last sync: 2024-Dec-05 18:53:40 UTC

All Azure RBAC Role definitions

Columns: Id | Name | Description | Condition | Effective operations | Actions (control plane) | NotActions (control plane) | DataActions (data plane) | NotDataActions (data plane) | Used in Policy
76cc9ee4-d5d3-4a45-a930-26add3d73475 Access Review Operator Service Role Lets you grant Access Review System app permissions to discover and revoke access as needed by the access review process. False 00003 effective control plane operations (unique)

•action: 1
•delete: 1
•read: 1
Actions: 003
resolved operations: 3
effective operations: 3
•action: 1
•delete: 1
•read: 1

•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleAssignments/delete
•Microsoft.Management/getEntities/action
c2f4ef07-c644-48eb-af81-4b1b4947fb11 AcrDelete acr delete False 00001 effective control plane operations (unique)

•delete: 1
Actions: 001
resolved operations: 1
effective operations: 1
•delete: 1

•Microsoft.ContainerRegistry/registries/artifacts/delete
6cef56e8-d556-48e5-a04f-b8e64114680f AcrImageSigner acr image signer False 00002 effective control plane and data plane operations (unique)

•write: 2
Actions: 001
resolved operations: 1
effective operations: 1
•write: 1

•Microsoft.ContainerRegistry/registries/sign/write
DataActions: 001
resolved data operations: 1
effective data operations: 1
•write: 1

•Microsoft.ContainerRegistry/registries/trustedCollections/write
7f951dda-4ed3-4680-a7ca-43fe172d538d AcrPull acr pull False 00001 effective control plane operations (unique)

•read: 1
Actions: 001
resolved operations: 1
effective operations: 1
•read: 1

•Microsoft.ContainerRegistry/registries/pull/read
8311e382-0749-4cb8-b61a-304f252e45ec AcrPush acr push False 00002 effective control plane operations (unique)

•read: 1
•write: 1
Actions: 002
resolved operations: 2
effective operations: 2
•read: 1
•write: 1

•Microsoft.ContainerRegistry/registries/pull/read
•Microsoft.ContainerRegistry/registries/push/write
cdda3590-29a3-44f6-95f2-9f980659eb04 AcrQuarantineReader acr quarantine data reader False 00002 effective control plane and data plane operations (unique)

•read: 2
Actions: 001
resolved operations: 1
effective operations: 1
•read: 1

•Microsoft.ContainerRegistry/registries/quarantine/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•read: 1

•Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read
c8d4ff99-41c3-41a8-9f60-21dfdad59608 AcrQuarantineWriter acr quarantine data writer False 00004 effective control plane and data plane operations (unique)

•read: 2
•write: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 1
•write: 1

•Microsoft.ContainerRegistry/registries/quarantine/read
•Microsoft.ContainerRegistry/registries/quarantine/write
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 1
•write: 1

•Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read
•Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write
6b534d80-e337-47c4-864f-140f5c7f593d Advisor Recommendations Contributor (Assessments and Reviews) View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started). False 00003 effective control plane operations (unique)

•action: 1
•read: 1
•write: 1
Actions: 003
resolved operations: 3
effective operations: 3
•action: 1
•read: 1
•write: 1

•Microsoft.Advisor/recommendations/read
•Microsoft.Advisor/recommendations/write
•Microsoft.Advisor/recommendations/available/action
8aac15f0-d885-4138-8afa-bfb5872f7d13 Advisor Reviews Contributor View reviews for a workload and triage recommendations linked to them. False 00050 effective control plane operations (unique)

•: 1
•action: 10
•Delete: 2
•read: 35
•Write: 2
Actions: 009
resolved operations: 50
effective operations: 50
•: 1
•action: 10
•Delete: 2
•read: 35
•Write: 2

•Microsoft.Advisor/resiliencyReviews/read
•Microsoft.Advisor/triageRecommendations/read
•Microsoft.Advisor/triageRecommendations/approve/action
•Microsoft.Advisor/triageRecommendations/reject/action
•Microsoft.Advisor/triageRecommendations/reset/action
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
c64499e0-74c3-47ad-921c-13865957895c Advisor Reviews Reader View reviews for a workload and recommendations linked to them. False 00002 effective control plane operations (unique)

•read: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.Advisor/resiliencyReviews/read
•Microsoft.Advisor/triageRecommendations/read
a8d4b70f-0fb9-4f72-b267-b87b2f990aec AgFood Platform Dataset Admin Provides access to Dataset APIs False 00012 effective data plane operations (unique)

•action: 6
•delete: 2
•read: 2
•write: 2
DataActions: 002
resolved data operations: 12
effective data operations: 12
•action: 6
•delete: 2
•read: 2
•write: 2

•Microsoft.AgFoodPlatform/farmBeats/datasets/*
•Microsoft.AgFoodPlatform/farmBeats/datasetRecords/*
6b77f0a0-0d89-41cc-acd1-579c22c17a67 AgFood Platform Sensor Partner Contributor Provides contribute access to manage sensor related entities in AgFood Platform Service False 00018 effective data plane operations (unique)

•action: 4
•delete: 3
•read: 6
•write: 5
DataActions: 001
resolved data operations: 19
effective data operations: 18
•action: 4
•delete: 3
•read: 6
•write: 5

•Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/*
NotDataActions: 001
resolved not data operations: 1
effective not data operations: 3285

•Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/delete
f8da80de-1ff9-4747-ad80-a19b7f6079e3 AgFood Platform Service Admin Provides admin access to AgFood Platform Service False 00335 effective data plane operations (unique)

•action: 101
•delete: 58
•read: 89
•write: 87
DataActions: 001
resolved data operations: 335
effective data operations: 335
•action: 101
•delete: 58
•read: 89
•write: 87

•Microsoft.AgFoodPlatform/*
8508508a-4469-4e45-963b-2518ee0bb728 AgFood Platform Service Contributor Provides contribute access to AgFood Platform Service False 00251 effective data plane operations (unique)

•action: 98
•read: 89
•write: 64
DataActions: 003
resolved data operations: 277
effective data operations: 251
•action: 98
•read: 89
•write: 64

•Microsoft.AgFoodPlatform/*/action
•Microsoft.AgFoodPlatform/*/read
•Microsoft.AgFoodPlatform/*/write
NotDataActions: 006
resolved not data operations: 26
effective not data operations: 3052

•Microsoft.AgFoodPlatform/farmBeats/farmers/write
•Microsoft.AgFoodPlatform/farmBeats/deletionJobs/*/write
•Microsoft.AgFoodPlatform/farmBeats/parties/write
•Microsoft.AgFoodPlatform/farmBeats/datasets/write
•Microsoft.AgFoodPlatform/farmBeats/datasetRecords/write
•Microsoft.AgFoodPlatform/farmBeats/datasets/access/*/action
7ec7ccdc-f61e-41fe-9aaf-980df0a44eba AgFood Platform Service Reader Provides read access to AgFood Platform Service False 00185 effective data plane operations (unique)

•action: 96
•read: 89
DataActions: 006
resolved data operations: 185
effective data operations: 185
•action: 96
•read: 89

•Microsoft.AgFoodPlatform/*/list/action
•Microsoft.AgFoodPlatform/*/read
•Microsoft.AgFoodPlatform/*/search/action
•Microsoft.AgFoodPlatform/*/download/action
•Microsoft.AgFoodPlatform/*/overlap/action
•Microsoft.AgFoodPlatform/*/checkConsent/action
a2138dac-4907-4679-a376-736901ed8ad8 AnyBuild Builder Basic user role for AnyBuild. This role allows listing of agent information and execution of remote build capabilities. False 00002 effective data plane operations (unique)

•read: 1
•write: 1
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 1
•write: 1

•Microsoft.AnyBuild/clusters/build/write
•Microsoft.AnyBuild/clusters/build/read
c031e6a8-4391-4de0-8d69-4706a7ed3729 API Management Developer Portal Content Editor Can customize the developer portal, edit its content, and publish it. False 00008 effective control plane operations (unique)

•delete: 2
•read: 3
•write: 3
Actions: 008
resolved operations: 8
effective operations: 8
•delete: 2
•read: 3
•write: 3

•Microsoft.ApiManagement/service/portalRevisions/read
•Microsoft.ApiManagement/service/portalRevisions/write
•Microsoft.ApiManagement/service/contentTypes/read
•Microsoft.ApiManagement/service/contentTypes/delete
•Microsoft.ApiManagement/service/contentTypes/write
•Microsoft.ApiManagement/service/contentTypes/contentItems/read
•Microsoft.ApiManagement/service/contentTypes/contentItems/write
•Microsoft.ApiManagement/service/contentTypes/contentItems/delete
312a565d-c81f-4fd8-895a-4e21e48d571c API Management Service Contributor Can manage service and the APIs False 00516 effective control plane operations (unique)

•: 1
•action: 68
•delete: 119
•read: 201
•write: 127
Actions: 007
resolved operations: 516
effective operations: 516
•: 1
•action: 68
•delete: 119
•read: 201
•write: 127

•Microsoft.ApiManagement/service/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 001
Configure API Management services to disable access to API Management public service configuration endpoints
e022efe7-f5ba-4159-bbe4-b44f577e9b61 API Management Service Operator Role Can manage service but not the APIs False 00223 effective control plane operations (unique)

•: 1
•action: 15
•delete: 3
•read: 200
•write: 4
Actions: 015
resolved operations: 224
effective operations: 223
•: 1
•action: 15
•delete: 3
•read: 200
•write: 4

•Microsoft.ApiManagement/service/*/read
•Microsoft.ApiManagement/service/backup/action
•Microsoft.ApiManagement/service/delete
•Microsoft.ApiManagement/service/managedeployments/action
•Microsoft.ApiManagement/service/read
•Microsoft.ApiManagement/service/restore/action
•Microsoft.ApiManagement/service/updatecertificate/action
•Microsoft.ApiManagement/service/updatehostname/action
•Microsoft.ApiManagement/service/write
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
NotActions: 001
resolved not operations: 1
effective not operations: 15969

•Microsoft.ApiManagement/service/users/keys/read
71522526-b88f-4d52-b57f-d31fc3546d0d API Management Service Reader Role Read-only access to service and APIs False 00216 effective control plane operations (unique)

•: 1
•Action: 10
•Delete: 2
•read: 200
•Write: 3
Actions: 008
resolved operations: 217
effective operations: 216
•: 1
•Action: 10
•Delete: 2
•read: 200
•Write: 3

•Microsoft.ApiManagement/service/*/read
•Microsoft.ApiManagement/service/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
NotActions: 001
resolved not operations: 1
effective not operations: 15976

•Microsoft.ApiManagement/service/users/keys/read
9565a273-41b9-4368-97d2-aeb0c976a9b3 API Management Service Workspace API Developer Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. False 00043 effective control plane operations (unique)

•delete: 4
•read: 35
•write: 4
Actions: 009
resolved operations: 43
effective operations: 43
•delete: 4
•read: 35
•write: 4

•Microsoft.ApiManagement/service/tags/read
•Microsoft.ApiManagement/service/tags/apiLinks/*
•Microsoft.ApiManagement/service/tags/operationLinks/*
•Microsoft.ApiManagement/service/tags/productLinks/*
•Microsoft.ApiManagement/service/products/read
•Microsoft.ApiManagement/service/products/apiLinks/*
•Microsoft.ApiManagement/service/read
•Microsoft.ApiManagement/service/authorizationServers/read
•Microsoft.Authorization/*/read
d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da API Management Service Workspace API Product Manager Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. False 00048 effective control plane operations (unique)

•delete: 5
•read: 38
•write: 5
Actions: 012
resolved operations: 48
effective operations: 48
•delete: 5
•read: 38
•write: 5

•Microsoft.ApiManagement/service/users/read
•Microsoft.ApiManagement/service/tags/read
•Microsoft.ApiManagement/service/tags/apiLinks/*
•Microsoft.ApiManagement/service/tags/operationLinks/*
•Microsoft.ApiManagement/service/tags/productLinks/*
•Microsoft.ApiManagement/service/products/read
•Microsoft.ApiManagement/service/products/apiLinks/*
•Microsoft.ApiManagement/service/groups/read
•Microsoft.ApiManagement/service/groups/users/*
•Microsoft.ApiManagement/service/read
•Microsoft.ApiManagement/service/authorizationServers/read
•Microsoft.Authorization/*/read
56328988-075d-4c6a-8766-d93edd6725b6 API Management Workspace API Developer Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. False 00133 effective control plane operations (unique)

•action: 5
•delete: 29
•read: 69
•write: 30
Actions: 014
resolved operations: 133
effective operations: 133
•action: 5
•delete: 29
•read: 69
•write: 30

•Microsoft.ApiManagement/service/workspaces/*/read
•Microsoft.ApiManagement/service/workspaces/apis/*
•Microsoft.ApiManagement/service/workspaces/apiVersionSets/*
•Microsoft.ApiManagement/service/workspaces/policies/*
•Microsoft.ApiManagement/service/workspaces/schemas/*
•Microsoft.ApiManagement/service/workspaces/products/*
•Microsoft.ApiManagement/service/workspaces/policyFragments/*
•Microsoft.ApiManagement/service/workspaces/namedValues/*
•Microsoft.ApiManagement/service/workspaces/tags/*
•Microsoft.ApiManagement/service/workspaces/backends/*
•Microsoft.ApiManagement/service/workspaces/certificates/*
•Microsoft.ApiManagement/service/workspaces/diagnostics/*
•Microsoft.ApiManagement/service/workspaces/loggers/*
•Microsoft.Authorization/*/read
73c2c328-d004-4c5e-938c-35c6f5679a1f API Management Workspace API Product Manager Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. False 00106 effective control plane operations (unique)

•action: 4
•delete: 16
•read: 69
•write: 17
Actions: 007
resolved operations: 106
effective operations: 106
•action: 4
•delete: 16
•read: 69
•write: 17

•Microsoft.ApiManagement/service/workspaces/*/read
•Microsoft.ApiManagement/service/workspaces/products/*
•Microsoft.ApiManagement/service/workspaces/subscriptions/*
•Microsoft.ApiManagement/service/workspaces/groups/*
•Microsoft.ApiManagement/service/workspaces/tags/*
•Microsoft.ApiManagement/service/workspaces/notifications/*
•Microsoft.Authorization/*/read
0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 API Management Workspace Contributor Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. False 00154 effective control plane operations (unique)

•action: 10
•delete: 36
•read: 70
•write: 38
Actions: 002
resolved operations: 154
effective operations: 154
•action: 10
•delete: 36
•read: 70
•write: 38

•Microsoft.ApiManagement/service/workspaces/*
•Microsoft.Authorization/*/read
ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 API Management Workspace Reader Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. False 00069 effective control plane operations (unique)

•read: 69
Actions: 002
resolved operations: 69
effective operations: 69
•read: 69

•Microsoft.ApiManagement/service/workspaces/*/read
•Microsoft.Authorization/*/read
0f37683f-2463-46b6-9ce7-9b788b988ba2 App Compliance Automation Administrator Create, read, download, modify and delete reports objects and related other resource objects. False 07008 effective control plane operations (unique)

•action: 22
•delete: 6
•read: 6968
•write: 12
Actions: 028
resolved operations: 7008
effective operations: 7008
•action: 22
•delete: 6
•read: 6968
•write: 12

•Microsoft.AppComplianceAutomation/*
•Microsoft.Storage/storageAccounts/blobServices/write
•Microsoft.Storage/storageAccounts/fileservices/write
•Microsoft.Storage/storageAccounts/listKeys/action
•Microsoft.Storage/storageAccounts/write
•Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/blobServices/containers/write
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.PolicyInsights/policyStates/queryResults/action
•Microsoft.PolicyInsights/policyStates/triggerEvaluation/action
•Microsoft.Resources/resources/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourceGroups/resources/read
•Microsoft.Resources/subscriptions/resources/read
•Microsoft.Resources/subscriptions/resourceGroups/delete
•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Resources/tags/read
•Microsoft.Resources/deployments/validate/action
•Microsoft.Security/automations/read
•Microsoft.Resources/deployments/write
•Microsoft.Security/automations/delete
•Microsoft.Security/automations/write
•Microsoft.Security/register/action
•Microsoft.Security/unregister/action
•*/read
ffc6bbe0-e443-4c3b-bf54-26581bb2f78e App Compliance Automation Reader Read, download the reports objects and related other resource objects. False 06968 effective control plane operations (unique)

•read: 6968
Actions: 001
resolved operations: 6968
effective operations: 6968
•read: 6968

•*/read
fe86443c-f201-4fc4-9d2a-ac61149fbda0 App Configuration Contributor Grants permission for all management operations, except purge, for App Configuration resources. False 00089 effective control plane operations (unique)

•: 1
•action: 20
•delete: 9
•read: 49
•write: 10
Actions: 005
resolved operations: 90
effective operations: 89
•: 1
•action: 20
•delete: 9
•read: 49
•write: 10

•Microsoft.AppConfiguration/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
NotActions: 001
resolved not operations: 1
effective not operations: 16103

•Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action
5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b App Configuration Data Owner Allows full access to App Configuration data. False 00006 effective data plane operations (unique)

•action: 1
•delete: 1
•read: 2
•write: 2
DataActions: 004
resolved data operations: 7
effective data operations: 6
•action: 1
•delete: 1
•read: 2
•write: 2

•Microsoft.AppConfiguration/configurationStores/*/read
•Microsoft.AppConfiguration/configurationStores/*/write
•Microsoft.AppConfiguration/configurationStores/*/delete
•Microsoft.AppConfiguration/configurationStores/*/action
NotDataActions: 001
resolved not data operations: 1
effective not data operations: 3297

•Microsoft.AppConfiguration/configurationStores/useSasAuth/action
516239f1-63e1-4d78-a4de-a74fb236a071 App Configuration Data Reader Allows read access to App Configuration data. False 00002 effective data plane operations (unique)

•read: 2
DataActions: 001
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.AppConfiguration/configurationStores/*/read
7fd69092-c9bc-4b59-9e2e-bca63317e147 App Configuration Data SAS User Allows the usage of SAS tokens for authentication. False 00001 effective data plane operations (unique)

•action: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.AppConfiguration/configurationStores/useSasAuth/action
175b81b9-6e0d-490a-85e4-0d422273c10c App Configuration Reader Grants permission for read operations for App Configuration resources. False 00046 effective control plane operations (unique)

•read: 46
Actions: 005
resolved operations: 46
effective operations: 46
•read: 46

•Microsoft.AppConfiguration/*/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/subscriptions/resourceGroups/read
8ea85a25-eb16-4e29-ab4d-6f2a26c711a2 App Service Environment Contributor Manage App Service Environments but not the App Service Plans or Websites that it hosts. False 00101 effective control plane operations (unique)

•: 1
•Action: 15
•Delete: 6
•read: 68
•Write: 11
Actions: 006
resolved operations: 101
effective operations: 101
•: 1
•Action: 15
•Delete: 6
•read: 68
•Write: 11

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Web/hostingEnvironments/*
fbc52c3f-28ad-4303-a892-8a056630b8f1 AppGw for Containers Configuration Manager Allows access and configuration updates to Application Gateway for Containers resource. False 00016 effective control plane and data plane operations (unique)

•delete: 4
•read: 7
•write: 5
Actions: 016
resolved operations: 13
effective operations: 13
•delete: 3
•read: 6
•write: 4

•Microsoft.ServiceNetworking/trafficControllers/read
•Microsoft.ServiceNetworking/trafficControllers/write
•Microsoft.ServiceNetworking/trafficControllers/delete
•Microsoft.ServiceNetworking/trafficControllers/frontends/read
•Microsoft.ServiceNetworking/trafficControllers/frontends/write
•Microsoft.ServiceNetworking/trafficControllers/frontends/delete
•Microsoft.ServiceNetworking/trafficControllers/associations/read
•Microsoft.ServiceNetworking/trafficControllers/associations/write
•Microsoft.ServiceNetworking/trafficControllers/associations/delete
•Microsoft.ServiceNetworking/trafficControllers/*/read
•Microsoft.ServiceNetworking/trafficControllers/*/write
•Microsoft.ServiceNetworking/trafficControllers/*/delete
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
DataActions: 003
resolved data operations: 3
effective data operations: 3
•delete: 1
•read: 1
•write: 1

•Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/read
•Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/write
•Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/delete
ca6382a4-1721-4bcf-a114-ff0c70227b6b Application Group Contributor Contributor of the Application Group. False 00074 effective control plane operations (unique)

•: 1
•action: 11
•delete: 5
•read: 49
•write: 8
Actions: 009
resolved operations: 74
effective operations: 74
•: 1
•action: 11
•delete: 5
•read: 49
•write: 8

•Microsoft.DesktopVirtualization/applicationgroups/*
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.DesktopVirtualization/workspaces/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
ae349356-3a1b-4a5e-921d-050484c6347e Application Insights Component Contributor Can manage Application Insights components False 00139 effective control plane operations (unique)

•: 1
•Action: 17
•Delete: 16
•read: 84
•Write: 21
Actions: 013
resolved operations: 139
effective operations: 139
•: 1
•Action: 17
•Delete: 16
•read: 84
•Write: 21

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/generateLiveToken/read
•Microsoft.Insights/metricAlerts/*
•Microsoft.Insights/components/*
•Microsoft.Insights/scheduledqueryrules/*
•Microsoft.Insights/topology/read
•Microsoft.Insights/transactions/read
•Microsoft.Insights/webtests/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 001
Configure Azure Application Insights components to disable public network access for log ingestion and querying
08954f03-6346-4c2e-81c0-ec3a5cfae23b Application Insights Snapshot Debugger Gives user permission to use Application Insights Snapshot Debugger features False 00086 effective control plane operations (unique)

•: 1
•Action: 10
•Delete: 2
•read: 70
•Write: 3
Actions: 006
resolved operations: 86
effective operations: 86
•: 1
•Action: 10
•Delete: 2
•read: 70
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/components/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
bbf86eb8-f7b4-4cce-96e4-18cddf81d86e Attestation Contributor Can read write or delete the attestation provider instance False 00003 effective control plane operations (unique)

•delete: 1
•read: 1
•write: 1
Actions: 003
resolved operations: 3
effective operations: 3
•delete: 1
•read: 1
•write: 1

•Microsoft.Attestation/attestationProviders/attestation/read
•Microsoft.Attestation/attestationProviders/attestation/write
•Microsoft.Attestation/attestationProviders/attestation/delete
fd1bd22b-8476-40bc-a0bc-69b95687b9f3 Attestation Reader Can read the attestation provider properties False 00002 effective control plane operations (unique)

•read: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.Attestation/attestationProviders/attestation/read
•Microsoft.Attestation/attestationProviders/read
f353d9bd-d4a6-484e-a77a-8050b599b867 Automation Contributor Manage azure automation resources and other resources using azure automation. False 00204 effective control plane operations (unique)

•action: 34
•delete: 32
•read: 99
•write: 39
Actions: 011
resolved operations: 204
effective operations: 204
•action: 34
•delete: 32
•read: 99
•write: 39

•Microsoft.Automation/automationAccounts/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/ActionGroups/*
•Microsoft.Insights/ActivityLogAlerts/*
•Microsoft.Insights/MetricAlerts/*
•Microsoft.Insights/ScheduledQueryRules/*
•Microsoft.Insights/diagnosticSettings/*
•Microsoft.OperationalInsights/workspaces/sharedKeys/action
4fe576fe-1146-4730-92eb-48519fa6bf9f Automation Job Operator Create and Manage Jobs using Automation Runbooks. False 00063 effective control plane operations (unique)

•: 1
•action: 13
•Delete: 2
•read: 43
•write: 4
Actions: 013
resolved operations: 63
effective operations: 63
•: 1
•action: 13
•Delete: 2
•read: 43
•write: 4

•Microsoft.Authorization/*/read
•Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read
•Microsoft.Automation/automationAccounts/jobs/read
•Microsoft.Automation/automationAccounts/jobs/resume/action
•Microsoft.Automation/automationAccounts/jobs/stop/action
•Microsoft.Automation/automationAccounts/jobs/streams/read
•Microsoft.Automation/automationAccounts/jobs/suspend/action
•Microsoft.Automation/automationAccounts/jobs/write
•Microsoft.Automation/automationAccounts/jobs/output/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
d3881f73-407a-4167-8283-e981cbba0404 Automation Operator Automation Operators are able to start, stop, suspend, and resume jobs False 00071 effective control plane operations (unique)

•: 1
•action: 13
•Delete: 2
•read: 49
•write: 6
Actions: 021
resolved operations: 71
effective operations: 71
•: 1
•action: 13
•Delete: 2
•read: 49
•write: 6

•Microsoft.Authorization/*/read
•Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read
•Microsoft.Automation/automationAccounts/jobs/read
•Microsoft.Automation/automationAccounts/jobs/resume/action
•Microsoft.Automation/automationAccounts/jobs/stop/action
•Microsoft.Automation/automationAccounts/jobs/streams/read
•Microsoft.Automation/automationAccounts/jobs/suspend/action
•Microsoft.Automation/automationAccounts/jobs/write
•Microsoft.Automation/automationAccounts/jobSchedules/read
•Microsoft.Automation/automationAccounts/jobSchedules/write
•Microsoft.Automation/automationAccounts/linkedWorkspace/read
•Microsoft.Automation/automationAccounts/read
•Microsoft.Automation/automationAccounts/runbooks/read
•Microsoft.Automation/automationAccounts/schedules/read
•Microsoft.Automation/automationAccounts/schedules/write
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Automation/automationAccounts/jobs/output/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 Automation Runbook Operator Read Runbook properties - to be able to create Jobs of the runbook. False 00056 effective control plane operations (unique)

•: 1
•Action: 10
•Delete: 2
•read: 40
•Write: 3
Actions: 006
resolved operations: 56
effective operations: 56
•: 1
•Action: 10
•Delete: 2
•read: 40
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Automation/automationAccounts/runbooks/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
b8b15564-4fa6-4a59-ab12-03e1d9594795 Autonomous Development Platform Data Contributor (Preview) Grants permissions to upload and manage new Autonomous Development Platform measurements. False 00029 effective control plane and data plane operations (unique)

•read: 29
Actions: 003
resolved operations: 28
effective operations: 28
•read: 28

•Microsoft.AutonomousDevelopmentPlatform/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 012
resolved data operations: 3
effective data operations: 1
•read: 1

•Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/discoveries/*
•Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/uploads/*
•Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/*
•Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurementCollections/*
•Microsoft.AutonomousDevelopmentPlatform/accounts/measurementCollections/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/read
•Microsoft.AutonomousDevelopmentPlatform/workspaces/discoveries/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/uploads/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/classifications/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/dataStreams/classifications/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/measurementCollections/*
NotDataActions: 002
resolved not data operations: 2
effective not data operations: 3302

•Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/changeState/action
•Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/changeState/action
27f8b550-c507-4db9-86f2-f4b8e816d59d Autonomous Development Platform Data Owner (Preview) Grants full access to Autonomous Development Platform data. False 00031 effective control plane and data plane operations (unique)

•action: 2
•read: 29
Actions: 003
resolved operations: 28
effective operations: 28
•read: 28

•Microsoft.AutonomousDevelopmentPlatform/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 001
resolved data operations: 3
effective data operations: 3
•action: 2
•read: 1

•Microsoft.AutonomousDevelopmentPlatform/*
d63b75f7-47ea-4f27-92ac-e0d173aaf093 Autonomous Development Platform Data Reader (Preview) Grants read access to Autonomous Development Platform data. False 00029 effective control plane and data plane operations (unique)

•read: 29
Actions: 003
resolved operations: 28
effective operations: 28
•read: 28

•Microsoft.AutonomousDevelopmentPlatform/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•read: 1

•Microsoft.AutonomousDevelopmentPlatform/*/read
4f8fab4f-1852-4a58-a46a-8eaf358af14a Avere Contributor Can create and manage an Avere vFXT cluster. False 00715 effective control plane and data plane operations (unique)

•: 1
•action: 78
•delete: 28
•read: 563
•write: 45
Actions: 020
resolved operations: 712
effective operations: 712
•: 1
•action: 78
•delete: 27
•read: 562
•write: 44

•Microsoft.Authorization/*/read
•Microsoft.Compute/*/read
•Microsoft.Compute/availabilitySets/*
•Microsoft.Compute/proximityPlacementGroups/*
•Microsoft.Compute/virtualMachines/*
•Microsoft.Compute/disks/*
•Microsoft.Network/*/read
•Microsoft.Network/networkInterfaces/*
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Resources/deployments/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/*/read
•Microsoft.Storage/storageAccounts/*
•Microsoft.Support/*
•Microsoft.Resources/subscriptions/resourceGroups/resources/read
DataActions: 003
resolved data operations: 3
effective data operations: 3
•delete: 1
•read: 1
•write: 1

•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 Avere Operator Used by the Avere vFXT cluster to manage the cluster False 00014 effective control plane and data plane operations (unique)

•action: 2
•delete: 2
•read: 7
•write: 3
Actions: 011
resolved operations: 11
effective operations: 11
•action: 2
•delete: 1
•read: 6
•write: 2

•Microsoft.Compute/virtualMachines/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/blobServices/containers/delete
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/blobServices/containers/write
DataActions: 003
resolved data operations: 3
effective data operations: 3
•delete: 1
•read: 1
•write: 1

•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
d715fb95-a0f0-4f1c-8be6-5ad2d2767f67 AVS Orchestrator Role Custom role for AVS to manage customer resources used for AVS scenarios. True 00055 effective control plane operations (unique)

•action: 7
•delete: 13
•read: 20
•write: 15
Actions: 057
resolved operations: 55
effective operations: 55
•action: 7
•delete: 13
•read: 20
•write: 15

•Microsoft.Authorization/roleAssignments/read
•Microsoft.Resources/subscriptions/resourcegroups/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/operationStatuses/read
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/read
•Microsoft.Network/virtualHubs/delete
•Microsoft.Network/publicIPAddresses/delete
•Microsoft.Network/networkInterfaces/delete
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete
•Microsoft.Network/virtualNetworks/subnets/delete
•Microsoft.Network/networkIntentPolicies/read
•Microsoft.Network/networkIntentPolicies/delete
•Microsoft.Network/networkIntentPolicies/write
•Microsoft.Network/networkSecurityGroups/delete
•Microsoft.Network/networkSecurityGroups/write
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Network/networkSecurityGroups/securityRules/read
•Microsoft.Network/networkSecurityGroups/securityRules/write
•Microsoft.Network/networkSecurityGroups/securityRules/delete
•Microsoft.Network/virtualNetworks/subnets/write
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/write
•Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/read
•Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete
•Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action
•Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action
•Microsoft.Network/virtualHubs/write
•Microsoft.Network/publicIPAddresses/write
•Microsoft.Network/publicIPAddresses/read
•Microsoft.Network/virtualHubs/ipConfigurations/write
•Microsoft.Network/networkSecurityGroups/securityRules/read
•Microsoft.Network/virtualHubs/ipConfigurations/read
•Microsoft.Network/virtualHubs/bgpConnections/write
•Microsoft.Network/virtualHubs/bgpConnections/read
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
•Microsoft.Network/virtualNetworks/peer/action
•Microsoft.Network/locations/operations/read
•Microsoft.Network/locations/operationResults/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/write
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/routeTables/read
•Microsoft.Network/routeTables/write
•Microsoft.Network/routeTables/delete
•Microsoft.Network/routeTables/join/action
•Microsoft.Network/routeTables/routes/read
•Microsoft.Network/routeTables/routes/write
•Microsoft.Network/routeTables/routes/delete
•Microsoft.Authorization/roleAssignments/delete conditioned
b78c5d69-af96-48a3-bf8d-a8b4d589de94 Azure AI Administrator A Built-In Role that has all control plane permissions to work with Azure AI and its dependencies. False 01239 effective control plane operations (unique)

