabServices/labs/users/read",
        "Microsoft.LabServices/labs/users/write",
        "Microsoft.LabServices/labs/users/delete",
        "Microsoft.LabServices/labs/users/invite/action",
        "Microsoft.LabServices/labs/virtualMachines/read",
        "Microsoft.LabServices/labs/virtualMachines/start/action",
        "Microsoft.LabServices/labs/virtualMachines/stop/action",
        "Microsoft.LabServices/labs/virtualMachines/reimage/action",
        "Microsoft.LabServices/labs/virtualMachines/redeploy/action",
        "Microsoft.LabServices/labs/virtualMachines/resetPassword/action",
        "Microsoft.LabServices/locations/usages/read",
        "Microsoft.LabServices/skus/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.LabServices/labPlans/createLab/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Lab Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lab Creator

Lets you create new labs under your Azure Lab Accounts.

Actions
Microsoft.LabServices/labAccounts/getPricingAndAvailability/action | Get the pricing and availability of combinations of sizes, geographies, and operating systems for the lab account.
Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action | Get core restrictions and usage for this subscription
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert
Microsoft.LabServices/labPlans/images/read | Get the properties of an image.
Microsoft.LabServices/labPlans/read | Get the properties of a lab plan.
Microsoft.LabServices/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan.
Microsoft.LabServices/labs/read | Get the properties of a lab.
Microsoft.LabServices/labs/schedules/read | Get the properties of a schedule.
Microsoft.LabServices/labs/users/read | Get the properties of a user.
Microsoft.LabServices/labs/virtualMachines/read | Get the properties of a virtual machine.
Microsoft.LabServices/locations/usages/read | Get Usage in a location
Microsoft.LabServices/skus/read | Get the properties of a Lab Services SKU.
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket
NotActions
none
DataActions
Microsoft.LabServices/labPlans/createLab/action | Create a new lab from a lab plan.
NotDataActions
none

{
  "description": "Lets you create new labs under your Azure Lab Accounts.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
  "name": "b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.LabServices/labAccounts/*/read",
        "Microsoft.LabServices/labAccounts/createLab/action",
        "Microsoft.LabServices/labAccounts/getPricingAndAvailability/action",
        "Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.LabServices/labPlans/images/read",
        "Microsoft.LabServices/labPlans/read",
        "Microsoft.LabServices/labPlans/saveImage/action",
        "Microsoft.LabServices/labs/read",
        "Microsoft.LabServices/labs/schedules/read",
        "Microsoft.LabServices/labs/users/read",
        "Microsoft.LabServices/labs/virtualMachines/read",
        "Microsoft.LabServices/locations/usages/read",
        "Microsoft.LabServices/skus/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.LabServices/labPlans/createLab/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Lab Creator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lab Operator

Gives you limited ability to manage existing labs.

Actions
Microsoft.LabServices/labPlans/saveImage/action | Create an image from a virtual machine in the gallery attached to the lab plan.
Microsoft.LabServices/labs/publish/action | Publish a lab by propagating image of the template virtual machine to all virtual machines in the lab.
Microsoft.LabServices/labs/read | Get the properties of a lab.
Microsoft.LabServices/labs/schedules/read | Get the properties of a schedule.
Microsoft.LabServices/labs/schedules/write | Create new or update an existing schedule.
Microsoft.LabServices/labs/schedules/delete | Delete the schedule.
Microsoft.LabServices/labs/users/read | Get the properties of a user.
Microsoft.LabServices/labs/users/write | Create new or update an existing user.
Microsoft.LabServices/labs/users/delete | Delete the user.
Microsoft.LabServices/labs/users/invite/action | Send email invitation to a user to join the lab.
Microsoft.LabServices/labs/virtualMachines/read | Get the properties of a virtual machine.
Microsoft.LabServices/labs/virtualMachines/start/action | Start a virtual machine.
Microsoft.LabServices/labs/virtualMachines/stop/action | Stop and deallocate a virtual machine.
Microsoft.LabServices/labs/virtualMachines/reimage/action | Reimage a virtual machine to the last published image.
Microsoft.LabServices/labs/virtualMachines/redeploy/action | Redeploy a virtual machine to a different compute node.
Microsoft.LabServices/labs/virtualMachines/resetPassword/action | Reset local user's password on a virtual machine.
Microsoft.LabServices/locations/usages/read | Get Usage in a location
Microsoft.LabServices/skus/read | Get the properties of a Lab Services SKU.
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none

{
  "description": "The lab operator role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-4b12-8e9f-ef4b474d304d",
  "name": "a36e6959-b6be-4b12-8e9f-ef4b474d304d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.LabServices/labPlans/images/read",
        "Microsoft.LabServices/labPlans/read",
        "Microsoft.LabServices/labPlans/saveImage/action",
        "Microsoft.LabServices/labs/publish/action",
        "Microsoft.LabServices/labs/read",
        "Microsoft.LabServices/labs/schedules/read",
        "Microsoft.LabServices/labs/schedules/write",
        "Microsoft.LabServices/labs/schedules/delete",
        "Microsoft.LabServices/labs/users/read",
        "Microsoft.LabServices/labs/users/write",
        "Microsoft.LabServices/labs/users/delete",
        "Microsoft.LabServices/labs/users/invite/action",
        "Microsoft.LabServices/labs/virtualMachines/read",
        "Microsoft.LabServices/labs/virtualMachines/start/action",
        "Microsoft.LabServices/labs/virtualMachines/stop/action",
        "Microsoft.LabServices/labs/virtualMachines/reimage/action",
        "Microsoft.LabServices/labs/virtualMachines/redeploy/action",
        "Microsoft.LabServices/labs/virtualMachines/resetPassword/action",
        "Microsoft.LabServices/locations/usages/read",
        "Microsoft.LabServices/skus/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Lab Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lab Services Contributor

Enables you to fully control all Lab Services scenarios in the resource group.

{
  "description": "The lab services contributor role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-41d6-b77a-a4bc3c0a966f",
  "name": "f69b8690-cc87-41d6-b77a-a4bc3c0a966f",
  "permissions": [
    {
      "actions": [
        "Microsoft.LabServices/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.LabServices/labPlans/createLab/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Lab Services Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Lab Services Reader

Enables you to view, but not change, all lab plans and lab resources.

{
  "description": "The lab services reader role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc",
  "name": "2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc",
  "permissions": [
    {
      "actions": [
        "Microsoft.LabServices/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Lab Services Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Monitor

Application Insights Component Contributor

Can manage Application Insights components.

Actions
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none

{
  "description": "Can manage Application Insights components",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e",
  "name": "ae349356-3a1b-4a5e-921d-050484c6347e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/generateLiveToken/read",
        "Microsoft.Insights/metricAlerts/*",
        "Microsoft.Insights/components/*",
        "Microsoft.Insights/scheduledqueryrules/*",
        "Microsoft.Insights/topology/read",
        "Microsoft.Insights/transactions/read",
        "Microsoft.Insights/webtests/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Application Insights Component Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Application Insights Snapshot Debugger

Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. When giving users the Application Insights Snapshot Debugger role, you must grant the role directly to the user. The role is not recognized when it is added to a custom role.

{
  "description": "Gives user permission to use Application Insights Snapshot Debugger features",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b",
  "name": "08954f03-6346-4c2e-81c0-ec3a5cfae23b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Insights/components/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Application Insights Snapshot Debugger",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Monitoring Contributor

Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor.

