AzRoleAdvertizer

last sync: 2025-Apr-29 17:15:48 UTC

Azure Stack HCI Administrator

Azure BuiltIn RBAC Role definition

Name

Azure Stack HCI Administrator
Microsoft Learn

bda0d508-adf1-4af0-9c28-88919fc3ae06

Description

Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader

Category

Hybrid + multicloud
Microsoft Learn

CreatedOn

2023-02-03 05:08:48 UTC

UpdatedOn

2025-01-30 17:46:12 UTC

Permissions summary

Effective control plane and data plane operations: 240 (unique operations)
•Action: 56
•delete: 36
•read: 110
•write: 38

Actions: 98
Resolved control plane operations from Actions: 240
Effective control plane operations: 240
•Action: 56
•delete: 36
•read: 110
•write: 38

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16250

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3371

Actions

Operation	Description
Microsoft.Authorization/*/read	wildcarded / no description
Microsoft.Authorization/roleAssignments/delete conditioned	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write conditioned	Create a role assignment at the specified scope.
Microsoft.AzureStackHCI/*	wildcarded / no description
Microsoft.AzureStackHCI/clusters/*	wildcarded / no description
Microsoft.AzureStackHCI/DevicePools/*	wildcarded / no description
Microsoft.AzureStackHCI/EdgeMachines/*	wildcarded / no description
Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete	Deletes a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action	Joins network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/Read	Gets/Lists a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete	Deletes a security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read	Gets/Lists security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write	Creates/Updates security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/Write	Creates/Updates a network security group resource
Microsoft.AzureStackHCI/register/action	no description given
Microsoft.AzureStackHCI/StorageContainers/Read	Gets/Lists storage containers resource
Microsoft.AzureStackHCI/StorageContainers/Write	Creates/Updates storage containers resource
Microsoft.AzureStackHCI/Unregister/Action	no description given
Microsoft.EdgeMarketplace/offers/read	Get a Offer
Microsoft.EdgeMarketplace/publishers/read	Get a Publisher
Microsoft.ExtendedLocation/customLocations/delete	Deletes Custom Location resource
Microsoft.ExtendedLocation/customLocations/deploy/action	Deploy permissions to a Custom Location resource
Microsoft.ExtendedLocation/customLocations/read	Gets an Custom Location resource
Microsoft.ExtendedLocation/customLocations/write	Creates or Updates Custom Location resource
Microsoft.ExtendedLocation/register/action	Registers the subscription for Custom Location resource provider and enables the creation of Custom Location.
Microsoft.GuestConfiguration/guestConfigurationAssignments/read	Get guest configuration assignment.
Microsoft.GuestConfiguration/register/action	Registers the subscription for the Microsoft.GuestConfiguration resource provider.
Microsoft.HybridCompute/licenses/delete	Deletes an Azure Arc licenses
Microsoft.HybridCompute/licenses/read	Reads any Azure Arc licenses
Microsoft.HybridCompute/licenses/write	Installs or Updates an Azure Arc licenses
Microsoft.HybridCompute/locations/operationresults/read	Reads the status of an operation on Microsoft.HybridCompute Resource Provider
Microsoft.HybridCompute/locations/operationstatus/read	Reads the status of an operation on Microsoft.HybridCompute Resource Provider
Microsoft.HybridCompute/locations/updateCenterOperationResults/read	Reads the status of an update center operation on machines
Microsoft.HybridCompute/machines/assessPatches/action	Assesses any Azure Arc machines to get missing software patches
Microsoft.HybridCompute/machines/delete	Deletes an Azure Arc machines
Microsoft.HybridCompute/machines/extensions/delete	Deletes an Azure Arc extensions
Microsoft.HybridCompute/machines/extensions/read	Reads any Azure Arc extensions
Microsoft.HybridCompute/machines/extensions/write	Installs or Updates an Azure Arc extensions
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read	Read any Azure Arc machines's Hybrid Identity Metadata
Microsoft.HybridCompute/machines/installPatches/action	Installs patches on any Azure Arc machines