•: 1
•action: 261
•delete: 187
•read: 534
•write: 256
Actions: 037
resolved operations: 1239
effective operations: 1239
•: 1
•action: 261
•delete: 187
•read: 534
•write: 256

•Microsoft.Authorization/*/read
•Microsoft.CognitiveServices/*
•Microsoft.ContainerRegistry/registries/*
•Microsoft.DocumentDb/databaseAccounts/*
•Microsoft.Features/features/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/providers/features/register/action
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/components/*
•Microsoft.Insights/diagnosticSettings/*
•Microsoft.Insights/generateLiveToken/read
•Microsoft.Insights/logDefinitions/read
•Microsoft.Insights/metricAlerts/*
•Microsoft.Insights/metricdefinitions/read
•Microsoft.Insights/metrics/read
•Microsoft.Insights/scheduledqueryrules/*
•Microsoft.Insights/topology/read
•Microsoft.Insights/transactions/read
•Microsoft.Insights/webtests/*
•Microsoft.KeyVault/*
•Microsoft.MachineLearningServices/workspaces/*
•Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Storage/storageAccounts/*
•Microsoft.Support/*
•Microsoft.Search/searchServices/write
•Microsoft.Search/searchServices/read
•Microsoft.Search/searchServices/delete
•Microsoft.Search/searchServices/indexes/*
•Microsoft.DataFactory/factories/*
64702f94-c441-49e6-a78b-ef80e0188fee Azure AI Developer Can perform all actions within an Azure AI resource besides managing the resource itself. False 00496 effective control plane and data plane operations (unique)

•action: 107
•delete: 84
•read: 197
•write: 108
Actions: 007
resolved operations: 317
effective operations: 312
•action: 57
•delete: 56
•read: 132
•write: 67

•Microsoft.MachineLearningServices/workspaces/*/read
•Microsoft.MachineLearningServices/workspaces/*/action
•Microsoft.MachineLearningServices/workspaces/*/delete
•Microsoft.MachineLearningServices/workspaces/*/write
•Microsoft.MachineLearningServices/locations/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
NotActions: 007
resolved not operations: 7
effective not operations: 15880

•Microsoft.MachineLearningServices/workspaces/delete
•Microsoft.MachineLearningServices/workspaces/write
•Microsoft.MachineLearningServices/workspaces/listKeys/action
•Microsoft.MachineLearningServices/workspaces/hubs/write
•Microsoft.MachineLearningServices/workspaces/hubs/delete
•Microsoft.MachineLearningServices/workspaces/featurestores/write
•Microsoft.MachineLearningServices/workspaces/featurestores/delete
DataActions: 003
resolved data operations: 184
effective data operations: 184
•action: 50
•delete: 28
•read: 65
•write: 41

•Microsoft.CognitiveServices/accounts/OpenAI/*
•Microsoft.CognitiveServices/accounts/SpeechServices/*
•Microsoft.CognitiveServices/accounts/ContentSafety/*
b556d68e-0be0-4f35-a333-ad7ee1ce17ea Azure AI Enterprise Network Connection Approver Can approve private endpoint connections to Azure AI common dependency resources False 00041 effective control plane operations (unique)

•action: 7
•read: 25
•write: 9
Actions: 041
resolved operations: 41
effective operations: 41
•action: 7
•read: 25
•write: 9

•Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/read
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/write
•Microsoft.Cache/redis/read
•Microsoft.Cache/redis/privateEndpointConnections/read
•Microsoft.Cache/redis/privateEndpointConnections/write
•Microsoft.Cache/redis/privateLinkResources/read
•Microsoft.Cache/redis/privateEndpointConnectionsApproval/action
•Microsoft.Cache/redisEnterprise/read
•Microsoft.Cache/redisEnterprise/privateEndpointConnections/read
•Microsoft.Cache/redisEnterprise/privateEndpointConnections/write
•Microsoft.Cache/redisEnterprise/privateLinkResources/read
•Microsoft.Cache/redisEnterprise/privateEndpointConnectionsApproval/action
•Microsoft.CognitiveServices/accounts/read
•Microsoft.CognitiveServices/accounts/privateEndpointConnections/read
•Microsoft.CognitiveServices/accounts/privateEndpointConnections/write
•Microsoft.CognitiveServices/accounts/privateLinkResources/read
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnectionsApproval/action
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/read
•Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/write
•Microsoft.DocumentDB/databaseAccounts/privateLinkResources/read
•Microsoft.DocumentDB/databaseAccounts/read
•Microsoft.KeyVault/vaults/privateEndpointConnectionsApproval/action
•Microsoft.KeyVault/vaults/privateEndpointConnections/read
•Microsoft.KeyVault/vaults/privateEndpointConnections/write
•Microsoft.KeyVault/vaults/privateLinkResources/read
•Microsoft.KeyVault/vaults/read
•Microsoft.MachineLearningServices/workspaces/privateEndpointConnectionsApproval/action
•Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/read
•Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/write
•Microsoft.MachineLearningServices/workspaces/privateLinkResources/read
•Microsoft.MachineLearningServices/workspaces/read
•Microsoft.Storage/storageAccounts/privateEndpointConnections/read
•Microsoft.Storage/storageAccounts/privateEndpointConnections/write
•Microsoft.Storage/storageAccounts/privateLinkResources/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.Sql/servers/privateEndpointConnectionsApproval/action
•Microsoft.Sql/servers/privateEndpointConnections/read
•Microsoft.Sql/servers/privateEndpointConnections/write
•Microsoft.Sql/servers/privateLinkResources/read
•Microsoft.Sql/servers/read
3afb7f49-54cb-416e-8c09-6dc049efa503 Azure AI Inference Deployment Operator Can perform all actions required to create a resource deployment within a resource group. False 00037 effective control plane operations (unique)

•action: 4
•delete: 1
•read: 30
•Write: 2
Actions: 003
resolved operations: 37
effective operations: 37
•action: 4
•delete: 1
•read: 30
•Write: 2

•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Insights/AutoscaleSettings/write
ede9aaa3-4627-494e-be13-4aa7c256148d Azure API Center Compliance Manager Allows managing API compliance in Azure API Center service. False 00018 effective control plane operations (unique)

•action: 2
•read: 16
Actions: 003
resolved operations: 18
effective operations: 18
•action: 2
•read: 16

•Microsoft.ApiCenter/services/*/read
•Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAnalysisState/action
•Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action
c7244dfb-f447-457d-b2ba-3999044d1706 Azure API Center Data Reader Allows for access to Azure API Center data plane read operations. False 00006 effective data plane operations (unique)

•action: 1
•read: 5
DataActions: 002
resolved data operations: 6
effective data operations: 6
•action: 1
•read: 5

•Microsoft.ApiCenter/services/*/read
•Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action
dd24193f-ef65-44e5-8a7e-6fa6e03f7713 Azure API Center Service Contributor Allows managing Azure API Center service. False 00095 effective control plane operations (unique)

•: 1
•action: 17
•delete: 13
•read: 51
•write: 13
Actions: 006
resolved operations: 96
effective operations: 95
•: 1
•action: 17
•delete: 13
•read: 51
•write: 13

•Microsoft.ApiCenter/services/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
NotActions: 001
resolved not operations: 1
effective not operations: 16097

•Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAnalysisState/action
6cba8790-29c5-48e5-bab1-c7541b01cb04 Azure API Center Service Reader Allows read-only access to Azure API Center service. False 00063 effective control plane operations (unique)

•: 1
•action: 8
•Delete: 2
•read: 50
•Write: 2
Actions: 007
resolved operations: 63
effective operations: 63
•: 1
•action: 8
•Delete: 2
•read: 50
•Write: 2

•Microsoft.ApiCenter/services/*/read
•Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
00493d72-78f6-4148-b6c5-d3ce8e4799dd Azure Arc Enabled Kubernetes Cluster User Role List cluster user credentials action. False 00051 effective control plane operations (unique)

•: 1
•Action: 8
•Delete: 1
•read: 38
•Write: 3
Actions: 009
resolved operations: 51
effective operations: 51
•: 1
•Action: 8
•Delete: 1
•read: 38
•Write: 3

•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
•Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action
dffb1e0c-446f-4dde-a09f-99eb5cc68b96 Azure Arc Kubernetes Admin Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. False 00135 effective control plane and data plane operations (unique)

•: 1
•Action: 10
•Delete: 26
•read: 69
•Write: 29
Actions: 007
resolved operations: 49
effective operations: 49
•: 1
•Action: 6
•Delete: 1
•read: 38
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
DataActions: 033
resolved data operations: 86
effective data operations: 86
•action: 4
•delete: 25
•read: 31
•write: 26

•Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
•Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
•Microsoft.Kubernetes/connectedClusters/apps/deployments/*
•Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
•Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
•Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write
•Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
•Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
•Microsoft.Kubernetes/connectedClusters/batch/jobs/*
•Microsoft.Kubernetes/connectedClusters/configmaps/*
•Microsoft.Kubernetes/connectedClusters/endpoints/*
•Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
•Microsoft.Kubernetes/connectedClusters/events/read
•Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
•Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
•Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
•Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
•Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
•Microsoft.Kubernetes/connectedClusters/limitranges/read
•Microsoft.Kubernetes/connectedClusters/namespaces/read
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
•Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
•Microsoft.Kubernetes/connectedClusters/pods/*
•Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
•Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
•Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
•Microsoft.Kubernetes/connectedClusters/resourcequotas/read
•Microsoft.Kubernetes/connectedClusters/secrets/*
•Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
•Microsoft.Kubernetes/connectedClusters/services/*
8393591c-06b9-48a2-a542-1bd6b377f6a2 Azure Arc Kubernetes Cluster Admin Lets you manage all resources in the cluster. False 00359 effective control plane and data plane operations (unique)

•: 1
•Action: 16
•Delete: 58
•read: 218
•Write: 66
Actions: 007
resolved operations: 49
effective operations: 49
•: 1
•Action: 6
•Delete: 1
•read: 38
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
DataActions: 001
resolved data operations: 310
effective data operations: 310
•action: 10
•delete: 57
•read: 180
•write: 63

•Microsoft.Kubernetes/connectedClusters/*
63f0a09d-1495-4db4-a681-037d84835eb4 Azure Arc Kubernetes Viewer Lets you view all resources in cluster/namespace, except secrets. False 00077 effective control plane and data plane operations (unique)

•: 1
•Action: 6
•Delete: 1
•read: 66
•Write: 3
Actions: 007
resolved operations: 49
effective operations: 49
•: 1
•Action: 6
•Delete: 1
•read: 38
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
DataActions: 029
resolved data operations: 28
effective data operations: 28
•read: 28

•Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
•Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read
•Microsoft.Kubernetes/connectedClusters/apps/deployments/read
•Microsoft.Kubernetes/connectedClusters/apps/replicasets/read
•Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read
•Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read
•Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read
•Microsoft.Kubernetes/connectedClusters/batch/jobs/read
•Microsoft.Kubernetes/connectedClusters/configmaps/read
•Microsoft.Kubernetes/connectedClusters/endpoints/read
•Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
•Microsoft.Kubernetes/connectedClusters/events/read
•Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read
•Microsoft.Kubernetes/connectedClusters/extensions/deployments/read
•Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read
•Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read
•Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read
•Microsoft.Kubernetes/connectedClusters/limitranges/read
•Microsoft.Kubernetes/connectedClusters/namespaces/read
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read
•Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read
•Microsoft.Kubernetes/connectedClusters/pods/read
•Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read
•Microsoft.Kubernetes/connectedClusters/resourcequotas/read
•Microsoft.Kubernetes/connectedClusters/serviceaccounts/read
•Microsoft.Kubernetes/connectedClusters/services/read
5b999177-9696-4545-85c7-50de3797e5a1 Azure Arc Kubernetes Writer Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. False 00126 effective control plane and data plane operations (unique)

•: 1
•Action: 8
•Delete: 24
•read: 67
•Write: 26
Actions: 007
resolved operations: 49
effective operations: 49
•: 1
•Action: 6
•Delete: 1
•read: 38
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
DataActions: 030
resolved data operations: 77
effective data operations: 77
•action: 2
•delete: 23
•read: 29
•write: 23

•Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
•Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
•Microsoft.Kubernetes/connectedClusters/apps/deployments/*
•Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
•Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
•Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
•Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
•Microsoft.Kubernetes/connectedClusters/batch/jobs/*
•Microsoft.Kubernetes/connectedClusters/configmaps/*
•Microsoft.Kubernetes/connectedClusters/endpoints/*
•Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
•Microsoft.Kubernetes/connectedClusters/events/read
•Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
•Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
•Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
•Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
•Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
•Microsoft.Kubernetes/connectedClusters/limitranges/read
•Microsoft.Kubernetes/connectedClusters/namespaces/read
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
•Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
•Microsoft.Kubernetes/connectedClusters/pods/*
•Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
•Microsoft.Kubernetes/connectedClusters/resourcequotas/read
•Microsoft.Kubernetes/connectedClusters/secrets/*
•Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
•Microsoft.Kubernetes/connectedClusters/services/*
a92dfd61-77f9-4aec-a531-19858b406c87 Azure Arc ScVmm Administrator role Arc ScVmm VM Administrator has permissions to perform all ScVmm actions. False 00124 effective control plane operations (unique)

•action: 23
•delete: 16
•read: 68
•write: 17
Actions: 057
resolved operations: 124
effective operations: 124
•action: 23
•delete: 16
•read: 68
•write: 17

•Microsoft.ScVmm/*
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/machines/assessPatches/action
•Microsoft.HybridCompute/machines/installPatches/action
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/operations/read
•Microsoft.HybridCompute/locations/operationresults/read
•Microsoft.HybridCompute/locations/operationstatus/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read
•Microsoft.HybridCompute/machines/patchInstallationResults/read
•Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read
•Microsoft.HybridCompute/locations/updateCenterOperationResults/read
•Microsoft.HybridCompute/machines/hybridIdentityMetadata/read
•Microsoft.HybridCompute/osType/agentVersions/read
•Microsoft.HybridCompute/osType/agentVersions/latest/read
•Microsoft.HybridCompute/machines/runcommands/read
•Microsoft.HybridCompute/machines/runcommands/write
•Microsoft.HybridCompute/machines/runcommands/delete
•Microsoft.HybridCompute/machines/licenseProfiles/read
•Microsoft.HybridCompute/machines/licenseProfiles/write
•Microsoft.HybridCompute/machines/licenseProfiles/delete
•Microsoft.HybridCompute/licenses/read
•Microsoft.HybridCompute/licenses/write
•Microsoft.HybridCompute/licenses/delete
c0781e91-8102-4553-8951-97c6d4243cda Azure Arc ScVmm Private Cloud User Azure Arc ScVmm Private Cloud User has permissions to use the ScVmm resources to deploy VMs. False 00060 effective control plane operations (unique)

•action: 11
•Delete: 2
•read: 44
•Write: 3
Actions: 034
resolved operations: 60
effective operations: 60
•action: 11
•Delete: 2
•read: 44
•Write: 3

•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•microsoft.scvmm/virtualnetworks/join/action
•microsoft.scvmm/virtualnetworks/Read
•microsoft.scvmm/virtualmachinetemplates/clone/action
•microsoft.scvmm/virtualmachinetemplates/Read
•microsoft.scvmm/clouds/deploy/action
•microsoft.scvmm/clouds/Read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.ExtendedLocation/customLocations/enabledresourcetypes/read
6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9 Azure Arc ScVmm Private Clouds Onboarding Azure Arc ScVmm Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vmm server instances to Azure. False 00056 effective control plane operations (unique)

•action: 8
•Delete: 3
•read: 41
•Write: 4
Actions: 030
resolved operations: 56
effective operations: 56
•action: 8
•Delete: 3
•read: 41
•Write: 4

•microsoft.scvmm/vmmservers/Read
•microsoft.scvmm/vmmservers/Write
•microsoft.scvmm/vmmservers/Delete
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
e582369a-e17b-42a5-b10c-874c387c530b Azure Arc ScVmm VM Contributor Arc ScVmm VM Contributor has permissions to perform all VM actions. False 00096 effective control plane operations (unique)

•action: 17
•delete: 10
•read: 59
•write: 10
Actions: 058
resolved operations: 96
effective operations: 96
•action: 17
•delete: 10
•read: 59
•write: 10

•microsoft.scvmm/virtualmachines/*
•microsoft.scvmm/virtualMachineInstances/*
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/machines/assessPatches/action
•Microsoft.HybridCompute/machines/installPatches/action
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/operations/read
•Microsoft.HybridCompute/locations/operationresults/read
•Microsoft.HybridCompute/locations/operationstatus/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read
•Microsoft.HybridCompute/machines/patchInstallationResults/read
•Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read
•Microsoft.HybridCompute/locations/updateCenterOperationResults/read
•Microsoft.HybridCompute/machines/hybridIdentityMetadata/read
•Microsoft.HybridCompute/osType/agentVersions/read
•Microsoft.HybridCompute/osType/agentVersions/latest/read
•Microsoft.HybridCompute/machines/runcommands/read
•Microsoft.HybridCompute/machines/runcommands/write
•Microsoft.HybridCompute/machines/runcommands/delete
•Microsoft.HybridCompute/machines/licenseProfiles/read
•Microsoft.HybridCompute/machines/licenseProfiles/write
•Microsoft.HybridCompute/machines/licenseProfiles/delete
•Microsoft.HybridCompute/licenses/read
•Microsoft.HybridCompute/licenses/write
•Microsoft.HybridCompute/licenses/delete
ddc140ed-e463-4246-9145-7c664192013f Azure Arc VMware Administrator role Arc VMware VM Contributor has permissions to perform all connected VMwarevSphere actions. False 00143 effective control plane operations (unique)

•action: 26
•Delete: 20
•read: 75
•Write: 22
Actions: 058
resolved operations: 143
effective operations: 143
•action: 26
•Delete: 20
•read: 75
•Write: 22

•Microsoft.ConnectedVMwarevSphere/*
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/machines/assessPatches/action
•Microsoft.HybridCompute/machines/installPatches/action
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/operations/read
•Microsoft.HybridCompute/locations/operationresults/read
•Microsoft.HybridCompute/locations/operationstatus/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read
•Microsoft.HybridCompute/machines/patchInstallationResults/read
•Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read
•Microsoft.HybridCompute/locations/updateCenterOperationResults/read
•Microsoft.HybridCompute/machines/hybridIdentityMetadata/read
•Microsoft.HybridCompute/osType/agentVersions/read
•Microsoft.HybridCompute/osType/agentVersions/latest/read
•Microsoft.HybridCompute/machines/runcommands/read
•Microsoft.HybridCompute/machines/runcommands/write
•Microsoft.HybridCompute/machines/runcommands/delete
•Microsoft.HybridCompute/machines/licenseProfiles/read
•Microsoft.HybridCompute/machines/licenseProfiles/write
•Microsoft.HybridCompute/machines/licenseProfiles/delete
•Microsoft.HybridCompute/licenses/read
•Microsoft.HybridCompute/licenses/write
•Microsoft.HybridCompute/licenses/delete
•Microsoft.ExtendedLocation/customLocations/read
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.KubernetesConfiguration/extensions/read
ce551c02-7c42-47e0-9deb-e3b6fc3a9a83 Azure Arc VMware Private Cloud User Azure Arc VMware Private Cloud User has permissions to use the VMware cloud resources to deploy VMs. False 00066 effective control plane operations (unique)

•action: 14
•Delete: 2
•read: 47
•Write: 3
Actions: 040
resolved operations: 66
effective operations: 66
•action: 14
•Delete: 2
•read: 47
•Write: 3

•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ConnectedVMwarevSphere/virtualnetworks/join/action
•Microsoft.ConnectedVMwarevSphere/virtualnetworks/Read
•Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/clone/action
•Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/Read
•Microsoft.ConnectedVMwarevSphere/resourcepools/deploy/action
•Microsoft.ConnectedVMwarevSphere/resourcepools/Read
•Microsoft.ConnectedVMwarevSphere/hosts/deploy/action
•Microsoft.ConnectedVMwarevSphere/hosts/Read
•Microsoft.ConnectedVMwarevSphere/clusters/deploy/action
•Microsoft.ConnectedVMwarevSphere/clusters/Read
•Microsoft.ConnectedVMwarevSphere/datastores/allocateSpace/action
•Microsoft.ConnectedVMwarevSphere/datastores/Read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.KubernetesConfiguration/extensions/read
67d33e57-3129-45e6-bb0b-7cc522f762fa Azure Arc VMware Private Clouds Onboarding Azure Arc VMware Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vCenter instances to Azure. False 00070 effective control plane operations (unique)

•action: 9
•delete: 7
•read: 46
•write: 8
Actions: 044
resolved operations: 70
effective operations: 70
•action: 9
•delete: 7
•read: 46
•write: 8

•Microsoft.ConnectedVMwarevSphere/vcenters/Write
•Microsoft.ConnectedVMwarevSphere/vcenters/Read
•Microsoft.ConnectedVMwarevSphere/vcenters/Delete
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.KubernetesConfiguration/extensions/Write
•Microsoft.KubernetesConfiguration/extensions/Read
•Microsoft.KubernetesConfiguration/extensions/Delete
•Microsoft.KubernetesConfiguration/operations/read
•Microsoft.KubernetesConfiguration/extensions/operations/read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/Write
•Microsoft.ExtendedLocation/customLocations/Delete
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.ResourceConnector/appliances/Read
•Microsoft.ResourceConnector/appliances/Write
•Microsoft.ResourceConnector/appliances/Delete
•Microsoft.ResourceConnector/appliances/listClusterUserCredential/action
•Microsoft.BackupSolutions/vmwareapplications/write
•Microsoft.BackupSolutions/vmwareapplications/delete
•Microsoft.BackupSolutions/vmwareapplications/read
b748a06d-6150-4f8a-aaa9-ce3940cd96cb Azure Arc VMware VM Contributor Arc VMware VM Contributor has permissions to perform all VM actions. False 00101 effective control plane operations (unique)

•action: 16
•Delete: 12
•read: 60
•Write: 13
Actions: 056
resolved operations: 101
effective operations: 101
•action: 16
•Delete: 12
•read: 60
•Write: 13

•Microsoft.ConnectedVMwarevSphere/virtualmachines/*
•Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/*
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/machines/assessPatches/action
•Microsoft.HybridCompute/machines/installPatches/action
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/operations/read
•Microsoft.HybridCompute/locations/operationresults/read
•Microsoft.HybridCompute/locations/operationstatus/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read
•Microsoft.HybridCompute/machines/patchInstallationResults/read
•Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read
•Microsoft.HybridCompute/locations/updateCenterOperationResults/read
•Microsoft.HybridCompute/machines/hybridIdentityMetadata/read
•Microsoft.HybridCompute/osType/agentVersions/read
•Microsoft.HybridCompute/osType/agentVersions/latest/read
•Microsoft.HybridCompute/machines/runcommands/read
•Microsoft.HybridCompute/machines/runcommands/write
•Microsoft.HybridCompute/machines/runcommands/delete
•Microsoft.HybridCompute/machines/licenseProfiles/read
•Microsoft.HybridCompute/machines/licenseProfiles/write
•Microsoft.HybridCompute/machines/licenseProfiles/delete
•Microsoft.HybridCompute/licenses/read
•Microsoft.HybridCompute/licenses/write
•Microsoft.HybridCompute/licenses/delete
8d6517c1-e434-405c-9f3f-e0ae65085d76 Azure Automanage Contributor Azure Automanage Contributor False 00033 effective control plane operations (unique)

•Action: 2
•Delete: 8
•Read: 14
•Write: 9
Actions: 001
resolved operations: 33
effective operations: 33
•Action: 2
•Delete: 8
•Read: 14
•Write: 9

•Microsoft.Automanage/*
29fe4964-1e60-436b-bd3a-77fd4c178b3c Azure Batch Account Contributor Grants full access to manage all Batch resources, including Batch accounts, pools and jobs. False 00099 effective control plane and data plane operations (unique)

•: 1
•action: 17
•delete: 12
•read: 56
•write: 13
Actions: 005
resolved operations: 93
effective operations: 93
•: 1
•action: 17
•delete: 10
•read: 54
•write: 11

•Microsoft.Authorization/*/read
•Microsoft.Batch/batchAccounts/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 001
resolved data operations: 6
effective data operations: 6
•delete: 2
•read: 2
•write: 2

•Microsoft.Batch/batchAccounts/*
11076f67-66f6-4be0-8f6b-f0609fd05cc9 Azure Batch Account Reader Lets you view all resources including pools and jobs in the Batch account. False 00024 effective control plane and data plane operations (unique)

•read: 24
Actions: 003
resolved operations: 22
effective operations: 22
•read: 22

•Microsoft.Batch/batchAccounts/read
•Microsoft.Batch/batchAccounts/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 001
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.Batch/batchAccounts/*/read
6aaa78f1-f7de-44ca-8722-c64a23943cae Azure Batch Data Contributor Grants permissions to manage Batch pools and jobs but not to modify accounts. False 00073 effective control plane and data plane operations (unique)

•: 1
•action: 11
•delete: 8
•read: 45
•write: 8
Actions: 011
resolved operations: 67
effective operations: 67
•: 1
•action: 11
•delete: 6
•read: 43
•write: 6

•Microsoft.Authorization/*/read
•Microsoft.Batch/batchAccounts/read
•Microsoft.Batch/batchAccounts/applications/*
•Microsoft.Batch/batchAccounts/certificates/*
•Microsoft.Batch/batchAccounts/certificateOperationResults/*
•Microsoft.Batch/batchAccounts/pools/*
•Microsoft.Batch/batchAccounts/poolOperationResults/*
•Microsoft.Batch/locations/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 002
resolved data operations: 6
effective data operations: 6
•delete: 2
•read: 2
•write: 2

•Microsoft.Batch/batchAccounts/jobSchedules/*
•Microsoft.Batch/batchAccounts/jobs/*
48e5e92e-a480-4e71-aa9c-2778f4c13781 Azure Batch Job Submitter Lets you submit and manage jobs in the Batch account. False 00018 effective control plane and data plane operations (unique)

•: 1
•Action: 3
•delete: 3
•read: 8
•write: 3
Actions: 005
resolved operations: 12
effective operations: 12
•: 1
•Action: 3
•Delete: 1
•read: 6
•Write: 1

•Microsoft.Batch/batchAccounts/applications/read
•Microsoft.Batch/batchAccounts/applications/versions/read
•Microsoft.Batch/batchAccounts/pools/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 002
resolved data operations: 6
effective data operations: 6
•delete: 2
•read: 2
•write: 2

•Microsoft.Batch/batchAccounts/jobSchedules/*
•Microsoft.Batch/batchAccounts/jobs/*
a35466a1-cfd6-450a-b35e-683fcdf30363 Azure Batch Service Orchestration Role Grants the required permissions to Azure Batch Resource Provider to manage compute and other backing resources in the subscription. False 00048 effective control plane operations (unique)

•: 1
•action: 15
•delete: 6
•read: 20
•write: 6
Actions: 033
resolved operations: 48
effective operations: 48
•: 1
•action: 15
•delete: 6
•read: 20
•write: 6

•Microsoft.Security/assessments/read
•Microsoft.AzureFleet/fleets/write
•Microsoft.AzureFleet/fleets/read
•Microsoft.AzureFleet/fleets/delete
•Microsoft.Compute/locations/DiskOperations/read
•Microsoft.Compute/locations/operations/read
•Microsoft.Compute/virtualMachineScaleSets/approveRollingUpgrade/action
•Microsoft.Compute/virtualMachineScaleSets/deallocate/action
•Microsoft.Compute/virtualMachineScaleSets/delete
•Microsoft.Compute/virtualMachineScaleSets/delete/action
•Microsoft.Compute/VirtualMachineScaleSets/read
•Microsoft.Compute/virtualMachineScaleSets/reimage/action
•Microsoft.Compute/virtualMachineScaleSets/reimageall/action
•Microsoft.Compute/virtualMachineScaleSets/restart/action
•Microsoft.Compute/virtualMachineScaleSets/start/action
•Microsoft.Compute/virtualMachineScaleSets/write
•Microsoft.Compute/virtualMachineScaleSets/extensions/read
•microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read
•Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
•Microsoft.Compute/virtualMachineScaleSets/virtualmachines/restart/action
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/dataCollectionRuleAssociations/read
•Microsoft.Resources/deployments/*
•Microsoft.Insights/diagnosticSettings/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourceGroups/delete
•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Resources/subscriptions/resourceGroups/resources/read
•Microsoft.Network/networkWatchers/read
•Microsoft.Network/virtualNetworks/delete
•Microsoft.Network/virtualNetworks/write
9fc6112f-f48e-4e27-8b09-72a5c94e4ae9 Azure Bot Service Contributor Role To perform actions on the bots by copilot studio platform and extensibility team False 00077 effective control plane operations (unique)

•: 1
•action: 16
•delete: 8
•read: 36
•write: 16
Actions: 036
resolved operations: 77
effective operations: 77
•: 1
•action: 16
•delete: 8
•read: 36
•write: 16

•Microsoft.BotService/listAuthServiceProviders/action
•Microsoft.BotService/listauthserviceproviders/providers/Microsoft.Insights/diagnosticSettings/write
•Microsoft.BotService/botServices/read
•Microsoft.BotService/botServices/write
•Microsoft.BotService/botServices/delete
•Microsoft.BotService/botServices/channels/write
•Microsoft.BotService/botServices/channels/read
•Microsoft.BotService/botServices/channels/listchannelwithkeys/action
•Microsoft.BotService/botServices/channels/delete
•Microsoft.BotService/botServices/channels/providers/Microsoft.Insights/diagnosticSettings/write
•Microsoft.BotService/botServices/connections/read
•Microsoft.BotService/botServices/connections/write
•Microsoft.BotService/botServices/connections/delete
•Microsoft.BotService/botServices/connections/listwithsecrets/write
•Microsoft.BotService/botServices/connections/providers/Microsoft.Insights/diagnosticSettings/write
•Microsoft.BotService/botServices/createemailsigninurl/action
•Microsoft.BotService/botServices/privateEndpointConnectionsApproval/action
•Microsoft.BotService/botServices/joinPerimeter/action
•Microsoft.BotService/botServices/providers/Microsoft.Insights/diagnosticSettings/write
•Microsoft.BotService/checknameavailability/providers/Microsoft.Insights/diagnosticSettings/write
•Microsoft.BotService/hostsettings/providers/Microsoft.Insights/diagnosticSettings/write
•Microsoft.BotService/botServices/privateEndpointConnectionProxies/write
•Microsoft.BotService/botServices/privateEndpointConnectionProxies/delete
•Microsoft.BotService/botServices/privateEndpointConnectionProxies/validate/action
•Microsoft.BotService/botServices/privateEndpointConnections/write
•Microsoft.BotService/botServices/privateEndpointConnections/delete
•Microsoft.BotService/listqnamakerendpointkeys/providers/Microsoft.Insights/diagnosticSettings/write
•Microsoft.BotService/botServices/networkSecurityPerimeterConfigurations/reconcile/action
•Microsoft.BotService/botServices/networkSecurityPerimeterAssociationProxies/write
•Microsoft.BotService/botServices/networkSecurityPerimeterAssociationProxies/delete
•Microsoft.BotService/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.BotService/botServices/channels/regeneratekeys/action
7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7 Azure Center for SAP solutions administrator This role provides read and write access to all capabilities of Azure Center for SAP solutions. False 00117 effective control plane and data plane operations (unique)

•: 1
•Action: 19
•delete: 8
•read: 78
•write: 11
Actions: 057
resolved operations: 116
effective operations: 116
•: 1
•Action: 19
•delete: 8
•read: 77
•write: 11