Actions
Microsoft.Insights/DiagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.Insights/eventtypes/* | List Activity Log events (management events) in a subscription. This permission is applicable to both programmatic and portal access to the Activity Log.
Microsoft.Insights/LogDefinitions/* | This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log.
Microsoft.Insights/metricalerts/* |
Microsoft.Insights/MetricDefinitions/* | Read metric definitions (list of available metric types for a resource).
Microsoft.Insights/Metrics/* | Read metrics for a resource.
Microsoft.Insights/notificationStatus/* |
Microsoft.Insights/Register/Action | Register the Microsoft Insights provider
Microsoft.Insights/scheduledqueryrules/* |
Microsoft.Insights/webtests/* | Create and manage Insights web tests
Microsoft.Insights/workbooks/* |
Microsoft.Insights/workbooktemplates/* |
Microsoft.Insights/privateLinkScopes/* |
Microsoft.Insights/privateLinkScopeOperationStatuses/* |
Microsoft.OperationalInsights/workspaces/write | Creates a new workspace or links to an existing workspace by providing the customer id from the existing workspace.
Microsoft.OperationalInsights/workspaces/intelligencepacks/* | Read/write/delete log analytics solution packs.
Microsoft.OperationalInsights/workspaces/savedSearches/* | Read/write/delete log analytics saved searches.
Microsoft.OperationalInsights/workspaces/search/action | Executes a search query
Microsoft.OperationalInsights/workspaces/sharedKeys/action | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace.
Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* | Read/write/delete log analytics storage insight configurations.
Microsoft.Support/* | Create and update a support ticket
Microsoft.WorkloadMonitor/monitors/* | Get information about guest VM health monitors.
Microsoft.AlertsManagement/smartDetectorAlertRules/* |
Microsoft.AlertsManagement/actionRules/* |
Microsoft.AlertsManagement/smartGroups/* |
Microsoft.AlertsManagement/migrateFromSmartDetection/* |
NotActions
none
DataActions
none
NotDataActions
none

{
  "description": "Can read all monitoring data and update monitoring settings.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
  "name": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.AlertsManagement/alerts/*",
        "Microsoft.AlertsManagement/alertsSummary/*",
        "Microsoft.Insights/actiongroups/*",
        "Microsoft.Insights/activityLogAlerts/*",
        "Microsoft.Insights/AlertRules/*",
        "Microsoft.Insights/components/*",
        "Microsoft.Insights/createNotifications/*",
        "Microsoft.Insights/dataCollectionEndpoints/*",
        "Microsoft.Insights/dataCollectionRules/*",
        "Microsoft.Insights/dataCollectionRuleAssociations/*",
        "Microsoft.Insights/DiagnosticSettings/*",
        "Microsoft.Insights/eventtypes/*",
        "Microsoft.Insights/LogDefinitions/*",
        "Microsoft.Insights/metricalerts/*",
        "Microsoft.Insights/MetricDefinitions/*",
        "Microsoft.Insights/Metrics/*",
        "Microsoft.Insights/notificationStatus/*",
        "Microsoft.Insights/Register/Action",
        "Microsoft.Insights/scheduledqueryrules/*",
        "Microsoft.Insights/webtests/*",
        "Microsoft.Insights/workbooks/*",
        "Microsoft.Insights/workbooktemplates/*",
        "Microsoft.Insights/privateLinkScopes/*",
        "Microsoft.Insights/privateLinkScopeOperationStatuses/*",
        "Microsoft.OperationalInsights/workspaces/write",
        "Microsoft.OperationalInsights/workspaces/intelligencepacks/*",
        "Microsoft.OperationalInsights/workspaces/savedSearches/*",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action",
        "Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*",
        "Microsoft.Support/*",
        "Microsoft.WorkloadMonitor/monitors/*",
        "Microsoft.AlertsManagement/smartDetectorAlertRules/*",
        "Microsoft.AlertsManagement/actionRules/*",
        "Microsoft.AlertsManagement/smartGroups/*",
        "Microsoft.AlertsManagement/migrateFromSmartDetection/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Monitoring Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Monitoring Metrics Publisher

Enables publishing metrics against Azure resources.

{
  "description": "Enables publishing metrics against Azure resources",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb",
  "name": "3913510d-42f4-4e42-8a64-420c390055eb",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/Register/Action",
        "Microsoft.Support/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Insights/Metrics/Write",
        "Microsoft.Insights/Telemetry/Write"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Monitoring Metrics Publisher",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Monitoring Reader

Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor.

{
  "description": "Can read all monitoring data.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05",
  "name": "43d0d8ad-25c7-4714-9337-8ba259a9fe05",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.OperationalInsights/workspaces/search/action",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Monitoring Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Workbook Contributor

Can save shared workbooks.

{
  "description": "Can save shared workbooks.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad",
  "name": "e8ddcd69-c73f-4f9f-9844-4100522f16ad",
  "permissions": [
    {
      "actions": [
        "Microsoft.Insights/workbooks/write",
        "Microsoft.Insights/workbooks/delete",
        "Microsoft.Insights/workbooks/read",
        "Microsoft.Insights/workbooks/revisions/read",
        "Microsoft.Insights/workbooktemplates/write",
        "Microsoft.Insights/workbooktemplates/delete",
        "Microsoft.Insights/workbooktemplates/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Workbook Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Workbook Reader

Can read workbooks.

{
  "description": "Can read workbooks.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d",
  "name": "b279062a-9be3-42a0-92ae-8b3cf002ec4d",
  "permissions": [
    {
      "actions": [
        "microsoft.insights/workbooks/read",
        "microsoft.insights/workbooks/revisions/read",
        "microsoft.insights/workbooktemplates/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Workbook Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Management and governance

Automation Contributor

Manage Azure Automation resources and other resources using Azure Automation.

Actions
Microsoft.Insights/diagnosticSettings/* | Creates, updates, or reads the diagnostic setting for Analysis Server
Microsoft.OperationalInsights/workspaces/sharedKeys/action | Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace.
NotActions
none
DataActions
none
NotDataActions
none

{
  "description": "Manage azure automation resources and other resources using azure automation.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867",
  "name": "f353d9bd-d4a6-484e-a77a-8050b599b867",
  "permissions": [
    {
      "actions": [
        "Microsoft.Automation/automationAccounts/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Insights/ActionGroups/*",
        "Microsoft.Insights/ActivityLogAlerts/*",
        "Microsoft.Insights/MetricAlerts/*",
        "Microsoft.Insights/ScheduledQueryRules/*",
        "Microsoft.Insights/diagnosticSettings/*",
        "Microsoft.OperationalInsights/workspaces/sharedKeys/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Automation Job Operator

Create and manage jobs using Automation runbooks.