Microsoft.HybridCompute/machines/licenseProfiles/delete	Deletes an Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/read	Reads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/write	Installs or Updates an Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/patchAssessmentResults/read	Reads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read	Reads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read	Reads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read	Reads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/machines/read	Read any Azure Arc machines
Microsoft.HybridCompute/machines/runcommands/delete	Deletes an Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/read	Reads any Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/write	Installs or Updates an Azure Arc runcommands
Microsoft.HybridCompute/machines/UpgradeExtensions/action	Upgrades Extensions on Azure Arc machines
Microsoft.HybridCompute/machines/write	Writes an Azure Arc machines
Microsoft.HybridCompute/operations/read	Read all Operations for Azure Arc for Servers
Microsoft.HybridCompute/osType/agentVersions/latest/read	no description given
Microsoft.HybridCompute/osType/agentVersions/read	no description given
Microsoft.HybridCompute/register/action	Registers the subscription for the Microsoft.HybridCompute Resource Provider
Microsoft.HybridConnectivity/register/action	Register the subscription for Microsoft.HybridConnectivity
Microsoft.HybridContainerService/register/action	Register the subscription for Microsoft.HybridContainerService
Microsoft.Insights/AlertRules/Activated/Action	Classic metric alert activated
Microsoft.Insights/AlertRules/Delete	Delete a classic metric alert
Microsoft.Insights/AlertRules/Incidents/Read	Read a classic metric alert incident
Microsoft.Insights/AlertRules/Read	Read a classic metric alert
Microsoft.Insights/AlertRules/Resolved/Action	Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action	Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Write	Create or update a classic metric alert
Microsoft.Kubernetes/register/action	Registers Subscription with Microsoft.Kubernetes resource provider
Microsoft.KubernetesConfiguration/extensions/delete	Deletes extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read	Gets Async Operation status.
Microsoft.KubernetesConfiguration/extensions/read	Gets extension instance resource.
Microsoft.KubernetesConfiguration/extensions/write	Creates or updates extension resource.
Microsoft.KubernetesConfiguration/namespaces/read	Get Namespace Resource
Microsoft.KubernetesConfiguration/operations/read	Gets available operations of the Microsoft.KubernetesConfiguration resource provider.
Microsoft.KubernetesConfiguration/register/action	Registers subscription to Microsoft.KubernetesConfiguration resource provider.
Microsoft.Management/managementGroups/read	List management groups for the authenticated user.
Microsoft.ResourceConnector/appliances/delete	Deletes Appliance resource
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action	Get an appliance cluster user credential
Microsoft.ResourceConnector/appliances/listKeys/action	Get an appliance cluster customer user keys
Microsoft.ResourceConnector/appliances/read	Gets an Appliance resource
Microsoft.ResourceConnector/appliances/write	Creates or Updates Appliance resource
Microsoft.ResourceConnector/locations/operationresults/read	Get result of Appliance operation
Microsoft.ResourceConnector/locations/operationsstatus/read	Get result of Appliance operation
Microsoft.ResourceConnector/operations/read	Gets list of Available Operations for Appliances
Microsoft.ResourceConnector/register/action	Registers the subscription for Appliances resource provider and enables the creation of Appliance.
Microsoft.ResourceHealth/availabilityStatuses/read	Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*	wildcarded / no description
Microsoft.Resources/subscriptions/operationresults/read	Get the subscription operation results.
Microsoft.Resources/subscriptions/read	Gets the list of subscriptions.
Microsoft.Resources/subscriptions/read	Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/delete	Deletes a resource group and all its resources.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read	Gets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read	Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourcegroups/deployments/read	Gets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/write	Creates or updates an deployment.
Microsoft.Resources/subscriptions/resourceGroups/read	Gets or lists resource groups.
Microsoft.Resources/subscriptions/resourceGroups/read	Gets or lists resource groups.
Microsoft.Resources/subscriptions/resourceGroups/write	Creates or updates a resource group.
Microsoft.Support/*	wildcarded / no description

