AzRoleAdvertizer

last sync: 2025-Apr-29 17:15:48 UTC

Virtual Machine Contributor

Azure BuiltIn RBAC Role definition

NameVirtual Machine Contributor
Microsoft Learn
Id9980e02c-c2be-4d73-94e8-173b1dc7cf3c
DescriptionLets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.
CategoryCompute
Microsoft Learn
CreatedOn2015-06-02 00:18:27 UTC
UpdatedOn2025-02-06 01:34:42 UTC
Permissions summary Effective control plane and data plane operations: 371 (unique operations)
•action: 141
•delete: 21
•read: 175
•write: 34

Actions: 45
Resolved control plane operations from Actions: 371
Effective control plane operations: 371
•action: 141
•delete: 21
•read: 175
•write: 34

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16119

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3371
Actions
Operation Description
Microsoft.Authorization/*/readwildcarded / no description
Microsoft.Compute/availabilitySets/*wildcarded / no description
Microsoft.Compute/cloudServices/*wildcarded / no description
Microsoft.Compute/disks/deleteDeletes the Disk
Microsoft.Compute/disks/readGet the properties of a Disk
Microsoft.Compute/disks/writeCreates a new Disk or updates an existing one
Microsoft.Compute/hostgroups/hosts/writeCreates a new host or updates an existing host
Microsoft.Compute/hostgroups/writeCreates a new host group or updates an existing host group
Microsoft.Compute/locations/*wildcarded / no description
Microsoft.Compute/virtualMachines/*wildcarded / no description
Microsoft.Compute/virtualMachineScaleSets/*wildcarded / no description
Microsoft.DevTestLab/schedules/*wildcarded / no description
Microsoft.Insights/alertRules/*wildcarded / no description
Microsoft.Network/applicationGateways/backendAddressPools/join/actionJoins an application gateway backend address pool. Not Alertable.
Microsoft.Network/loadBalancers/backendAddressPools/join/actionJoins a load balancer backend address pool. Not Alertable.
Microsoft.Network/loadBalancers/inboundNatPools/join/actionJoins a load balancer inbound NAT pool. Not alertable.
Microsoft.Network/loadBalancers/inboundNatRules/join/actionJoins a load balancer inbound nat rule. Not Alertable.
Microsoft.Network/loadBalancers/probes/join/actionAllows using probes of a load balancer. For example, with this permission healthProbe property of VM scale set can reference the probe. Not alertable.
Microsoft.Network/loadBalancers/readGets a load balancer definition
Microsoft.Network/locations/*wildcarded / no description
Microsoft.Network/networkInterfaces/*wildcarded / no description
Microsoft.Network/networkSecurityGroups/join/actionJoins a network security group. Not Alertable.
Microsoft.Network/networkSecurityGroups/readGets a network security group definition
Microsoft.Network/publicIPAddresses/join/actionJoins a public ip address. Not Alertable.
Microsoft.Network/publicIPAddresses/readGets a public ip address definition.
Microsoft.Network/virtualNetworks/readGet the virtual network definition
Microsoft.Network/virtualNetworks/subnets/join/actionJoins a virtual network. Not Alertable.
Microsoft.RecoveryServices/locations/*wildcarded / no description
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/writeCreate a backup Protection Intent
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/readwildcarded / no description
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/readReturns object details of the Protected Item
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/writeCreate a backup Protected Item
Microsoft.RecoveryServices/Vaults/backupPolicies/readReturns all Protection Policies
Microsoft.RecoveryServices/Vaults/backupPolicies/writeCreates Protection Policy
Microsoft.RecoveryServices/Vaults/readThe Get Vault operation gets an object representing the Azure resource of type 'vault'
Microsoft.RecoveryServices/Vaults/usages/readRead any Vault Usages
Microsoft.RecoveryServices/Vaults/writeCreate Vault operation creates an Azure resource of type 'vault'
Microsoft.ResourceHealth/availabilityStatuses/readGets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*wildcarded / no description
Microsoft.Resources/subscriptions/resourceGroups/readGets or lists resource groups.
Microsoft.SerialConsole/serialPorts/connect/actionConnect to a serial port
Microsoft.SqlVirtualMachine/*wildcarded / no description
Microsoft.Storage/storageAccounts/listKeys/actionReturns the access keys for the specified storage account.
Microsoft.Storage/storageAccounts/readReturns the list of storage accounts or gets the properties for the specified storage account.
Microsoft.Support/*wildcarded / no description
NotActions n/a
DataActions n/a
NotDataActions n/a
Used in
BuiltIn Policy
Policy DisplayName Policy Id Category State
[Deprecated]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent 6654c8c4-e6f8-43f8-8869-54327af7ce32 Security Center Deprecated
[Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent 5f8eb305-9c9f-4abe-9bb0-df220d9faba2 Security Center Deprecated
[Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent 1537496a-b1e8-482b-a06a-1cc2415cdc7b Security Center Deprecated