Actions
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read | Reads a Hybrid Runbook Worker Group
Microsoft.Automation/automationAccounts/jobs/read | Gets an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/resume/action | Resumes an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/stop/action | Stops an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/streams/read | Gets an Azure Automation job stream
Microsoft.Automation/automationAccounts/jobs/suspend/action | Suspends an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/write | Creates an Azure Automation job
Microsoft.Automation/automationAccounts/jobs/output/read | Gets the output of a job
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket
NotActions
none
DataActions
none
NotDataActions
none

{
  "description": "Create and Manage Jobs using Automation Runbooks.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f",
  "name": "4fe576fe-1146-4730-92eb-48519fa6bf9f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
        "Microsoft.Automation/automationAccounts/jobs/read",
        "Microsoft.Automation/automationAccounts/jobs/resume/action",
        "Microsoft.Automation/automationAccounts/jobs/stop/action",
        "Microsoft.Automation/automationAccounts/jobs/streams/read",
        "Microsoft.Automation/automationAccounts/jobs/suspend/action",
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/jobs/output/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Job Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Automation Operator

Automation Operators are able to start, stop, suspend, and resume jobs Learn more

Actions
  Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read - Reads a Hybrid Runbook Worker Group
  Microsoft.Automation/automationAccounts/jobs/read - Gets an Azure Automation job
  Microsoft.Automation/automationAccounts/jobs/resume/action - Resumes an Azure Automation job
  Microsoft.Automation/automationAccounts/jobs/stop/action - Stops an Azure Automation job
  Microsoft.Automation/automationAccounts/jobs/streams/read - Gets an Azure Automation job stream
  Microsoft.Automation/automationAccounts/jobs/suspend/action - Suspends an Azure Automation job
  Microsoft.Automation/automationAccounts/jobs/write - Creates an Azure Automation job
  Microsoft.Automation/automationAccounts/jobSchedules/read - Gets an Azure Automation job schedule
  Microsoft.Automation/automationAccounts/jobSchedules/write - Creates an Azure Automation job schedule
  Microsoft.Automation/automationAccounts/linkedWorkspace/read - Gets the workspace linked to the automation account
  Microsoft.Automation/automationAccounts/read - Gets an Azure Automation account
  Microsoft.Automation/automationAccounts/runbooks/read - Gets an Azure Automation runbook
  Microsoft.Automation/automationAccounts/schedules/read - Gets an Azure Automation schedule asset
  Microsoft.Automation/automationAccounts/schedules/write - Creates or updates an Azure Automation schedule asset
  Microsoft.Insights/alertRules/* - Create and manage a classic metric alert
  Microsoft.ResourceHealth/availabilityStatuses/read - Gets the availability statuses for all resources in the specified scope
  Microsoft.Resources/deployments/* - Create and manage a deployment
  Microsoft.Automation/automationAccounts/jobs/output/read - Gets the output of a job
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Automation Operators are able to start, stop, suspend, and resume jobs",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404",
  "name": "d3881f73-407a-4167-8283-e981cbba0404",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
        "Microsoft.Automation/automationAccounts/jobs/read",
        "Microsoft.Automation/automationAccounts/jobs/resume/action",
        "Microsoft.Automation/automationAccounts/jobs/stop/action",
        "Microsoft.Automation/automationAccounts/jobs/streams/read",
        "Microsoft.Automation/automationAccounts/jobs/suspend/action",
        "Microsoft.Automation/automationAccounts/jobs/write",
        "Microsoft.Automation/automationAccounts/jobSchedules/read",
        "Microsoft.Automation/automationAccounts/jobSchedules/write",
        "Microsoft.Automation/automationAccounts/linkedWorkspace/read",
        "Microsoft.Automation/automationAccounts/read",
        "Microsoft.Automation/automationAccounts/runbooks/read",
        "Microsoft.Automation/automationAccounts/schedules/read",
        "Microsoft.Automation/automationAccounts/schedules/write",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Automation/automationAccounts/jobs/output/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Automation Runbook Operator

Read Runbook properties - to be able to create Jobs of the runbook. Learn more

{
  "description": "Read Runbook properties - to be able to create Jobs of the runbook.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
  "name": "5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Automation/automationAccounts/runbooks/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Automation Runbook Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Enabled Kubernetes Cluster User Role

List cluster user credentials action.

Actions
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action - List clusterUser credential (preview)
  Microsoft.Authorization/*/read - Read roles and role assignments
  Microsoft.Insights/alertRules/* - Create and manage a classic metric alert
  Microsoft.Support/* - Create and update a support ticket
  Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action - List clusterUser credential
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "List cluster user credentials action.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Admin

Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. Learn more

Actions
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read - Reads controllerrevisions
  Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
  Microsoft.Kubernetes/connectedClusters/apps/deployments/*
  Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
  Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
  Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write - Writes localsubjectaccessreviews
  Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
  Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
  Microsoft.Kubernetes/connectedClusters/batch/jobs/*
  Microsoft.Kubernetes/connectedClusters/configmaps/*
  Microsoft.Kubernetes/connectedClusters/endpoints/*
  Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read - Reads events
  Microsoft.Kubernetes/connectedClusters/events/read - Reads events
  Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
  Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
  Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
  Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
  Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
  Microsoft.Kubernetes/connectedClusters/limitranges/read - Reads limitranges
  Microsoft.Kubernetes/connectedClusters/namespaces/read - Reads namespaces
  Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
  Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
  Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
  Microsoft.Kubernetes/connectedClusters/pods/*
  Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
  Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
  Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
  Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
  Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
  Microsoft.Kubernetes/connectedClusters/resourcequotas/read - Reads resourcequotas
  Microsoft.Kubernetes/connectedClusters/secrets/*
  Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
  Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
  none

{
  "description": "Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*",
        "Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Cluster Admin

Lets you manage all resources in the cluster. Learn more

Actions
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  Microsoft.Kubernetes/connectedClusters/*
NotDataActions
  none

{
  "description": "Lets you manage all resources in the cluster.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Cluster Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Viewer

Lets you view all resources in cluster/namespace, except secrets. Learn more

Actions
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read - Reads controllerrevisions
  Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read - Reads daemonsets
  Microsoft.Kubernetes/connectedClusters/apps/deployments/read - Reads deployments
  Microsoft.Kubernetes/connectedClusters/apps/replicasets/read - Reads replicasets
  Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read - Reads statefulsets
  Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read - Reads horizontalpodautoscalers
  Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read - Reads cronjobs
  Microsoft.Kubernetes/connectedClusters/batch/jobs/read - Reads jobs
  Microsoft.Kubernetes/connectedClusters/configmaps/read - Reads configmaps
  Microsoft.Kubernetes/connectedClusters/endpoints/read - Reads endpoints
  Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read - Reads events
  Microsoft.Kubernetes/connectedClusters/events/read - Reads events
  Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read - Reads daemonsets
  Microsoft.Kubernetes/connectedClusters/extensions/deployments/read - Reads deployments
  Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read - Reads ingresses
  Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read - Reads networkpolicies
  Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read - Reads replicasets
  Microsoft.Kubernetes/connectedClusters/limitranges/read - Reads limitranges
  Microsoft.Kubernetes/connectedClusters/namespaces/read - Reads namespaces
  Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read - Reads ingresses
  Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read - Reads networkpolicies
  Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read - Reads persistentvolumeclaims
  Microsoft.Kubernetes/connectedClusters/pods/read - Reads pods
  Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read - Reads poddisruptionbudgets
  Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read - Reads replicationcontrollers
  Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read - Reads replicationcontrollers
  Microsoft.Kubernetes/connectedClusters/resourcequotas/read - Reads resourcequotas
  Microsoft.Kubernetes/connectedClusters/serviceaccounts/read - Reads serviceaccounts
  Microsoft.Kubernetes/connectedClusters/services/read - Reads services
NotDataActions
  none

{
  "description": "Lets you view all resources in cluster/namespace, except secrets.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4",
  "name": "63f0a09d-1495-4db4-a681-037d84835eb4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
        "Microsoft.Kubernetes/connectedClusters/configmaps/read",
        "Microsoft.Kubernetes/connectedClusters/endpoints/read",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
        "Microsoft.Kubernetes/connectedClusters/pods/read",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
        "Microsoft.Kubernetes/connectedClusters/services/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Writer

Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. Learn more

Actions
  Microsoft.Resources/subscriptions/operationresults/read - Get the subscription operation results.
  Microsoft.Resources/subscriptions/read - Gets the list of subscriptions.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read - Reads controllerrevisions
  Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
  Microsoft.Kubernetes/connectedClusters/apps/deployments/*
  Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
  Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
  Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
  Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
  Microsoft.Kubernetes/connectedClusters/batch/jobs/*
  Microsoft.Kubernetes/connectedClusters/configmaps/*
  Microsoft.Kubernetes/connectedClusters/endpoints/*
  Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read - Reads events
  Microsoft.Kubernetes/connectedClusters/events/read - Reads events
  Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
  Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
  Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
  Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
  Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
  Microsoft.Kubernetes/connectedClusters/limitranges/read - Reads limitranges
  Microsoft.Kubernetes/connectedClusters/namespaces/read - Reads namespaces
  Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
  Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
  Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
  Microsoft.Kubernetes/connectedClusters/pods/*
  Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
  Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
  Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
  Microsoft.Kubernetes/connectedClusters/resourcequotas/read - Reads resourcequotas
  Microsoft.Kubernetes/connectedClusters/secrets/*
  Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
  Microsoft.Kubernetes/connectedClusters/services/*
NotDataActions
  none

{
  "description": "Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1",
  "name": "5b999177-9696-4545-85c7-50de3797e5a1",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
        "Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",
        "Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*",
        "Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
        "Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
        "Microsoft.Kubernetes/connectedClusters/configmaps/*",
        "Microsoft.Kubernetes/connectedClusters/endpoints/*",
        "Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
        "Microsoft.Kubernetes/connectedClusters/events/read",
        "Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
        "Microsoft.Kubernetes/connectedClusters/limitranges/read",
        "Microsoft.Kubernetes/connectedClusters/namespaces/read",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",
        "Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*",
        "Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
        "Microsoft.Kubernetes/connectedClusters/pods/*",
        "Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
        "Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
        "Microsoft.Kubernetes/connectedClusters/secrets/*",
        "Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
        "Microsoft.Kubernetes/connectedClusters/services/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Arc Kubernetes Writer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine Onboarding

Can onboard Azure Connected Machines. Learn more

Actions
  Microsoft.GuestConfiguration/guestConfigurationAssignments/read - Get guest configuration assignment.
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Can onboard Azure Connected Machines.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
  "name": "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/privateLinkScopes/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected Machine Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine Resource Administrator

Can read, write, delete and re-onboard Azure Connected Machines.

Actions
  Microsoft.HybridCompute/machines/UpgradeExtensions/action - Upgrades Extensions on Azure Arc machines
  Microsoft.HybridCompute/machines/extensions/read - Reads any Azure Arc extensions
  Microsoft.HybridCompute/machines/extensions/write - Installs or Updates an Azure Arc extensions
  Microsoft.HybridCompute/machines/extensions/delete - Deletes an Azure Arc extensions
  Microsoft.HybridCompute/privateLinkScopes/*
  Microsoft.HybridCompute/*/read
  Microsoft.Resources/deployments/* - Create and manage a deployment
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Can read, write, delete and re-onboard Azure Connected Machines.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302",
  "name": "cd570a14-e51a-42ad-bac8-bafd67325302",
  "permissions": [
    {
      "actions": [
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/privateLinkScopes/*",
        "Microsoft.HybridCompute/*/read",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Connected Machine Resource Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Billing Reader

Allows read access to billing data Learn more

Actions
  Microsoft.Management/managementGroups/read - List management groups for the authenticated user.
  Microsoft.CostManagement/*/read
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Allows read access to billing data",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
  "name": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Billing/*/read",
        "Microsoft.Commerce/*/read",
        "Microsoft.Consumption/*/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.CostManagement/*/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Billing Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Blueprint Contributor

Can manage blueprint definitions, but not assign them. Learn more

Actions
  Microsoft.Blueprint/blueprints/* - Create and manage blueprint definitions or blueprint artifacts.
  Microsoft.Resources/subscriptions/resourceGroups/read - Gets or lists resource groups.
  Microsoft.Resources/deployments/* - Create and manage a deployment
  Microsoft.Support/* - Create and update a support ticket
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Can manage blueprint definitions, but not assign them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4",
  "name": "41077137-e803-4205-871c-5a86e6a753b4",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Blueprint/blueprints/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Blueprint Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Blueprint Operator

Can assign existing published blueprints, but cannot create new blueprints. Note that this only works if the assignment is done with a user-assigned managed identity. Learn more

{
  "description": "Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090",
  "name": "437d2ced-4a38-4302-8479-ed2bcb43d090",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Blueprint/blueprintAssignments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Blueprint Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cost Management Contributor

Can view costs and manage cost configuration (e.g. budgets, exports) Learn more

Actions
  Microsoft.Management/managementGroups/read - List management groups for the authenticated user.
  Microsoft.Billing/billingProperty/read
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Can view costs and manage cost configuration (e.g. budgets, exports)",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430",
  "name": "434105ed-43f6-45c7-a02f-909b2ba83430",
  "permissions": [
    {
      "actions": [
        "Microsoft.Consumption/*",
        "Microsoft.CostManagement/*",
        "Microsoft.Billing/billingPeriods/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Advisor/configurations/read",
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Billing/billingProperty/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cost Management Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Cost Management Reader

Can view cost data and configuration (e.g. budgets, exports) Learn more

Actions
  Microsoft.Management/managementGroups/read - List management groups for the authenticated user.
  Microsoft.Billing/billingProperty/read
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Can view cost data and configuration (e.g. budgets, exports)",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3",
  "name": "72fafb9e-0641-4937-9268-a91bfd8191a3",
  "permissions": [
    {
      "actions": [
        "Microsoft.Consumption/*/read",
        "Microsoft.CostManagement/*/read",
        "Microsoft.Billing/billingPeriods/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.Advisor/configurations/read",
        "Microsoft.Advisor/recommendations/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Billing/billingProperty/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Cost Management Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Hierarchy Settings Administrator

Allows users to edit and delete Hierarchy Settings

Actions
  Microsoft.Management/managementGroups/settings/write - Creates or updates management group hierarchy settings.
  Microsoft.Management/managementGroups/settings/delete - Deletes management group hierarchy settings.
NotActions
  none
DataActions
  none
NotDataActions
  none

{
  "description": "Allows users to edit and delete Hierarchy Settings",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d",
  "name": "350f8d15-c687-4448-8ae1-157740a3936d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/settings/write",
        "Microsoft.Management/managementGroups/settings/delete"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Hierarchy Settings Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Cluster - Azure Arc Onboarding

Role definition to authorize any user/service to create connectedClusters resource

Actions | Description
Microsoft.Resources/subscriptions/operationresults/read | Get the subscription operation results.
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Kubernetes/connectedClusters/Write | Writes connectedClusters
Microsoft.Kubernetes/connectedClusters/read | Read connectedClusters
Microsoft.Support/* | Create and update a support ticket
NotActions | none
DataActions | none
NotDataActions | none

{
  "description": "Role definition to authorize any user/service to create connectedClusters resource",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Kubernetes/connectedClusters/Write",
        "Microsoft.Kubernetes/connectedClusters/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Cluster - Azure Arc Onboarding",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Extension Contributor

Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations

Actions | Description
Microsoft.KubernetesConfiguration/extensions/write | Creates or updates extension resource.
Microsoft.KubernetesConfiguration/extensions/read | Gets extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete | Deletes extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read | Gets Async Operation status.
NotActions | none
DataActions | none
NotDataActions | none

{
  "description": "Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717",
  "name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Kubernetes Extension Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Application Contributor Role

Allows for creating managed application resources.