NotActions

n/a

DataActions

n/a

NotDataActions

n/a

Used in
BuiltIn Policy

none

History

Date/Time (UTC ymd) (i)	Change	Change detail
2025-01-30 19:27:00	change: Actions	Actions: 'add Microsoft.AzureStackHCI/EdgeMachines/; add Microsoft.AzureStackHCI/DevicePools/'
2024-08-08 18:19:52	change: Actions	Actions: 'add Microsoft.AzureStackHCI/NetworkSecurityGroups/Read; add Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read; add Microsoft.AzureStackHCI/NetworkSecurityGroups/Write; add Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write; add Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete; add Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete; add Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action'
2023-11-28 19:20:58	change: Actions	Actions: 'add Microsoft.ResourceConnector/appliances/listKeys/action; add Microsoft.AzureStackHCI/StorageContainers/Write; add Microsoft.AzureStackHCI/StorageContainers/Read'
2023-11-10 19:40:28	change: DisplayName, Description, Actions	New DisplayName: 'Azure Stack HCI Administrator' Old DisplayName: 'Azure Stack HCI registration role', New Description: 'Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader' Old Description: 'Custom Azure role to allow subscription-level access to register Azure Stack HCI', Actions: 'add Microsoft.GuestConfiguration/guestConfigurationAssignments/read; add Microsoft.Authorization/roleAssignments/write; add Microsoft.Authorization/roleAssignments/delete; add Microsoft.Authorization//read; add Microsoft.Resources/deployments/; add Microsoft.Resources/subscriptions/read; add Microsoft.Management/managementGroups/read; add Microsoft.Support/; add Microsoft.AzureStackHCI/; add Microsoft.Insights/AlertRules/Write; add Microsoft.Insights/AlertRules/Delete; add Microsoft.Insights/AlertRules/Read; add Microsoft.Insights/AlertRules/Activated/Action; add Microsoft.Insights/AlertRules/Resolved/Action; add Microsoft.Insights/AlertRules/Throttled/Action; add Microsoft.Insights/AlertRules/Incidents/Read; add Microsoft.Resources/subscriptions/resourcegroups/deployments/read; add Microsoft.Resources/subscriptions/resourcegroups/deployments/write; add Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read; add Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read; add Microsoft.ResourceHealth/availabilityStatuses/read; add Microsoft.Resources/subscriptions/read; add Microsoft.Resources/subscriptions/operationresults/read; add Microsoft.HybridCompute/machines/read; add Microsoft.HybridCompute/machines/write; add Microsoft.HybridCompute/machines/delete; add Microsoft.HybridCompute/machines/UpgradeExtensions/action; add Microsoft.HybridCompute/machines/assessPatches/action; add Microsoft.HybridCompute/machines/installPatches/action; add Microsoft.HybridCompute/machines/extensions/read; add Microsoft.HybridCompute/machines/extensions/write; add Microsoft.HybridCompute/machines/extensions/delete; add Microsoft.HybridCompute/operations/read; add Microsoft.HybridCompute/locations/operationresults/read; add Microsoft.HybridCompute/locations/operationstatus/read; add Microsoft.HybridCompute/machines/patchAssessmentResults/read; add Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read; add Microsoft.HybridCompute/machines/patchInstallationResults/read; add Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read; add Microsoft.HybridCompute/locations/updateCenterOperationResults/read; add Microsoft.HybridCompute/machines/hybridIdentityMetadata/read; add Microsoft.HybridCompute/osType/agentVersions/read; add Microsoft.HybridCompute/osType/agentVersions/latest/read; add Microsoft.HybridCompute/machines/runcommands/read; add Microsoft.HybridCompute/machines/runcommands/write; add Microsoft.HybridCompute/machines/runcommands/delete; add Microsoft.HybridCompute/machines/licenseProfiles/read; add Microsoft.HybridCompute/machines/licenseProfiles/write; add Microsoft.HybridCompute/machines/licenseProfiles/delete; add Microsoft.HybridCompute/licenses/read; add Microsoft.HybridCompute/licenses/write; add Microsoft.HybridCompute/licenses/delete; add Microsoft.ResourceConnector/register/action; add Microsoft.ResourceConnector/appliances/read; add Microsoft.ResourceConnector/appliances/write; add Microsoft.ResourceConnector/appliances/delete; add Microsoft.ResourceConnector/locations/operationresults/read; add Microsoft.ResourceConnector/locations/operationsstatus/read; add Microsoft.ResourceConnector/appliances/listClusterUserCredential/action; add Microsoft.ResourceConnector/operations/read; add Microsoft.ExtendedLocation/register/action; add Microsoft.ExtendedLocation/customLocations/read; add Microsoft.ExtendedLocation/customLocations/deploy/action; add Microsoft.ExtendedLocation/customLocations/write; add Microsoft.ExtendedLocation/customLocations/delete; add Microsoft.EdgeMarketplace/offers/read; add Microsoft.EdgeMarketplace/publishers/read; add Microsoft.Kubernetes/register/action; add Microsoft.KubernetesConfiguration/register/action; add Microsoft.KubernetesConfiguration/extensions/write; add Microsoft.KubernetesConfiguration/extensions/read; add Microsoft.KubernetesConfiguration/extensions/delete; add Microsoft.KubernetesConfiguration/extensions/operations/read; add Microsoft.KubernetesConfiguration/namespaces/read; add Microsoft.KubernetesConfiguration/operations/read; add Microsoft.HybridContainerService/register/action'
2023-03-29 17:43:30	change: Actions	Actions: 'add Microsoft.Resources/subscriptions/resourceGroups/delete'
2023-03-16 18:42:42	change: Actions	Actions: 'add Microsoft.HybridCompute/register/action; add Microsoft.GuestConfiguration/register/action; add Microsoft.Resources/subscriptions/resourceGroups/read; add Microsoft.Resources/subscriptions/resourceGroups/write; add Microsoft.HybridConnectivity/register/action'
2023-02-06 18:40:05	add: Role	bda0d508-adf1-4af0-9c28-88919fc3ae06