•Microsoft.Advisor/configurations/read
•Microsoft.Advisor/recommendations/read
•Microsoft.Workloads/sapvirtualInstances/*/read
•Microsoft.Workloads/sapVirtualInstances/*/write
•Microsoft.Workloads/sapVirtualInstances/*/delete
•Microsoft.Workloads/Locations/*/action
•Microsoft.Workloads/Locations/*/read
•Microsoft.Workloads/sapVirtualInstances/*/start/action
•Microsoft.Workloads/sapVirtualInstances/*/stop/action
•Microsoft.Workloads/connectors/*/read
•Microsoft.Workloads/connectors/*/write
•Microsoft.Workloads/connectors/*/delete
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/write
•Microsoft.Network/virtualNetworks/subnets/virtualMachines/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/ipconfigurations/read
•Microsoft.Network/networkInterfaces/loadBalancers/read
•Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/backendAddressPools/read
•Microsoft.Network/loadBalancers/frontendIPConfigurations/read
•Microsoft.Network/loadBalancers/loadBalancingRules/read
•Microsoft.Network/loadBalancers/inboundNatRules/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read
•Microsoft.Network/loadBalancers/networkInterfaces/read
•Microsoft.Network/loadBalancers/outboundRules/read
•Microsoft.Network/loadBalancers/virtualMachines/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/privateEndpoints/read
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Network/routeTables/join/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/fileServices/read
•Microsoft.Storage/storageAccounts/fileServices/shares/read
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/sshPublicKeys/read
•Microsoft.Compute/sshPublicKeys/write
•Microsoft.Compute/sshPublicKeys/*/generateKeyPair/action
•Microsoft.Compute/virtualMachines/extensions/read
•Microsoft.Compute/virtualMachines/extensions/delete
•Microsoft.Compute/disks/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•read: 1

•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
6d949e1d-41e2-46e3-8920-c6e4f31a8310 Azure Center for SAP solutions Management role This role has permissions which allow users to register existing systems, view and manage systems. False n/a
05352d14-a920-4328-a0de-4cbe7430e26b Azure Center for SAP solutions reader This role provides read access to all capabilities of Azure Center for SAP solutions. False 00070 effective control plane operations (unique)

•read: 70
Actions: 043
resolved operations: 70
effective operations: 70
•read: 70

•Microsoft.Advisor/configurations/read
•Microsoft.Advisor/recommendations/read
•Microsoft.Workloads/sapvirtualInstances/*/read
•Microsoft.Workloads/Locations/*/read
•Microsoft.Workloads/Operations/read
•Microsoft.Workloads/Locations/OperationStatuses/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/alertRules/read
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/virtualMachines/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/ipconfigurations/read
•Microsoft.Network/networkInterfaces/loadBalancers/read
•Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/backendAddressPools/read
•Microsoft.Network/loadBalancers/frontendIPConfigurations/read
•Microsoft.Network/loadBalancers/loadBalancingRules/read
•Microsoft.Network/loadBalancers/inboundNatRules/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read
•Microsoft.Network/loadBalancers/networkInterfaces/read
•Microsoft.Network/loadBalancers/outboundRules/read
•Microsoft.Network/loadBalancers/virtualMachines/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/privateEndpoints/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/fileServices/read
•Microsoft.Storage/storageAccounts/fileServices/shares/read
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/virtualMachines/extensions/read
•Microsoft.Compute/disks/read
aabbc5dd-1af0-458b-a942-81af88f9c138 Azure Center for SAP solutions service role Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems. False 00066 effective control plane operations (unique)

•action: 11
•delete: 2
•read: 39
•write: 14
Actions: 055
resolved operations: 66
effective operations: 66
•action: 11
•delete: 2
•read: 39
•write: 14

•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/*
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/write
•Microsoft.Network/loadBalancers/backendAddressPools/read
•Microsoft.Network/loadBalancers/backendAddressPools/write
•Microsoft.Network/loadBalancers/frontendIPConfigurations/read
•Microsoft.Network/loadBalancers/loadBalancingRules/read
•Microsoft.Network/loadBalancers/inboundNatRules/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read
•Microsoft.Network/loadBalancers/networkInterfaces/read
•Microsoft.Network/loadBalancers/outboundRules/read
•Microsoft.Network/loadBalancers/virtualMachines/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/networkInterfaces/ipconfigurations/read
•Microsoft.Network/networkInterfaces/loadBalancers/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/virtualMachines/read
•Microsoft.Network/virtualNetworks/virtualMachines/read
•Microsoft.Network/networkInterfaces/ipconfigurations/join/action
•Microsoft.Network/privateEndpoints/read
•Microsoft.Network/privateEndpoints/write
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/loadBalancers/backendAddressPools/join/action
•Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/write
•Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/fileServices/read
•Microsoft.Storage/storageAccounts/fileServices/write
•Microsoft.Storage/storageAccounts/fileServices/shares/read
•Microsoft.Storage/storageAccounts/fileServices/shares/write
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/write
•Microsoft.Compute/virtualMachines/instanceView/read
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/availabilitySets/write
•Microsoft.Compute/skus/read
•Microsoft.Compute/sshPublicKeys/read
•Microsoft.Compute/virtualMachines/extensions/read
•Microsoft.Compute/virtualMachines/extensions/write
•Microsoft.Compute/virtualMachines/extensions/delete
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/write
0105a6b0-4bb9-43d2-982a-12806f9faddb Azure Center for SAP solutions Service role for management This role has permissions that the user assigned managed identity must have to enable registration for the existing systems. False n/a
b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 Azure Connected Machine Onboarding Can onboard Azure Connected Machines. False 00004 effective control plane operations (unique)

•read: 3
•write: 1
Actions: 004
resolved operations: 4
effective operations: 4
•read: 3
•write: 1

•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/privateLinkScopes/read
•Microsoft.GuestConfiguration/guestConfigurationAssignments/read
cd570a14-e51a-42ad-bac8-bafd67325302 Azure Connected Machine Resource Administrator Can read, write, delete and re-onboard Azure Connected Machines. False 00062 effective control plane operations (unique)

•action: 14
•delete: 10
•read: 28
•write: 10
Actions: 010
resolved operations: 62
effective operations: 62
•action: 14
•delete: 10
•read: 28
•write: 10

•Microsoft.HybridCompute/machines/*
•Microsoft.HybridCompute/machines/extensions/*
•Microsoft.HybridCompute/machines/licenseProfiles/*
•Microsoft.HybridCompute/machines/runCommands/*
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/privateLinkScopes/*
•Microsoft.HybridCompute/licenses/*
•Microsoft.HybridCompute/locations/*
•Microsoft.HybridCompute/*/read
•Microsoft.Resources/deployments/*
count: 011
Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent
Configure Azure Arc Private Link Scopes to disable public network access
Configure Azure Arc Private Link Scopes with private endpoints
Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope
Configure ChangeTracking Extension for Linux Arc machines
Configure ChangeTracking Extension for Windows Arc machines
Configure Linux Arc-enabled machines to run Azure Monitor Agent
Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory
Configure periodic checking for missing system updates on azure Arc-enabled servers
Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory
Configure Windows Arc-enabled machines to run Azure Monitor Agent
f5819b54-e033-4d82-ac66-4fec3cbf3f4c Azure Connected Machine Resource Manager Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group False 00079 effective control plane operations (unique)

•action: 3
•delete: 5
•read: 63
•write: 8
Actions: 032
resolved operations: 79
effective operations: 79
•action: 3
•delete: 5
•read: 63
•write: 8

•Microsoft.Authorization/*/read
•Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read
•Microsoft.GuestConfiguration/guestConfigurationAssignments/read
•Microsoft.GuestConfiguration/guestConfigurationAssignments/write
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/*/read
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/licenseProfiles/delete
•Microsoft.HybridCompute/machines/licenseProfiles/read
•Microsoft.HybridCompute/machines/licenseProfiles/write
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridConnectivity/endpoints/read
•Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read
•Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write
•Microsoft.HybridConnectivity/endpoints/write
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.EdgeMarketplace/locations/operationStatuses/read
•Microsoft.EdgeMarketPlace/offers/getAccessToken/action
•Microsoft.EdgeMarketPlace/offers/generateAccessToken/action
•Microsoft.EdgeMarketplace/publishers/read
•Microsoft.EdgeMarketplace/offers/read
•Microsoft.ExtendedLocation/customLocations/read
•Microsoft.Attestation/attestationProviders/write
•Microsoft.Attestation/attestationProviders/read
•Microsoft.Attestation/attestationProviders/delete
•Microsoft.Attestation/attestationProviders/attestation/read
•Microsoft.Attestation/attestationProviders/attestation/write
•Microsoft.Attestation/attestationProviders/attestation/delete
e8113dce-c529-4d33-91fa-e9b972617508 Azure Connected SQL Server Onboarding Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS. False 00002 effective control plane operations (unique)

•read: 1
•write: 1
Actions: 002
resolved operations: 2
effective operations: 2
•read: 1
•write: 1

•Microsoft.AzureArcData/sqlServerInstances/read
•Microsoft.AzureArcData/sqlServerInstances/write
5d977122-f97e-4b4d-a52f-6b43003ddb4d Azure Container Instances Contributor Role Grants read/write access to container groups provided by Azure Container Instances False 00062 effective control plane operations (unique)

•: 1
•action: 13
•delete: 3
•read: 41
•write: 4
Actions: 005
resolved operations: 62
effective operations: 62
•: 1
•action: 13
•delete: 3
•read: 41
•write: 4

•Microsoft.ContainerInstance/containerGroups/*
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/subscriptions/resourceGroups/read
96062cf7-95ca-4f89-9b9d-2a2aa47356af Azure Container Registry secure supply chain operator service role Grants Microsoft Defender for Cloud access to Azure Container Registry for security assessment of container images False 00009 effective control plane and data plane operations (unique)

•delete: 3
•read: 3
•write: 3
Actions: 003
resolved operations: 3
effective operations: 3
•delete: 1
•read: 1
•write: 1

•Microsoft.ContainerRegistry/registries/pull/read
•Microsoft.ContainerRegistry/registries/push/write
•Microsoft.ContainerRegistry/registries/artifacts/delete
DataActions: 006
resolved data operations: 6
effective data operations: 6
•delete: 2
•read: 2
•write: 2

•Microsoft.ContainerRegistry/registries/repositories/metadata/read
•Microsoft.ContainerRegistry/registries/repositories/content/read
•Microsoft.ContainerRegistry/registries/repositories/metadata/write
•Microsoft.ContainerRegistry/registries/repositories/content/write
•Microsoft.ContainerRegistry/registries/repositories/metadata/delete
•Microsoft.ContainerRegistry/registries/repositories/content/delete
95dd08a6-00bd-4661-84bf-f6726f83a4d0 Azure Container Storage Contributor Lets you install Azure Container Storage and manage its storage resources True 00055 effective control plane operations (unique)

•action: 7
•delete: 3
•read: 41
•write: 4
Actions: 012
resolved operations: 55
effective operations: 55
•action: 7
•delete: 3
•read: 41
•write: 4

•Microsoft.KubernetesConfiguration/extensions/write
•Microsoft.KubernetesConfiguration/extensions/read
•Microsoft.KubernetesConfiguration/extensions/delete
•Microsoft.KubernetesConfiguration/extensions/operations/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Management/managementGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
•Microsoft.Authorization/roleAssignments/write conditioned
•Microsoft.Authorization/roleAssignments/delete conditioned
08d4c71a-cc63-4ce4-a9c8-5dd251b4d619 Azure Container Storage Operator Role required by a Managed Identity for Azure Container Storage operations False 00039 effective control plane operations (unique)

•action: 7
•delete: 7
•read: 14
•write: 11
Actions: 018
resolved operations: 39
effective operations: 39
•action: 7
•delete: 7
•read: 14
•write: 11

•Microsoft.ElasticSan/elasticSans/*
•Microsoft.ElasticSan/locations/asyncoperations/read
•Microsoft.Network/routeTables/join/action
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Network/virtualNetworks/write
•Microsoft.Network/virtualNetworks/delete
•Microsoft.Network/virtualNetworks/join/action
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/write
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/write
•Microsoft.Compute/virtualMachineScaleSets/read
•Microsoft.Compute/virtualMachineScaleSets/write
•Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
•Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
•Microsoft.Resources/subscriptions/providers/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Network/virtualNetworks/read
95de85bd-744d-4664-9dde-11430bc34793 Azure Container Storage Owner Lets you install Azure Container Storage and grants access to its storage resources True 00078 effective control plane operations (unique)

•action: 11
•delete: 9
•read: 48
•write: 10
Actions: 017
resolved operations: 78
effective operations: 78
•action: 11
•delete: 9
•read: 48
•write: 10

•Microsoft.ElasticSan/elasticSans/*
•Microsoft.ElasticSan/locations/*
•Microsoft.ElasticSan/elasticSans/volumeGroups/*
•Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*
•Microsoft.ElasticSan/locations/asyncoperations/read
•Microsoft.KubernetesConfiguration/extensions/write
•Microsoft.KubernetesConfiguration/extensions/read
•Microsoft.KubernetesConfiguration/extensions/delete
•Microsoft.KubernetesConfiguration/extensions/operations/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Management/managementGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
•Microsoft.Authorization/roleAssignments/write conditioned
•Microsoft.Authorization/roleAssignments/delete conditioned
0fb8eba5-a2bb-4abe-b1c1-49dfad359bb0 Azure ContainerApps Session Executor Create and execute sessions in a sessionPool False 00045 effective control plane and data plane operations (unique)

•: 1
•action: 7
•delete: 2
•read: 34
•Write: 1
Actions: 004
resolved operations: 37
effective operations: 37
•: 1
•action: 4
•Delete: 1
•read: 30
•Write: 1

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.App/sessionPools/*/read
•Microsoft.App/sessionPools/sessions/generatesessions/action
DataActions: 005
resolved data operations: 8
effective data operations: 8
•action: 3
•delete: 1
•read: 4

•Microsoft.App/sessionPools/*/read
•Microsoft.App/sessionPools/interpreters/execute/action
•Microsoft.App/sessionPools/interpreters/read
•Microsoft.App/sessionPools/executions/*
•Microsoft.App/sessionPools/files/*
4dae6930-7baf-46f5-909e-0383bc931c46 Azure Customer Lockbox Approver for Subscription Can approve Microsoft support requests to access specific resources contained within a subscription, or the subscription itself, when Customer Lockbox for Microsoft Azure is enabled on the tenant where the subscription resides. False 00032 effective control plane operations (unique)

•action: 1
•read: 31
Actions: 006
resolved operations: 32
effective operations: 32
•action: 1
•read: 31

•Microsoft.Resources/subscriptions/read
•Microsoft.CustomerLockbox/requests/UpdateApproval/action
•Microsoft.CustomerLockbox/requests/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/eventtypes/values/read
bf7f8882-3383-422a-806a-6526c631a88a Azure Deployment Stack Contributor Allows a user to manage deployment stacks, but cannot create or delete deny assignments within the deployment stack. False 00047 effective control plane operations (unique)

•: 1
•Action: 7
•Delete: 2
•read: 34
•Write: 3
Actions: 006
resolved operations: 47
effective operations: 47
•: 1
•Action: 7
•Delete: 2
•read: 34
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deploymentStacks/write
•Microsoft.Resources/deploymentStacks/read
adb29209-aa1d-457b-a786-c913953d2891 Azure Deployment Stack Owner Allows a user to manage deployment stacks, including those with deny assignments. False 00049 effective control plane operations (unique)

•: 1
•Action: 8
•Delete: 3
•read: 34
•Write: 3
Actions: 005
resolved operations: 49
effective operations: 49
•: 1
•Action: 8
•Delete: 3
•read: 34
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deploymentStacks/*
2a740172-0fc2-4039-972c-b31864cd47d6 Azure Device Update Agent Provide full access to all Azure Device Update agent operations False 00001 effective data plane operations (unique)

•action: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.DeviceUpdate/updateAccounts/agents/requestUpdate/action
bcd981a7-7f74-457b-83e1-cceb9e632ffe Azure Digital Twins Data Owner Full access role for Digital Twins data-plane False 00023 effective data plane operations (unique)

•action: 3
•delete: 5
•read: 8
•write: 7
DataActions: 007
resolved data operations: 23
effective data operations: 23
•action: 3
•delete: 5
•read: 8
•write: 7

•Microsoft.DigitalTwins/digitaltwins/*
•Microsoft.DigitalTwins/digitaltwins/commands/*
•Microsoft.DigitalTwins/digitaltwins/relationships/*
•Microsoft.DigitalTwins/eventroutes/*
•Microsoft.DigitalTwins/jobs/*
•Microsoft.DigitalTwins/models/*
•Microsoft.DigitalTwins/query/*
d57506d4-4c8d-48b1-8587-93c323f6a5a3 Azure Digital Twins Data Reader Read-only role for Digital Twins data-plane properties False 00008 effective data plane operations (unique)

•action: 1
•read: 7
DataActions: 008
resolved data operations: 8
effective data operations: 8
•action: 1
•read: 7

•Microsoft.DigitalTwins/digitaltwins/read
•Microsoft.DigitalTwins/digitaltwins/relationships/read
•Microsoft.DigitalTwins/eventroutes/read
•Microsoft.DigitalTwins/jobs/import/read
•Microsoft.DigitalTwins/jobs/imports/read
•Microsoft.DigitalTwins/jobs/deletions/read
•Microsoft.DigitalTwins/models/read
•Microsoft.DigitalTwins/query/action
9295f069-25d0-4f44-bb6a-3da70d11aa00 Azure Edge Hardware Center Administrator Grants you access to take actions as an edge order administrator False 00025 effective control plane operations (unique)

•action: 9
•delete: 3
•read: 10
•write: 3
Actions: 001
resolved operations: 25
effective operations: 25
•action: 9
•delete: 3
•read: 10
•write: 3

•Microsoft.EdgeOrder/*
207bcc4b-86a6-4487-9141-d6c1f4c238aa Azure Edge On-Site Deployment Engineer Grants you access to take actions as an on-site person to assist in the provisioning of an edge device False 00001 effective control plane operations (unique)

•read: 1
Actions: 001
resolved operations: 1
effective operations: 1
•read: 1

•Microsoft.EdgeOrder/orderItems/read
f526a384-b230-433a-b45c-95f59c4a2dec Azure Event Hubs Data Owner Allows for full access to Azure Event Hubs resources. False 00087 effective control plane and data plane operations (unique)

•action: 23
•delete: 15
•read: 32
•write: 17
Actions: 001
resolved operations: 82
effective operations: 82
•action: 21
•delete: 14
•read: 31
•write: 16

•Microsoft.EventHub/*
DataActions: 001
resolved data operations: 5
effective data operations: 5
•action: 2
•delete: 1
•read: 1
•write: 1

•Microsoft.EventHub/*
count: 142
Configure Azure Event Hub namespaces to disable local authentication
Configure Event Hub namespaces with private endpoints
Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Event Hub
Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Event Hub
Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Event Hub
Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub
Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub
Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Event Hub
Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Event Hub
Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Event Hub
Enable logging by category group for Application Insights (microsoft.insights/components) to Event Hub
Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub
Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub
Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub
Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Event Hub
Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Event Hub
Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub
Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Event Hub
Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Event Hub
Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Event Hub
Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Event Hub
Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Event Hub
Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Event Hub
Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub
Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Event Hub
Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub
Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Event Hub
Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Event Hub
Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Event Hub
Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Event Hub
Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Event Hub
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub
Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Event Hub
Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Event Hub
Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Event Hub
Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Event Hub
Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Event Hub
Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub
Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Event Hub
Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Event Hub
Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Event Hub
Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub
Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub
Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Event Hub
Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Event Hub
Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Event Hub
Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Event Hub
Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Event Hub
Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Event Hub
Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Event Hub
Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Event Hub
Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Event Hub
Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub
Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub
Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Event Hub
Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Event Hub
Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub
Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub
Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Event Hub
Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Event Hub
Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Event Hub
Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Event Hub
Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub
Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Event Hub
Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Event Hub
Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Event Hub
Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub
Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub
Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Event Hub
Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Event Hub
Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub
Enable logging by category group for Logic apps (microsoft.logic/workflows) to Event Hub
Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Event Hub
Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Event Hub
Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub
Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub
Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Event Hub
Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub
Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Event Hub
Enable logging by category group for microsoft.azuresphere/catalogs to Event Hub
Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Event Hub
Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Event Hub
Enable logging by category group for microsoft.community/communitytrainings to Event Hub
Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Event Hub
Enable logging by category group for microsoft.customproviders/resourceproviders to Event Hub
Enable logging by category group for microsoft.d365customerinsights/instances to Event Hub
Enable logging by category group for microsoft.dbformysql/flexibleservers to Event Hub
Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Event Hub
Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Event Hub
Enable logging by category group for microsoft.dbforpostgresql/servers to Event Hub
Enable logging by category group for microsoft.devices/provisioningservices to Event Hub
Enable logging by category group for microsoft.documentdb/cassandraclusters to Event Hub
Enable logging by category group for microsoft.documentdb/mongoclusters to Event Hub
Enable logging by category group for microsoft.insights/autoscalesettings to Event Hub
Enable logging by category group for microsoft.machinelearningservices/registries to Event Hub
Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Event Hub
Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Event Hub
Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub
Enable logging by category group for microsoft.network/networkmanagers/ipampools to Event Hub
Enable logging by category group for microsoft.network/networksecurityperimeters to Event Hub
Enable logging by category group for microsoft.network/p2svpngateways to Event Hub
Enable logging by category group for microsoft.network/vpngateways to Event Hub
Enable logging by category group for microsoft.networkanalytics/dataproducts to Event Hub
Enable logging by category group for microsoft.networkcloud/baremetalmachines to Event Hub
Enable logging by category group for microsoft.networkcloud/clusters to Event Hub
Enable logging by category group for microsoft.networkcloud/storageappliances to Event Hub
Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Event Hub
Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Event Hub
Enable logging by category group for microsoft.openenergyplatform/energyservices to Event Hub
Enable logging by category group for microsoft.powerbi/tenants/workspaces to Event Hub
Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Event Hub
Enable logging by category group for microsoft.synapse/workspaces/kustopools to Event Hub
Enable logging by category group for microsoft.timeseriesinsights/environments to Event Hub
Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Event Hub
Enable logging by category group for microsoft.workloads/sapvirtualinstances to Event Hub
Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Event Hub
Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Event Hub
Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Event Hub
Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Event Hub
Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Event Hub
Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub
Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Event Hub
Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Event Hub
Enable logging by category group for Relays (microsoft.relay/namespaces) to Event Hub
Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Event Hub
Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Event Hub
Enable logging by category group for Search services (microsoft.search/searchservices) to Event Hub
Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub
Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub
Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub
Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub
Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Event Hub
Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Event Hub
Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Event Hub
Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Event Hub
Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub
Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub
Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Event Hub
Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub
Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Event Hub
a638d3c7-ab3a-418d-83e6-5f17a39d4fde Azure Event Hubs Data Receiver Allows receive access to Azure Event Hubs resources. False 00002 effective control plane and data plane operations (unique)

•action: 1
•read: 1
Actions: 001
resolved operations: 1
effective operations: 1
•read: 1

•Microsoft.EventHub/*/eventhubs/consumergroups/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.EventHub/*/receive/action
2b629674-e913-4c01-ae53-ef4638d8f975 Azure Event Hubs Data Sender Allows send access to Azure Event Hubs resources. False 00002 effective control plane and data plane operations (unique)

•action: 1
•read: 1
Actions: 001
resolved operations: 1
effective operations: 1
•read: 1

•Microsoft.EventHub/*/eventhubs/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.EventHub/*/send/action
7392c568-9289-4bde-aaaa-b7131215889d Azure Extension for SQL Server Deployment Microsoft.AzureArcData service role to enable deployment of Azure Extension for SQL Server False 00002 effective control plane operations (unique)

•write: 2
Actions: 002
resolved operations: 2
effective operations: 2
•write: 2

•Microsoft.Resources/deployments/write
•Microsoft.HybridCompute/machines/extensions/write
count: 002
[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.
Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates.
0ab34830-df19-4f8c-b84e-aa85b8afa6e8 Azure Front Door Domain Contributor For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users. False 00005 effective control plane operations (unique)

•delete: 1
•read: 3
•write: 1
Actions: 005
resolved operations: 5
effective operations: 5
•delete: 1
•read: 3
•write: 1

•Microsoft.Cdn/operationresults/profileresults/customdomainresults/read
•Microsoft.Cdn/profiles/customdomains/read
•Microsoft.Cdn/profiles/customdomains/write
•Microsoft.Cdn/profiles/customdomains/delete
•Microsoft.Resources/subscriptions/resourceGroups/read
0f99d363-226e-4dca-9920-b807cf8e1a5f Azure Front Door Domain Reader For internal use within Azure. Can view Azure Front Door domains, but can't make changes. False 00003 effective control plane operations (unique)

•read: 3
Actions: 003
resolved operations: 3
effective operations: 3
•read: 3

•Microsoft.Cdn/operationresults/profileresults/customdomainresults/read
•Microsoft.Cdn/profiles/customdomains/read
•Microsoft.Resources/subscriptions/resourceGroups/read
662802e2-50f6-46b0-aed2-e834bacc6d12 Azure Front Door Profile Reader Can view AFD standard and premium profiles and their endpoints, but can't make changes. False 00153 effective control plane operations (unique)

•: 1
•action: 42
•delete: 18
•read: 74
•write: 18
Actions: 017
resolved operations: 153
effective operations: 153
•: 1
•action: 42
•delete: 18
•read: 74
•write: 18

•Microsoft.Authorization/*/read
•Microsoft.Cdn/edgenodes/read
•Microsoft.Cdn/operationresults/*
•Microsoft.Cdn/profiles/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action
•Microsoft.Cdn/profiles/queryloganalyticsmetrics/action
•Microsoft.Cdn/profiles/queryloganalyticsrankings/action
•Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action
•Microsoft.Cdn/profiles/querywafloganalyticsrankings/action
•Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action
•Microsoft.Cdn/profiles/Usages/action
•Microsoft.Cdn/profiles/afdendpoints/Usages/action
•Microsoft.Cdn/profiles/origingroups/Usages/action
•Microsoft.Cdn/profiles/rulesets/Usages/action
3f2eb865-5811-4578-b90a-6fc6fa0df8e5 Azure Front Door Secret Contributor For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users. False 00005 effective control plane operations (unique)

•delete: 1
•read: 3
•write: 1
Actions: 005
resolved operations: 5
effective operations: 5
•delete: 1
•read: 3
•write: 1

•Microsoft.Cdn/operationresults/profileresults/secretresults/read
•Microsoft.Cdn/profiles/secrets/read
•Microsoft.Cdn/profiles/secrets/write
•Microsoft.Cdn/profiles/secrets/delete
•Microsoft.Resources/subscriptions/resourceGroups/read
0db238c4-885e-4c4f-a933-aa2cef684fca Azure Front Door Secret Reader For internal use within Azure. Can view Azure Front Door secrets, but can't make changes. False 00003 effective control plane operations (unique)

•read: 3
Actions: 003
resolved operations: 3
effective operations: 3
•read: 3

•Microsoft.Cdn/operationresults/profileresults/secretresults/read
•Microsoft.Cdn/profiles/secrets/read
•Microsoft.Resources/subscriptions/resourceGroups/read
5d9c6a55-fc0e-4e21-ae6f-f7b095497342 Azure Hybrid Database Administrator - Read Only Service Role Read only access to Azure hybrid database services resources. False 00016 effective control plane operations (unique)

•action: 2
•read: 14
Actions: 006
resolved operations: 16
effective operations: 16
•action: 2
•read: 14

•Microsoft.AzureArcData/*/read
•Microsoft.AzureArcData/sqlServerInstances/getTelemetry/action
•Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/getDetailView/action
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
dfb2f09d-25f8-4558-8986-497084006d7a Azure impact-insight reader built-in role for azure impact-insight read access False 00001 effective control plane operations (unique)

•Read: 1
Actions: 001
resolved operations: 1
effective operations: 1
•Read: 1

•Microsoft.Impact/WorkloadImpacts/*/read
63bb64ad-9799-4770-b5c3-24ed299a07bf Azure Kubernetes Fleet Manager Contributor Role Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc. False 00027 effective control plane operations (unique)

•action: 7
•delete: 6
•read: 8
•write: 6
Actions: 002
resolved operations: 27
effective operations: 27
•action: 7
•delete: 6
•read: 8
•write: 6

•Microsoft.ContainerService/fleets/*
•Microsoft.Resources/deployments/*
434fb43a-c01c-447e-9f67-c3ad923cfaba Azure Kubernetes Fleet Manager RBAC Admin Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. False 00114 effective control plane and data plane operations (unique)

•action: 4
•delete: 23
•read: 63
•write: 24
Actions: 006
resolved operations: 32
effective operations: 32
•action: 1
•read: 31

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/fleets/read
•Microsoft.ContainerService/fleets/listCredentials/action
DataActions: 034
resolved data operations: 82
effective data operations: 82
•action: 3
•delete: 23
•read: 32
•write: 24

•Microsoft.ContainerService/fleets/apps/controllerrevisions/read
•Microsoft.ContainerService/fleets/apps/daemonsets/*
•Microsoft.ContainerService/fleets/apps/deployments/*
•Microsoft.ContainerService/fleets/apps/statefulsets/*
•Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write
•Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
•Microsoft.ContainerService/fleets/batch/cronjobs/*
•Microsoft.ContainerService/fleets/batch/jobs/*
•Microsoft.ContainerService/fleets/configmaps/*
•Microsoft.ContainerService/fleets/endpoints/*
•Microsoft.ContainerService/fleets/events.k8s.io/events/read
•Microsoft.ContainerService/fleets/events/read
•Microsoft.ContainerService/fleets/extensions/daemonsets/*
•Microsoft.ContainerService/fleets/extensions/deployments/*
•Microsoft.ContainerService/fleets/extensions/ingresses/*
•Microsoft.ContainerService/fleets/extensions/networkpolicies/*
•Microsoft.ContainerService/fleets/limitranges/read
•Microsoft.ContainerService/fleets/namespaces/read
•Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
•Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
•Microsoft.ContainerService/fleets/persistentvolumeclaims/*
•Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
•Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*
•Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*
•Microsoft.ContainerService/fleets/replicationcontrollers/*
•Microsoft.ContainerService/fleets/replicationcontrollers/*
•Microsoft.ContainerService/fleets/resourcequotas/read
•Microsoft.ContainerService/fleets/secrets/*
•Microsoft.ContainerService/fleets/serviceaccounts/*
•Microsoft.ContainerService/fleets/services/*
•Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/*
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read
18ab4d3d-a1bf-4477-8ad9-8359bc988f69 Azure Kubernetes Fleet Manager RBAC Cluster Admin Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster. False 00351 effective control plane and data plane operations (unique)

•action: 10
•delete: 60
•read: 215
•write: 66
Actions: 006
resolved operations: 32
effective operations: 32
•action: 1
•read: 31

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/fleets/read
•Microsoft.ContainerService/fleets/listCredentials/action
DataActions: 001
resolved data operations: 319
effective data operations: 319
•action: 9
•delete: 60
•read: 184
•write: 66

•Microsoft.ContainerService/fleets/*
bd80684d-2f5f-4130-892a-0955546282de Azure Kubernetes Fleet Manager RBAC Cluster Reader Grants read-only access to most Kubernetes cluster-scoped resources in the fleet-managed hub cluster. False 00037 effective control plane and data plane operations (unique)

•action: 1
•read: 36
Actions: 002
resolved operations: 2
effective operations: 2
•action: 1
•read: 1