{
  "description": "Allows for creating managed application resources.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e",
  "name": "641177b8-a67a-45b9-a033-47bc880bb21e",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Solutions/applications/*",
        "Microsoft.Solutions/register/action",
        "Microsoft.Resources/subscriptions/resourceGroups/*",
        "Microsoft.Resources/deployments/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Application Contributor Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Application Operator Role

Lets you read and perform actions on Managed Application resources

{
  "description": "Lets you read and perform actions on Managed Application resources",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae",
  "name": "c7393b34-138c-406f-901b-d8cf2b17e6ae",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Solutions/applications/read",
        "Microsoft.Solutions/*/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Application Operator Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Applications Reader

Lets you read resources in a managed app and request JIT access.

{
  "description": "Lets you read resources in a managed app and request JIT access.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44",
  "name": "b9331d33-8a36-4f8c-b097-4f54124fdb44",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Solutions/jitRequests/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Applications Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Managed Services Registration assignment Delete Role

Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant.

Actions | Description
Microsoft.ManagedServices/registrationAssignments/read | Retrieves a list of Managed Services registration assignments.
Microsoft.ManagedServices/registrationAssignments/delete | Removes Managed Services registration assignment.
Microsoft.ManagedServices/operationStatuses/read | Reads the operation status for the resource.
NotActions | none
DataActions | none
NotDataActions | none

{
  "description": "Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46",
  "name": "91c1777a-f3dc-4fae-b103-61d183457e46",
  "permissions": [
    {
      "actions": [
        "Microsoft.ManagedServices/registrationAssignments/read",
        "Microsoft.ManagedServices/registrationAssignments/delete",
        "Microsoft.ManagedServices/operationStatuses/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Managed Services Registration assignment Delete Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Management Group Contributor

Management Group Contributor Role

Actions | Description
Microsoft.Management/managementGroups/read | List management groups for the authenticated user.
Microsoft.Management/managementGroups/subscriptions/delete | De-associates subscription from the management group.
Microsoft.Management/managementGroups/subscriptions/write | Associates existing subscription with the management group.
Microsoft.Management/managementGroups/write | Create or update a management group.
Microsoft.Management/managementGroups/subscriptions/read | Lists subscription under the given management group.
Microsoft.Authorization/*/read | Read roles and role assignments
NotActions | none
DataActions | none
NotDataActions | none

{
  "description": "Management Group Contributor Role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
  "name": "5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/delete",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Management/managementGroups/subscriptions/delete",
        "Microsoft.Management/managementGroups/subscriptions/write",
        "Microsoft.Management/managementGroups/write",
        "Microsoft.Management/managementGroups/subscriptions/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Management Group Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Management Group Reader

Management Group Reader Role

Actions | Description
Microsoft.Management/managementGroups/read | List management groups for the authenticated user.
Microsoft.Management/managementGroups/subscriptions/read | Lists subscription under the given management group.
Microsoft.Authorization/*/read | Read roles and role assignments
NotActions | none
DataActions | none
NotDataActions | none

{
  "description": "Management Group Reader Role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d",
  "name": "ac63b705-f282-497d-ac71-919bf39d939d",
  "permissions": [
    {
      "actions": [
        "Microsoft.Management/managementGroups/read",
        "Microsoft.Management/managementGroups/subscriptions/read",
        "Microsoft.Authorization/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Management Group Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

New Relic APM Account Contributor

Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.

Actions | Description
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket
NewRelic.APM/accounts/* |
NotActions | none
DataActions | none
NotDataActions | none

{
  "description": "Lets you manage New Relic Application Performance Management accounts and applications, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237",
  "name": "5d28c62d-5b37-4476-8438-e587778df237",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "NewRelic.APM/accounts/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "New Relic APM Account Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Policy Insights Data Writer (Preview)

Allows read access to resource policies and write access to resource component policy events.

Actions | Description
Microsoft.Authorization/policyassignments/read | Get information about a policy assignment.
Microsoft.Authorization/policydefinitions/read | Get information about a policy definition.
Microsoft.Authorization/policyexemptions/read | Get information about a policy exemption.
Microsoft.Authorization/policysetdefinitions/read | Get information about a policy set definition.
NotActions | none
DataActions | Description
Microsoft.PolicyInsights/checkDataPolicyCompliance/action | Check the compliance status of a given component against data policies.
Microsoft.PolicyInsights/policyEvents/logDataEvents/action | Log the resource component policy events.
NotDataActions | none

{
  "description": "Allows read access to resource policies and write access to resource component policy events.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84",
  "name": "66bb4e9e-b016-4a94-8249-4c0511c2be84",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/policyassignments/read",
        "Microsoft.Authorization/policydefinitions/read",
        "Microsoft.Authorization/policyexemptions/read",
        "Microsoft.Authorization/policysetdefinitions/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.PolicyInsights/checkDataPolicyCompliance/action",
        "Microsoft.PolicyInsights/policyEvents/logDataEvents/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Policy Insights Data Writer (Preview)",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Quota Request Operator

Read and create quota requests, get quota request status, and create support tickets.

Actions | Description
Microsoft.Capacity/resourceProviders/locations/serviceLimits/read | Get the current service limit or quota of the specified resource and location
Microsoft.Capacity/resourceProviders/locations/serviceLimits/write | Create service limit or quota for the specified resource and location
Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read | Get any service limit request for the specified resource and location
Microsoft.Capacity/register/action | Registers the Capacity resource provider and enables the creation of Capacity resources.
Microsoft.Quota/usages/read | Get the usages for resource providers
Microsoft.Quota/quotas/read | Get the current Service limit or quota of the specified resource
Microsoft.Quota/quotas/write | Creates the service limit or quota request for the specified resource
Microsoft.Quota/quotaRequests/read | Get any service limit request for the specified resource
Microsoft.Quota/register/action | Register the subscription with Microsoft.Quota Resource Provider
Microsoft.Authorization/*/read | Read roles and role assignments
Microsoft.Insights/alertRules/* | Create and manage a classic metric alert
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Support/* | Create and update a support ticket
NotActions | none
DataActions | none
NotDataActions | none

{
  "description": "Read and create quota requests, get quota request status, and create support tickets.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125",
  "name": "0e5f05e5-9ab9-446b-b98d-1e2157c94125",
  "permissions": [
    {
      "actions": [
        "Microsoft.Capacity/resourceProviders/locations/serviceLimits/read",
        "Microsoft.Capacity/resourceProviders/locations/serviceLimits/write",
        "Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read",
        "Microsoft.Capacity/register/action",
        "Microsoft.Quota/usages/read",
        "Microsoft.Quota/quotas/read",
        "Microsoft.Quota/quotas/write",
        "Microsoft.Quota/quotaRequests/read",
        "Microsoft.Quota/register/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Quota Request Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Reservation Purchaser

Lets you purchase reservations

Actions | Description
Microsoft.Capacity/register/action | Registers the Capacity resource provider and enables the creation of Capacity resources.
Microsoft.Compute/register/action | Registers Subscription with Microsoft.Compute resource provider
Microsoft.Consumption/register/action | Register to Consumption RP
Microsoft.Consumption/reservationRecommendationDetails/read | List Reservation Recommendation Details
Microsoft.Consumption/reservationRecommendations/read | List single or shared recommendations for Reserved instances for a subscription.
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.SQL/register/action | Registers the subscription for the Microsoft SQL Database resource provider and enables the creation of Microsoft SQL Databases.
Microsoft.Support/supporttickets/write | Allows creating and updating a support ticket
NotActions | none
DataActions | none
NotDataActions | none

{
  "description": "Lets you purchase reservations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689",
  "name": "f7b75c60-3036-4b75-91c3-6b41c27c1689",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Capacity/catalogs/read",
        "Microsoft.Capacity/register/action",
        "Microsoft.Compute/register/action",
        "Microsoft.Consumption/register/action",
        "Microsoft.Consumption/reservationRecommendationDetails/read",
        "Microsoft.Consumption/reservationRecommendations/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.SQL/register/action",
        "Microsoft.Support/supporttickets/write"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Reservation Purchaser",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Resource Policy Contributor

Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.