JSON

api-version=2023-07-01-preview

Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            f5819b54-e033-4d82-ac66-4fec3cbf3f4c (Azure Connected Machine Resource Manager),
            cd570a14-e51a-42ad-bac8-bafd67325302 (Azure Connected Machine Resource Administrator),
            b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 (Azure Connected Machine Onboarding),
            4b3fe76c-f777-4d24-a2d7-b027b0f7b273 (Azure Stack HCI VM Reader),
            874d1c73-6003-4e60-a13a-cb31ea190a85 (Azure Stack HCI VM Contributor),
            865ae368-6a45-4bd1-8fbf-0d5151f56fc1 (Azure Stack HCI Device Management Role),
            7b1f81f9-4196-4058-8aae-762e593270df (Azure Resource Bridge Deployment Role),
            4633458b-17de-408a-b874-0445c86b69e6 (Key Vault Secrets User),
            c99c945f-8bd1-4fb1-a903-01460aae6068 (Azure Stack HCI Connected InfraVMs)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            f5819b54-e033-4d82-ac66-4fec3cbf3f4c (Azure Connected Machine Resource Manager),
            cd570a14-e51a-42ad-bac8-bafd67325302 (Azure Connected Machine Resource Administrator),
            b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 (Azure Connected Machine Onboarding),
            4b3fe76c-f777-4d24-a2d7-b027b0f7b273 (Azure Stack HCI VM Reader),
            874d1c73-6003-4e60-a13a-cb31ea190a85 (Azure Stack HCI VM Contributor),
            865ae368-6a45-4bd1-8fbf-0d5151f56fc1 (Azure Stack HCI Device Management Role),
            7b1f81f9-4196-4058-8aae-762e593270df (Azure Resource Bridge Deployment Role),
            4633458b-17de-408a-b874-0445c86b69e6 (Key Vault Secrets User),
            c99c945f-8bd1-4fb1-a903-01460aae6068 (Azure Stack HCI Connected InfraVMs)
            }
        )
    )