•Microsoft.ContainerService/fleets/read
•Microsoft.ContainerService/fleets/listCredentials/action
DataActions: 035
resolved data operations: 35
effective data operations: 35
•read: 35

•Microsoft.ContainerService/fleets/apiextensions.k8s.io/customresourcedefinitions/read
•Microsoft.ContainerService/fleets/apps/controllerrevisions/read
•Microsoft.ContainerService/fleets/apps/daemonsets/read
•Microsoft.ContainerService/fleets/apps/deployments/read
•Microsoft.ContainerService/fleets/apps/statefulsets/read
•Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read
•Microsoft.ContainerService/fleets/batch/cronjobs/read
•Microsoft.ContainerService/fleets/batch/jobs/read
•Microsoft.ContainerService/fleets/configmaps/read
•Microsoft.ContainerService/fleets/endpoints/read
•Microsoft.ContainerService/fleets/events.k8s.io/events/read
•Microsoft.ContainerService/fleets/events/read
•Microsoft.ContainerService/fleets/extensions/daemonsets/read
•Microsoft.ContainerService/fleets/extensions/deployments/read
•Microsoft.ContainerService/fleets/extensions/ingresses/read
•Microsoft.ContainerService/fleets/extensions/networkpolicies/read
•Microsoft.ContainerService/fleets/limitranges/read
•Microsoft.ContainerService/fleets/namespaces/read
•Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read
•Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read
•Microsoft.ContainerService/fleets/nodes/read
•Microsoft.ContainerService/fleets/persistentvolumes/read
•Microsoft.ContainerService/fleets/persistentvolumeclaims/read
•Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read
•Microsoft.ContainerService/fleets/replicationcontrollers/read
•Microsoft.ContainerService/fleets/resourcequotas/read
•Microsoft.ContainerService/fleets/serviceaccounts/read
•Microsoft.ContainerService/fleets/services/read
•Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/memberclusters/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceplacements/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourcebindings/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourcesnapshots/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterschedulingpolicysnapshots/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceoverrides/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceoverridesnapshots/read
1dc4cd5a-de51-4ee4-bc8e-b40e9c17e320 Azure Kubernetes Fleet Manager RBAC Cluster Writer Grants read/write access to most Kubernetes cluster-scoped resources in the fleet-managed hub cluster. False 00063 effective control plane and data plane operations (unique)

•action: 1
•read: 37
•write: 25
Actions: 002
resolved operations: 2
effective operations: 2
•action: 1
•read: 1

•Microsoft.ContainerService/fleets/read
•Microsoft.ContainerService/fleets/listCredentials/action
DataActions: 061
resolved data operations: 61
effective data operations: 61
•read: 36
•write: 25

•Microsoft.ContainerService/fleets/apiextensions.k8s.io/customresourcedefinitions/read
•Microsoft.ContainerService/fleets/apps/controllerrevisions/read
•Microsoft.ContainerService/fleets/apps/daemonsets/read
•Microsoft.ContainerService/fleets/apps/daemonsets/write
•Microsoft.ContainerService/fleets/apps/deployments/read
•Microsoft.ContainerService/fleets/apps/deployments/write
•Microsoft.ContainerService/fleets/apps/statefulsets/read
•Microsoft.ContainerService/fleets/apps/statefulsets/write
•Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read
•Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write
•Microsoft.ContainerService/fleets/batch/cronjobs/read
•Microsoft.ContainerService/fleets/batch/cronjobs/write
•Microsoft.ContainerService/fleets/batch/jobs/read
•Microsoft.ContainerService/fleets/batch/jobs/write
•Microsoft.ContainerService/fleets/configmaps/read
•Microsoft.ContainerService/fleets/configmaps/write
•Microsoft.ContainerService/fleets/endpoints/read
•Microsoft.ContainerService/fleets/endpoints/write
•Microsoft.ContainerService/fleets/events.k8s.io/events/read
•Microsoft.ContainerService/fleets/events/read
•Microsoft.ContainerService/fleets/extensions/daemonsets/read
•Microsoft.ContainerService/fleets/extensions/daemonsets/write
•Microsoft.ContainerService/fleets/extensions/deployments/read
•Microsoft.ContainerService/fleets/extensions/deployments/write
•Microsoft.ContainerService/fleets/extensions/ingresses/read
•Microsoft.ContainerService/fleets/extensions/ingresses/write
•Microsoft.ContainerService/fleets/extensions/networkpolicies/read
•Microsoft.ContainerService/fleets/extensions/networkpolicies/write
•Microsoft.ContainerService/fleets/limitranges/read
•Microsoft.ContainerService/fleets/namespaces/read
•Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read
•Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write
•Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read
•Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write
•Microsoft.ContainerService/fleets/nodes/read
•Microsoft.ContainerService/fleets/nodes/write
•Microsoft.ContainerService/fleets/persistentvolumes/read
•Microsoft.ContainerService/fleets/persistentvolumes/write
•Microsoft.ContainerService/fleets/persistentvolumeclaims/read
•Microsoft.ContainerService/fleets/persistentvolumeclaims/write
•Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read
•Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write
•Microsoft.ContainerService/fleets/replicationcontrollers/read
•Microsoft.ContainerService/fleets/replicationcontrollers/write
•Microsoft.ContainerService/fleets/resourcequotas/read
•Microsoft.ContainerService/fleets/secrets/read
•Microsoft.ContainerService/fleets/secrets/write
•Microsoft.ContainerService/fleets/serviceaccounts/read
•Microsoft.ContainerService/fleets/serviceaccounts/write
•Microsoft.ContainerService/fleets/services/read
•Microsoft.ContainerService/fleets/services/write
•Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/memberclusters/read
•Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/memberclusters/write
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceplacements/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceplacements/write
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourcebindings/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourcesnapshots/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterschedulingpolicysnapshots/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceoverrides/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceoverrides/write
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceoverridesnapshots/read
30b27cfc-9c84-438e-b0ce-70e35255df80 Azure Kubernetes Fleet Manager RBAC Reader Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. False 00061 effective control plane and data plane operations (unique)

•action: 1
•read: 60
Actions: 006
resolved operations: 32
effective operations: 32
•action: 1
•read: 31

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/fleets/read
•Microsoft.ContainerService/fleets/listCredentials/action
DataActions: 030
resolved data operations: 29
effective data operations: 29
•read: 29

•Microsoft.ContainerService/fleets/apps/controllerrevisions/read
•Microsoft.ContainerService/fleets/apps/daemonsets/read
•Microsoft.ContainerService/fleets/apps/deployments/read
•Microsoft.ContainerService/fleets/apps/statefulsets/read
•Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read
•Microsoft.ContainerService/fleets/batch/cronjobs/read
•Microsoft.ContainerService/fleets/batch/jobs/read
•Microsoft.ContainerService/fleets/configmaps/read
•Microsoft.ContainerService/fleets/endpoints/read
•Microsoft.ContainerService/fleets/events.k8s.io/events/read
•Microsoft.ContainerService/fleets/events/read
•Microsoft.ContainerService/fleets/extensions/daemonsets/read
•Microsoft.ContainerService/fleets/extensions/deployments/read
•Microsoft.ContainerService/fleets/extensions/ingresses/read
•Microsoft.ContainerService/fleets/extensions/networkpolicies/read
•Microsoft.ContainerService/fleets/limitranges/read
•Microsoft.ContainerService/fleets/namespaces/read
•Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read
•Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read
•Microsoft.ContainerService/fleets/persistentvolumeclaims/read
•Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read
•Microsoft.ContainerService/fleets/replicationcontrollers/read
•Microsoft.ContainerService/fleets/replicationcontrollers/read
•Microsoft.ContainerService/fleets/resourcequotas/read
•Microsoft.ContainerService/fleets/serviceaccounts/read
•Microsoft.ContainerService/fleets/services/read
•Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read
5af6afb3-c06c-4fa4-8848-71a8aee05683 Azure Kubernetes Fleet Manager RBAC Writer Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. False 00083 effective control plane and data plane operations (unique)

•action: 1
•read: 61
•write: 21
Actions: 006
resolved operations: 32
effective operations: 32
•action: 1
•read: 31

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/fleets/read
•Microsoft.ContainerService/fleets/listCredentials/action
DataActions: 051
resolved data operations: 51
effective data operations: 51
•read: 30
•write: 21

•Microsoft.ContainerService/fleets/apps/controllerrevisions/read
•Microsoft.ContainerService/fleets/apps/daemonsets/read
•Microsoft.ContainerService/fleets/apps/daemonsets/write
•Microsoft.ContainerService/fleets/apps/deployments/read
•Microsoft.ContainerService/fleets/apps/deployments/write
•Microsoft.ContainerService/fleets/apps/statefulsets/read
•Microsoft.ContainerService/fleets/apps/statefulsets/write
•Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read
•Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write
•Microsoft.ContainerService/fleets/batch/cronjobs/read
•Microsoft.ContainerService/fleets/batch/cronjobs/write
•Microsoft.ContainerService/fleets/batch/jobs/read
•Microsoft.ContainerService/fleets/batch/jobs/write
•Microsoft.ContainerService/fleets/configmaps/read
•Microsoft.ContainerService/fleets/configmaps/write
•Microsoft.ContainerService/fleets/endpoints/read
•Microsoft.ContainerService/fleets/endpoints/write
•Microsoft.ContainerService/fleets/events.k8s.io/events/read
•Microsoft.ContainerService/fleets/events/read
•Microsoft.ContainerService/fleets/extensions/daemonsets/read
•Microsoft.ContainerService/fleets/extensions/daemonsets/write
•Microsoft.ContainerService/fleets/extensions/deployments/read
•Microsoft.ContainerService/fleets/extensions/deployments/write
•Microsoft.ContainerService/fleets/extensions/ingresses/read
•Microsoft.ContainerService/fleets/extensions/ingresses/write
•Microsoft.ContainerService/fleets/extensions/networkpolicies/read
•Microsoft.ContainerService/fleets/extensions/networkpolicies/write
•Microsoft.ContainerService/fleets/limitranges/read
•Microsoft.ContainerService/fleets/namespaces/read
•Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read
•Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write
•Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read
•Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write
•Microsoft.ContainerService/fleets/persistentvolumeclaims/read
•Microsoft.ContainerService/fleets/persistentvolumeclaims/write
•Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read
•Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write
•Microsoft.ContainerService/fleets/replicationcontrollers/read
•Microsoft.ContainerService/fleets/replicationcontrollers/write
•Microsoft.ContainerService/fleets/resourcequotas/read
•Microsoft.ContainerService/fleets/secrets/read
•Microsoft.ContainerService/fleets/secrets/write
•Microsoft.ContainerService/fleets/serviceaccounts/read
•Microsoft.ContainerService/fleets/serviceaccounts/write
•Microsoft.ContainerService/fleets/services/read
•Microsoft.ContainerService/fleets/services/write
•Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read
•Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read
b29efa5f-7782-4dc3-9537-4d5bc70a5e9f Azure Kubernetes Service Arc Cluster Admin Role List cluster admin credential action. False 00003 effective control plane operations (unique)

•action: 1
•read: 2
Actions: 003
resolved operations: 3
effective operations: 3
•action: 1
•read: 2

•Microsoft.HybridContainerService/provisionedClusterInstances/read
•Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action
•Microsoft.Kubernetes/connectedClusters/Read
233ca253-b031-42ff-9fba-87ef12d6b55f Azure Kubernetes Service Arc Cluster User Role List cluster user credential action. False 00003 effective control plane operations (unique)

•action: 1
•read: 2
Actions: 003
resolved operations: 3
effective operations: 3
•action: 1
•read: 2

•Microsoft.HybridContainerService/provisionedClusterInstances/read
•Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action
•Microsoft.Kubernetes/connectedClusters/Read
5d3f1697-4507-4d08-bb4a-477695db5f82 Azure Kubernetes Service Arc Contributor Role Grants access to read and write Azure Kubernetes Services hybrid clusters False 00025 effective control plane operations (unique)

•action: 2
•delete: 6
•Read: 11
•write: 6
Actions: 025
resolved operations: 25
effective operations: 25
•action: 2
•delete: 6
•Read: 11
•write: 6

•Microsoft.HybridContainerService/Locations/operationStatuses/read
•Microsoft.HybridContainerService/Operations/read
•Microsoft.HybridContainerService/kubernetesVersions/read
•Microsoft.HybridContainerService/kubernetesVersions/write
•Microsoft.HybridContainerService/kubernetesVersions/delete
•Microsoft.HybridContainerService/provisionedClusterInstances/read
•Microsoft.HybridContainerService/provisionedClusterInstances/write
•Microsoft.HybridContainerService/provisionedClusterInstances/delete
•Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read
•Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write
•Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete
•Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read
•Microsoft.HybridContainerService/skus/read
•Microsoft.HybridContainerService/skus/write
•Microsoft.HybridContainerService/skus/delete
•Microsoft.HybridContainerService/virtualNetworks/read
•Microsoft.HybridContainerService/virtualNetworks/write
•Microsoft.HybridContainerService/virtualNetworks/delete
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.ExtendedLocation/customLocations/read
•Microsoft.Kubernetes/connectedClusters/Read
•Microsoft.Kubernetes/connectedClusters/Write
•Microsoft.Kubernetes/connectedClusters/Delete
•Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action
•Microsoft.AzureStackHCI/clusters/read
0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 Azure Kubernetes Service Cluster Admin Role List cluster admin credential action. False 00004 effective control plane operations (unique)

•action: 3
•read: 1
Actions: 004
resolved operations: 4
effective operations: 4
•action: 3
•read: 1

•Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
•Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action
•Microsoft.ContainerService/managedClusters/read
•Microsoft.ContainerService/managedClusters/runcommand/action
1afdec4b-e479-420e-99e7-f82237c7c5e6 Azure Kubernetes Service Cluster Monitoring User List cluster monitoring user credential action. False 00002 effective control plane operations (unique)

•action: 1
•read: 1
Actions: 002
resolved operations: 2
effective operations: 2
•action: 1
•read: 1

•Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action
•Microsoft.ContainerService/managedClusters/read
4abbcc35-e782-43d8-92c5-2d3f1bd2253f Azure Kubernetes Service Cluster User Role List cluster user credential action. False 00002 effective control plane operations (unique)

•action: 1
•read: 1
Actions: 002
resolved operations: 2
effective operations: 2
•action: 1
•read: 1

•Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
•Microsoft.ContainerService/managedClusters/read
ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 Azure Kubernetes Service Contributor Role Grants access to read and write Azure Kubernetes Service clusters False 00118 effective control plane operations (unique)

•: 1
•action: 23
•delete: 13
•read: 66
•write: 15
Actions: 008
resolved operations: 118
effective operations: 118
•: 1
•action: 23
•delete: 13
•read: 66
•write: 15

•Microsoft.Authorization/*/read
•Microsoft.ContainerService/locations/*
•Microsoft.ContainerService/managedClusters/*
•Microsoft.ContainerService/managedclustersnapshots/*
•Microsoft.ContainerService/snapshots/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 006
[Preview]: Deploy Image Integrity on Azure Kubernetes Service
Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access
Configure Node OS Auto upgrade on Azure Kubernetes Cluster
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Deploy Image Cleaner on Azure Kubernetes Service
Disable Command Invoke on Azure Kubernetes Service clusters
b5092dac-c796-4349-8681-1a322a31c3f9 Azure Kubernetes Service Hybrid Cluster Admin Role List cluster admin credential action. False 00003 effective control plane operations (unique)

•action: 1
•read: 2
Actions: 003
resolved operations: 3
effective operations: 3
•action: 1
•read: 2

•Microsoft.HybridContainerService/provisionedClusterInstances/read
•Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action
•Microsoft.Kubernetes/connectedClusters/Read
fc3f91a1-40bf-4439-8c46-45edbd83563a Azure Kubernetes Service Hybrid Cluster User Role List cluster user credential action. False 00003 effective control plane operations (unique)

•action: 1
•read: 2
Actions: 003
resolved operations: 3
effective operations: 3
•action: 1
•read: 2

•Microsoft.HybridContainerService/provisionedClusterInstances/read
•Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action
•Microsoft.Kubernetes/connectedClusters/Read
e7037d40-443a-4434-a3fb-8cd202011e1d Azure Kubernetes Service Hybrid Contributor Role Grants access to read and write Azure Kubernetes Services hybrid clusters False 00024 effective control plane operations (unique)

•action: 2
•delete: 6
•read: 10
•write: 6
Actions: 024
resolved operations: 24
effective operations: 24
•action: 2
•delete: 6
•read: 10
•write: 6

•Microsoft.HybridContainerService/Locations/operationStatuses/read
•Microsoft.HybridContainerService/Operations/read
•Microsoft.HybridContainerService/kubernetesVersions/read
•Microsoft.HybridContainerService/kubernetesVersions/write
•Microsoft.HybridContainerService/kubernetesVersions/delete
•Microsoft.HybridContainerService/provisionedClusterInstances/read
•Microsoft.HybridContainerService/provisionedClusterInstances/write
•Microsoft.HybridContainerService/provisionedClusterInstances/delete
•Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read
•Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write
•Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete
•Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read
•Microsoft.HybridContainerService/skus/read
•Microsoft.HybridContainerService/skus/write
•Microsoft.HybridContainerService/skus/delete
•Microsoft.HybridContainerService/virtualNetworks/read
•Microsoft.HybridContainerService/virtualNetworks/write
•Microsoft.HybridContainerService/virtualNetworks/delete
•Microsoft.Kubernetes/connectedClusters/Read
•Microsoft.Kubernetes/connectedClusters/Write
•Microsoft.Kubernetes/connectedClusters/Delete
•Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.ExtendedLocation/customLocations/read
18ed5180-3e48-46fd-8541-4ea054d57064 Azure Kubernetes Service Policy Add-on Deployment Deploy the Azure Policy add-on on Azure Kubernetes Service clusters False 00014 effective control plane operations (unique)

•action: 7
•delete: 1
•read: 4
•write: 2
Actions: 006
resolved operations: 14
effective operations: 14
•action: 7
•delete: 1
•read: 4
•write: 2

•Microsoft.Resources/deployments/*
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/publicIPPrefixes/join/action
•Microsoft.Network/publicIPAddresses/join/action
•Microsoft.Compute/diskEncryptionSets/read
•Microsoft.Compute/proximityPlacementGroups/write
count: 006
[Preview]: Deploy Image Integrity on Azure Kubernetes Service
Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access
Configure Node OS Auto upgrade on Azure Kubernetes Cluster
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Deploy Image Cleaner on Azure Kubernetes Service
Disable Command Invoke on Azure Kubernetes Service clusters
3498e952-d568-435e-9b2c-8d77e338d7f7 Azure Kubernetes Service RBAC Admin Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. False 00371 effective control plane and data plane operations (unique)

•action: 11
•delete: 66
•read: 222
•write: 72
Actions: 005
resolved operations: 31
effective operations: 31
•action: 1
•read: 30

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
DataActions: 001
resolved data operations: 344
effective data operations: 340
•action: 10
•delete: 66
•read: 192
•write: 72

•Microsoft.ContainerService/managedClusters/*
NotDataActions: 004
resolved not data operations: 4
effective not data operations: 2963

•Microsoft.ContainerService/managedClusters/resourcequotas/write
•Microsoft.ContainerService/managedClusters/resourcequotas/delete
•Microsoft.ContainerService/managedClusters/namespaces/write
•Microsoft.ContainerService/managedClusters/namespaces/delete
b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b Azure Kubernetes Service RBAC Cluster Admin Lets you manage all resources in the cluster. False 00375 effective control plane and data plane operations (unique)

•action: 11
•delete: 68
•read: 222
•write: 74
Actions: 005
resolved operations: 31
effective operations: 31
•action: 1
•read: 30

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
DataActions: 001
resolved data operations: 344
effective data operations: 344
•action: 10
•delete: 68
•read: 192
•write: 74

•Microsoft.ContainerService/managedClusters/*
7f6c6a51-bcf8-42ba-9220-52d62157d7db Azure Kubernetes Service RBAC Reader Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. False 00061 effective control plane and data plane operations (unique)

•read: 61
Actions: 004
resolved operations: 30
effective operations: 30
•read: 30

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 031
resolved data operations: 31
effective data operations: 31
•read: 31

•Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read
•Microsoft.ContainerService/managedClusters/apps/daemonsets/read
•Microsoft.ContainerService/managedClusters/apps/deployments/read
•Microsoft.ContainerService/managedClusters/apps/replicasets/read
•Microsoft.ContainerService/managedClusters/apps/statefulsets/read
•Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read
•Microsoft.ContainerService/managedClusters/batch/cronjobs/read
•Microsoft.ContainerService/managedClusters/batch/jobs/read
•Microsoft.ContainerService/managedClusters/configmaps/read
•Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read
•Microsoft.ContainerService/managedClusters/endpoints/read
•Microsoft.ContainerService/managedClusters/events.k8s.io/events/read
•Microsoft.ContainerService/managedClusters/events/read
•Microsoft.ContainerService/managedClusters/extensions/daemonsets/read
•Microsoft.ContainerService/managedClusters/extensions/deployments/read
•Microsoft.ContainerService/managedClusters/extensions/ingresses/read
•Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read
•Microsoft.ContainerService/managedClusters/extensions/replicasets/read
•Microsoft.ContainerService/managedClusters/limitranges/read
•Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read
•Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read
•Microsoft.ContainerService/managedClusters/namespaces/read
•Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read
•Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read
•Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read
•Microsoft.ContainerService/managedClusters/pods/read
•Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read
•Microsoft.ContainerService/managedClusters/replicationcontrollers/read
•Microsoft.ContainerService/managedClusters/resourcequotas/read
•Microsoft.ContainerService/managedClusters/serviceaccounts/read
•Microsoft.ContainerService/managedClusters/services/read
a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb Azure Kubernetes Service RBAC Writer Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. False 00115 effective control plane and data plane operations (unique)

•action: 2
•delete: 25
•read: 63
•write: 25
Actions: 004
resolved operations: 30
effective operations: 30
•read: 30

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 035
resolved data operations: 85
effective data operations: 85
•action: 2
•delete: 25
•read: 33
•write: 25

•Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read
•Microsoft.ContainerService/managedClusters/apps/daemonsets/*
•Microsoft.ContainerService/managedClusters/apps/deployments/*
•Microsoft.ContainerService/managedClusters/apps/replicasets/*
•Microsoft.ContainerService/managedClusters/apps/statefulsets/*
•Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
•Microsoft.ContainerService/managedClusters/batch/cronjobs/*
•Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read
•Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write
•Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete
•Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read
•Microsoft.ContainerService/managedClusters/batch/jobs/*
•Microsoft.ContainerService/managedClusters/configmaps/*
•Microsoft.ContainerService/managedClusters/endpoints/*
•Microsoft.ContainerService/managedClusters/events.k8s.io/events/read
•Microsoft.ContainerService/managedClusters/events/*
•Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
•Microsoft.ContainerService/managedClusters/extensions/deployments/*
•Microsoft.ContainerService/managedClusters/extensions/ingresses/*
•Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
•Microsoft.ContainerService/managedClusters/extensions/replicasets/*
•Microsoft.ContainerService/managedClusters/limitranges/read
•Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read
•Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read
•Microsoft.ContainerService/managedClusters/namespaces/read
•Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
•Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
•Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
•Microsoft.ContainerService/managedClusters/pods/*
•Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
•Microsoft.ContainerService/managedClusters/replicationcontrollers/*
•Microsoft.ContainerService/managedClusters/resourcequotas/read
•Microsoft.ContainerService/managedClusters/secrets/*
•Microsoft.ContainerService/managedClusters/serviceaccounts/*
•Microsoft.ContainerService/managedClusters/services/*
ea01e6af-a1c1-4350-9563-ad00f8c72ec5 Azure Machine Learning Workspace Connection Secrets Reader Can list workspace connection secrets False 00002 effective control plane operations (unique)

•action: 1
•read: 1
Actions: 002
resolved operations: 2
effective operations: 2
•action: 1
•read: 1

•Microsoft.MachineLearningServices/workspaces/connections/listsecrets/action
•Microsoft.MachineLearningServices/workspaces/metadata/secrets/read
5c2d7e57-b7c2-4d8a-be4f-82afa42c6e95 Azure Managed Grafana Workspace Contributor Can manage Azure Managed Grafana resources, without providing access to the workspaces themselves. False 00056 effective control plane operations (unique)

•action: 10
•delete: 6
•read: 33
•write: 7
Actions: 030
resolved operations: 56
effective operations: 56
•action: 10
•delete: 6
•read: 33
•write: 7

•Microsoft.Dashboard/grafana/write
•Microsoft.Dashboard/grafana/delete
•Microsoft.Dashboard/grafana/PrivateEndpointConnectionsApproval/action
•Microsoft.Dashboard/grafana/managedPrivateEndpoints/action
•Microsoft.Dashboard/locations/operationStatuses/write
•Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/validate/action
•Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/write
•Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/delete
•Microsoft.Dashboard/grafana/privateEndpointConnections/write
•Microsoft.Dashboard/grafana/privateEndpointConnections/delete
•Microsoft.Dashboard/grafana/managedPrivateEndpoints/write
•Microsoft.Dashboard/grafana/managedPrivateEndpoints/delete
•Microsoft.Authorization/*/read
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourceGroups/read
dba33070-676a-4fb0-87fa-064dc56ff7fb Azure Maps Contributor Grants access to all Azure Maps resource management. False 00062 effective control plane operations (unique)

•action: 10
•delete: 5
•read: 41
•write: 6
Actions: 004
resolved operations: 62
effective operations: 62
•action: 10
•delete: 5
•read: 41
•write: 6

•Microsoft.Maps/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 Azure Maps Data Contributor Grants access to read, write, and delete access to map related data from an Azure maps account. False 00019 effective data plane operations (unique)

•action: 1
•delete: 2
•read: 12
•write: 4
DataActions: 004
resolved data operations: 19
effective data operations: 19
•action: 1
•delete: 2
•read: 12
•write: 4

•Microsoft.Maps/accounts/*/read
•Microsoft.Maps/accounts/*/write
•Microsoft.Maps/accounts/*/delete
•Microsoft.Maps/accounts/*/action
d6470a16-71bd-43ab-86b3-6f3a73f4e787 Azure Maps Data Read and Batch Role This role can be used to assign read and batch actions on Azure Maps. False 00013 effective data plane operations (unique)

•action: 1
•read: 12
DataActions: 002
resolved data operations: 13
effective data operations: 13
•action: 1
•read: 12

•Microsoft.Maps/accounts/services/*/read
•Microsoft.Maps/accounts/services/batch/action
423170ca-a8f6-4b0f-8487-9e4eb8f49bfa Azure Maps Data Reader Grants access to read map related data from an Azure maps account. False 00012 effective data plane operations (unique)

•read: 12
DataActions: 001
resolved data operations: 12
effective data operations: 12
•read: 12

•Microsoft.Maps/accounts/*/read
6be48352-4f82-47c9-ad5e-0acacefdb005 Azure Maps Search and Render Data Reader Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. False 00002 effective data plane operations (unique)

•read: 2
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.Maps/accounts/services/render/read
•Microsoft.Maps/accounts/services/search/read
f27b7598-bc64-41f7-8a44-855ff16326c2 Azure Messaging Catalog Data Owner Allows for full access to Azure Messaging Catalog resources. False 00009 effective control plane and data plane operations (unique)

•delete: 3
•read: 3
•write: 3
Actions: 001
resolved operations: n/a
effective operations: n/a


•Microsoft.MessagingCatalog/*
DataActions: 001
resolved data operations: 9
effective data operations: 9
•delete: 3
•read: 3
•write: 3

•Microsoft.MessagingCatalog/*
ff478a4e-8633-416e-91bc-ec33ce7c9516 Azure Messaging Connectors Owner Allows for full access to Azure Messaging Connectors resources. False 00005 effective control plane and data plane operations (unique)

•action: 2
•delete: 1
•read: 1
•write: 1
Actions: 001
resolved operations: 5
effective operations: 5
•action: 2
•delete: 1
•read: 1
•write: 1

•Microsoft.MessagingConnectors/*
DataActions: 001
resolved data operations: n/a
effective data operations: n/a


•Microsoft.MessagingConnectors/*
c20923c5-b089-47a5-bf67-fd89569c4ad9 Azure Programmable Connectivity Gateway Dataplane User Allows access to all Gateway dataplane APIs. False 00040 effective control plane and data plane operations (unique)

•: 1
•action: 4
•delete: 1
•NetworkAPIAccess: 1
•read: 32
•write: 1
Actions: 005
resolved operations: 39
effective operations: 39
•: 1
•action: 4
•delete: 1
•read: 32
•write: 1

•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/
•Microsoft.Resources/deployments/*
DataActions: 001
resolved data operations: 1
effective data operations: 1
•NetworkAPIAccess: 1

•Microsoft.ProgrammableConnectivity/Gateways/NetworkAPIAccess
609c0c20-e0a0-4a71-b99f-e7e755ac493d Azure Programmable Connectivity Gateway User Allows access to all Gateway dataplane APIs. False 00046 effective control plane operations (unique)

•: 1
•Action: 7
•Delete: 2
•read: 34
•Write: 2
Actions: 005
resolved operations: 46
effective operations: 46
•: 1
•Action: 7
•Delete: 2
•read: 34
•Write: 2

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
0d7aedc0-15fd-4a67-a412-efad370c947e Azure Red Hat OpenShift Azure Files Storage Operator Role Enables permissions to set OpenShift cluster-wide storage defaults. It ensures a default storageclass exists for clusters. It also installs Container Storage Interface (CSI) drivers which enable your cluster to use Azure Files. False 00011 effective control plane operations (unique)

•action: 2
•delete: 2
•read: 4
•write: 3
Actions: 011
resolved operations: 11
effective operations: 11
•action: 2
•delete: 2
•read: 4
•write: 3

•Microsoft.Storage/storageAccounts/delete
•Microsoft.Storage/storageAccounts/fileServices/read
•Microsoft.Storage/storageAccounts/fileServices/shares/delete
•Microsoft.Storage/storageAccounts/fileServices/shares/read
•Microsoft.Storage/storageAccounts/fileServices/shares/write
•Microsoft.Storage/storageAccounts/listKeys/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/write
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/write
a1f96423-95ce-4224-ab27-4e3dc72facd4 Azure Red Hat OpenShift Cloud Controller Manager Role Enables permissions for the operator to manage and update the cloud controller managers deployed on top of OpenShift. False 00013 effective control plane operations (unique)

•action: 3
•read: 6
•write: 4
Actions: 013
resolved operations: 13
effective operations: 13
•action: 3
•read: 6
•write: 4

•Microsoft.Compute/virtualMachines/read
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/write
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkSecurityGroups/write
•Microsoft.Network/publicIPAddresses/join/action
•Microsoft.Network/publicIPAddresses/read
•Microsoft.Network/publicIPAddresses/write
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/loadBalancers/backendAddressPools/join/action
•Microsoft.Network/networkInterfaces/write
0336e1d3-7a87-462b-b6db-342b63f7802c Azure Red Hat OpenShift Cluster Ingress Operator Role Enables permissions for the operator to configure and manage the OpenShift router. False 00004 effective control plane operations (unique)

•delete: 2
•write: 2
Actions: 004
resolved operations: 4
effective operations: 4
•delete: 2
•write: 2

•Microsoft.Network/dnsZones/A/delete
•Microsoft.Network/dnsZones/A/write
•Microsoft.Network/privateDnsZones/A/delete
•Microsoft.Network/privateDnsZones/A/write
ef318e2a-8334-4a05-9e4a-295a196c6a6e Azure Red Hat OpenShift Federated Credential Role This role grants the permissions required in order to patch cluster managed identities with the federated credential to build a trust relationship between the managed identity, OIDC, and the service account. False 00003 effective control plane operations (unique)

