AzRoleAdvertizer

last sync: 2025-Oct-30 18:22:48 UTC

Azure Migrate Owner

Azure BuiltIn RBAC Role definition

Name

Azure Migrate Owner

fd8ea4d5-6509-4db0-bada-356ab233b4fa

Description

Grants full access to create and manage Azure Migrate projects including appliance-based discovery, creation of business case & assessment report and execution of migrations; Also grants ability to assign Azure Migrate specific roles in Azure RBAC.

Category

None

CreatedOn

2025-09-08 16:26:58 UTC

UpdatedOn

2025-10-20 15:12:57 UTC

Permissions summary

Effective control plane and data plane operations: 1121 (unique operations)
•: 1
•action: 271
•delete: 136
•read: 503
•write: 210

Actions: 68
Resolved control plane operations from Actions: 1121
Effective control plane operations: 1121
•: 1
•action: 271
•delete: 136
•read: 503
•write: 210

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16344

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 4081

Actions

Operation	Description
Microsoft.ApplicationMigration/*	wildcarded / no description
Microsoft.Authorization/*/read	wildcarded / no description
Microsoft.Authorization/locks/delete	Delete locks at the specified scope.
Microsoft.Authorization/locks/write	Add locks at the specified scope.
Microsoft.Authorization/roleAssignments/delete conditioned	Delete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write conditioned	Create a role assignment at the specified scope.
Microsoft.AzureArcData/register/action	Register the subscription for Microsoft.AzureArcData
Microsoft.Compute/availabilitySets/read	Get the properties of an availability set
Microsoft.Compute/availabilitySets/vmSizes/read	List available sizes for creating or updating a virtual machine in the availability set
Microsoft.Compute/diskEncryptionSets/read	Get the properties of a disk encryption set
Microsoft.Compute/disks/delete	Deletes the Disk
Microsoft.Compute/disks/read	Get the properties of a Disk
Microsoft.Compute/disks/write	Creates a new Disk or updates an existing one
Microsoft.Compute/register/action	Registers Subscription with Microsoft.Compute resource provider
Microsoft.Compute/skus/read	Gets the list of Microsoft.Compute SKUs available for your Subscription
Microsoft.Compute/virtualMachines/delete	Deletes the virtual machine
Microsoft.Compute/virtualMachines/read	Get the properties of a virtual machine
Microsoft.Compute/virtualMachines/write	Creates a new virtual machine or updates an existing virtual machine
Microsoft.DataReplication/*/read	wildcarded / no description
Microsoft.DataReplication/register/action	Registers the subscription for the Microsoft.DataReplication resource provider
Microsoft.DataReplication/replicationVaults/write	Updates any vault
Microsoft.DependencyMap/*	wildcarded / no description
Microsoft.GuestConfiguration/register/action	Registers the subscription for the Microsoft.GuestConfiguration resource provider.
Microsoft.HybridCompute/machines/delete	Deletes an Azure Arc machines
Microsoft.HybridCompute/machines/read	Read any Azure Arc machines
Microsoft.HybridCompute/machines/write	Writes an Azure Arc machines
Microsoft.HybridCompute/register/action	Registers the subscription for the Microsoft.HybridCompute Resource Provider
Microsoft.HybridConnectivity/register/action	Register the subscription for Microsoft.HybridConnectivity
Microsoft.Insights/alertRules/*	wildcarded / no description
Microsoft.KeyVault/checkNameAvailability/read	Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/register/action	Registers a subscription
Microsoft.KeyVault/vaults/*	wildcarded / no description
Microsoft.Migrate/*	wildcarded / no description
Microsoft.MySQLDiscovery/*	wildcarded / no description
Microsoft.Network/networkInterfaces/delete	Deletes a network interface
Microsoft.Network/networkInterfaces/read	Gets a network interface definition.
Microsoft.Network/networkInterfaces/write	Creates a network interface or updates an existing network interface.
Microsoft.Network/networkSecurityGroups/join/action	Joins a network security group. Not Alertable.
Microsoft.Network/privateDnsZones/A/write	Create or update a record set of type ‘A’ within a Private DNS zone. The records specified will replace the current records in the record set.
Microsoft.Network/privateDnsZones/join/action	Joins a Private DNS Zone
Microsoft.Network/privateDnsZones/virtualNetworkLinks/write	Create or update a Private DNS zone link to virtual network.
Microsoft.Network/privateDnsZones/write	Create or update a Private DNS zone within a resource group. Note that this command cannot be used to create or update virtual network links or record sets within the zone.
Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read	Gets a Private DNS Zone Group
Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write	Puts a Private DNS Zone Group
Microsoft.Network/privateEndpoints/read	Gets an private endpoint resource.
Microsoft.Network/privateEndpoints/write	Creates a new private endpoint, or updates an existing private endpoint.
Microsoft.Network/register/action	Registers the subscription
Microsoft.Network/virtualNetworks/join/action	Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/read	Get the virtual network definition
Microsoft.Network/virtualNetworks/subnets/join/action	Joins a virtual network. Not Alertable.
Microsoft.Network/virtualNetworks/subnets/read	Gets a virtual network subnet definition
Microsoft.Network/virtualNetworks/subnets/write	Creates a virtual network subnet or updates an existing virtual network subnet
Microsoft.OffAzure/*	wildcarded / no description
Microsoft.RecoveryServices/operations/read	Operation returns the list of Operations for a Resource Provider
Microsoft.RecoveryServices/register/action	Registers subscription for given Resource Provider
Microsoft.RecoveryServices/vaults/*	wildcarded / no description
Microsoft.Resources/checkResourceName/action	Check the resource name for validity.
Microsoft.Resources/deployments/*	wildcarded / no description
Microsoft.Resources/deploymentScripts/read	Gets or lists deployment scripts
Microsoft.Resources/deploymentScripts/write	Creates or updates a deployment script
Microsoft.Resources/links/read	Gets or lists resource links.
Microsoft.Resources/links/write	Creates or updates a resource link.
Microsoft.Resources/subscriptions/locations/read	Gets the list of locations supported.
Microsoft.Resources/subscriptions/read	Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read	Gets or lists resource groups.
Microsoft.Resources/subscriptions/resourceGroups/write	Creates or updates a resource group.
Microsoft.Storage/storageAccounts/*	wildcarded / no description
Microsoft.Support/*	wildcarded / no description