{
  "description": "Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608",
  "name": "36243c78-bf99-498c-9df9-86d9f8d28608",
  "permissions": [
    {
      "actions": [
        "*/read",
        "Microsoft.Authorization/policyassignments/*",
        "Microsoft.Authorization/policydefinitions/*",
        "Microsoft.Authorization/policyexemptions/*",
        "Microsoft.Authorization/policysetdefinitions/*",
        "Microsoft.PolicyInsights/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Resource Policy Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery Contributor

Lets you manage Site Recovery service except vault creation and role assignment

Actions | Description
Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is an internal operation used by the service
Microsoft.RecoveryServices/locations/allocateStamp/action | AllocateStamp is an internal operation used by the service
Microsoft.RecoveryServices/Vaults/certificates/write | The Update Resource Certificate operation updates the resource/vault credential certificate.
Microsoft.RecoveryServices/Vaults/extendedInformation/* | Create and manage extended info related to vault
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/refreshContainers/read |
Microsoft.RecoveryServices/Vaults/registeredIdentities/* | Create and manage registered identities
Microsoft.RecoveryServices/vaults/replicationAlertSettings/* | Create or Update replication alert settings
Microsoft.RecoveryServices/vaults/replicationEvents/read | Read any Events
Microsoft.RecoveryServices/vaults/replicationFabrics/* | Create and manage replication fabrics
Microsoft.RecoveryServices/vaults/replicationJobs/* | Create and manage replication jobs
Microsoft.RecoveryServices/vaults/replicationPolicies/* | Create and manage replication policies
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/* | Create and manage recovery plans
Microsoft.RecoveryServices/vaults/replicationVaultSettings/* |
Microsoft.RecoveryServices/Vaults/storageConfig/* | Create and manage storage configuration of Recovery Services vault
Microsoft.RecoveryServices/Vaults/tokenInfo/read |
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/vaultTokens/read | The Vault Token operation can be used to get Vault Token for vault level backend operations.
Microsoft.RecoveryServices/Vaults/monitoringAlerts/* | Read alerts for the Recovery services vault
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read |
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.RecoveryServices/vaults/replicationOperationStatus/read | Read any Vault Replication Operation Status
Microsoft.Support/* | Create and update a support ticket
NotActions | none
DataActions | none
NotDataActions | none

{
  "description": "Lets you manage Site Recovery service except vault creation and role assignment",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
  "name": "6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/locations/allocateStamp/action",
        "Microsoft.RecoveryServices/Vaults/certificates/write",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/*",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/*",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/*",
        "Microsoft.RecoveryServices/vaults/replicationJobs/*",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/*",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*",
        "Microsoft.RecoveryServices/vaults/replicationVaultSettings/*",
        "Microsoft.RecoveryServices/Vaults/storageConfig/*",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.RecoveryServices/vaults/replicationOperationStatus/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Site Recovery Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery Operator

Lets you failover and failback but not perform other Site Recovery management operations

Actions | Description
Microsoft.RecoveryServices/locations/allocatedStamp/read | GetAllocatedStamp is an internal operation used by the service
Microsoft.RecoveryServices/locations/allocateStamp/action | AllocateStamp is an internal operation used by the service
Microsoft.RecoveryServices/Vaults/extendedInformation/read | The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/read | The Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/refreshContainers/read |
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read | The Get Operation Results operation can be used to get the operation status and result for the asynchronously submitted operation
Microsoft.RecoveryServices/Vaults/registeredIdentities/read | The Get Containers operation can be used to get the containers registered for a resource.
Microsoft.RecoveryServices/vaults/replicationAlertSettings/read | Read any Alerts Settings
Microsoft.RecoveryServices/vaults/replicationEvents/read | Read any Events
Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action | Checks Consistency of the Fabric
Microsoft.RecoveryServices/vaults/replicationFabrics/read | Read any Fabrics
Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action | Reassociate Gateway
Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action | Renew Certificate for Fabric
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read | Read any Networks
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read | Read any Network Mappings
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read | Read any Protection Containers
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read | Read any Protectable Items
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action | Apply Recovery Point
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action | Failover Commit
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action | Planned Failover
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read | Read any Protected Items
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read | Read any Replication Recovery Points
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action | Repair replication
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action | ReProtect Protected Item
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action | Switch Protection Container
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action | Test Failover
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action | Test Failover Cleanup
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action | Failover
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action | Update Mobility Service
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read | Read any Protection Container Mappings
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read | Read any Recovery Services Providers
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action | Refresh Provider
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read | Read any Storage Classifications
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read | Read any Storage Classification Mappings
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read | Read any vCenters
Microsoft.RecoveryServices/vaults/replicationJobs/* | Create and manage replication jobs
Microsoft.RecoveryServices/vaults/replicationPolicies/read | Read any Policies
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action | Failover Commit Recovery Plan
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action | Planned Failover Recovery Plan
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read | Read any Recovery Plans
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action | ReProtect Recovery Plan
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action | Test Failover Recovery Plan
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action | Test Failover Cleanup Recovery Plan
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action | Failover Recovery Plan
Microsoft.RecoveryServices/vaults/replicationVaultSettings/read | Read any
Microsoft.RecoveryServices/Vaults/monitoringAlerts/* | Read alerts for the Recovery services vault
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read |
Microsoft.RecoveryServices/Vaults/storageConfig/read |
Microsoft.RecoveryServices/Vaults/tokenInfo/read |
Microsoft.RecoveryServices/Vaults/usages/read | Returns usage details for a Recovery Services Vault.
Microsoft.RecoveryServices/Vaults/vaultTokens/read | The Vault Token operation can be used to get Vault Token for vault level backend operations.
Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/* | Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Support/* | Create and update a support ticket
NotActions | none
DataActions | none
NotDataActions | none

{
  "description": "Lets you failover and failback but not perform other Site Recovery management operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca",
  "name": "494ae006-db33-4328-bf46-533a6560a3ca",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/locations/allocateStamp/action",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read",
        "Microsoft.RecoveryServices/vaults/replicationJobs/*",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action",
        "Microsoft.RecoveryServices/vaults/replicationVaultSettings/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.RecoveryServices/Vaults/storageConfig/read",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Site Recovery Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery Reader

Lets you view Site Recovery status but not perform other management operations Learn more