•read: 2
•write: 1
Actions: 003
resolved operations: 3
effective operations: 3
•read: 2
•write: 1

•Microsoft.ManagedIdentity/userAssignedIdentities/read
•Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read
•Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write
8b32b316-c2f5-4ddf-b05b-83dacd2d08b5 Azure Red Hat OpenShift Image Registry Operator Role Enables permissions for the operator to manage a singleton instance of the OpenShift image registry. It manages all configuration of the registry, including creating storage. False 00014 effective control plane and data plane operations (unique)

•action: 4
•delete: 2
•read: 4
•write: 4
Actions: 009
resolved operations: 9
effective operations: 9
•action: 2
•delete: 1
•read: 3
•write: 3

•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/blobServices/containers/write
•Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/write
•Microsoft.Storage/storageAccounts/delete
•Microsoft.Storage/storageAccounts/listKeys/action
•Microsoft.Resources/tags/write
DataActions: 005
resolved data operations: 5
effective data operations: 5
•action: 2
•delete: 1
•read: 1
•write: 1

•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action
0358943c-7e01-48ba-8889-02cc51d78637 Azure Red Hat OpenShift Machine API Operator Role Enables permissions for the operator to manage the lifecycle of specific purpose custom resource definitions (CRD), controllers, and RBAC objects that extend the Kubernetes API. This declares the desired state of machines in a cluster. False 00033 effective control plane operations (unique)

•action: 6
•delete: 6
•read: 15
•write: 6
Actions: 033
resolved operations: 33
effective operations: 33
•action: 6
•delete: 6
•read: 15
•write: 6

•Microsoft.Compute/availabilitySets/delete
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/availabilitySets/write
•Microsoft.Compute/diskEncryptionSets/read
•Microsoft.Compute/disks/delete
•Microsoft.Compute/galleries/images/versions/read
•Microsoft.Compute/skus/read
•Microsoft.Compute/virtualMachines/delete
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/write
•Microsoft.Compute/capacityReservationGroups/deploy/action
•Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
•Microsoft.Network/applicationSecurityGroups/read
•Microsoft.Network/loadBalancers/backendAddressPools/join/action
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/write
•Microsoft.Network/networkInterfaces/delete
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/networkInterfaces/loadBalancers/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkSecurityGroups/write
•Microsoft.Network/publicIPAddresses/delete
•Microsoft.Network/publicIPAddresses/join/action
•Microsoft.Network/publicIPAddresses/read
•Microsoft.Network/publicIPAddresses/write
•Microsoft.Network/routeTables/read
•Microsoft.Network/virtualNetworks/delete
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Resources/subscriptions/resourceGroups/read
be7a6435-15ae-4171-8f30-4a343eff9e8f Azure Red Hat OpenShift Network Operator Role Enables permissions to install and upgrade the networking components on an OpenShift cluster. False 00006 effective control plane operations (unique)

•action: 2
•read: 3
•write: 1
Actions: 006
resolved operations: 6
effective operations: 6
•action: 2
•read: 3
•write: 1

•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/loadBalancers/backendAddressPools/join/action
•Microsoft.Compute/virtualMachines/read
4436bae4-7702-4c84-919b-c4069ff25ee2 Azure Red Hat OpenShift Service Operator Role The ARO Operator is responsible for maintaining features, checks, and resources that are specific to an Azure Red Hat OpenShift cluster's continued functionality as a managed service. This includes, but is not limited to, machine management and health, network configuration, and monitoring. False 00007 effective control plane operations (unique)

•action: 4
•read: 2
•write: 1
Actions: 007
resolved operations: 7
effective operations: 7
•action: 4
•read: 2
•write: 1

•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/write
•Microsoft.Network/natGateways/join/action
•Microsoft.Network/routeTables/join/action
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Storage/storageAccounts/listKeys/action
•Microsoft.Storage/storageAccounts/read
5b7237c5-45e1-49d6-bc18-a1f62f400748 Azure Red Hat OpenShift Storage Operator Role Enables permissions to set OpenShift cluster-wide storage defaults. It ensures a default storageclass exists for clusters. It also installs Container Storage Interface (CSI) drivers which enable your cluster to use various storage backends. False 00014 effective control plane operations (unique)

•delete: 2
•read: 8
•write: 4
Actions: 014
resolved operations: 14
effective operations: 14
•delete: 2
•read: 8
•write: 4

•Microsoft.Compute/virtualMachines/write
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
•Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
•Microsoft.Compute/virtualMachineScaleSets/read
•Microsoft.Compute/snapshots/write
•Microsoft.Compute/snapshots/read
•Microsoft.Compute/snapshots/delete
•Microsoft.Compute/locations/operations/read
•Microsoft.Compute/locations/DiskOperations/read
•Microsoft.Compute/disks/write
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/delete
•Microsoft.Resources/subscriptions/resourceGroups/read
26e0b698-aa6d-4085-9386-aadae190014d Azure Relay Listener Allows for listen access to Azure Relay resources. False 00003 effective control plane and data plane operations (unique)

•action: 1
•read: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.Relay/*/wcfRelays/read
•Microsoft.Relay/*/hybridConnections/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.Relay/*/listen/action
2787bf04-f1f5-4bfe-8383-c8a24483ee38 Azure Relay Owner Allows for full access to Azure Relay resources. False 00064 effective control plane and data plane operations (unique)

•action: 22
•delete: 10
•read: 20
•write: 12
Actions: 001
resolved operations: 62
effective operations: 62
•action: 20
•delete: 10
•read: 20
•write: 12

•Microsoft.Relay/*
DataActions: 001
resolved data operations: 2
effective data operations: 2
•action: 2

•Microsoft.Relay/*
26baccc8-eea7-41f1-98f4-1762cc7f685d Azure Relay Sender Allows for send access to Azure Relay resources. False 00003 effective control plane and data plane operations (unique)

•action: 1
•read: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.Relay/*/wcfRelays/read
•Microsoft.Relay/*/hybridConnections/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.Relay/*/send/action
7b1f81f9-4196-4058-8aae-762e593270df Azure Resource Bridge Deployment Role Azure Resource Bridge Deployment Role False 00036 effective control plane operations (unique)

•Action: 10
•delete: 3
•read: 17
•Write: 6
Actions: 036
resolved operations: 36
effective operations: 36
•Action: 10
•delete: 3
•read: 17
•Write: 6

•Microsoft.Authorization/roleassignments/read
•Microsoft.AzureStackHCI/Register/Action
•Microsoft.ResourceConnector/register/action
•Microsoft.ResourceConnector/appliances/read
•Microsoft.ResourceConnector/appliances/write
•Microsoft.ResourceConnector/appliances/delete
•Microsoft.ResourceConnector/locations/operationresults/read
•Microsoft.ResourceConnector/locations/operationsstatus/read
•Microsoft.ResourceConnector/appliances/listClusterUserCredential/action
•Microsoft.ResourceConnector/appliances/listKeys/action
•Microsoft.ResourceConnector/appliances/upgradeGraphs/read
•Microsoft.ResourceConnector/telemetryconfig/read
•Microsoft.ResourceConnector/operations/read
•Microsoft.ExtendedLocation/register/action
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.ExtendedLocation/customLocations/read
•Microsoft.ExtendedLocation/customLocations/write
•Microsoft.ExtendedLocation/customLocations/delete
•Microsoft.HybridConnectivity/register/action
•Microsoft.Kubernetes/register/action
•Microsoft.KubernetesConfiguration/register/action
•Microsoft.KubernetesConfiguration/extensions/write
•Microsoft.KubernetesConfiguration/extensions/read
•Microsoft.KubernetesConfiguration/extensions/delete
•Microsoft.KubernetesConfiguration/extensions/operations/read
•Microsoft.KubernetesConfiguration/namespaces/read
•Microsoft.KubernetesConfiguration/operations/read
•Microsoft.GuestConfiguration/guestConfigurationAssignments/read
•Microsoft.HybridContainerService/register/action
•Microsoft.HybridContainerService/kubernetesVersions/read
•Microsoft.HybridContainerService/kubernetesVersions/write
•Microsoft.HybridContainerService/skus/read
•Microsoft.HybridContainerService/skus/write
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.AzureStackHCI/StorageContainers/Write
•Microsoft.AzureStackHCI/StorageContainers/Read
0b962ed2-6d56-471c-bd5f-3477d83a7ba4 Azure Resource Notifications System Topics Subscriber Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications False 00008 effective control plane operations (unique)

•action: 6
•write: 2
Actions: 008
resolved operations: 8
effective operations: 8
•action: 6
•write: 2

•Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action
•Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action
•Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action
•Microsoft.ResourceNotifications/systemTopics/subscribeToComputeResources/action
•Microsoft.ResourceNotifications/systemTopics/subscribeToComputeScheduleResources/action
•Microsoft.ResourceNotifications/systemTopics/subscribeToContainerServiceEventResources/action
•Microsoft.EventGrid/eventSubscriptions/write
•Microsoft.EventGrid/systemTopics/eventSubscriptions/write
090c5cfd-751d-490a-894a-3ce6f1109419 Azure Service Bus Data Owner Allows for full access to Azure Service Bus resources. False 00092 effective control plane and data plane operations (unique)

•action: 26
•delete: 17
•read: 30
•write: 19
Actions: 001
resolved operations: 90
effective operations: 90
•action: 24
•delete: 17
•read: 30
•write: 19

•Microsoft.ServiceBus/*
DataActions: 001
resolved data operations: 2
effective data operations: 2
•action: 2

•Microsoft.ServiceBus/*
count: 002
Configure Azure Service Bus namespaces to disable local authentication
Configure Service Bus namespaces with private endpoints
4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 Azure Service Bus Data Receiver Allows for receive access to Azure Service Bus resources. False 00004 effective control plane and data plane operations (unique)

•action: 1
•read: 3
Actions: 003
resolved operations: 3
effective operations: 3
•read: 3

•Microsoft.ServiceBus/*/queues/read
•Microsoft.ServiceBus/*/topics/read
•Microsoft.ServiceBus/*/topics/subscriptions/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.ServiceBus/*/receive/action
69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 Azure Service Bus Data Sender Allows for send access to Azure Service Bus resources. False 00004 effective control plane and data plane operations (unique)

•action: 1
•read: 3
Actions: 003
resolved operations: 3
effective operations: 3
•read: 3

•Microsoft.ServiceBus/*/queues/read
•Microsoft.ServiceBus/*/topics/read
•Microsoft.ServiceBus/*/topics/subscriptions/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.ServiceBus/*/send/action
8b9dfcab-4b77-4632-a6df-94bd07820648 Azure Sphere Contributor Allows user read and write access to Azure Sphere resources. False 00086 effective control plane operations (unique)

•: 1
•action: 22
•delete: 9
•read: 44
•write: 10
Actions: 007
resolved operations: 86
effective operations: 86
•: 1
•action: 22
•delete: 9
•read: 44
•write: 10

•Microsoft.AzureSphere/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/DiagnosticSettings/*
•Microsoft.Insights/DiagnosticSettingsCategories/Read
5a382001-fe36-41ff-bba4-8bf06bd54da9 Azure Sphere Owner Allows user read and write access to Azure Sphere resources and RBAC configuration, includes an ABAC condition to constrain role assignments. True 00100 effective control plane operations (unique)

•: 1
•action: 25
•delete: 10
•read: 52
•write: 12
Actions: 015
resolved operations: 100
effective operations: 100
•: 1
•action: 25
•delete: 10
•read: 52
•write: 12

•Microsoft.AzureSphere/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/alertRules/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Management/managementGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
•Microsoft.Insights/DiagnosticSettings/*
•Microsoft.Insights/DiagnosticSettingsCategories/Read
•Microsoft.Authorization/roleAssignments/write
•Microsoft.Authorization/roleAssignments/delete
6d994134-994b-4a59-9974-f479f0b227fb Azure Sphere Publisher Allows user to read and download Azure Sphere resources and upload images. False 00048 effective control plane operations (unique)

•action: 9
•read: 38
•write: 1
Actions: 014
resolved operations: 48
effective operations: 48
•action: 9
•read: 38
•write: 1

•Microsoft.AzureSphere/*/read
•Microsoft.AzureSphere/catalogs/countDevices/action
•Microsoft.AzureSphere/catalogs/listDeviceGroups/action
•Microsoft.AzureSphere/catalogs/listDeviceInsights/action
•Microsoft.AzureSphere/catalogs/listDevices/action
•Microsoft.AzureSphere/catalogs/products/countDevices/action
•Microsoft.AzureSphere/catalogs/products/deviceGroups/countDevices/action
•Microsoft.AzureSphere/catalogs/certificates/retrieveProofOfPossessionNonce/action
•Microsoft.AzureSphere/catalogs/certificates/retrieveCertChain/action
•Microsoft.AzureSphere/catalogs/images/write
•Microsoft.AzureSphere/catalogs/uploadImage/action
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/DiagnosticSettings/Read
c8ae6279-5a0b-4cb2-b3f0-d4d62845742c Azure Sphere Reader Allows user to read Azure Sphere resources. False 00046 effective control plane operations (unique)

•action: 8
•read: 38
Actions: 012
resolved operations: 46
effective operations: 46
•action: 8
•read: 38

•Microsoft.AzureSphere/*/read
•Microsoft.AzureSphere/catalogs/countDevices/action
•Microsoft.AzureSphere/catalogs/listDeviceGroups/action
•Microsoft.AzureSphere/catalogs/listDeviceInsights/action
•Microsoft.AzureSphere/catalogs/listDevices/action
•Microsoft.AzureSphere/catalogs/listDeployments/action
•Microsoft.AzureSphere/catalogs/products/countDevices/action
•Microsoft.AzureSphere/catalogs/products/deviceGroups/countDevices/action
•Microsoft.AzureSphere/catalogs/certificates/retrieveCertChain/action
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/DiagnosticSettings/Read
25211fc6-dc78-40b6-b205-e4ac934fd9fd Azure Spring Apps Application Configuration Service Config File Pattern Reader Role Read content of config file pattern for Application Configuration Service in Azure Spring Apps False 00003 effective control plane and data plane operations (unique)

•read: 3
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.AppPlatform/Spring/read
•Microsoft.AppPlatform/Spring/configurationServices/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•read: 1

•Microsoft.AppPlatform/Spring/ApplicationConfigurationService/read
6593e776-2a30-40f9-8a32-4fe28b77655d Azure Spring Apps Application Configuration Service Log Reader Role Read real-time logs for Application Configuration Service in Azure Spring Apps False 00003 effective control plane and data plane operations (unique)

•action: 1
•read: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.AppPlatform/Spring/read
•Microsoft.AppPlatform/Spring/configurationServices/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.AppPlatform/Spring/ApplicationConfigurationService/logstream/action
80558df3-64f9-4c0f-b32d-e5094b036b0b Azure Spring Apps Connect Role Azure Spring Apps Connect Role False 00001 effective data plane operations (unique)

•action: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.AppPlatform/Spring/apps/deployments/connect/action
91422e52-bb88-4415-bb4a-90f5b71f6dcb Azure Spring Apps Job Execution Instance List Role List instances for job executions in Azure Spring Apps False 00001 effective data plane operations (unique)

•action: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.AppPlatform/Spring/jobs/executions/listInstances/action
b459aa1d-e3c8-436f-ae21-c0531140f43e Azure Spring Apps Job Log Reader Role Read real-time logs for jobs in Azure Spring Apps False 00005 effective control plane and data plane operations (unique)

•action: 2
•read: 3
Actions: 003
resolved operations: 3
effective operations: 3
•read: 3

•Microsoft.AppPlatform/Spring/read
•Microsoft.AppPlatform/Spring/jobs/read
•Microsoft.AppPlatform/Spring/jobs/executions/read
DataActions: 002
resolved data operations: 2
effective data operations: 2
•action: 2

•Microsoft.AppPlatform/Spring/jobs/executions/logstream/action
•Microsoft.AppPlatform/Spring/jobs/executions/listInstances/action
52fd16bd-6ed5-46af-9c40-29cbd7952a29 Azure Spring Apps Managed Components Log Reader Role Read real-time logs for all managed components in Azure Spring Apps False 00001 effective data plane operations (unique)

•action: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.AppPlatform/Spring/managedComponents/logstream/action
a99b0159-1064-4c22-a57b-c9b3caa1c054 Azure Spring Apps Remote Debugging Role Azure Spring Apps Remote Debugging Role False 00001 effective data plane operations (unique)

•action: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action
74252426-c508-480e-9345-4607bbebead4 Azure Spring Apps Spring Cloud Config Server Log Reader Role Read real-time logs for Spring Cloud Config Server in Azure Spring Apps False 00003 effective control plane and data plane operations (unique)

•action: 1
•read: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.AppPlatform/Spring/read
•Microsoft.AppPlatform/Spring/configServers/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.AppPlatform/Spring/configService/logstream/action
4301dc2a-25a9-44b0-ae63-3636cf7f2bd2 Azure Spring Apps Spring Cloud Gateway Log Reader Role Read real-time logs for Spring Cloud Gateway in Azure Spring Apps False 00003 effective control plane and data plane operations (unique)

•action: 1
•read: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.AppPlatform/Spring/read
•Microsoft.AppPlatform/Spring/gateways/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.AppPlatform/Spring/SpringCloudGateway/logstream/action
a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b Azure Spring Cloud Config Server Contributor Allow read, write and delete access to Azure Spring Cloud Config Server False 00003 effective data plane operations (unique)

•delete: 1
•read: 1
•write: 1
DataActions: 003
resolved data operations: 3
effective data operations: 3
•delete: 1
•read: 1
•write: 1

•Microsoft.AppPlatform/Spring/configService/read
•Microsoft.AppPlatform/Spring/configService/write
•Microsoft.AppPlatform/Spring/configService/delete
d04c6db6-4947-4782-9e91-30a88feb7be7 Azure Spring Cloud Config Server Reader Allow read access to Azure Spring Cloud Config Server False 00001 effective data plane operations (unique)

•read: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•read: 1

•Microsoft.AppPlatform/Spring/configService/read
b5537268-8956-4941-a8f0-646150406f0c Azure Spring Cloud Data Reader Allow read access to Azure Spring Cloud Data False 00004 effective data plane operations (unique)

•read: 4
DataActions: 001
resolved data operations: 4
effective data operations: 4
•read: 4

•Microsoft.AppPlatform/Spring/*/read
f5880b48-c26d-48be-b172-7927bfa1c8f1 Azure Spring Cloud Service Registry Contributor Allow read, write and delete access to Azure Spring Cloud Service Registry False 00003 effective data plane operations (unique)

•delete: 1
•read: 1
•write: 1
DataActions: 003
resolved data operations: 3
effective data operations: 3
•delete: 1
•read: 1
•write: 1

•Microsoft.AppPlatform/Spring/eurekaService/read
•Microsoft.AppPlatform/Spring/eurekaService/write
•Microsoft.AppPlatform/Spring/eurekaService/delete
cff1b556-2399-4e7e-856d-a8f754be7b65 Azure Spring Cloud Service Registry Reader Allow read access to Azure Spring Cloud Service Registry False 00001 effective data plane operations (unique)

•read: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•read: 1

•Microsoft.AppPlatform/Spring/eurekaService/read
bda0d508-adf1-4af0-9c28-88919fc3ae06 Azure Stack HCI Administrator Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader True 00215 effective control plane operations (unique)

•Action: 50
•delete: 31
•read: 101
•write: 33
Actions: 096
resolved operations: 215
effective operations: 215
•Action: 50
•delete: 31
•read: 101
•write: 33

•Microsoft.AzureStackHCI/register/action
•Microsoft.AzureStackHCI/Unregister/Action
•Microsoft.AzureStackHCI/clusters/*
•Microsoft.AzureStackHCI/NetworkSecurityGroups/Read
•Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read
•Microsoft.AzureStackHCI/NetworkSecurityGroups/Write
•Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write
•Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete
•Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete
•Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action
•Microsoft.HybridCompute/register/action
•Microsoft.GuestConfiguration/register/action
•Microsoft.GuestConfiguration/guestConfigurationAssignments/read
•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Resources/subscriptions/resourceGroups/delete
•Microsoft.HybridConnectivity/register/action
•Microsoft.Authorization/roleAssignments/write conditioned
•Microsoft.Authorization/roleAssignments/delete conditioned
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Management/managementGroups/read
•Microsoft.Support/*
•Microsoft.AzureStackHCI/*
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/machines/assessPatches/action
•Microsoft.HybridCompute/machines/installPatches/action
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/operations/read
•Microsoft.HybridCompute/locations/operationresults/read
•Microsoft.HybridCompute/locations/operationstatus/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read
•Microsoft.HybridCompute/machines/patchInstallationResults/read
•Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read
•Microsoft.HybridCompute/locations/updateCenterOperationResults/read
•Microsoft.HybridCompute/machines/hybridIdentityMetadata/read
•Microsoft.HybridCompute/osType/agentVersions/read
•Microsoft.HybridCompute/osType/agentVersions/latest/read
•Microsoft.HybridCompute/machines/runcommands/read
•Microsoft.HybridCompute/machines/runcommands/write
•Microsoft.HybridCompute/machines/runcommands/delete
•Microsoft.HybridCompute/machines/licenseProfiles/read
•Microsoft.HybridCompute/machines/licenseProfiles/write
•Microsoft.HybridCompute/machines/licenseProfiles/delete
•Microsoft.HybridCompute/licenses/read
•Microsoft.HybridCompute/licenses/write
•Microsoft.HybridCompute/licenses/delete
•Microsoft.ResourceConnector/register/action
•Microsoft.ResourceConnector/appliances/read
•Microsoft.ResourceConnector/appliances/write
•Microsoft.ResourceConnector/appliances/delete
•Microsoft.ResourceConnector/locations/operationresults/read
•Microsoft.ResourceConnector/locations/operationsstatus/read
•Microsoft.ResourceConnector/appliances/listClusterUserCredential/action
•Microsoft.ResourceConnector/appliances/listKeys/action
•Microsoft.ResourceConnector/operations/read
•Microsoft.ExtendedLocation/register/action
•Microsoft.ExtendedLocation/customLocations/read
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.ExtendedLocation/customLocations/write
•Microsoft.ExtendedLocation/customLocations/delete
•Microsoft.EdgeMarketplace/offers/read
•Microsoft.EdgeMarketplace/publishers/read
•Microsoft.Kubernetes/register/action
•Microsoft.KubernetesConfiguration/register/action
•Microsoft.KubernetesConfiguration/extensions/write
•Microsoft.KubernetesConfiguration/extensions/read
•Microsoft.KubernetesConfiguration/extensions/delete
•Microsoft.KubernetesConfiguration/extensions/operations/read
•Microsoft.KubernetesConfiguration/namespaces/read
•Microsoft.KubernetesConfiguration/operations/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.AzureStackHCI/StorageContainers/Write
•Microsoft.AzureStackHCI/StorageContainers/Read
•Microsoft.HybridContainerService/register/action
c99c945f-8bd1-4fb1-a903-01460aae6068 Azure Stack HCI Connected InfraVMs Role of Arc Integration for Azure Stack HCI Infrastructure Virtual Machines. False 00030 effective control plane operations (unique)

•action: 1
•delete: 2
•read: 25
•write: 2
Actions: 007
resolved operations: 30
effective operations: 30
•action: 1
•delete: 2
•read: 25
•write: 2

•Microsoft.HybridCompute/*/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
865ae368-6a45-4bd1-8fbf-0d5151f56fc1 Azure Stack HCI Device Management Role Microsoft.AzureStackHCI Device Management Role False 00035 effective control plane operations (unique)

•Action: 10
•Delete: 7
•Read: 11
•Write: 7
Actions: 003
resolved operations: 35
effective operations: 35
•Action: 10
•Delete: 7
•Read: 11
•Write: 7

•Microsoft.AzureStackHCI/Clusters/*
•Microsoft.AzureStackHCI/EdgeDevices/*
•Microsoft.Resources/subscriptions/resourceGroups/read
874d1c73-6003-4e60-a13a-cb31ea190a85 Azure Stack HCI VM Contributor Grants permissions to perform all VM actions False 00123 effective control plane operations (unique)

•action: 24
•Delete: 12
•read: 74
•Write: 13
Actions: 075
resolved operations: 123
effective operations: 123
•action: 24
•Delete: 12
•read: 74
•Write: 13

•Microsoft.AzureStackHCI/VirtualMachines/*
•Microsoft.AzureStackHCI/virtualMachineInstances/*
•Microsoft.AzureStackHCI/NetworkInterfaces/*
•Microsoft.AzureStackHCI/VirtualHardDisks/*
•Microsoft.AzureStackHCI/VirtualNetworks/Read
•Microsoft.AzureStackHCI/VirtualNetworks/join/action
•Microsoft.AzureStackHCI/LogicalNetworks/Read
•Microsoft.AzureStackHCI/LogicalNetworks/join/action
•Microsoft.AzureStackHCI/GalleryImages/Read
•Microsoft.AzureStackHCI/GalleryImages/deploy/action
•Microsoft.AzureStackHCI/StorageContainers/Read
•Microsoft.AzureStackHCI/StorageContainers/deploy/action
•Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read
•Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action
•Microsoft.AzureStackHCI/Clusters/Read
•Microsoft.AzureStackHCI/Clusters/ArcSettings/Read
•Microsoft.AzureStackHCI/NetworkSecurityGroups/Read
•Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/machines/assessPatches/action
•Microsoft.HybridCompute/machines/installPatches/action
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/operations/read
•Microsoft.HybridCompute/locations/operationresults/read
•Microsoft.HybridCompute/locations/operationstatus/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read
•Microsoft.HybridCompute/machines/patchInstallationResults/read
•Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read
•Microsoft.HybridCompute/locations/updateCenterOperationResults/read
•Microsoft.HybridCompute/machines/hybridIdentityMetadata/read
•Microsoft.HybridCompute/osType/agentVersions/read
•Microsoft.HybridCompute/osType/agentVersions/latest/read
•Microsoft.HybridCompute/machines/runcommands/read
•Microsoft.HybridCompute/machines/runcommands/write
•Microsoft.HybridCompute/machines/runcommands/delete
•Microsoft.HybridCompute/machines/licenseProfiles/read
•Microsoft.HybridCompute/machines/licenseProfiles/write
•Microsoft.HybridCompute/machines/licenseProfiles/delete
•Microsoft.HybridCompute/licenses/read
•Microsoft.HybridCompute/licenses/write
•Microsoft.HybridCompute/licenses/delete
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.KubernetesConfiguration/extensions/read
4b3fe76c-f777-4d24-a2d7-b027b0f7b273 Azure Stack HCI VM Reader Grants permissions to view VMs False 00068 effective control plane operations (unique)

•Action: 4
•Delete: 1
•read: 62
•Write: 1
Actions: 042
resolved operations: 68
effective operations: 68
•Action: 4
•Delete: 1
•read: 62
•Write: 1

•Microsoft.AzureStackHCI/VirtualMachines/Read
•Microsoft.AzureStackHCI/virtualMachineInstances/Read
•Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read
•Microsoft.AzureStackHCI/VirtualNetworks/Read
•Microsoft.AzureStackHCI/LogicalNetworks/Read
•Microsoft.AzureStackHCI/NetworkInterfaces/Read
•Microsoft.AzureStackHCI/VirtualHardDisks/Read
•Microsoft.AzureStackHCI/StorageContainers/Read
•Microsoft.AzureStackHCI/GalleryImages/Read
•Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read
•Microsoft.AzureStackHCI/NetworkSecurityGroups/Read
•Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read
•Microsoft.HybridCompute/licenses/read
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/licenseProfiles/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read
•Microsoft.HybridCompute/machines/patchInstallationResults/read
•Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read
•Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read
•Microsoft.HybridCompute/privateLinkScopes/read
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
6f12a6df-dd06-4f3e-bcb1-ce8be600526a Azure Stack Registration Owner Lets you manage Azure Stack registrations. False 00007 effective control plane operations (unique)

•action: 4
•read: 3
Actions: 004
resolved operations: 7
effective operations: 7
•action: 4
•read: 3

•Microsoft.AzureStack/edgeSubscriptions/read
•Microsoft.AzureStack/registrations/products/*/action
•Microsoft.AzureStack/registrations/products/read
•Microsoft.AzureStack/registrations/read
f0310ce6-e953-4cf8-b892-fb1c87eaf7f6 Azure Usage Billing Data Sender Azure Usage Billing shared BuiltIn role to be used for all Customer Account Authentication False 00001 effective data plane operations (unique)

•action: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.UsageBilling/accounts/inputs/send/action
6ae96244-5829-4925-a7d3-5975537d91dd Azure VM Managed identities restore Contributor Azure VM Managed identities restore Contributors are allowed to perform Azure VM Restores with managed identities both user and system False 00027 effective control plane operations (unique)

•read: 27
Actions: 001
resolved operations: 27
effective operations: 27
•read: 27

•Microsoft.Authorization/*/read
e503ece1-11d0-4e8e-8e2c-7a6c3bf38815 AzureML Compute Operator Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). False 00018 effective control plane operations (unique)

•action: 12
•delete: 2
•read: 2
•write: 2
Actions: 002
resolved operations: 18
effective operations: 18
•action: 12
•delete: 2
•read: 2
•write: 2

•Microsoft.MachineLearningServices/workspaces/computes/*
•Microsoft.MachineLearningServices/workspaces/notebooks/vm/*
f6c7c914-8db3-469d-8ca1-694a8f32e121 AzureML Data Scientist Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. False 00268 effective control plane operations (unique)

•action: 52
•delete: 55
•read: 95
•write: 66
Actions: 004
resolved operations: 274
effective operations: 268
•action: 52
•delete: 55
•read: 95
•write: 66

•Microsoft.MachineLearningServices/workspaces/*/read
•Microsoft.MachineLearningServices/workspaces/*/action
•Microsoft.MachineLearningServices/workspaces/*/delete
•Microsoft.MachineLearningServices/workspaces/*/write
NotActions: 010
resolved not operations: 8
effective not operations: 15924

•Microsoft.MachineLearningServices/workspaces/delete
•Microsoft.MachineLearningServices/workspaces/write
•Microsoft.MachineLearningServices/workspaces/computes/*/write
•Microsoft.MachineLearningServices/workspaces/computes/*/delete
•Microsoft.MachineLearningServices/workspaces/computes/listKeys/action
•Microsoft.MachineLearningServices/workspaces/listKeys/action
•Microsoft.MachineLearningServices/workspaces/hubs/write
•Microsoft.MachineLearningServices/workspaces/hubs/delete
•Microsoft.MachineLearningServices/workspaces/featurestores/write
•Microsoft.MachineLearningServices/workspaces/featurestores/delete
635dd51f-9968-44d3-b7fb-6d9a6bd613ae AzureML Metrics Writer (preview) Lets you write metrics to AzureML workspace False 00001 effective control plane operations (unique)

•write: 1
Actions: 001
resolved operations: 1
effective operations: 1
•write: 1

•Microsoft.MachineLearningServices/workspaces/metrics/*/write
1823dd4f-9b8c-4ab6-ab4e-7397a3684615 AzureML Registry User Can perform all actions on Machine Learning Services Registry assets as well as get Registry resources. False 00005 effective control plane operations (unique)

•delete: 1
•read: 2
•write: 2
Actions: 002
resolved operations: 5
effective operations: 5
•delete: 1
•read: 2
•write: 2

•Microsoft.MachineLearningServices/registries/read
•Microsoft.MachineLearningServices/registries/assets/*
5e467623-bb1f-42f4-a55d-6e525e11384b Backup Contributor Lets you manage backups, but can't delete vaults and give access to others False 00179 effective control plane operations (unique)

