AzRoleAdvertizer

last sync: 2025-Apr-29 17:15:48 UTC

AVS Orchestrator Role

Azure BuiltIn RBAC Role definition

Name

AVS Orchestrator Role

d715fb95-a0f0-4f1c-8be6-5ad2d2767f67

Description

Do not remove this role from your resource group because it is critical to enable your AVS private cloud to operate. If the role is removed, it will cause your AVS private cloud control plane to no longer operate correctly. The role is used to enable the AVS private cloud control plane to create the supporting resources in the resource group of the private clouds attached virtual network and bind them to the attached virtual network. This role is not intended for use cases outside of assignment to the associated AVS identity in your entra-id tenant.

Category

None

CreatedOn

2024-08-27 15:13:33 UTC

UpdatedOn

2025-02-13 20:38:23 UTC

Permissions summary

Effective control plane and data plane operations: 56 (unique operations)
•action: 8
•delete: 13
•read: 20
•write: 15

Actions: 58
Resolved control plane operations from Actions: 56
Effective control plane operations: 56
•action: 8
•delete: 13
•read: 20
•write: 15

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16434

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3371

Actions

Operation	Description
Microsoft.Authorization/roleAssignments/delete conditioned	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/read	Get information about a role assignment.
Microsoft.Network/locations/operationResults/read	Gets operation result of an async POST or DELETE operation
Microsoft.Network/locations/operations/read	Gets operation resource that represents status of an asynchronous operation
Microsoft.Network/networkIntentPolicies/delete	Deletes an Network Intent Policy
Microsoft.Network/networkIntentPolicies/read	Gets an Network Intent Policy Description
Microsoft.Network/networkIntentPolicies/write	Creates an Network Intent Policy or updates an existing Network Intent Policy
Microsoft.Network/networkInterfaces/delete	Deletes a network interface
Microsoft.Network/networkInterfaces/join/action	Joins a Virtual Machine to a network interface. Not Alertable.
Microsoft.Network/networkInterfaces/read	Gets a network interface definition.
Microsoft.Network/networkInterfaces/write	Creates a network interface or updates an existing network interface.
Microsoft.Network/networkSecurityGroups/delete	Deletes a network security group
Microsoft.Network/networkSecurityGroups/join/action	Joins a network security group. Not Alertable.
Microsoft.Network/networkSecurityGroups/read	Gets a network security group definition
Microsoft.Network/networkSecurityGroups/securityRules/delete	Deletes a security rule
Microsoft.Network/networkSecurityGroups/securityRules/read	Gets a security rule definition
Microsoft.Network/networkSecurityGroups/securityRules/read	Gets a security rule definition
Microsoft.Network/networkSecurityGroups/securityRules/write	Creates a security rule or updates an existing security rule
Microsoft.Network/networkSecurityGroups/write	Creates a network security group or updates an existing network security group
Microsoft.Network/publicIPAddresses/delete	Deletes a public Ip address.
Microsoft.Network/publicIPAddresses/read	Gets a public ip address definition.
Microsoft.Network/publicIPAddresses/write	Creates a public Ip address or updates an existing public Ip address.
Microsoft.Network/routeTables/delete	Deletes a route table definition
Microsoft.Network/routeTables/join/action	Joins a route table. Not Alertable.
Microsoft.Network/routeTables/read	Gets a route table definition
Microsoft.Network/routeTables/routes/delete	Deletes a route definition
Microsoft.Network/routeTables/routes/read	Gets a route definition
Microsoft.Network/routeTables/routes/write	Creates a route or Updates an existing route
Microsoft.Network/routeTables/write	Creates a route table or Updates an existing rotue table
Microsoft.Network/virtualHubs/bgpConnections/read	Gets a Hub Bgp Connection child resource of Virtual Hub
Microsoft.Network/virtualHubs/bgpConnections/write	Creates or Updates a Hub Bgp Connection child resource of Virtual Hub
Microsoft.Network/virtualHubs/delete	Deletes a Virtual Hub
Microsoft.Network/virtualHubs/ipConfigurations/read	Gets a Hub IpConfiguration child resource of Virtual Hub
Microsoft.Network/virtualHubs/ipConfigurations/write	Creates or Updates a Hub IpConfiguration child resource of Virtual Hub
Microsoft.Network/virtualHubs/write	Create or update a Virtual Hub
Microsoft.Network/virtualNetworks/join/action	Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/peer/action	Peers a virtual network with another virtual network
Microsoft.Network/virtualNetworks/read	Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/delete	Deletes a virtual network subnet
Microsoft.Network/virtualNetworks/subnets/join/action	Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action	Prepares a subnet by applying necessary Network Policies
Microsoft.Network/virtualNetworks/subnets/read	Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete	no description given
Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete	no description given
Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/read	no description given
Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/write	no description given
Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action	Unprepare a subnet by removing the applied Network Policies
Microsoft.Network/virtualNetworks/subnets/write	Creates a virtual network subnet or updates an existing virtual network subnet
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete	Deletes a virtual network peering
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read	Gets a virtual network peering definition
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write	Creates a virtual network peering or updates an existing virtual network peering
Microsoft.Network/virtualNetworks/write	Creates a virtual network or updates an existing virtual network
Microsoft.Resources/deployments/delete	Deletes a deployment.
Microsoft.Resources/deployments/operations/read	Gets or lists deployment operations.
Microsoft.Resources/deployments/operationStatuses/read	Gets or lists deployment operation statuses.
Microsoft.Resources/deployments/read	Gets or lists deployments.
Microsoft.Resources/deployments/write	Creates or updates an deployment.
Microsoft.Resources/subscriptions/resourcegroups/read	Gets or lists resource groups.

NotActions

n/a

DataActions

n/a

NotDataActions

n/a

Used in
BuiltIn Policy

none

History

Date/Time (UTC ymd) (i)	Change	Change detail
2025-02-14 18:36:54	change: Actions	Actions: 'add Microsoft.Network/virtualNetworks/join/action'
2024-10-04 17:51:49	add: Role	d715fb95-a0f0-4f1c-8be6-5ad2d2767f67

JSON

api-version=2023-07-01-preview

Condition

    (
        !
        (
            ActionMatches {
            'Microsoft.Authorization/roleAssignments/delete'
            }
        )
    )
    OR@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
    d715fb95-a0f0-4f1c-8be6-5ad2d2767f67 (AVS Orchestrator Role),
    4d97b98b-1d4f-4787-a291-c67834d212e7 (Network Contributor),
    49fc33c1-886f-4b21-a00e-1d9993234734 (AVS on Fleet VIS Role)
    }