Actions
  Microsoft.RecoveryServices/locations/allocatedStamp/read: GetAllocatedStamp is an internal operation used by the service
  Microsoft.RecoveryServices/Vaults/extendedInformation/read: The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type 'vault'
  Microsoft.RecoveryServices/Vaults/monitoringAlerts/read: Gets the alerts for the Recovery Services vault.
  Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
  Microsoft.RecoveryServices/Vaults/read: The Get Vault operation gets an object representing the Azure resource of type 'vault'
  Microsoft.RecoveryServices/Vaults/refreshContainers/read
  Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read: The Get Operation Results operation can be used to get the operation status and result for an asynchronously submitted operation
  Microsoft.RecoveryServices/Vaults/registeredIdentities/read: The Get Containers operation can be used to get the containers registered for a resource.
  Microsoft.RecoveryServices/vaults/replicationAlertSettings/read: Read any Alerts Settings
  Microsoft.RecoveryServices/vaults/replicationEvents/read: Read any Events
  Microsoft.RecoveryServices/vaults/replicationFabrics/read: Read any Fabrics
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read: Read any Networks
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read: Read any Network Mappings
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read: Read any Protection Containers
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read: Read any Protectable Items
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read: Read any Protected Items
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read: Read any Replication Recovery Points
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read: Read any Protection Container Mappings
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read: Read any Recovery Services Providers
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read: Read any Storage Classifications
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read: Read any Storage Classification Mappings
  Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read: Read any vCenters
  Microsoft.RecoveryServices/vaults/replicationJobs/read: Read any Jobs
  Microsoft.RecoveryServices/vaults/replicationPolicies/read: Read any Policies
  Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read: Read any Recovery Plans
  Microsoft.RecoveryServices/vaults/replicationVaultSettings/read: Read any
  Microsoft.RecoveryServices/Vaults/storageConfig/read
  Microsoft.RecoveryServices/Vaults/tokenInfo/read
  Microsoft.RecoveryServices/Vaults/usages/read: Returns usage details for a Recovery Services Vault.
  Microsoft.RecoveryServices/Vaults/vaultTokens/read: The Vault Token operation can be used to get a Vault Token for vault-level backend operations.
  Microsoft.Support/*: Create and update a support ticket
NotActions: none
DataActions: none
NotDataActions: none

{
  "description": "Lets you view Site Recovery status but not perform other management operations",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149",
  "name": "dbaa88c4-0c30-4179-9fb3-46319faa6149",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.RecoveryServices/locations/allocatedStamp/read",
        "Microsoft.RecoveryServices/Vaults/extendedInformation/read",
        "Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
        "Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read",
        "Microsoft.RecoveryServices/Vaults/read",
        "Microsoft.RecoveryServices/Vaults/refreshContainers/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read",
        "Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
        "Microsoft.RecoveryServices/vaults/replicationAlertSettings/read",
        "Microsoft.RecoveryServices/vaults/replicationEvents/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read",
        "Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read",
        "Microsoft.RecoveryServices/vaults/replicationJobs/read",
        "Microsoft.RecoveryServices/vaults/replicationPolicies/read",
        "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",
        "Microsoft.RecoveryServices/vaults/replicationVaultSettings/read",
        "Microsoft.RecoveryServices/Vaults/storageConfig/read",
        "Microsoft.RecoveryServices/Vaults/tokenInfo/read",
        "Microsoft.RecoveryServices/Vaults/usages/read",
        "Microsoft.RecoveryServices/Vaults/vaultTokens/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Site Recovery Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Support Request Contributor

Lets you create and manage Support requests Learn more

{
  "description": "Lets you create and manage Support requests",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
  "name": "cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Support Request Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Tag Contributor

Lets you manage tags on entities, without providing access to the entities themselves. Learn more

Actions
  Microsoft.Resources/subscriptions/resourceGroups/resources/read: Gets the resources for the resource group.
  Microsoft.Resources/subscriptions/resources/read: Gets resources of a subscription.
  Microsoft.Resources/deployments/*: Create and manage a deployment
  Microsoft.Insights/alertRules/*: Create and manage a classic metric alert
  Microsoft.Support/*: Create and update a support ticket
  Microsoft.Resources/tags/*
NotActions: none
DataActions: none
NotDataActions: none

{
  "description": "Lets you manage tags on entities, without providing access to the entities themselves.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f",
  "name": "4a9ae827-6dc8-4573-8ac7-8239d42aa03f",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
        "Microsoft.Resources/subscriptions/resources/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*",
        "Microsoft.Resources/tags/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Tag Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Template Spec Contributor

Allows full access to Template Spec operations at the assigned scope.

Actions
  Microsoft.Resources/templateSpecs/*: Create and manage template specs and template spec versions
  Microsoft.Authorization/*/read: Read roles and role assignments
  Microsoft.Resources/deployments/*: Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read: Gets or lists resource groups.
NotActions: none
DataActions: none
NotDataActions: none

{
  "description": "Allows full access to Template Spec operations at the assigned scope.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1c9b6475-caf0-4164-b5a1-2142a7116f4b",
  "name": "1c9b6475-caf0-4164-b5a1-2142a7116f4b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/templateSpecs/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Template Spec Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Template Spec Reader

Allows read access to Template Specs at the assigned scope.

Actions
  Microsoft.Resources/templateSpecs/*/read: Get or list template specs and template spec versions
NotActions: none
DataActions: none
NotDataActions: none

{
  "description": "Allows read access to Template Specs at the assigned scope.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/392ae280-861d-42bd-9ea5-08ee6d83b80e",
  "name": "392ae280-861d-42bd-9ea5-08ee6d83b80e",
  "permissions": [
    {
      "actions": [
        "Microsoft.Resources/templateSpecs/*/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Template Spec Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Virtual desktop infrastructure

Desktop Virtualization Application Group Contributor

Contributor of the Desktop Virtualization Application Group. Learn more

{
  "description": "Contributor of the Desktop Virtualization Application Group.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8",
  "name": "86240b0e-9422-4c43-887b-b61143f32ba8",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/applicationgroups/*",
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Application Group Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Application Group Reader

Reader of the Desktop Virtualization Application Group. Learn more

{
  "description": "Reader of the Desktop Virtualization Application Group.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55",
  "name": "aebf23d0-b568-4e86-b8f9-fe83a2c6ab55",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/applicationgroups/*/read",
        "Microsoft.DesktopVirtualization/applicationgroups/read",
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Application Group Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Contributor

Contributor of Desktop Virtualization. Learn more

{
  "description": "Contributor of Desktop Virtualization.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387",
  "name": "082f0a83-3be5-4ba1-904c-961cca79b387",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Host Pool Contributor

Contributor of the Desktop Virtualization Host Pool. Learn more

{
  "description": "Contributor of the Desktop Virtualization Host Pool.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc",
  "name": "e307426c-f9b6-4e81-87de-d99efb3c32bc",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Host Pool Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Host Pool Reader

Reader of the Desktop Virtualization Host Pool. Learn more

{
  "description": "Reader of the Desktop Virtualization Host Pool.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822",
  "name": "ceadfde2-b300-400a-ab7b-6143895aa822",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/*/read",
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Host Pool Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Reader

Reader of Desktop Virtualization. Learn more

{
  "description": "Reader of Desktop Virtualization.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868",
  "name": "49a72310-ab8d-41df-bbb0-79b649203868",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Session Host Operator

Operator of the Desktop Virtualization Session Host. Learn more

{
  "description": "Operator of the Desktop Virtualization Session Host.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408",
  "name": "2ad6aaab-ead9-4eaa-8ac5-da422f562408",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Session Host Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization User

Allows user to use the applications in an application group. Learn more

DataActions
  Microsoft.DesktopVirtualization/applicationGroups/useApplications/action: Use ApplicationGroup
NotDataActions: none

{
  "description": "Allows user to use the applications in an application group.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
  "name": "1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.DesktopVirtualization/applicationGroups/useApplications/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization User",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization User Session Operator