•action: 48
•delete: 11
•read: 99
•write: 21
Actions: 086
resolved operations: 179
effective operations: 179
•action: 48
•delete: 11
•read: 99
•write: 21

•Microsoft.Authorization/*/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.RecoveryServices/locations/*
•Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*
•Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action
•Microsoft.RecoveryServices/Vaults/backupJobs/*
•Microsoft.RecoveryServices/Vaults/backupJobsExport/action
•Microsoft.RecoveryServices/Vaults/backupOperationResults/*
•Microsoft.RecoveryServices/Vaults/backupPolicies/*
•Microsoft.RecoveryServices/Vaults/backupProtectableItems/*
•Microsoft.RecoveryServices/Vaults/backupProtectedItems/*
•Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*
•Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*
•Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
•Microsoft.RecoveryServices/Vaults/certificates/*
•Microsoft.RecoveryServices/Vaults/extendedInformation/*
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
•Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
•Microsoft.RecoveryServices/Vaults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/*
•Microsoft.RecoveryServices/Vaults/usages/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
•Microsoft.RecoveryServices/Vaults/backupconfig/*
•Microsoft.RecoveryServices/Vaults/backupValidateOperation/action
•Microsoft.RecoveryServices/Vaults/write
•Microsoft.RecoveryServices/Vaults/backupOperations/read
•Microsoft.RecoveryServices/Vaults/backupEngines/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read
•Microsoft.RecoveryServices/vaults/operationStatus/read
•Microsoft.RecoveryServices/vaults/operationResults/read
•Microsoft.RecoveryServices/locations/backupStatus/action
•Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
•Microsoft.RecoveryServices/locations/backupValidateFeatures/action
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
•Microsoft.RecoveryServices/operations/read
•Microsoft.RecoveryServices/locations/operationStatus/read
•Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
•Microsoft.Support/*
•Microsoft.DataProtection/locations/getBackupStatus/action
•Microsoft.DataProtection/backupVaults/backupInstances/write
•Microsoft.DataProtection/backupVaults/backupInstances/delete
•Microsoft.DataProtection/backupVaults/backupInstances/read
•Microsoft.DataProtection/backupVaults/backupInstances/read
•Microsoft.DataProtection/backupVaults/deletedBackupInstances/read
•Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action
•Microsoft.DataProtection/backupVaults/backupInstances/backup/action
•Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action
•Microsoft.DataProtection/backupVaults/backupInstances/restore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action
•Microsoft.DataProtection/backupVaults/backupPolicies/write
•Microsoft.DataProtection/backupVaults/backupPolicies/delete
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
•Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read
•Microsoft.DataProtection/backupVaults/write
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/operationResults/read
•Microsoft.DataProtection/backupVaults/operationStatus/read
•Microsoft.DataProtection/locations/checkNameAvailability/action
•Microsoft.DataProtection/locations/checkFeatureSupport/action
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/locations/operationStatus/read
•Microsoft.DataProtection/locations/operationResults/read
•Microsoft.DataProtection/backupVaults/validateForBackup/action
•Microsoft.DataProtection/operations/read
•Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete
•Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read
•Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action
•Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action
count: 011
[Preview]: Configure Azure Recovery Services vaults to disable public network access
[Preview]: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region
[Preview]: Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region
[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region
[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region
[Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults
[Preview]: Disable Cross Subscription Restore for Backup Vaults
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8 Backup MUA Admin Backup MultiUser-Authorization. Can create/delete ResourceGuard False 00070 effective control plane operations (unique)

•action: 7
•delete: 3
•read: 56
•write: 4
Actions: 026
resolved operations: 70
effective operations: 70
•action: 7
•delete: 3
•read: 56
•write: 4

•Microsoft.DataProtection/*/read
•Microsoft.DataProtection/*/resourceGuards/write
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read
•Microsoft.DataProtection/locations/operationResults/read
•Microsoft.DataProtection/locations/operationStatus/read
•Microsoft.DataProtection/locations/getBackupStatus/action
•Microsoft.DataProtection/locations/checkFeatureSupport/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read
•Microsoft.Authorization/*/read
•Microsoft.Features/features/read
•Microsoft.Features/providers/features/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action
•Microsoft.DataProtection/subscriptions/providers/resourceGuards/read
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read
f54b6d04-23c6-443e-b462-9c16ab7b4a52 Backup MUA Operator Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard False 00068 effective control plane operations (unique)

•action: 24
•read: 44
Actions: 003
resolved operations: 68
effective operations: 68
•action: 24
•read: 44

•Microsoft.DataProtection/*/action
•Microsoft.DataProtection/*/read
•Microsoft.Authorization/*/read
00c29273-979b-4161-815c-10b084fb9324 Backup Operator Lets you manage backup services, except removal of backup, vault creation and giving access to others False 00148 effective control plane operations (unique)

•action: 38
•delete: 3
•read: 93
•write: 14
Actions: 102
resolved operations: 148
effective operations: 148
•action: 38
•delete: 3
•read: 93
•write: 14

•Microsoft.Authorization/*/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action
•Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action
•Microsoft.RecoveryServices/Vaults/backupJobs/*
•Microsoft.RecoveryServices/Vaults/backupJobsExport/action
•Microsoft.RecoveryServices/Vaults/backupOperationResults/*
•Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/read
•Microsoft.RecoveryServices/Vaults/backupProtectableItems/*
•Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
•Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read
•Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
•Microsoft.RecoveryServices/Vaults/certificates/write
•Microsoft.RecoveryServices/Vaults/extendedInformation/read
•Microsoft.RecoveryServices/Vaults/extendedInformation/write
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
•Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
•Microsoft.RecoveryServices/Vaults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/write
•Microsoft.RecoveryServices/Vaults/usages/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
•Microsoft.RecoveryServices/Vaults/backupValidateOperation/action
•Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action
•Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read
•Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read
•Microsoft.RecoveryServices/Vaults/backupOperations/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action
•Microsoft.RecoveryServices/Vaults/backupEngines/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write
•Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read
•Microsoft.RecoveryServices/locations/backupStatus/action
•Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
•Microsoft.RecoveryServices/locations/backupValidateFeatures/action
•Microsoft.RecoveryServices/locations/backupAadProperties/read
•Microsoft.RecoveryServices/locations/backupCrrJobs/action
•Microsoft.RecoveryServices/locations/backupCrrJob/action
•Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action
•Microsoft.RecoveryServices/locations/backupCrrOperationResults/read
•Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
•Microsoft.RecoveryServices/operations/read
•Microsoft.RecoveryServices/locations/operationStatus/read
•Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
•Microsoft.Support/*
•Microsoft.DataProtection/backupVaults/backupInstances/read
•Microsoft.DataProtection/backupVaults/backupInstances/read
•Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read
•Microsoft.DataProtection/backupVaults/backupInstances/write
•Microsoft.DataProtection/backupVaults/deletedBackupInstances/read
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/operationResults/read
•Microsoft.DataProtection/backupVaults/operationStatus/read
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/locations/operationStatus/read
•Microsoft.DataProtection/locations/operationResults/read
•Microsoft.DataProtection/operations/read
•Microsoft.DataProtection/backupVaults/validateForBackup/action
•Microsoft.DataProtection/backupVaults/backupInstances/backup/action
•Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action
•Microsoft.DataProtection/backupVaults/backupInstances/restore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action
•Microsoft.DataProtection/locations/checkFeatureSupport/action
•Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete
•Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read
•Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action
•Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete
•Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action
a795c7a0-d4a2-40c1-ae25-d81f01202912 Backup Reader Can view backup services, but can't make changes False 00092 effective control plane operations (unique)

•action: 15
•read: 74
•write: 3
Actions: 068
resolved operations: 92
effective operations: 92
•action: 15
•read: 74
•write: 3

•Microsoft.Authorization/*/read
•Microsoft.RecoveryServices/locations/allocatedStamp/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read
•Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupJobs/read
•Microsoft.RecoveryServices/Vaults/backupJobsExport/action
•Microsoft.RecoveryServices/Vaults/backupOperationResults/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/read
•Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
•Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read
•Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
•Microsoft.RecoveryServices/Vaults/extendedInformation/read
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
•Microsoft.RecoveryServices/Vaults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/read
•Microsoft.RecoveryServices/Vaults/backupstorageconfig/read
•Microsoft.RecoveryServices/Vaults/backupconfig/read
•Microsoft.RecoveryServices/Vaults/backupOperations/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read
•Microsoft.RecoveryServices/Vaults/backupEngines/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read
•Microsoft.RecoveryServices/locations/backupStatus/action
•Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
•Microsoft.RecoveryServices/operations/read
•Microsoft.RecoveryServices/locations/operationStatus/read
•Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
•Microsoft.RecoveryServices/Vaults/usages/read
•Microsoft.RecoveryServices/locations/backupValidateFeatures/action
•Microsoft.RecoveryServices/locations/backupCrrJobs/action
•Microsoft.RecoveryServices/locations/backupCrrJob/action
•Microsoft.RecoveryServices/locations/backupCrrOperationResults/read
•Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read
•Microsoft.DataProtection/locations/getBackupStatus/action
•Microsoft.DataProtection/backupVaults/backupInstances/write
•Microsoft.DataProtection/backupVaults/backupInstances/read
•Microsoft.DataProtection/backupVaults/deletedBackupInstances/read
•Microsoft.DataProtection/backupVaults/backupInstances/backup/action
•Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action
•Microsoft.DataProtection/backupVaults/backupInstances/restore/action
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read
•Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/operationResults/read
•Microsoft.DataProtection/backupVaults/operationStatus/read
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/locations/operationStatus/read
•Microsoft.DataProtection/locations/operationResults/read
•Microsoft.DataProtection/backupVaults/validateForBackup/action
•Microsoft.DataProtection/operations/read
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action
•Microsoft.DataProtection/locations/checkFeatureSupport/action
39138f76-04e6-41f0-ba6b-c411b59081a9 Bayer Ag Powered Services Crop Id Solution User Role Provide access to Crop Id Solution by Bayer Ag Powered Services False 00019 effective data plane operations (unique)

•action: 5
•delete: 3
•read: 6
•write: 5
DataActions: 007
resolved data operations: 19
effective data operations: 19
•action: 5
•delete: 3
•read: 6
•write: 5

•Microsoft.AgFoodPlatform/farmBeats/parties/fields/read
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/write
•Microsoft.AgFoodPlatform/farmBeats/parties/read
•Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/*
•Microsoft.AgFoodPlatform/farmBeats/scenes/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/*
a9b99099-ead7-47db-8fcf-072597a61dfa Bayer Ag Powered Services CWUM Solution Provide access to CWUM Solution by Bayer Ag Powered Services False 00023 effective data plane operations (unique)

•action: 5
•delete: 3
•read: 8
•write: 7
DataActions: 011
resolved data operations: 23
effective data operations: 23
•action: 5
•delete: 3
•read: 8
•write: 7

•Microsoft.AgFoodPlatform/farmBeats/parties/read
•Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read
•Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/write
•Microsoft.AgFoodPlatform/farmBeats/parties/farms/read
•Microsoft.AgFoodPlatform/farmBeats/parties/farms/write
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/read
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/write
•Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/*
•Microsoft.AgFoodPlatform/farmBeats/scenes/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/*
1af232de-e806-426f-8ca1-c36142449755 Bayer Ag Powered Services Field Imagery Solution Service Role Provide access to Field Imagery Solution by Bayer Ag Powered Services False 00017 effective data plane operations (unique)

•action: 5
•delete: 3
•read: 5
•write: 4
DataActions: 006
resolved data operations: 17
effective data operations: 17
•action: 5
•delete: 3
•read: 5
•write: 4

•Microsoft.AgFoodPlatform/farmBeats/parties/read
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/read
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/write
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/*
•Microsoft.AgFoodPlatform/farmBeats/scenes/*
c4bc862a-3b64-4a35-a021-a380c159b042 Bayer Ag Powered Services GDU Solution Provide access to GDU Solution by Bayer Ag Powered Services False 00013 effective data plane operations (unique)

•action: 3
•delete: 2
•read: 6
•write: 2
DataActions: 006
resolved data operations: 13
effective data operations: 13
•action: 3
•delete: 2
•read: 6
•write: 2

•Microsoft.AgFoodPlatform/farmBeats/parties/read
•Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read
•Microsoft.AgFoodPlatform/farmBeats/parties/farms/read
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/read
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/*
b5b192c1-773c-4543-bfb0-6c59254b74a9 Bayer Ag Powered Services Historical Weather Data Solution User Role Provide access to Historical Weather Data Solution by Bayer Ag Powered Services False 00014 effective data plane operations (unique)

•action: 3
•delete: 2
•read: 5
•write: 4
DataActions: 007
resolved data operations: 14
effective data operations: 14
•action: 3
•delete: 2
•read: 5
•write: 4

•Microsoft.AgFoodPlatform/farmBeats/parties/read
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/read
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/write
•Microsoft.AgFoodPlatform/farmBeats/parties/farms/read
•Microsoft.AgFoodPlatform/farmBeats/parties/farms/write
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/*
ef29765d-0d37-4119-a4f8-f9f9902c9588 Bayer Ag Powered Services Imagery Solution Provide access to Imagery Solution by Bayer Ag Powered Services False 00023 effective data plane operations (unique)

•action: 5
•delete: 3
•read: 8
•write: 7
DataActions: 011
resolved data operations: 23
effective data operations: 23
•action: 5
•delete: 3
•read: 8
•write: 7

•Microsoft.AgFoodPlatform/farmBeats/parties/read
•Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read
•Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/write
•Microsoft.AgFoodPlatform/farmBeats/parties/farms/read
•Microsoft.AgFoodPlatform/farmBeats/parties/farms/write
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/read
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/write
•Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/*
•Microsoft.AgFoodPlatform/farmBeats/scenes/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/*
539283cd-c185-4a9a-9503-d35217a1db7b Bayer Ag Powered Services Smart Boundary Solution User Role Provide access to Smart Boundary Solution by Bayer Ag Powered Services False 00019 effective data plane operations (unique)

•action: 5
•delete: 3
•read: 6
•write: 5
DataActions: 007
resolved data operations: 19
effective data operations: 19
•action: 5
•delete: 3
•read: 6
•write: 5

•Microsoft.AgFoodPlatform/farmBeats/parties/read
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/read
•Microsoft.AgFoodPlatform/farmBeats/parties/fields/write
•Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/*
•Microsoft.AgFoodPlatform/farmBeats/scenes/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/*
fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 Billing Reader Allows read access to billing data False 00183 effective control plane operations (unique)

•action: 3
•read: 179
•write: 1
Actions: 007
resolved operations: 183
effective operations: 183
•action: 3
•read: 179
•write: 1

•Microsoft.Authorization/*/read
•Microsoft.Billing/*/read
•Microsoft.Commerce/*/read
•Microsoft.Consumption/*/read
•Microsoft.Management/managementGroups/read
•Microsoft.CostManagement/*/read
•Microsoft.Support/*
5e3c6656-6cfa-4708-81fe-0de47ac73342 BizTalk Contributor Lets you manage BizTalk services, but not access to them. False 00056 effective control plane operations (unique)

•: 1
•Action: 10
•Delete: 2
•read: 40
•Write: 3
Actions: 007
resolved operations: 56
effective operations: 56
•: 1
•Action: 10
•Delete: 2
•read: 40
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.BizTalkServices/BizTalk/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
31a002a1-acaf-453e-8a5b-297c9ca1ea24 Blockchain Member Node Access (Preview) Allows for access to Blockchain Member nodes False 00002 effective control plane and data plane operations (unique)

•action: 1
•read: 1
Actions: 001
resolved operations: 1
effective operations: 1
•read: 1

•Microsoft.Blockchain/blockchainMembers/transactionNodes/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action
41077137-e803-4205-871c-5a86e6a753b4 Blueprint Contributor Can manage blueprint definitions, but not assign them. False 00057 effective control plane operations (unique)

•action: 7
•delete: 4
•read: 41
•write: 5
Actions: 005
resolved operations: 57
effective operations: 57
•action: 7
•delete: 4
•read: 41
•write: 5

•Microsoft.Authorization/*/read
•Microsoft.Blueprint/blueprints/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
437d2ced-4a38-4302-8479-ed2bcb43d090 Blueprint Operator Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. False 00052 effective control plane operations (unique)

•action: 8
•delete: 2
•read: 39
•write: 3
Actions: 005
resolved operations: 52
effective operations: 52
•action: 8
•delete: 2
•read: 39
•write: 3

•Microsoft.Authorization/*/read
•Microsoft.Blueprint/blueprintAssignments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
fa0d39e6-28e5-40cf-8521-1eb320653a4c Carbon Optimization Reader Allow read access to Azure Carbon Optimization data False 00001 effective control plane operations (unique)

•action: 1
Actions: 001
resolved operations: 1
effective operations: 1
•action: 1

•Microsoft.Carbon/carbonEmissionReports/action
426e0c7f-0c7e-4658-b36f-ff54d6c29b45 CDN Endpoint Contributor Can manage CDN endpoints, but can't grant access to other users. False 00153 effective control plane operations (unique)

•: 1
•action: 44
•delete: 22
•read: 62
•write: 24
Actions: 008
resolved operations: 153
effective operations: 153
•: 1
•action: 44
•delete: 22
•read: 62
•write: 24

•Microsoft.Authorization/*/read
•Microsoft.Cdn/edgenodes/read
•Microsoft.Cdn/operationresults/*
•Microsoft.Cdn/profiles/endpoints/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
871e35f6-b5c1-49cc-a043-bde969a0f2cd CDN Endpoint Reader Can view CDN endpoints, but can't make changes. False 00136 effective control plane operations (unique)

•: 1
•action: 37
•delete: 18
•read: 61
•write: 19
Actions: 009
resolved operations: 136
effective operations: 136
•: 1
•action: 37
•delete: 18
•read: 61
•write: 19

•Microsoft.Authorization/*/read
•Microsoft.Cdn/edgenodes/read
•Microsoft.Cdn/operationresults/*
•Microsoft.Cdn/profiles/endpoints/*/read
•Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
ec156ff8-a8d1-4d15-830c-5b80698ca432 CDN Profile Contributor Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users. False 00215 effective control plane operations (unique)

•: 1
•action: 66
•delete: 32
•read: 81
•write: 35
Actions: 008
resolved operations: 215
effective operations: 215
•: 1
•action: 66
•delete: 32
•read: 81
•write: 35

•Microsoft.Authorization/*/read
•Microsoft.Cdn/edgenodes/read
•Microsoft.Cdn/operationresults/*
•Microsoft.Cdn/profiles/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
8f96442b-4075-438f-813d-ad51ab4019af CDN Profile Reader Can view CDN profiles and their endpoints, but can't make changes. False 00157 effective control plane operations (unique)

•: 1
•action: 39
•delete: 18
•read: 80
•write: 19
Actions: 011
resolved operations: 157
effective operations: 157
•: 1
•action: 39
•delete: 18
•read: 80
•write: 19

•Microsoft.Authorization/*/read
•Microsoft.Cdn/edgenodes/read
•Microsoft.Cdn/operationresults/*
•Microsoft.Cdn/profiles/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Cdn/profiles/CheckResourceUsage/action
•Microsoft.Cdn/profiles/endpoints/CheckResourceUsage/action
4e9b8407-af2e-495b-ae54-bb60a55b1b5a Chamber Admin Lets you manage everything under your Modeling and Simulation Workbench chamber. False 00071 effective control plane and data plane operations (unique)

•action: 21
•delete: 5
•read: 40
•write: 5
Actions: 005
resolved operations: 70
effective operations: 68
•action: 18
•delete: 5
•read: 40
•write: 5

•Microsoft.ModSimWorkbench/*/read
•Microsoft.ModSimWorkbench/workbenches/chambers/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
NotActions: 002
resolved not operations: 2
effective not operations: 16124

•Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/manage/action
•Microsoft.ModSimWorkbench/workbenches/chambers/connector/setCopyPaste/action
DataActions: 002
resolved data operations: 3
effective data operations: 3
•action: 3

•Microsoft.ModSimWorkbench/workbenches/chambers/upload/action
•Microsoft.ModSimWorkbench/workbenches/chambers/files/*
4447db05-44ed-4da3-ae60-6cbece780e32 Chamber User Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes. False 00050 effective control plane and data plane operations (unique)

•action: 10
•delete: 2
•read: 36
•write: 2
Actions: 007
resolved operations: 49
effective operations: 49
•action: 9
•delete: 2
•read: 36
•write: 2

•Microsoft.ModSimWorkbench/workbenches/chambers/*/read
•Microsoft.ModSimWorkbench/workbenches/chambers/workloads/*
•Microsoft.ModSimWorkbench/workbenches/chambers/getUploadUri/action
•Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/getDownloadUri/action
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.ModSimWorkbench/workbenches/chambers/upload/action
7c2e40b7-25eb-482a-82cb-78ba06cb46d5 Chaos Studio Experiment Contributor Can create, run, and see details for experiments, onboard targets, and manage capabilities. False 00066 effective control plane operations (unique)

•: 1
•action: 12
•delete: 5
•read: 43
•write: 5
Actions: 005
resolved operations: 66
effective operations: 66
•: 1
•action: 12
•delete: 5
•read: 43
•write: 5

•Microsoft.Chaos/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
1a40e87e-6645-48e0-b27a-0b115d849a20 Chaos Studio Operator Can run and see details for experiments but cannot create experiments or manage targets and capabilities. False 00058 effective control plane operations (unique)

•: 1
•action: 10
•Delete: 2
•read: 43
•Write: 2
Actions: 010
resolved operations: 58
effective operations: 58
•: 1
•action: 10
•Delete: 2
•read: 43
•Write: 2

•Microsoft.Chaos/*/read
•Microsoft.Chaos/experiments/start/action
•Microsoft.Chaos/experiments/cancel/action
•Microsoft.Chaos/experiments/executions/getExecutionDetails/action
•Microsoft.Chaos/locations/operationResults/read
•Microsoft.Chaos/locations/operationStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
29e2da8a-229c-4157-8ae8-cc72fc506b74 Chaos Studio Reader Can view targets, capabilities, experiments, and experiment details. False 00056 effective control plane operations (unique)

•: 1
•action: 8
•Delete: 2
•read: 43
•Write: 2
Actions: 006
resolved operations: 56
effective operations: 56
•: 1
•action: 8
•Delete: 2
•read: 43
•Write: 2

•Microsoft.Chaos/*/read
•Microsoft.Chaos/experiments/executions/getExecutionDetails/action
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
b34d265f-36f7-4a0d-a4d4-e158ca92e90f Classic Network Contributor Lets you manage classic networks, but not access to them. False 00128 effective control plane operations (unique)

•: 1
•action: 32
•delete: 12
•read: 68
•write: 15
Actions: 007
resolved operations: 128
effective operations: 128
•: 1
•action: 32
•delete: 12
•read: 68
•write: 15

•Microsoft.Authorization/*/read
•Microsoft.ClassicNetwork/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
86e8f5dc-a6e9-4c67-9d15-de283e8eac25 Classic Storage Account Contributor Lets you manage classic storage accounts, but not access to them. False 00100 effective control plane operations (unique)

•: 1
•action: 16
•delete: 7
•read: 63
•write: 13
Actions: 007
resolved operations: 100
effective operations: 100
•: 1
•action: 16
•delete: 7
•read: 63
•write: 13

•Microsoft.Authorization/*/read
•Microsoft.ClassicStorage/storageAccounts/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
985d6b00-f706-48f5-a6fe-d0ca12fb668d Classic Storage Account Key Operator Service Role Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts False 00002 effective control plane operations (unique)

•action: 2
Actions: 002
resolved operations: 2
effective operations: 2
•action: 2

•Microsoft.ClassicStorage/storageAccounts/listkeys/action
•Microsoft.ClassicStorage/storageAccounts/regeneratekey/action
d73bb868-a0df-4d4d-bd69-98a00b01fccb Classic Virtual Machine Contributor Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. False 00161 effective control plane operations (unique)

•: 1
•action: 35
•delete: 11
•read: 90
•write: 24
Actions: 017
resolved operations: 161
effective operations: 161
•: 1
•action: 35
•delete: 11
•read: 90
•write: 24

•Microsoft.Authorization/*/read
•Microsoft.ClassicCompute/domainNames/*
•Microsoft.ClassicCompute/virtualMachines/*
•Microsoft.ClassicNetwork/networkSecurityGroups/join/action
•Microsoft.ClassicNetwork/reservedIps/link/action
•Microsoft.ClassicNetwork/reservedIps/read
•Microsoft.ClassicNetwork/virtualNetworks/join/action
•Microsoft.ClassicNetwork/virtualNetworks/read
•Microsoft.ClassicStorage/storageAccounts/disks/read
•Microsoft.ClassicStorage/storageAccounts/images/read
•Microsoft.ClassicStorage/storageAccounts/listKeys/action
•Microsoft.ClassicStorage/storageAccounts/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
9106cda0-8a86-4e81-b686-29a22c54effe ClearDB MySQL DB Contributor Lets you manage ClearDB MySQL databases, but not access to them. False 00056 effective control plane operations (unique)

•: 1
•Action: 10
•Delete: 2
•read: 40
•Write: 3
Actions: 007
resolved operations: 56
effective operations: 56
•: 1
•Action: 10
•Delete: 2
•read: 40
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•successbricks.cleardb/databases/*
4e9d0bd4-5aab-4f91-92df-9def33fe287c CloudTest Contributor Role Read, write, delete and perform actions on CloudTest Accounts, CloudTest Pools, 1ES Hosted Pools and 1ES Images. False 00060 effective control plane operations (unique)

•: 1
•action: 9
•delete: 6
•read: 38
•write: 6
Actions: 015
resolved operations: 60
effective operations: 60
•: 1
•action: 9
•delete: 6
•read: 38
•write: 6

•Microsoft.CloudTest/*/read
•Microsoft.CloudTest/hostedpools/write
•Microsoft.CloudTest/hostedpools/delete
•Microsoft.CloudTest/images/write
•Microsoft.CloudTest/images/delete
•Microsoft.CloudTest/images/cancel/action
•Microsoft.CloudTest/images/refresh/action
•Microsoft.CloudTest/pools/write
•Microsoft.CloudTest/pools/delete
•Microsoft.CloudTest/accounts/write
•Microsoft.CloudTest/accounts/delete
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/read
7ac06ca7-21ca-47e3-a67b-cbd6e6223baf Cognitive Search Serverless Data Contributor (Deprecated) This role has been deprecated False 00002 effective data plane operations (unique)

•read: 2
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.CognitiveSearch/indexes/schema/*
•Microsoft.CognitiveSearch/indexes/documents/*
79b01272-bf9f-4f4c-9517-5506269cf524 Cognitive Search Serverless Data Reader (Deprecated) This role has been deprecated False 00002 effective data plane operations (unique)

•read: 2
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.CognitiveSearch/indexes/schema/read
•Microsoft.CognitiveSearch/indexes/documents/read
25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 Cognitive Services Contributor Lets you create, read, update, delete and manage keys of Cognitive Services. False 00152 effective control plane operations (unique)

•: 1
•action: 24
•delete: 18
•read: 88
•write: 21
Actions: 018
resolved operations: 152
effective operations: 152
•: 1
•action: 24
•delete: 18
•read: 88
•write: 21

•Microsoft.Authorization/*/read
•Microsoft.CognitiveServices/*
•Microsoft.Features/features/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/providers/features/register/action
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/diagnosticSettings/*
•Microsoft.Insights/logDefinitions/read
•Microsoft.Insights/metricdefinitions/read
•Microsoft.Insights/metrics/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 003
Configure Azure AI Services resources to disable local key access (disable local authentication)
Configure Azure AI Services resources to disable local key access (disable local authentication)
Configure Cognitive Services accounts with private endpoints
c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 Cognitive Services Custom Vision Contributor Full access to the project, including the ability to view, create, edit, or delete projects. False 00111 effective control plane and data plane operations (unique)

•action: 33
•delete: 11
•read: 60
•write: 7
Actions: 001
resolved operations: 37
effective operations: 37
•read: 37

•Microsoft.CognitiveServices/*/read
DataActions: 001
resolved data operations: 74
effective data operations: 74
•action: 33
•delete: 11
•read: 23
•write: 7

•Microsoft.CognitiveServices/accounts/CustomVision/*
5c4089e1-6d96-4d2f-b296-c1bc7137275f Cognitive Services Custom Vision Deployment Publish, unpublish or export models. Deployment can view the project but can't update. False 00074 effective control plane and data plane operations (unique)

•action: 13
•delete: 2
•read: 59
Actions: 001
resolved operations: 37
effective operations: 37
•read: 37

•Microsoft.CognitiveServices/*/read
DataActions: 007
resolved data operations: 38
effective data operations: 37
•action: 13
•delete: 2
•read: 22

•Microsoft.CognitiveServices/accounts/CustomVision/*/read
•Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*
•Microsoft.CognitiveServices/accounts/CustomVision/classify/*
•Microsoft.CognitiveServices/accounts/CustomVision/detect/*
NotDataActions: 001
resolved not data operations: 1
effective not data operations: 3266

•Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
88424f51-ebe7-446f-bc41-7fa16989e96c Cognitive Services Custom Vision Labeler View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. False 00077 effective control plane and data plane operations (unique)

•action: 13
•delete: 4
•read: 59
•write: 1
Actions: 001
resolved operations: 37
effective operations: 37
•read: 37

•Microsoft.CognitiveServices/*/read
DataActions: 006
resolved data operations: 41
effective data operations: 40
•action: 13
•delete: 4
•read: 22
•write: 1

•Microsoft.CognitiveServices/accounts/CustomVision/*/read
•Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action
•Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action
NotDataActions: 001
resolved not data operations: 1
effective not data operations: 3263

•Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
93586559-c37d-4a6b-ba08-b9f0940c2d73 Cognitive Services Custom Vision Reader Read-only actions in the project. Readers can't create or update the project. False 00060 effective control plane and data plane operations (unique)

•action: 1
•read: 59
Actions: 001
resolved operations: 37
effective operations: 37
•read: 37

•Microsoft.CognitiveServices/*/read
DataActions: 002
resolved data operations: 24
effective data operations: 23
•action: 1
•read: 22

•Microsoft.CognitiveServices/accounts/CustomVision/*/read
•Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action
NotDataActions: 001
resolved not data operations: 1
effective not data operations: 3280

•Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
0a5ae4ab-0d65-4eeb-be61-29fc9b54394b Cognitive Services Custom Vision Trainer View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. False 00107 effective control plane and data plane operations (unique)

•action: 31
•delete: 10
•read: 59
•write: 7
Actions: 001
resolved operations: 37
effective operations: 37
•read: 37

•Microsoft.CognitiveServices/*/read
DataActions: 001
resolved data operations: 74
effective data operations: 70
•action: 31
•delete: 10
•read: 22
•write: 7

•Microsoft.CognitiveServices/accounts/CustomVision/*
NotDataActions: 004
resolved not data operations: 4
effective not data operations: 3233

•Microsoft.CognitiveServices/accounts/CustomVision/projects/action
•Microsoft.CognitiveServices/accounts/CustomVision/projects/delete
•Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action
•Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
19c28022-e58e-450d-a464-0b2a53034789 Cognitive Services Data Contributor (Preview) Allows to call data plane APIs, but not any control plane APIs for Microsoft Cognitive Services. This role is in preview and subject to change. False 01454 effective data plane operations (unique)

•action: 421
•delete: 204
•read: 588
•write: 241
DataActions: 001
resolved data operations: 1454
effective data operations: 1454
•action: 421
•delete: 204
•read: 588
•write: 241

•Microsoft.CognitiveServices/*
b59867f0-fa02-499b-be73-45a86b5b3e1c Cognitive Services Data Reader Lets you read Cognitive Services data. False 00588 effective data plane operations (unique)