NotActions

n/a

DataActions

n/a

NotDataActions

n/a

Used in
BuiltIn Policy

none

History

Date/Time (UTC ymd) (i)	Change	Change detail
2025-10-23 17:22:49	add: Role	fd8ea4d5-6509-4db0-bada-356ab233b4fa

JSON

api-version=2023-07-01-preview

Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            7859c0b0-0bb9-4994-bd12-cd529af7d646 (Azure Migrate Decide and Plan Expert),
            1cfa4eac-9a23-481c-a793-bfb6958e836b (Azure Migrate Execute Expert),
            17d1049b-9a84-46fb-8f53-869881c3d3ab (Storage Account Contributor),
            ba92f5b4-2d11-453d-a403-e96b0029c9fe (Storage Blob Data Contributor),
            ba480ccd-6499-4709-b581-8f38bb215c63 (Azure Migrate Service Reader)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            7859c0b0-0bb9-4994-bd12-cd529af7d646 (Azure Migrate Decide and Plan Expert),
            1cfa4eac-9a23-481c-a793-bfb6958e836b (Azure Migrate Execute Expert),
            17d1049b-9a84-46fb-8f53-869881c3d3ab (Storage Account Contributor),
            ba92f5b4-2d11-453d-a403-e96b0029c9fe (Storage Blob Data Contributor),
            ba480ccd-6499-4709-b581-8f38bb215c63 (Azure Migrate Service Reader)
            }
        )
    )