Operator of the Desktop Virtualization User Session. Learn more

{
  "description": "Operator of the Desktop Virtualization Uesr Session.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6",
  "name": "ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/hostpools/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
        "Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization User Session Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Workspace Contributor

Contributor of the Desktop Virtualization Workspace. Learn more

{
  "description": "Contributor of the Desktop Virtualization Workspace.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b",
  "name": "21efdde3-836f-432b-bf3d-3e8e734d4b2b",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/workspaces/*",
        "Microsoft.DesktopVirtualization/applicationgroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Workspace Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Workspace Reader

Reader of the Desktop Virtualization Workspace. Learn more

{
  "description": "Reader of the Desktop Virtualization Workspace.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d",
  "name": "0fa44ee9-7a7d-466b-9bb2-2bf446b1204d",
  "permissions": [
    {
      "actions": [
        "Microsoft.DesktopVirtualization/workspaces/read",
        "Microsoft.DesktopVirtualization/applicationgroups/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Desktop Virtualization Workspace Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Other

Azure Digital Twins Data Owner

Full access role for Digital Twins data-plane Learn more

DataActions
  Microsoft.DigitalTwins/digitaltwins/relationships/*: Read, create, update, or delete any Digital Twin Relationship
  Microsoft.DigitalTwins/eventroutes/*: Read, delete, create, or update any Event Route
  Microsoft.DigitalTwins/jobs/*
  Microsoft.DigitalTwins/models/*: Read, create, update, or delete any Model
  Microsoft.DigitalTwins/query/*: Query any Digital Twins Graph
NotDataActions: none

{
  "description": "Full access role for Digital Twins data-plane",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe",
  "name": "bcd981a7-7f74-457b-83e1-cceb9e632ffe",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.DigitalTwins/digitaltwins/*",
        "Microsoft.DigitalTwins/digitaltwins/commands/*",
        "Microsoft.DigitalTwins/digitaltwins/relationships/*",
        "Microsoft.DigitalTwins/eventroutes/*",
        "Microsoft.DigitalTwins/jobs/*",
        "Microsoft.DigitalTwins/models/*",
        "Microsoft.DigitalTwins/query/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Digital Twins Data Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Digital Twins Data Reader

Read-only role for Digital Twins data-plane properties Learn more

DataActions
  Microsoft.DigitalTwins/digitaltwins/relationships/read: Read any Digital Twin Relationship
  Microsoft.DigitalTwins/eventroutes/read: Read any Event Route
  Microsoft.DigitalTwins/jobs/import/read: Read any Bulk Import Job
  Microsoft.DigitalTwins/models/read: Read any Model
  Microsoft.DigitalTwins/query/action: Query any Digital Twins Graph
NotDataActions: none

{
  "description": "Read-only role for Digital Twins data-plane properties",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3",
  "name": "d57506d4-4c8d-48b1-8587-93c323f6a5a3",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.DigitalTwins/digitaltwins/read",
        "Microsoft.DigitalTwins/digitaltwins/relationships/read",
        "Microsoft.DigitalTwins/eventroutes/read",
        "Microsoft.DigitalTwins/jobs/import/read",
        "Microsoft.DigitalTwins/models/read",
        "Microsoft.DigitalTwins/query/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Digital Twins Data Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

BizTalk Contributor

Lets you manage BizTalk services, but not access to them.

Actions
  Microsoft.ResourceHealth/availabilityStatuses/read: Gets the availability statuses for all resources in the specified scope
  Microsoft.Resources/deployments/*: Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read: Gets or lists resource groups.
  Microsoft.Support/*: Create and update a support ticket
NotActions: none
DataActions: none
NotDataActions: none

{
  "description": "Lets you manage BizTalk services, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342",
  "name": "5e3c6656-6cfa-4708-81fe-0de47ac73342",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.BizTalkServices/BizTalk/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "BizTalk Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Grafana Admin

Perform all Grafana operations, including the ability to manage data sources, create dashboards, and manage role assignments within Grafana. Learn more

{
  "description": "Built-in Grafana admin role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41",
  "name": "22926164-76b3-42b3-bc55-97df8dab3e41",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Grafana Admin",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Grafana Editor

View and edit a Grafana instance, including its dashboards and alerts. Learn more

{
  "description": "Built-in Grafana Editor role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f",
  "name": "a79a5197-3a5c-4973-a920-486035ffd60f",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Grafana Editor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Grafana Viewer

View a Grafana instance, including its dashboards and alerts. Learn more

{
  "description": "Built-in Grafana Viewer role",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769",
  "name": "60921a7e-fef1-4a43-9b16-a26c52ad4769",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Grafana Viewer",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Load Test Contributor

View, create, update, delete and execute load tests. View and list load test resources but cannot make any changes. Learn more

{
  "description": "View, create, update, delete and execute load tests. View and list load test resources but can not make any changes.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-491b-bb21-08924219302e",
  "name": "749a398d-560b-491b-bb21-08924219302e",
  "permissions": [
    {
      "actions": [
        "Microsoft.LoadTestService/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.LoadTestService/loadtests/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Load Test Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Load Test Owner

Execute all operations on load test resources and load tests Learn more

{
  "description": "Execute all operations on load test resources and load tests",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-4e78-afaa-a07599b003f6",
  "name": "45bb0b16-2f0c-4e78-afaa-a07599b003f6",
  "permissions": [
    {
      "actions": [
        "Microsoft.LoadTestService/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.LoadTestService/*"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Load Test Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Load Test Reader

View and list all load tests and load test resources but cannot make any changes Learn more

{
  "description": "View and list all load tests and load test resources but can not make any changes",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-4ccd-bf80-542e7b26e081",
  "name": "3ae3fb29-0000-4ccd-bf80-542e7b26e081",
  "permissions": [
    {
      "actions": [
        "Microsoft.LoadTestService/*/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.LoadTestService/loadtests/readTest/action"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Load Test Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Scheduler Job Collections Contributor

Lets you manage Scheduler job collections, but not access to them.

Actions
  Microsoft.ResourceHealth/availabilityStatuses/read: Gets the availability statuses for all resources in the specified scope
  Microsoft.Resources/deployments/*: Create and manage a deployment
  Microsoft.Resources/subscriptions/resourceGroups/read: Gets or lists resource groups.
  Microsoft.Scheduler/jobcollections/*: Create and manage job collections
  Microsoft.Support/*: Create and update a support ticket
NotActions: none
DataActions: none
NotDataActions: none

{
  "description": "Lets you manage Scheduler job collections, but not access to them.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
  "name": "188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Scheduler/jobcollections/*",
        "Microsoft.Support/*"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Scheduler Job Collections Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Services Hub Operator

Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. Learn more

Actions
  Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action: Lists the Assessment Entitlements for a given Services Hub Workspace
  Microsoft.ServicesHub/supportOfferingEntitlement/read: View the Support Offering Entitlements for a given Services Hub Workspace
  Microsoft.ServicesHub/workspaces/read: List the Services Hub Workspaces for a given User
NotActions: none
DataActions: none
NotDataActions: none

{
  "description": "Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors.",
  "id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b",
  "name": "82200a5b-e217-47a5-b665-6d8765ee745b",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.ServicesHub/connectors/write",
        "Microsoft.ServicesHub/connectors/read",
        "Microsoft.ServicesHub/connectors/delete",
        "Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action",
        "Microsoft.ServicesHub/supportOfferingEntitlement/read",
        "Microsoft.ServicesHub/workspaces/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Services Hub Operator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Next steps

  • Assign Azure roles using the Azure portal
  • Azure custom roles
  • Permissions in Microsoft Defender for Cloud