last sync: 2025-Sep-15 17:22:50 UTC

Defender for Storage Data Scanner

Azure BuiltIn RBAC Role definition

Name: Defender for Storage Data Scanner
Id: 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40
Description: Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.
Category: Storage
CreatedOn: 2023-06-21 15:30:31 UTC
UpdatedOn: 2025-09-04 13:19:08 UTC
Permissions summary
Effective control plane and data plane operations: 6 (unique operations)
•delete: 1
•read: 4
•write: 1

Actions: 2
Resolved control plane operations from Actions: 2
Effective control plane operations: 2
•read: 2

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 17130

DataActions: 4
Resolved data plane operations: 4
Effective data plane operations: 4
•delete: 1
•read: 2
•write: 1

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 4058
Actions
Operation | Description
Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers
Microsoft.Storage/storageAccounts/blobServices/read | Returns blob service properties or statistics
NotActions: n/a
DataActions
Operation | Description
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Returns the result of deleting a blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | Returns the result of reading blob tags
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | Returns the result of writing blob tags
NotDataActions: n/a
Used in
BuiltIn Policy: none
History
Date/Time (UTC ymd) | Change | Change detail
2025-09-04 17:22:36 | change: Actions, DataActions | Actions: 'add Microsoft.Storage/storageAccounts/blobServices/read', DataActions: 'add Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete'
2023-07-11 17:57:31 | change: DisplayName, Description, Actions, DataActions | New DisplayName: 'Defender for Storage Data Scanner', Old DisplayName: 'Storage Data Scanner', New Description: 'Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.', Old Description: 'Grants all permissions needed for a storage data scanner.', Actions: 'add Microsoft.Storage/storageAccounts/blobServices/containers/read', DataActions: 'add Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read; add Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write; add Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read'
2023-06-22 17:48:48 | add: Role | 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40
JSON
api-version=2023-07-01-preview
Condition: none