•read: 588
DataActions: 001
resolved data operations: 588
effective data operations: 588
•read: 588

•Microsoft.CognitiveServices/*/read
b5b0c71d-aca9-4081-aee2-9b1bb335fc1a Cognitive Services Face Contributor Full access to perform all Face APIs False 00112 effective control plane and data plane operations (unique)

•action: 19
•delete: 16
•read: 63
•write: 14
Actions: 003
resolved operations: 39
effective operations: 39
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 001
resolved data operations: 73
effective data operations: 73
•action: 19
•delete: 16
•read: 24
•write: 14

•Microsoft.CognitiveServices/accounts/Face/*
9894cab4-e18a-44aa-828b-cb588cd6f2d7 Cognitive Services Face Recognizer Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. False 00016 effective data plane operations (unique)

•action: 10
•delete: 2
•read: 4
DataActions: 012
resolved data operations: 16
effective data operations: 16
•action: 10
•delete: 2
•read: 4

•Microsoft.CognitiveServices/accounts/Face/detect/action
•Microsoft.CognitiveServices/accounts/Face/verify/action
•Microsoft.CognitiveServices/accounts/Face/identify/action
•Microsoft.CognitiveServices/accounts/Face/group/action
•Microsoft.CognitiveServices/accounts/Face/findsimilars/action
•Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action
•Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action
•Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action
•Microsoft.CognitiveServices/accounts/Face/*/sessions/action
•Microsoft.CognitiveServices/accounts/Face/*/sessions/delete
•Microsoft.CognitiveServices/accounts/Face/*/sessions/read
•Microsoft.CognitiveServices/accounts/Face/*/sessions/audit/read
b2de6794-95db-4659-8781-7e080d3f2b9d Cognitive Services Immersive Reader User Provides access to create Immersive Reader sessions and call APIs False 00001 effective data plane operations (unique)

•action: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforreader/action
f07febfe-79bc-46b1-8b37-790e26e6e498 Cognitive Services Language Owner Has access to all Read, Test, Write, Deploy and Delete functions under Language portal False 00236 effective control plane and data plane operations (unique)

•action: 61
•delete: 12
•read: 149
•write: 14
Actions: 004
resolved operations: 40
effective operations: 40
•action: 1
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.CognitiveServices/accounts/listkeys/action
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 004
resolved data operations: 213
effective data operations: 196
•action: 60
•delete: 12
•read: 110
•write: 14

•Microsoft.CognitiveServices/accounts/LanguageAuthoring/*
•Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*
•Microsoft.CognitiveServices/accounts/Language/*
•Microsoft.CognitiveServices/accounts/TextAnalytics/*
NotDataActions: 001
resolved not data operations: 17
effective not data operations: 3107

•Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*
7628b7b8-a8b2-4cdc-b46f-e9b35248918e Cognitive Services Language Reader Has access to Read and Test functions under Language portal False 00168 effective control plane and data plane operations (unique)

•action: 19
•read: 149
Actions: 003
resolved operations: 39
effective operations: 39
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 016
resolved data operations: 146
effective data operations: 129
•action: 19
•read: 110

•Microsoft.CognitiveServices/accounts/LanguageAuthoring/*/read
•Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*/read
•Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/action
•Microsoft.CognitiveServices/accounts/Language/*/read
•Microsoft.CognitiveServices/accounts/Language/*/projects/export/action
•Microsoft.CognitiveServices/accounts/Language/query-text/action
•Microsoft.CognitiveServices/accounts/Language/query-dataverse/action
•Microsoft.CognitiveServices/accounts/Language/analyze-text/jobs/action
•Microsoft.CognitiveServices/accounts/Language/analyze-text/action
•Microsoft.CognitiveServices/accounts/Language/analyze-text/jobscancel/action
•Microsoft.CognitiveServices/accounts/Language/analyze-conversations/action
•Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobscancel/action
•Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobs/action
•Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/action
•Microsoft.CognitiveServices/accounts/Language/generate/action
•Microsoft.CognitiveServices/accounts/TextAnalytics/*
NotDataActions: 001
resolved not data operations: 17
effective not data operations: 3174

•Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*
f2310ca1-dc64-4889-bb49-c8e0fa3d47a8 Cognitive Services Language Writer Has access to all Read, Test, and Write functions under Language Portal False 00223 effective control plane and data plane operations (unique)

•action: 57
•delete: 7
•read: 149
•write: 10
Actions: 003
resolved operations: 39
effective operations: 39
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 004
resolved data operations: 213
effective data operations: 184
•action: 57
•delete: 7
•read: 110
•write: 10

•Microsoft.CognitiveServices/accounts/LanguageAuthoring/*
•Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*
•Microsoft.CognitiveServices/accounts/Language/*
•Microsoft.CognitiveServices/accounts/TextAnalytics/*
NotDataActions: 007
resolved not data operations: 29
effective not data operations: 3119

•Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/action
•Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/write
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*
•Microsoft.CognitiveServices/accounts/Language/*/projects/delete
•Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/write
•Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/delete
•Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/swap/action
f72c8140-2111-481c-87ff-72b910f6e3f8 Cognitive Services LUIS Owner Has access to all Read, Test, Write, Deploy and Delete functions under LUIS False 00261 effective control plane and data plane operations (unique)

•action: 19
•delete: 40
•read: 150
•write: 52
Actions: 004
resolved operations: 40
effective operations: 40
•action: 1
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.CognitiveServices/accounts/listkeys/action
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 001
resolved data operations: 221
effective data operations: 221
•action: 18
•delete: 40
•read: 111
•write: 52

•Microsoft.CognitiveServices/accounts/LUIS/*
18e81cdc-4e98-4e29-a639-e7d10c5a6226 Cognitive Services LUIS Reader Has access to Read and Test functions under LUIS. False 00151 effective control plane and data plane operations (unique)

•read: 150
•write: 1
Actions: 003
resolved operations: 39
effective operations: 39
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 002
resolved data operations: 112
effective data operations: 112
•read: 111
•write: 1

•Microsoft.CognitiveServices/accounts/LUIS/*/read
•Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write
6322a993-d5c9-4bed-b113-e49bbea25b27 Cognitive Services LUIS Writer Has access to all Read, Test, and Write functions under LUIS False 00254 effective control plane and data plane operations (unique)

•action: 15
•delete: 38
•read: 150
•write: 51
Actions: 003
resolved operations: 39
effective operations: 39
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 001
resolved data operations: 221
effective data operations: 215
•action: 15
•delete: 38
•read: 111
•write: 51

•Microsoft.CognitiveServices/accounts/LUIS/*
NotDataActions: 006
resolved not data operations: 6
effective not data operations: 3088

•Microsoft.CognitiveServices/accounts/LUIS/apps/delete
•Microsoft.CognitiveServices/accounts/LUIS/apps/move/action
•Microsoft.CognitiveServices/accounts/LUIS/apps/publish/action
•Microsoft.CognitiveServices/accounts/LUIS/apps/settings/write
•Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/action
•Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete
cb43c632-a144-4ec5-977c-e80c4affc34a Cognitive Services Metrics Advisor Administrator Full access to the project, including the system level configuration. False 00091 effective control plane and data plane operations (unique)

•action: 14
•delete: 8
•read: 60
•write: 9
Actions: 001
resolved operations: 37
effective operations: 37
•read: 37

•Microsoft.CognitiveServices/*/read
DataActions: 001
resolved data operations: 54
effective data operations: 54
•action: 14
•delete: 8
•read: 23
•write: 9

•Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
3b20f47b-3825-43cb-8114-4bd2201156a8 Cognitive Services Metrics Advisor User Access to the project. False 00090 effective control plane and data plane operations (unique)

•action: 14
•delete: 8
•read: 59
•write: 9
Actions: 001
resolved operations: 37
effective operations: 37
•read: 37

•Microsoft.CognitiveServices/*/read
DataActions: 001
resolved data operations: 54
effective data operations: 53
•action: 14
•delete: 8
•read: 22
•write: 9

•Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
NotDataActions: 001
resolved not data operations: 1
effective not data operations: 3250

•Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/*
a001fd3d-188f-4b5d-821b-7da978bf7442 Cognitive Services OpenAI Contributor Full access including the ability to fine-tune, deploy and generate text False 00118 effective control plane and data plane operations (unique)

•action: 18
•delete: 15
•read: 64
•write: 21
Actions: 011
resolved operations: 45
effective operations: 45
•delete: 3
•read: 39
•write: 3

•Microsoft.CognitiveServices/*/read
•Microsoft.CognitiveServices/accounts/deployments/write
•Microsoft.CognitiveServices/accounts/deployments/delete
•Microsoft.CognitiveServices/accounts/raiPolicies/read
•Microsoft.CognitiveServices/accounts/raiPolicies/write
•Microsoft.CognitiveServices/accounts/raiPolicies/delete
•Microsoft.CognitiveServices/accounts/commitmentplans/read
•Microsoft.CognitiveServices/accounts/commitmentplans/write
•Microsoft.CognitiveServices/accounts/commitmentplans/delete
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 001
resolved data operations: 73
effective data operations: 73
•action: 18
•delete: 12
•read: 25
•write: 18

•Microsoft.CognitiveServices/accounts/OpenAI/*
count: 002
Configure Azure AI Services resources to disable local key access (disable local authentication)
Configure Azure AI Services resources to disable local key access (disable local authentication)
5e0bd9bd-7b93-4f28-af87-19fc36ad61bd Cognitive Services OpenAI User Ability to view files, models, deployments. Readers can't make any changes. They can inference and create images False 00088 effective control plane and data plane operations (unique)

•action: 11
•delete: 6
•read: 63
•write: 8
Actions: 003
resolved operations: 39
effective operations: 39
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 013
resolved data operations: 50
effective data operations: 49
•action: 11
•delete: 6
•read: 24
•write: 8

•Microsoft.CognitiveServices/accounts/OpenAI/*/read
•Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action
•Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action
•Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/audio/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/realtime/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action
•Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action
•Microsoft.CognitiveServices/accounts/OpenAI/assistants/*
NotDataActions: 001
resolved not data operations: 1
effective not data operations: 3254

•Microsoft.CognitiveServices/accounts/OpenAI/stored-completions/read
f4cc2bf9-21be-47a1-bdf1-5c5804381025 Cognitive Services QnA Maker Editor Lets you create, edit, import and export a KB. You cannot publish or delete a KB. False 00078 effective control plane and data plane operations (unique)

•action: 9
•read: 57
•write: 12
Actions: 003
resolved operations: 39
effective operations: 39
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 039
resolved data operations: 39
effective data operations: 39
•action: 9
•read: 18
•write: 12

•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action
•Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read
•Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write
•Microsoft.CognitiveServices/accounts/QnAMaker/operations/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read
466ccd10-b268-4a11-b098-b4849f024126 Cognitive Services QnA Maker Reader Lets you read and test a KB only. False 00057 effective control plane and data plane operations (unique)

•action: 3
•read: 54
Actions: 003
resolved operations: 39
effective operations: 39
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 018
resolved data operations: 18
effective data operations: 18
•action: 3
•read: 15

•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read
0e75ca1e-0464-4b4d-8b93-68208a576181 Cognitive Services Speech Contributor Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. False 00221 effective control plane and data plane operations (unique)

•action: 38
•delete: 33
•read: 109
•write: 41
Actions: 003
resolved operations: 39
effective operations: 39
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 007
resolved data operations: 182
effective data operations: 182
•action: 38
•delete: 33
•read: 70
•write: 41

•Microsoft.CognitiveServices/accounts/SpeechServices/*
•Microsoft.CognitiveServices/accounts/CustomVoice/*
•Microsoft.CognitiveServices/accounts/AudioContentCreation/*
•Microsoft.CognitiveServices/accounts/VideoTranslation/*
•Microsoft.CognitiveServices/accounts/CustomAvatar/*
•Microsoft.CognitiveServices/accounts/BatchAvatar/*
•Microsoft.CognitiveServices/accounts/BatchTextToSpeech/*
f2dc8367-1007-4938-bd23-fe263f013447 Cognitive Services Speech User Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. False 00163 effective control plane and data plane operations (unique)

•action: 27
•delete: 14
•read: 107
•write: 15
Actions: 003
resolved operations: 39
effective operations: 39
•read: 39

•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 016
resolved data operations: 126
effective data operations: 124
•action: 27
•delete: 14
•read: 68
•write: 15

•Microsoft.CognitiveServices/accounts/SpeechServices/*/read
•Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read
•Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write
•Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete
•Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/action
•Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action
•Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/*/action
•Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/*/action
•Microsoft.CognitiveServices/accounts/CustomVoice/*/read
•Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/*
•Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/*
•Microsoft.CognitiveServices/accounts/AudioContentCreation/*
•Microsoft.CognitiveServices/accounts/VideoTranslation/*
•Microsoft.CognitiveServices/accounts/CustomAvatar/*/read
•Microsoft.CognitiveServices/accounts/BatchAvatar/*
•Microsoft.CognitiveServices/accounts/BatchTextToSpeech/*
NotDataActions: 002
resolved not data operations: 2
effective not data operations: 3179

•Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read
•Microsoft.CognitiveServices/accounts/CustomVoice/datasets/utterances/read
bba48692-92b0-4667-a9ad-c31c7b334ac2 Cognitive Services Usages Reader Minimal permission to view Cognitive Services usages. False 00001 effective control plane operations (unique)

•read: 1
Actions: 001
resolved operations: 1
effective operations: 1
•read: 1

•Microsoft.CognitiveServices/locations/usages/read
a97b65f3-24c7-4388-baec-2e87135dc908 Cognitive Services User Lets you read and list keys of Cognitive Services. False 01512 effective control plane and data plane operations (unique)

•action: 425
•delete: 204
•read: 641
•write: 242
Actions: 013
resolved operations: 58
effective operations: 58
•action: 4
•read: 53
•write: 1

•Microsoft.CognitiveServices/*/read
•Microsoft.CognitiveServices/accounts/listkeys/action
•Microsoft.Insights/alertRules/read
•Microsoft.Insights/diagnosticSettings/read
•Microsoft.Insights/logDefinitions/read
•Microsoft.Insights/metricdefinitions/read
•Microsoft.Insights/metrics/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
DataActions: 001
resolved data operations: 1454
effective data operations: 1454
•action: 421
•delete: 204
•read: 588
•write: 241

•Microsoft.CognitiveServices/*
daa9e50b-21df-454c-94a6-a8050adab352 Collaborative Data Contributor Can manage data packages of a collaborative. False 00057 effective control plane operations (unique)

•: 1
•action: 12
•Delete: 2
•read: 39
•Write: 3
Actions: 013
resolved operations: 57
effective operations: 57
•: 1
•action: 12
•Delete: 2
•read: 39
•Write: 3

•Microsoft.IndustryDataLifecycle/custodianCollaboratives/*/read
•Microsoft.IndustryDataLifecycle/memberCollaboratives/*/read
•Microsoft.IndustryDataLifecycle/locations/dataPackages/*
•Microsoft.IndustryDataLifecycle/custodianCollaboratives/receivedDataPackages/*
•Microsoft.IndustryDataLifecycle/custodianCollaboratives/rejectDataPackage/action
•Microsoft.IndustryDataLifecycle/memberCollaboratives/sharedDataPackages/*
•Microsoft.IndustryDataLifecycle/custodianCollaboratives/dataModels/*
•Microsoft.IndustryDataLifecycle/custodianCollaboratives/auditLogs/action
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
7a6f0e70-c033-4fb1-828c-08514e5f4102 Collaborative Runtime Operator Can manage resources created by AICS at runtime False 00055 effective control plane operations (unique)

•: 1
•Action: 10
•Delete: 2
•read: 39
•Write: 3
Actions: 008
resolved operations: 55
effective operations: 55
•: 1
•Action: 10
•Delete: 2
•read: 39
•Write: 3

•Microsoft.IndustryDataLifecycle/derivedModels/*
•Microsoft.IndustryDataLifecycle/pipelineSets/*
•Microsoft.IndustryDataLifecycle/modelMappings/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
09976791-48a7-449e-bb21-39d1a415f350 Communication and Email Service Owner Create, read, modify, and delete Communications and Email Service resources. False 00031 effective control plane operations (unique)

•action: 7
•Delete: 7
•Read: 9
•Write: 8
Actions: 031
resolved operations: 31
effective operations: 31
•action: 7
•Delete: 7
•Read: 9
•Write: 8

•Microsoft.Communication/CheckNameAvailability/action
•Microsoft.Communication/Locations/OperationStatuses/read
•Microsoft.Communication/Locations/OperationStatuses/write
•Microsoft.Communication/Operations/read
•Microsoft.Communication/CommunicationServices/read
•Microsoft.Communication/CommunicationServices/write
•Microsoft.Communication/CommunicationServices/delete
•Microsoft.Communication/CommunicationServices/ListKeys/action
•Microsoft.Communication/CommunicationServices/RegenerateKey/action
•Microsoft.Communication/CommunicationServices/LinkNotificationHub/action
•Microsoft.Communication/CommunicationServices/EventGridFilters/read
•Microsoft.Communication/CommunicationServices/EventGridFilters/write
•Microsoft.Communication/CommunicationServices/EventGridFilters/delete
•Microsoft.Communication/EmailServices/read
•Microsoft.Communication/EmailServices/write
•Microsoft.Communication/EmailServices/delete
•Microsoft.Communication/EmailServices/Domains/read
•Microsoft.Communication/EmailServices/Domains/write
•Microsoft.Communication/EmailServices/Domains/delete
•Microsoft.Communication/EmailServices/Domains/SenderUsernames/read
•Microsoft.Communication/EmailServices/Domains/SenderUsernames/write
•Microsoft.Communication/EmailServices/Domains/SenderUsernames/delete
•Microsoft.Communication/EmailServices/Domains/SuppressionLists/read
•Microsoft.Communication/EmailServices/Domains/SuppressionLists/write
•Microsoft.Communication/EmailServices/Domains/SuppressionLists/delete
•Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/read
•Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/write
•Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/delete
•Microsoft.Communication/EmailServices/Domains/InitiateVerification/action
•Microsoft.Communication/EmailServices/Domains/CancelVerification/action
•Microsoft.Communication/EmailServices/Domains/*
49435da6-99fe-48a5-a235-fc668b9dc04a Community Contributor Role Community Contributor Role to access the resources of Microsoft.Mission stored with RPSAAS. False 00064 effective control plane operations (unique)

•action: 2
•read: 50
•write: 12
Actions: 038
resolved operations: 64
effective operations: 64
•action: 2
•read: 50
•write: 12

•Microsoft.Mission/register/action
•Microsoft.Mission/unregister/action
•Microsoft.Mission/Locations/OperationStatuses/read
•Microsoft.Mission/Locations/OperationStatuses/write
•Microsoft.Mission/Operations/read
•Microsoft.Mission/catalogs/read
•Microsoft.Mission/catalogs/write
•Microsoft.Mission/communities/read
•Microsoft.Mission/communities/write
•Microsoft.Mission/internalConnections/read
•Microsoft.Mission/internalConnections/write
•Microsoft.Mission/externalConnections/read
•Microsoft.Mission/externalConnections/write
•Microsoft.Mission/virtualEnclaves/read
•Microsoft.Mission/virtualEnclaves/write
•Microsoft.Mission/virtualEnclaves/endpoints/read
•Microsoft.Mission/virtualEnclaves/endpoints/write
•Microsoft.Mission/virtualEnclaves/workloads/read
•Microsoft.Mission/virtualEnclaves/workloads/write
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/features/read
•Microsoft.Mission/communities/communityEndpoints/read
•Microsoft.Mission/communities/communityEndpoints/write
•Microsoft.Mission/communities/transitHubs/read
•Microsoft.Mission/communities/transitHubs/write
•Microsoft.Mission/enclaveConnections/read
•Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read
•Microsoft.Mission/approvals/read
•Microsoft.Mission/approvals/write
5e28a61e-8040-49db-b175-bb5b88af6239 Community Owner Role Community Owner Role to access the resources of Microsoft.Mission stored with RPSAAS. False 00068 effective control plane operations (unique)

•action: 2
•delete: 8
•read: 48
•write: 10
Actions: 042
resolved operations: 68
effective operations: 68
•action: 2
•delete: 8
•read: 48
•write: 10

•Microsoft.Mission/register/action
•Microsoft.Mission/unregister/action
•Microsoft.Mission/Locations/OperationStatuses/read
•Microsoft.Mission/Locations/OperationStatuses/write
•Microsoft.Mission/Operations/read
•Microsoft.Mission/catalogs/read
•Microsoft.Mission/catalogs/write
•Microsoft.Mission/catalogs/delete
•Microsoft.Mission/communities/read
•Microsoft.Mission/communities/write
•Microsoft.Mission/communities/delete
•Microsoft.Mission/internalConnections/read
•Microsoft.Mission/internalConnections/write
•Microsoft.Mission/internalConnections/delete
•Microsoft.Mission/virtualEnclaves/read
•Microsoft.Mission/virtualEnclaves/write
•Microsoft.Mission/virtualEnclaves/delete
•Microsoft.Mission/virtualEnclaves/workloads/read
•Microsoft.Mission/virtualEnclaves/workloads/write
•Microsoft.Mission/virtualEnclaves/workloads/delete
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/features/read
•Microsoft.Mission/communities/communityEndpoints/read
•Microsoft.Mission/communities/communityEndpoints/write
•Microsoft.Mission/communities/communityEndpoints/delete
•Microsoft.Mission/communities/transitHubs/read
•Microsoft.Mission/communities/transitHubs/write
•Microsoft.Mission/communities/transitHubs/delete
•Microsoft.Mission/enclaveConnections/read
•Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read
•Microsoft.Mission/approvals/read
•Microsoft.Mission/approvals/write
•Microsoft.Mission/approvals/delete
e6aadb6b-e64f-41c0-9392-d2bba3bc3ebc Community Reader Role Community Reader Role to access the resources of Microsoft.Mission stored with RPSAAS. False 00065 effective control plane operations (unique)

•: 1
•Action: 7
•Delete: 2
•read: 53
•Write: 2
Actions: 024
resolved operations: 65
effective operations: 65
•: 1
•Action: 7
•Delete: 2
•read: 53
•Write: 2

•Microsoft.Mission/Locations/OperationStatuses/read
•Microsoft.Mission/Operations/read
•Microsoft.Mission/catalogs/read
•Microsoft.Mission/communities/read
•Microsoft.Mission/internalConnections/read
•Microsoft.Mission/externalConnections/read
•Microsoft.Mission/virtualEnclaves/read
•Microsoft.Mission/virtualEnclaves/endpoints/read
•Microsoft.Mission/virtualEnclaves/workloads/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/features/read
•Microsoft.Mission/communities/communityEndpoints/read
•Microsoft.Mission/communities/transitHubs/read
•Microsoft.Mission/enclaveConnections/read
•Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read
•Microsoft.Mission/approvals/read
df2711a6-406d-41cf-b366-b0250bff9ad1 Compute Diagnostics Role Grants permissions to execute diagnostics provided by Compute Diagnostic Service for Compute Resources. False 00029 effective control plane operations (unique)

•action: 2
•read: 27
Actions: 003
resolved operations: 29
effective operations: 29
•action: 2
•read: 27

•Microsoft.Authorization/*/read
•Microsoft.Compute/disks/beginGetAccess/action
•Microsoft.Compute/virtualmachinescalesets/disks/beginGetAccess/action
85a2d0d9-2eba-4c9c-b355-11c2cc0788ab Compute Gallery Artifacts Publisher This is the role for publishing gallery artifacts. False 00079 effective control plane operations (unique)

•: 1
•action: 8
•delete: 10
•read: 48
•write: 12
Actions: 011
resolved operations: 80
effective operations: 79
•: 1
•action: 8
•delete: 10
•read: 48
•write: 12

•Microsoft.Compute/galleries/*
•Microsoft.Compute/locations/capsOperations/read
•Microsoft.Compute/locations/communityGalleries/*
•Microsoft.Compute/locations/sharedGalleries/*
•Microsoft.Compute/images/*
•Microsoft.Compute/virtualMachines/write
•Microsoft.Compute/disks/write
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
NotActions: 001
resolved not operations: 1
effective not operations: 16113

•Microsoft.Compute/galleries/share/action
cf7c76d2-98a3-4358-a134-615aa78bf44d Compute Gallery Image Reader This is the role for reading gallery images. False 00002 effective control plane operations (unique)

•read: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.Compute/galleries/images/read
•Microsoft.Compute/galleries/images/versions/read
1ef6a3be-d0ac-425d-8c01-acb62866290b Compute Gallery Sharing Admin This role allows user to share gallery to another subscription/tenant or share it to the public. False 00001 effective control plane operations (unique)

•action: 1
Actions: 001
resolved operations: 1
effective operations: 1
•action: 1

•Microsoft.Compute/galleries/share/action
e82342c9-ac7f-422b-af64-e426d2e12b2d Compute Recommendations Role Grants permissions to call Compute Recommendations APIs provided by Compute Diagnostic Resource Provider service. False 00001 effective control plane operations (unique)

•action: 1
Actions: 001
resolved operations: 1
effective operations: 1
•action: 1

•Microsoft.Compute/locations/placementScores/generate/action
65a14201-8f6c-4c28-bec4-12619c5a9aaa Connected Cluster Managed Identity CheckAccess Reader Built-in role that allows a Connected Cluster managed identity to call the checkAccess API False 00027 effective control plane operations (unique)

•read: 27
Actions: 001
resolved operations: 27
effective operations: 27
•read: 27

•Microsoft.Authorization/*/read
6cdbb904-5ff3-429d-8169-7d7818b91bd8 Connector Reader Read connectors and their associated resources, such as impacts and insights. False 00003 effective control plane operations (unique)

•Read: 3
Actions: 003
resolved operations: 3
effective operations: 3
•Read: 3

•Microsoft.Impact/Connectors/Read
•Microsoft.Impact/WorkloadImpacts/Read
•Microsoft.Impact/WorkloadImpacts/Insights/Read
6f4fe6fc-f04f-4d97-8528-8bc18c848dca Container Apps ConnectedEnvironments Contributor Full management of Container Apps ConnectedEnvironments, including creation, deletion, and updates. False 00059 effective control plane operations (unique)

•: 1
•action: 10
•delete: 6
•read: 36
•write: 6
Actions: 009
resolved operations: 59
effective operations: 59
•: 1
•action: 10
•delete: 6
•read: 36
•write: 6

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.App/connectedEnvironments/*
•Microsoft.App/connectedEnvironments/*/read
•Microsoft.App/connectedEnvironments/*/write
•Microsoft.App/connectedEnvironments/*/delete
•Microsoft.App/connectedEnvironments/*/action
•Microsoft.App/connectedEnvironments/daprComponents/listSecrets/action
•Microsoft.Resources/deployments/*
d5adeb5b-107f-4aca-99ea-4e3f4fc008d5 Container Apps ConnectedEnvironments Reader Read access to Container Apps ConnectedEnvironments. False 00049 effective control plane operations (unique)

•: 1
•Action: 7
•Delete: 2
•read: 37
•Write: 2
Actions: 006
resolved operations: 49
effective operations: 49
•: 1
•Action: 7
•Delete: 2
•read: 37
•Write: 2

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.App/connectedEnvironments/read
•Microsoft.App/connectedEnvironments/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
358470bc-b998-42bd-ab17-a7e34c199c0f Container Apps Contributor Full management of Container Apps, including creation, deletion, and updates. False 00095 effective control plane operations (unique)

•: 1
•action: 19
•delete: 8
•read: 61
•write: 6
Actions: 014
resolved operations: 95
effective operations: 95
•: 1
•action: 19
•delete: 8
•read: 61
•write: 6

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.App/containerApps/*/read
•Microsoft.App/containerApps/*/write
•Microsoft.App/containerApps/*/delete
•Microsoft.App/containerApps/*/action
•Microsoft.App/managedEnvironments/read
•Microsoft.App/managedEnvironments/*/read
•Microsoft.App/managedEnvironments/join/action
•Microsoft.App/managedEnvironments/checknameavailability/action
•Microsoft.App/connectedEnvironments/read
•Microsoft.App/connectedEnvironments/*/read
•Microsoft.App/connectedEnvironments/join/action
•Microsoft.App/connectedEnvironments/checknameavailability/action
4e3d2b60-56ae-4dc6-a233-09c8e5a82e68 Container Apps Jobs Contributor Full management of Container Apps jobs, including creation, deletion, and updates. False 00084 effective control plane operations (unique)

•: 1
•action: 20
•delete: 3
•read: 57
•write: 3
Actions: 016
resolved operations: 84
effective operations: 84
•: 1
•action: 20
•delete: 3
•read: 57
•write: 3

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•microsoft.app/jobs/read
•Microsoft.App/jobs/*/read
•Microsoft.App/jobs/*/action
•Microsoft.App/jobs/write
•Microsoft.App/jobs/delete
•Microsoft.app/managedenvironments/read
•Microsoft.App/managedenvironments/*/read
•Microsoft.App/managedenvironments/join/action
•Microsoft.App/managedenvironments/checknameavailability/action
•Microsoft.app/connectedEnvironments/read
•Microsoft.App/connectedEnvironments/*/read
•Microsoft.App/connectedEnvironments/join/action
•Microsoft.App/connectedEnvironments/checknameavailability/action
•Microsoft.Resources/deployments/*
b9a307c4-5aa3-4b52-ba60-2b17c136cd7b Container Apps Jobs Operator Read, start, and stop Container Apps jobs. False 00075 effective control plane and data plane operations (unique)

•: 1
•action: 18
•Delete: 1
•read: 54
•Write: 1
Actions: 013
resolved operations: 73
effective operations: 73
•: 1
•action: 16
•Delete: 1
•read: 54
•Write: 1

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•microsoft.app/jobs/read
•Microsoft.App/jobs/*/read
•Microsoft.App/jobs/*/action
•Microsoft.app/managedenvironments/read
•Microsoft.App/managedenvironments/*/read
•Microsoft.App/managedenvironments/join/action
•Microsoft.App/managedenvironments/checknameavailability/action
•Microsoft.app/connectedEnvironments/read
•Microsoft.App/connectedEnvironments/*/read
•Microsoft.App/connectedEnvironments/join/action
•Microsoft.App/connectedEnvironments/checknameavailability/action
DataActions: 002
resolved data operations: 2
effective data operations: 2
•action: 2

•Microsoft.App/jobs/logstream/action
•Microsoft.App/jobs/exec/action
edd66693-d32a-450b-997d-0158c03976b0 Container Apps Jobs Reader Read access to ContainerApps jobs False 00005 effective control plane operations (unique)

•read: 5
Actions: 003
resolved operations: 5
effective operations: 5
•read: 5

•microsoft.app/jobs/read
•Microsoft.App/jobs/*/read
•Microsoft.App/managedenvironments/read
57cc5028-e6a7-4284-868d-0611c5923f8d Container Apps ManagedEnvironments Contributor Full management of Container Apps ManagedEnvironments, including creation, deletion, and updates. False 00089 effective control plane operations (unique)

•: 1
•action: 12
•delete: 14
•read: 48
•write: 14
Actions: 007
resolved operations: 89
effective operations: 89
•: 1
•action: 12
•delete: 14
•read: 48
•write: 14

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.App/managedEnvironments/*/read
•Microsoft.App/managedEnvironments/*/write
•Microsoft.App/managedEnvironments/*/delete
•Microsoft.App/managedEnvironments/*/action
•Microsoft.Resources/deployments/*
1b32c00b-7eff-4c22-93e6-93d11d72d2d8 Container Apps ManagedEnvironments Reader Read access to ContainerApps managedenvironments. False 00051 effective control plane operations (unique)