[Deprecated]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent 808a7dc4-49f2-4e7b-af75-d14e561c244a Security Center Deprecated
[Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets 1288c8d7-4b05-4e3a-bc88-9053caefc021 Security Center Preview
[Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets 4bb303db-d051-4099-95d2-e3e1428a4d2c Security Center Preview
[Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity b73e81f3-6303-48ad-9822-b69fc00c15ef ChangeTrackingAndInventory Preview
[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension 57c2e3f0-98cf-4c3b-aa6b-e8f70726e74e Security Center Preview
[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot 95406fc3-1f69-47b0-8105-4c03b276ec5c Security Center Preview
[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension 6074e9a3-c711-4856-976d-24d51f9e065b Security Center Preview
[Preview]: Configure supported virtual machines to automatically enable vTPM e494853f-93c3-4e44-9210-d12f61a64b34 Security Center Preview
[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension c9b2ae08-09e2-4f0e-bb43-b60bf0135bdf Security Center Preview
[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot 7cb1b219-61c6-47e0-b80c-4472cadeeb5f Security Center Preview
[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension 98ea2fc7-6fc6-4fd1-9d8d-6331154da071 Security Center Preview
[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs 17b3de92-f710-4cf4-aa55-0e7859f1ed7b Monitoring Preview
[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension 496e010e-fa91-4c00-be4b-92b481f67b58 Security Center Preview
[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension 009259b0-12e8-42c9-94e7-7af86aa58d13 Security Center Preview
[Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity 4485d24b-a9d3-4206-b691-1fad83bc5007 ChangeTrackingAndInventory Preview
Assign System Assigned identity to SQL Virtual Machines 813e1e44-914e-436d-a2ab-84c4529a6084 Security Center GA
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy 83644c87-93dd-49fe-bf9f-6aff8fd0834e Backup GA
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location 345fa903-145c-4fe1-8bcd-93ec2adccde8 Backup GA
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 Backup GA
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location 09ce66bc-1220-4153-8104-e3f51c936913 Backup GA
Configure ChangeTracking Extension for Linux virtual machines ec88097d-843f-4a92-8471-78016d337ba4 Security Center GA
Configure ChangeTracking Extension for Windows virtual machines f08f556c-12ff-464d-a7de-40cb5b6cccec Security Center GA
Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication 56a3e4f8-649b-4fac-887e-5564d11e8d3a Monitoring GA
Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication 59c3d93f-900b-4827-a8bd-562e7b956e7c Monitoring GA
Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication a4034bc6-ae50-406d-bf76-50f4ee5a7811 Monitoring GA
Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication ae8a10e6-19d6-44a3-a02d-a2bdfc707742 Monitoring GA
Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity 56d0ed2b-60fc-44bf-af81-a78c851b5fe1 ChangeTrackingAndInventory GA
Configure SQL Virtual Machines to automatically install Azure Monitor Agent f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Security Center GA
Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity 4efbd9d8-6bc6-45f6-9be2-7fe9dd5d89ff Monitoring GA
Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication 98569e20-8f32-4f31-bf34-0e91590ae9d3 Monitoring GA
Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity ca817e41-e85a-4783-bc7f-dc532d36235e Monitoring GA
Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication 637125fd-7c39-4b94-bb0a-d331faf333a9 Monitoring GA
Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity ad1eeff9-20d7-4c82-a04e-903acab0bfc1 ChangeTrackingAndInventory GA
Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets 3be22e3b-d919-47aa-805e-8985dbeb0ad9 Monitoring GA
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets 3c1b3629-c8f8-4bf6-862c-037cb9094038 Monitoring GA
Deploy default Microsoft IaaSAntimalware extension for Windows Server 2835b622-407b-4114-9198-6f7064cbe0dc Compute GA
Deploy Dependency agent for Linux virtual machine scale sets 765266ab-e40e-4c61-bcb2-5a5275d0b7c0 Monitoring GA
Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings 2fea0c12-e7d4-4e03-b7bf-c34b2b8d787d Monitoring GA
Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings af0082fd-fa58-4349-b916-b0e47abb0935 Monitoring GA
Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below 5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069 Monitoring GA
History
Date/Time (UTC ymd) (i) Change Change detail
2025-02-06 19:31:19 change: Actions Actions: 'add Microsoft.Compute/hostgroups/write; add Microsoft.Compute/hostgroups/hosts/write'
2021-10-01 15:34:12 change: Actions Actions: 'add Microsoft.Compute/cloudServices/*'
2021-08-19 16:32:19 change: Actions Actions: 'add Microsoft.SerialConsole/serialPorts/connect/action'
JSON
api-version=2023-07-01-preview
Condition none