last sync: 2025-Apr-29 17:15:48 UTC

Defender for Storage Scanner Operator

Azure BuiltIn RBAC Role definition

Name: Defender for Storage Scanner Operator
Id: 0f641de8-0b88-4198-bdef-bd8b45ceba96
Description: Lets you enable and configure Microsoft Defender for Storage's malware scanning and sensitive data discovery features on your storage accounts. Includes an ABAC condition to limit role assignments.
Category: None
CreatedOn: 2023-11-10 10:31:03 UTC
UpdatedOn: 2024-06-28 20:57:41 UTC
Permissions summary
Effective control plane and data plane operations: 67 (unique operations)
•action: 7
•delete: 4
•read: 48
•write: 8

Actions: 22
Resolved control plane operations from Actions: 67
Effective control plane operations: 67
•action: 7
•delete: 4
•read: 48
•write: 8

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16423

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3371
Actions
Operation | Description
Microsoft.Authorization/*/read | wildcarded / no description
Microsoft.Authorization/roleAssignments/delete (conditioned) | Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write (conditioned) | Create a role assignment at the specified scope.
Microsoft.EventGrid/eventSubscriptions/delete | Delete an eventSubscription
Microsoft.EventGrid/eventSubscriptions/read | Read an eventSubscription
Microsoft.EventGrid/eventSubscriptions/write | Create or update an eventSubscription
Microsoft.EventGrid/topics/read | Read a topic
Microsoft.Management/managementGroups/read | List management groups for the authenticated user.
Microsoft.Resources/deployments/* | wildcarded / no description
Microsoft.Resources/deployments/* | wildcarded / no description
Microsoft.Resources/subscriptions/read | Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups.
Microsoft.Security/advancedThreatProtectionSettings/read | Gets the Advanced Threat Protection Settings for the resource
Microsoft.Security/advancedThreatProtectionSettings/write | Updates the Advanced Threat Protection Settings for the resource
Microsoft.Security/dataScanners/delete | Deletes the datascanners for the scope
Microsoft.Security/datascanners/read | Gets the datascanners for the scope
Microsoft.Security/datascanners/write | Creates or updates the datascanners for the scope
Microsoft.Security/defenderforstoragesettings/read | Gets the defenderforstoragesettings for the scope
Microsoft.Security/defenderforstoragesettings/write | Creates or updates the defenderforstoragesettings for the scope
Microsoft.Storage/storageAccounts/read | Returns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Storage/storageAccounts/write | Creates a storage account with the specified parameters or updates the properties or tags or adds a custom domain for the specified storage account.
Microsoft.Support/* | wildcarded / no description
NotActions: n/a
DataActions: n/a
NotDataActions: n/a
Used in
BuiltIn Policy
none
History
Date/Time (UTC ymd) | Change | Change detail
2024-07-01 18:19:32 | change: Actions | Actions: 'add Microsoft.Security/advancedThreatProtectionSettings/read; add Microsoft.Security/advancedThreatProtectionSettings/write; add Microsoft.Security/datascanners/read; add Microsoft.Security/datascanners/write; add Microsoft.Security/dataScanners/delete'
2024-04-30 17:48:19 | add: Role | 0f641de8-0b88-4198-bdef-bd8b45ceba96
JSON (api-version=2023-07-01-preview)
Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 (Defender for Storage Data Scanner),
            d5a91429-5739-47e2-a06b-3470a27159e7 (EventGrid Data Sender)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 (Defender for Storage Data Scanner),
            d5a91429-5739-47e2-a06b-3470a27159e7 (EventGrid Data Sender)
            }
        )
    )