AzRoleAdvertizer

last sync: 2025-Oct-30 18:22:48 UTC

Azure Migrate Execute Expert

Azure BuiltIn RBAC Role definition

Name

Azure Migrate Execute Expert

1cfa4eac-9a23-481c-a793-bfb6958e836b

Description

Grants restricted access on an Azure Migrate project to only perform migration related operations, including replication, execution of test migrations, tracking and monitoring of migration progress, and initiation of agentless and agent-based migrations.

Category

None

CreatedOn

2025-09-09 08:45:37 UTC

UpdatedOn

2025-10-23 09:42:33 UTC

Permissions summary

Effective control plane and data plane operations: 666 (unique operations)
•: 1
•action: 97
•delete: 28
•read: 463
•write: 77

Actions: 45
Resolved control plane operations from Actions: 672
Effective control plane operations: 666
•: 1
•action: 97
•delete: 28
•read: 463
•write: 77

NotActions: 6
Resolved control plane operations from NotActions: 6
Effective denied control plane operations: 16799

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 4081

Actions

Operation	Description
Microsoft.ApplicationMigration/*/read	wildcarded / no description
Microsoft.Authorization/*/read	wildcarded / no description
Microsoft.Authorization/locks/delete	Delete locks at the specified scope.
Microsoft.Authorization/locks/write	Add locks at the specified scope.
Microsoft.Authorization/roleAssignments/delete conditioned	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write conditioned	Create a role assignment at the specified scope.
Microsoft.Compute/availabilitySets/read	Get the properties of an availability set
Microsoft.Compute/availabilitySets/vmSizes/read	List available sizes for creating or updating a virtual machine in the availability set
Microsoft.Compute/diskEncryptionSets/read	Get the properties of a disk encryption set
Microsoft.Compute/disks/delete	Deletes the Disk
Microsoft.Compute/disks/read	Get the properties of a Disk
Microsoft.Compute/disks/write	Creates a new Disk or updates an existing one
Microsoft.Compute/register/action	Registers Subscription with Microsoft.Compute resource provider
Microsoft.Compute/skus/read	Gets the list of Microsoft.Compute SKUs available for your Subscription
Microsoft.Compute/virtualMachines/delete	Deletes the virtual machine
Microsoft.Compute/virtualMachines/read	Get the properties of a virtual machine
Microsoft.Compute/virtualMachines/write	Creates a new virtual machine or updates an existing virtual machine
Microsoft.DependencyMap/*/read	wildcarded / no description
Microsoft.DependencyMap/maps/*/action	wildcarded / no description
Microsoft.Insights/alertRules/*	wildcarded / no description
Microsoft.Migrate/*/read	wildcarded / no description
Microsoft.MySQLDiscovery/*/read	wildcarded / no description
Microsoft.Network/networkInterfaces/delete	Deletes a network interface
Microsoft.Network/networkInterfaces/read	Gets a network interface definition.
Microsoft.Network/networkInterfaces/write	Creates a network interface or updates an existing network interface.
Microsoft.Network/virtualNetworks/read	Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/read	Gets a virtual network subnet definition
Microsoft.OffAzure/*/read	wildcarded / no description
Microsoft.RecoveryServices/operations/read	Operation returns the list of Operations for a Resource Provider
Microsoft.RecoveryServices/register/action	Registers subscription for given Resource Provider
Microsoft.RecoveryServices/vaults/*	wildcarded / no description
Microsoft.Resources/checkResourceName/action	Check the resource name for validity.
Microsoft.Resources/deployments/*	wildcarded / no description
Microsoft.Resources/deploymentScripts/read	Gets or lists deployment scripts
Microsoft.Resources/deploymentScripts/write	Creates or updates a deployment script
Microsoft.Resources/links/read	Gets or lists resource links.
Microsoft.Resources/links/write	Creates or updates a resource link.
Microsoft.Resources/subscriptions/locations/read	Gets the list of locations supported.
Microsoft.Resources/subscriptions/read	Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read	Gets or lists resource groups.
Microsoft.Resources/subscriptions/resourceGroups/write	Creates or updates a resource group.
Microsoft.Storage/storageAccounts/*/read	wildcarded / no description
Microsoft.Storage/storageAccounts/*/write	wildcarded / no description
Microsoft.Storage/storageAccounts/listKeys/action	Returns the access keys for the specified storage account.
Microsoft.Support/*	wildcarded / no description

NotActions

Operation	Description
Microsoft.OffAzure/hypervSites/machines/inventoryinsights/pendingupdates/*	wildcarded / no description
Microsoft.OffAzure/hypervSites/machines/inventoryinsights/vulnerabilities/*	wildcarded / no description
Microsoft.OffAzure/serverSites/machines/inventoryinsights/pendingupdates/*	wildcarded / no description
Microsoft.OffAzure/serverSites/machines/inventoryinsights/vulnerabilities/*	wildcarded / no description
Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/pendingupdates/*	wildcarded / no description
Microsoft.OffAzure/vmwareSites/machines/inventoryinsights/vulnerabilities/*	wildcarded / no description

DataActions

n/a

NotDataActions

n/a

Used in
BuiltIn Policy

none

History

Date/Time (UTC ymd) (i)	Change	Change detail
2025-10-23 17:22:49	add: Role	1cfa4eac-9a23-481c-a793-bfb6958e836b

JSON

api-version=2023-07-01-preview

Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            17d1049b-9a84-46fb-8f53-869881c3d3ab (Storage Account Contributor),
            ba92f5b4-2d11-453d-a403-e96b0029c9fe (Storage Blob Data Contributor)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            17d1049b-9a84-46fb-8f53-869881c3d3ab (Storage Account Contributor),
            ba92f5b4-2d11-453d-a403-e96b0029c9fe (Storage Blob Data Contributor)
            }
        )
    )