•: 1
•Action: 3
•Delete: 1
•read: 45
•Write: 1
Actions: 003
resolved operations: 51
effective operations: 51
•: 1
•Action: 3
•Delete: 1
•read: 45
•Write: 1

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.App/managedEnvironments/*/read
f3bd1b5c-91fa-40e7-afe7-0c11d331232c Container Apps Operator Read, logstream and exec into Container Apps. False 00086 effective control plane and data plane operations (unique)

•: 1
•action: 22
•Delete: 1
•read: 61
•Write: 1
Actions: 012
resolved operations: 83
effective operations: 83
•: 1
•action: 19
•Delete: 1
•read: 61
•Write: 1

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.App/containerApps/*/read
•Microsoft.App/containerApps/*/action
•Microsoft.App/managedEnvironments/read
•Microsoft.App/managedEnvironments/*/read
•Microsoft.App/managedEnvironments/join/action
•Microsoft.App/managedEnvironments/checknameavailability/action
•Microsoft.App/connectedEnvironments/read
•Microsoft.App/connectedEnvironments/*/read
•Microsoft.App/connectedEnvironments/join/action
•Microsoft.App/connectedEnvironments/checknameavailability/action
DataActions: 003
resolved data operations: 3
effective data operations: 3
•action: 3

•Microsoft.App/containerApps/logstream/action
•Microsoft.App/containerApps/exec/action
•Microsoft.App/containerApps/debug/action
f7669afb-68b2-44b4-9c5f-6d2a47fddda0 Container Apps SessionPools Contributor Full management of Container Apps SessionPools, including creation, deletion, and updates. False 00071 effective control plane operations (unique)

•: 1
•action: 12
•Delete: 2
•read: 54
•Write: 2
Actions: 015
resolved operations: 71
effective operations: 71
•: 1
•action: 12
•Delete: 2
•read: 54
•Write: 2

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.App/sessionPools/*/read
•Microsoft.App/sessionPools/*/write
•Microsoft.App/sessionPools/*/delete
•Microsoft.App/sessionPools/*/action
•microsoft.App/managedEnvironments/read
•Microsoft.App/managedEnvironments/*/read
•Microsoft.App/managedEnvironments/join/action
•Microsoft.App/managedEnvironments/checknameavailability/action
•microsoft.App/connectedEnvironments/read
•Microsoft.App/connectedEnvironments/*/read
•Microsoft.App/connectedEnvironments/join/action
•Microsoft.App/connectedEnvironments/checknameavailability/action
•Microsoft.Resources/deployments/*
af61e8fc-2633-4b95-bed3-421ad6826515 Container Apps SessionPools Reader Read access to ContainerApps sessionpools. False 00036 effective control plane operations (unique)

•: 1
•Action: 3
•Delete: 1
•read: 30
•Write: 1
Actions: 003
resolved operations: 36
effective operations: 36
•: 1
•Action: 3
•Delete: 1
•read: 30
•Write: 1

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.App/sessionPools/*/read
69b07be0-09bf-439a-b9a6-e73de851bd59 Container Registry Configuration Reader and Data Access Configuration Reader Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks. False 00027 effective control plane operations (unique)

•action: 6
•Delete: 1
•read: 18
•write: 2
Actions: 027
resolved operations: 27
effective operations: 27
•action: 6
•Delete: 1
•read: 18
•write: 2

•Microsoft.ContainerRegistry/registries/operationStatuses/read
•Microsoft.ContainerRegistry/registries/read
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/read
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read
•Microsoft.ContainerRegistry/registries/listCredentials/action
•Microsoft.ContainerRegistry/registries/tokens/read
•Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
•Microsoft.ContainerRegistry/registries/scopeMaps/read
•Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read
•Microsoft.ContainerRegistry/registries/webhooks/read
•Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action
•Microsoft.ContainerRegistry/registries/webhooks/listEvents/action
•Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read
•Microsoft.ContainerRegistry/registries/replications/read
•Microsoft.ContainerRegistry/registries/replications/operationStatuses/read
•Microsoft.ContainerRegistry/registries/connectedRegistries/read
•Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read
•Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write
•Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read
•Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
3bc748fc-213d-45c1-8d91-9da5725539b9 Container Registry Contributor and Data Access Configuration Administrator Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks. False 00089 effective control plane operations (unique)

•action: 16
•delete: 9
•read: 52
•write: 12
Actions: 055
resolved operations: 89
effective operations: 89
•action: 16
•delete: 9
•read: 52
•write: 12

•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerRegistry/registries/operationStatuses/read
•Microsoft.ContainerRegistry/registries/read
•Microsoft.ContainerRegistry/registries/write
•Microsoft.ContainerRegistry/registries/delete
•Microsoft.ContainerRegistry/registries/listCredentials/action
•Microsoft.ContainerRegistry/registries/regenerateCredential/action
•Microsoft.ContainerRegistry/registries/generateCredentials/action
•Microsoft.ContainerRegistry/registries/replications/read
•Microsoft.ContainerRegistry/registries/replications/write
•Microsoft.ContainerRegistry/registries/replications/delete
•Microsoft.ContainerRegistry/registries/replications/operationStatuses/read
•Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/read
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/write
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete
•Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read
•Microsoft.ContainerRegistry/registries/tokens/read
•Microsoft.ContainerRegistry/registries/tokens/write
•Microsoft.ContainerRegistry/registries/tokens/delete
•Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read
•Microsoft.ContainerRegistry/registries/scopeMaps/read
•Microsoft.ContainerRegistry/registries/scopeMaps/write
•Microsoft.ContainerRegistry/registries/scopeMaps/delete
•Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read
•Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read
•Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write
•Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read
•Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.ContainerRegistry/registries/connectedRegistries/read
•Microsoft.ContainerRegistry/registries/connectedRegistries/write
•Microsoft.ContainerRegistry/registries/connectedRegistries/delete
•Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action
•Microsoft.ContainerRegistry/registries/webhooks/read
•Microsoft.ContainerRegistry/registries/webhooks/write
•Microsoft.ContainerRegistry/registries/webhooks/delete
•Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action
•Microsoft.ContainerRegistry/registries/webhooks/ping/action
•Microsoft.ContainerRegistry/registries/webhooks/listEvents/action
•Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.ContainerRegistry/locations/operationResults/read
•Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/write
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write
577a9874-89fd-4f24-9dbd-b5034d0ad23a Container Registry Data Importer and Data Reader Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules. False 00003 effective control plane operations (unique)

•action: 1
•read: 2
Actions: 003
resolved operations: 3
effective operations: 3
•action: 1
•read: 2

•Microsoft.ContainerRegistry/registries/importImage/action
•Microsoft.ContainerRegistry/registries/read
•Microsoft.ContainerRegistry/registries/pull/read
bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7 Container Registry Repository Catalog Lister Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change. False 00001 effective data plane operations (unique)

•read: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•read: 1

•Microsoft.ContainerRegistry/registries/catalog/read
2efddaa5-3f1f-4df3-97df-af3f13818f4c Container Registry Repository Contributor Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change. False 00006 effective data plane operations (unique)

•delete: 2
•read: 2
•write: 2
DataActions: 006
resolved data operations: 6
effective data operations: 6
•delete: 2
•read: 2
•write: 2

•Microsoft.ContainerRegistry/registries/repositories/metadata/read
•Microsoft.ContainerRegistry/registries/repositories/content/read
•Microsoft.ContainerRegistry/registries/repositories/metadata/write
•Microsoft.ContainerRegistry/registries/repositories/content/write
•Microsoft.ContainerRegistry/registries/repositories/metadata/delete
•Microsoft.ContainerRegistry/registries/repositories/content/delete
b93aa761-3e63-49ed-ac28-beffa264f7ac Container Registry Repository Reader Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change. False 00002 effective data plane operations (unique)

•read: 2
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.ContainerRegistry/registries/repositories/metadata/read
•Microsoft.ContainerRegistry/registries/repositories/content/read
2a1e307c-b015-4ebd-883e-5b7698a07328 Container Registry Repository Writer Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change. False 00004 effective data plane operations (unique)

•read: 2
•write: 2
DataActions: 004
resolved data operations: 4
effective data operations: 4
•read: 2
•write: 2

•Microsoft.ContainerRegistry/registries/repositories/metadata/read
•Microsoft.ContainerRegistry/registries/repositories/content/read
•Microsoft.ContainerRegistry/registries/repositories/metadata/write
•Microsoft.ContainerRegistry/registries/repositories/content/write
bf94e731-3a51-4a7c-8c54-a1ab9971dfc1 Container Registry Transfer Pipeline Contributor Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments. False 00010 effective control plane operations (unique)

•delete: 3
•read: 4
•write: 3
Actions: 010
resolved operations: 10
effective operations: 10
•delete: 3
•read: 4
•write: 3

•Microsoft.ContainerRegistry/registries/exportPipelines/read
•Microsoft.ContainerRegistry/registries/exportPipelines/write
•Microsoft.ContainerRegistry/registries/exportPipelines/delete
•Microsoft.ContainerRegistry/registries/importPipelines/read
•Microsoft.ContainerRegistry/registries/importPipelines/write
•Microsoft.ContainerRegistry/registries/importPipelines/delete
•Microsoft.ContainerRegistry/registries/pipelineRuns/read
•Microsoft.ContainerRegistry/registries/pipelineRuns/write
•Microsoft.ContainerRegistry/registries/pipelineRuns/delete
•Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read
ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b ContainerApp Reader View all containerapp resources, but does not allow you to make any changes. False 00057 effective control plane operations (unique)

•: 1
•Action: 7
•Delete: 2
•read: 45
•Write: 2
Actions: 006
resolved operations: 57
effective operations: 57
•: 1
•Action: 7
•Delete: 2
•read: 45
•Write: 2

•Microsoft.App/containerApps/*/read
•Microsoft.App/containerApps/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
b24988ac-6180-42a0-ab88-20f7382dd24c Contributor Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. False 16152 effective control plane operations (unique)

•: 1
•action: 3637
•delete: 2478
•read: 6968
•write: 3068
Actions: 001
resolved operations: 16192
effective operations: 16152
•: 1
•action: 3637
•delete: 2478
•read: 6968
•write: 3068

•*
NotActions: 011
resolved not operations: 40
effective not operations: 40

•Microsoft.Authorization/*/Delete
•Microsoft.Authorization/*/Write
•Microsoft.Authorization/elevateAccess/Action
•Microsoft.Blueprint/blueprintAssignments/write
•Microsoft.Blueprint/blueprintAssignments/delete
•Microsoft.Compute/galleries/share/action
•Microsoft.Purview/consents/write
•Microsoft.Purview/consents/delete
•Microsoft.Resources/deploymentStacks/manageDenySetting/action
•Microsoft.Subscription/cancel/action
•Microsoft.Subscription/enable/action
Used in Policy count: 204
[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent
[Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
[Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage
[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent
[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords
[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed
[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords
[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed
[Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members
[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members
[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members
[Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant
[Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one
[Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running'
[Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled
[Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
[Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain
[Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone
[Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
[Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
[Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed
[Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot
[Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols
[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines
[Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace
[Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace
[Preview]: Configure Azure Defender for SQL agent on virtual machine
[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines
[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines
[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines
[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines
[Preview]: Enable system-assigned identity to SQL VM
[Preview]: Set prerequisite for Scheduling recurring updates on Azure virtual machines.
Add a tag to resource groups
Add a tag to resources
Add or replace a tag on resource groups
Add or replace a tag on resources
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers
Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers
Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers
Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers
Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers
Configure App Configuration stores to disable local authentication methods
Configure App Configuration to disable public network access
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
Configure Azure Automation account to disable local authentication
Configure Azure Automation accounts to disable public network access
Configure Azure Cache for Redis Enterprise with private endpoints
Configure Azure Databricks Workspaces with private endpoints
Configure Azure Device Update for IoT Hub accounts to disable public network access
Configure Azure Device Update for IoT Hub accounts to use private DNS zones
Configure Azure Device Update for IoT Hub accounts with private endpoint
Configure Azure File Sync with private endpoints
Configure Azure HDInsight clusters with private endpoints
Configure Azure IoT Hub to disable local authentication
Configure Azure Machine Learning Computes to disable local authentication methods
Configure Azure Machine Learning Workspaces to disable public network access
Configure Azure Managed Grafana workspaces to disable public network access
Configure Azure Managed Grafana workspaces with private endpoints
Configure Azure Monitor Private Link Scope to block access to non private link resources
Configure Azure Monitor Private Link Scopes with private endpoints
Configure Azure Synapse Workspace Dedicated SQL minimum TLS version
Configure Azure Synapse workspaces to disable public network access
Configure Azure Synapse workspaces with private endpoints
Configure Azure Virtual Desktop hostpools with private endpoints
Configure Azure Virtual Desktop workspaces with private endpoints
Configure Batch accounts to disable local authentication
Configure Batch accounts to disable public network access
Configure Batch accounts with private endpoints
Configure Cognitive Services accounts to disable local authentication methods
Configure Cognitive Services accounts to disable public network access
Configure container registries to disable anonymous authentication.
Configure container registries to disable ARM audience token authentication.
Configure container registries to disable local admin account.
Configure Container registries to disable public network access
Configure container registries to disable repository scoped access token.
Configure Container registries with private endpoints
Configure CosmosDB accounts to disable public network access
Configure CosmosDB accounts with private endpoints
Configure disk access resources with private endpoints
Configure installation of Flux extension on Kubernetes cluster
Configure IoT Hub device provisioning instances to use private DNS zones
Configure IoT Hub device provisioning service instances to disable public network access
Configure IoT Hub device provisioning service instances with private endpoints
Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault
Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate
Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets
Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets
Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets
Configure Kubernetes clusters with Flux v2 configuration using public Git repository
Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets
Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets
Configure Kubernetes clusters with specified GitOps configuration using no secrets
Configure Kubernetes clusters with specified GitOps configuration using SSH secrets
Configure Log Analytics workspace and automation account to centralize logs and monitoring
Configure managed disks to disable public network access
Configure network security groups to enable traffic analytics
Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics
Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID
Configure periodic checking for missing system updates on azure virtual machines
Configure private endpoint connections on Azure Automation accounts
Configure private endpoints for App Configuration
Configure Private Link for Azure AD with private endpoints
Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
Configure subscriptions to set up preview features
Configure Synapse Workspaces to use only Microsoft Entra identities for authentication
Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation
Configure the Microsoft Defender for SQL Log Analytics workspace
Configure virtual machines to be onboarded to Azure Automanage
Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile
Configure virtual network to enable Flow Log and Traffic Analytics
Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics
Create and assign a built-in user-assigned managed identity
Deploy - Configure Azure IoT Hubs to use private DNS zones
Deploy - Configure Azure IoT Hubs with private endpoints
Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM
Deploy - Configure IoT Central to use private DNS zones
Deploy - Configure IoT Central with private endpoints
Deploy a flow log resource with target network security group
Deploy a Flow Log resource with target virtual network
Deploy associations for a custom provider
Deploy associations for a managed application
Deploy Diagnostic Settings for Azure SQL Database to Event Hub
Deploy Diagnostic Settings for Batch Account to Event Hub
Deploy Diagnostic Settings for Data Lake Analytics to Event Hub
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub
Deploy Diagnostic Settings for Event Hub to Event Hub
Deploy Diagnostic Settings for Key Vault to Event Hub
Deploy Diagnostic Settings for Logic Apps to Event Hub
Deploy Diagnostic Settings for Search Services to Event Hub
Deploy Diagnostic Settings for Service Bus to Event Hub
Deploy Diagnostic Settings for Stream Analytics to Event Hub
Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data
Deploy export to Event Hub for Microsoft Defender for Cloud data
Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data
Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
Deploy Workflow Automation for Microsoft Defender for Cloud alerts
Deploy Workflow Automation for Microsoft Defender for Cloud recommendations
Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace.
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace.
Inherit a tag from the resource group
Inherit a tag from the resource group if missing
Inherit a tag from the subscription
Inherit a tag from the subscription if missing
Modify - Configure Azure File Sync to disable public network access
Modify - Configure Azure IoT Hubs to disable public network access
Modify - Configure IoT Central to disable public network access
Modify API Management to disable username and password authentication
Protect your data with authentication requirements when exporting or uploading to a disk or snapshot.
Schedule recurring updates using Azure Update Manager
6cd4ddd5-44f4-45bf-853e-a23e79738ce8 Copilot for Azure User Enables users access to Copilot for Azure. False 00003 effective control plane and data plane operations (unique)

•action: 1
•read: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.PortalServices/copilotSettings/conversations/action
fbdf93bf-df7d-467e-a4d2-9458aa1360c8 Cosmos DB Account Reader Role Can read Azure Cosmos DB Accounts data False 00199 effective control plane operations (unique)

•action: 4
•read: 194
•write: 1
Actions: 007
resolved operations: 199
effective operations: 199
•action: 4
•read: 194
•write: 1

•Microsoft.Authorization/*/read
•Microsoft.DocumentDB/*/read
•Microsoft.DocumentDB/databaseAccounts/readonlykeys/action
•Microsoft.Insights/MetricDefinitions/read
•Microsoft.Insights/Metrics/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
230815da-be43-4aae-9cb4-875f7bd000aa Cosmos DB Operator Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. False 00310 effective control plane operations (unique)

•: 1
•action: 54
•delete: 28
•read: 179
•write: 48
Actions: 008
resolved operations: 329
effective operations: 310
•: 1
•action: 54
•delete: 28
•read: 179
•write: 48

•Microsoft.DocumentDb/databaseAccounts/*
•Microsoft.Insights/alertRules/*
•Microsoft.Authorization/*/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
NotActions: 013
resolved not operations: 19
effective not operations: 15882

•Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/*
•Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*
•Microsoft.DocumentDB/databaseAccounts/regenerateKey/*
•Microsoft.DocumentDB/databaseAccounts/listKeys/*
•Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*
•Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write
•Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete
•Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write
•Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete
•Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write
•Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete
•Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write
•Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete
db7b14f2-5adf-42da-9f96-f2ee17bab5cb CosmosBackupOperator Can submit restore request for a Cosmos DB database or a container for an account False 00002 effective control plane operations (unique)

•action: 2
Actions: 002
resolved operations: 2
effective operations: 2
•action: 2

•Microsoft.DocumentDB/databaseAccounts/backup/action
•Microsoft.DocumentDB/databaseAccounts/restore/action
5432c526-bc82-444a-b7ba-57c5b0b5b34f CosmosRestoreOperator Can perform restore action for Cosmos DB database account with continuous backup mode False 00002 effective control plane operations (unique)

•action: 1
•read: 1
Actions: 003
resolved operations: 2
effective operations: 2
•action: 1
•read: 1

•Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action
•Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read
•Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read
434105ed-43f6-45c7-a02f-909b2ba83430 Cost Management Contributor Can view costs and manage cost configuration (e.g. budgets, exports) False 00091 effective control plane operations (unique)

•action: 20
•delete: 4
•read: 60
•write: 7
Actions: 010
resolved operations: 91
effective operations: 91
•action: 20
•delete: 4
•read: 60
•write: 7

•Microsoft.Consumption/*
•Microsoft.CostManagement/*
•Microsoft.Billing/billingPeriods/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Advisor/configurations/read
•Microsoft.Advisor/recommendations/read
•Microsoft.Management/managementGroups/read
•Microsoft.Billing/billingProperty/read
72fafb9e-0641-4937-9268-a91bfd8191a3 Cost Management Reader Can view cost data and configuration (e.g. budgets, exports) False 00064 effective control plane operations (unique)

•action: 3
•read: 60
•write: 1
Actions: 010
resolved operations: 64
effective operations: 64
•action: 3
•read: 60
•write: 1

•Microsoft.Consumption/*/read
•Microsoft.CostManagement/*/read
•Microsoft.Billing/billingPeriods/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Advisor/configurations/read
•Microsoft.Advisor/recommendations/read
•Microsoft.Management/managementGroups/read
•Microsoft.Billing/billingProperty/read
399c3b2b-64c2-4ff1-af34-571db925b068 CrossConnectionManager Allows for read, write access to ExpressRoute CrossConnections False 00018 effective control plane operations (unique)

•action: 2
•delete: 2
•read: 10
•write: 4
Actions: 003
resolved operations: 19
effective operations: 18
•action: 2
•delete: 2
•read: 10
•write: 4

•Microsoft.ClassicNetwork/expressRouteCrossConnections/*
•Microsoft.Network/expressRouteCrossConnections/*
•Microsoft.Features/providers/features/read
NotActions: 001
resolved not operations: 1
effective not operations: 16174

•Microsoft.Network/expressRouteCrossConnections/delete
b6ee44de-fe58-4ddc-b5c2-ab174eb23f05 CrossConnectionReader Allows for read access to ExpressRoute CrossConnections False 00008 effective control plane operations (unique)

•read: 8
Actions: 003
resolved operations: 8
effective operations: 8
•read: 8

•Microsoft.ClassicNetwork/expressRouteCrossConnections/*/read
•Microsoft.Network/expressRouteCrossConnections/*/read
•Microsoft.Features/providers/features/read
d1a38570-4b05-4d70-b8e4-1100bcf76d12 Data Boundary Tenant Administrator Allows tenant level administration for data boundaries. False 00038 effective control plane operations (unique)

•action: 4
•delete: 1
•read: 31
•write: 2
Actions: 004
resolved operations: 38
effective operations: 38
•action: 4
•delete: 1
•read: 31
•write: 2

•Microsoft.Resources/dataBoundaries/write
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
add466c9-e687-43fc-8d98-dfcf8d720be5 Data Box Contributor Lets you manage everything under Data Box Service except giving access to others. False 00071 effective control plane operations (unique)

•action: 21
•delete: 3
•read: 43
•write: 4
Actions: 006
resolved operations: 71
effective operations: 71
•action: 21
•delete: 3
•read: 43
•write: 4

•Microsoft.Authorization/*/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Databox/*
028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 Data Box Reader Lets you manage Data Box Service except creating order or editing order details and giving access to others. False 00049 effective control plane operations (unique)

•action: 9
•read: 39
•write: 1
Actions: 010
resolved operations: 49
effective operations: 49
•action: 9
•read: 39
•write: 1

•Microsoft.Authorization/*/read
•Microsoft.Databox/*/read
•Microsoft.Databox/jobs/listsecrets/action
•Microsoft.Databox/jobs/listcredentials/action
•Microsoft.Databox/locations/availableSkus/action
•Microsoft.Databox/locations/validateInputs/action
•Microsoft.Databox/locations/regionConfiguration/action
•Microsoft.Databox/locations/validateAddress/action
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Support/*
673868aa-7521-48a0-acc6-0f60742d39f5 Data Factory Contributor Create and manage data factories, as well as child resources within them. False 00218 effective control plane operations (unique)

•: 1
•action: 66
•delete: 24
•read: 96
•write: 31
Actions: 009
resolved operations: 218
effective operations: 218
•: 1
•action: 66
•delete: 24
•read: 96
•write: 31

•Microsoft.Authorization/*/read
•Microsoft.DataFactory/dataFactories/*
•Microsoft.DataFactory/factories/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.EventGrid/eventSubscriptions/write
Used in Policy count: 002
Configure Data Factories to disable public network access
Configure private endpoints for Data factories
c6decf44-fd0a-444c-a844-d653c394e7ab Data Labeling - Labeler Can label data in Labeling. False 00006 effective control plane operations (unique)

•read: 5
•write: 1
Actions: 006
resolved operations: 6
effective operations: 6
•read: 5
•write: 1

•Microsoft.MachineLearningServices/workspaces/read
•Microsoft.MachineLearningServices/workspaces/experiments/runs/read
•Microsoft.MachineLearningServices/workspaces/labeling/projects/read
•Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read
•Microsoft.MachineLearningServices/workspaces/labeling/labels/read
•Microsoft.MachineLearningServices/workspaces/labeling/labels/write
47b7735b-770e-4598-a7da-8b91488b4c88 Data Lake Analytics Developer Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. False 00075 effective control plane operations (unique)

•: 1
•action: 12
•delete: 4
•read: 52
•write: 6
Actions: 008
resolved operations: 89
effective operations: 75
•: 1
•action: 12
•delete: 4
•read: 52
•write: 6

•Microsoft.Authorization/*/read
•Microsoft.BigAnalytics/accounts/*
•Microsoft.DataLakeAnalytics/accounts/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
NotActions: 014
resolved not operations: 14
effective not operations: 16117

•Microsoft.BigAnalytics/accounts/Delete
•Microsoft.BigAnalytics/accounts/TakeOwnership/action
•Microsoft.BigAnalytics/accounts/Write
•Microsoft.DataLakeAnalytics/accounts/Delete
•Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action
•Microsoft.DataLakeAnalytics/accounts/Write
•Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write
•Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete
•Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write
•Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete
•Microsoft.DataLakeAnalytics/accounts/firewallRules/Write
•Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete
•Microsoft.DataLakeAnalytics/accounts/computePolicies/Write
•Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete
959f8984-c045-4866-89c7-12bf9737be2e Data Operator for Managed Disks Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. False 00004 effective data plane operations (unique)

•action: 4
DataActions: 004
resolved data operations: 4
effective data operations: 4
•action: 4

•Microsoft.Compute/disks/download/action
•Microsoft.Compute/disks/upload/action
•Microsoft.Compute/snapshots/download/action
•Microsoft.Compute/snapshots/upload/action
150f5e0c-0603-4f03-8c7f-cf70034c4e90 Data Purger Can purge analytics data False 00804 effective control plane operations (unique)

•Action: 2
•Read: 802
Actions: 004
resolved operations: 804
effective operations: 804
•Action: 2
•Read: 802

•Microsoft.Insights/components/*/read
•Microsoft.Insights/components/purge/action
•Microsoft.OperationalInsights/workspaces/*/read
•Microsoft.OperationalInsights/workspaces/purge/action
0b6ca2e8-2cdc-4bd6-b896-aa3d8c21fc35 Defender CSPM Storage Data Scanner Grants access to read blobs and files. This role is used by the data scanner of Defender CSPM. False 00004 effective control plane and data plane operations (unique)

•read: 4
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/fileServices/shares/read
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
8480c0f0-4509-4229-9339-7c10018cb8c4 Defender CSPM Storage Scanner Operator Lets you enable and configure Microsoft Defender CSPM's sensitive data discovery feature on your storage accounts. Includes an ABAC condition to limit role assignments. True 00056 effective control plane operations (unique)

•action: 7
•delete: 3
•read: 41
•write: 5
Actions: 013
resolved operations: 56
effective operations: 56
•action: 7
•delete: 3
•read: 41
•write: 5

•Microsoft.Storage/storageAccounts/write
•Microsoft.Storage/storageAccounts/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Management/managementGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
•Microsoft.Security/datascanners/read
•Microsoft.Security/datascanners/write
•Microsoft.Security/dataScanners/delete
•Microsoft.Authorization/roleAssignments/write
•Microsoft.Authorization/roleAssignments/delete
1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 Defender for Storage Data Scanner Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. False 00004 effective control plane and data plane operations (unique)

•read: 3
•write: 1
Actions: 001
resolved operations: 1
effective operations: 1
•read: 1

•Microsoft.Storage/storageAccounts/blobServices/containers/read
DataActions: 003
resolved data operations: 3
effective data operations: 3
•read: 2
•write: 1

•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
0f641de8-0b88-4198-bdef-bd8b45ceba96 Defender for Storage Scanner Operator Lets you enable and configure Microsoft Defender for Storage's malware scanning and sensitive data discovery features on your storage accounts. Includes an ABAC condition to limit role assignments. True 00064 effective control plane operations (unique)

•action: 7
•delete: 4
•read: 45
•write: 8
Actions: 022
resolved operations: 64
effective operations: 64
•action: 7
•delete: 4
•read: 45
•write: 8

•Microsoft.Authorization/roleAssignments/write conditioned
•Microsoft.Authorization/roleAssignments/delete conditioned
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Management/managementGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
•Microsoft.Security/defenderforstoragesettings/read
•Microsoft.Security/defenderforstoragesettings/write
•Microsoft.Security/advancedThreatProtectionSettings/read
•Microsoft.Security/advancedThreatProtectionSettings/write
•Microsoft.Security/datascanners/read
•Microsoft.Security/datascanners/write
•Microsoft.Security/dataScanners/delete
•Microsoft.Storage/storageAccounts/write
•Microsoft.Storage/storageAccounts/read
•Microsoft.EventGrid/topics/read
•Microsoft.EventGrid/eventSubscriptions/read
•Microsoft.EventGrid/eventSubscriptions/write
•Microsoft.EventGrid/eventSubscriptions/delete
8bb6f106-b146-4ee6-a3f9-b9c5a96e0ae5 Defender Kubernetes Agent Operator Grants Microsoft Defender for Cloud permissions to provision the Kubernetes defender security agent False 00060 effective control plane operations (unique)

•: 1
•Action: 11
•Delete: 3
•read: 39
•Write: 6
Actions: 019
resolved operations: 60
effective operations: 60
•: 1
•Action: 11
•Delete: 3
•read: 39
•Write: 6

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.KubernetesConfiguration/extensions/write
•Microsoft.KubernetesConfiguration/extensions/read
•Microsoft.KubernetesConfiguration/extensions/delete
•Microsoft.KubernetesConfiguration/extensions/operations/read
•Microsoft.Kubernetes/connectedClusters/Write
•Microsoft.Kubernetes/connectedClusters/read
•Microsoft.OperationalInsights/workspaces/write
•Microsoft.OperationalInsights/workspaces/read
•Microsoft.OperationalInsights/workspaces/listKeys/action
•Microsoft.OperationalInsights/workspaces/sharedkeys/action
•Microsoft.Kubernetes/register/action
•Microsoft.KubernetesConfiguration/register/action
count: 002
[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension
Configure Azure Kubernetes Service clusters to enable Defender profile
8a90fa6b-6997-4a07-8a95-30633a7c97b9 DeID Batch Data Owner Create and manage DeID batch jobs. This role is in preview and subject to change. False 00003 effective data plane operations (unique)

•delete: 1
•read: 1
•write: 1
DataActions: 003
resolved data operations: 3
effective data operations: 3
•delete: 1
•read: 1
•write: 1

•Microsoft.HealthDataAIServices/DeidServices/Batch/write
•Microsoft.HealthDataAIServices/DeidServices/Batch/delete
•Microsoft.HealthDataAIServices/DeidServices/Batch/read
b73a14ee-91f5-41b7-bd81-920e12466be9 DeID Batch Data Reader Read DeID batch jobs. This role is in preview and subject to change. False 00001 effective data plane operations (unique)

•read: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•read: 1

•Microsoft.HealthDataAIServices/DeidServices/Batch/read
NotDataActions: 002
resolved not data operations: 2
effective not data operations: 3302

•Microsoft.HealthDataAIServices/DeidServices/Batch/write
•Microsoft.HealthDataAIServices/DeidServices/Batch/delete
78e4b983-1a0b-472e-8b7d-8d770f7c5890 DeID Data Owner Full access to DeID data. This role is in preview and subject to change False 00012 effective data plane operations (unique)

•action: 2
•delete: 3
•read: 4
•write: 3
DataActions: 001
resolved data operations: 12
effective data operations: 12
•action: 2
•delete: 3
•read: 4
•write: 3

•Microsoft.HealthDataAIServices/DeidServices/*
bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e DeID Realtime Data User Execute requests against DeID realtime endpoint. This role is in preview and subject to change. False 00001 effective data plane operations (unique)

•action: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.HealthDataAIServices/DeidServices/Realtime/action
eb960402-bf75-4cc3-8d68-35b34f960f72 Deployment Environments Reader Provides read access to environment resources. False 00038 effective control plane and data plane operations (unique)

•action: 3
•read: 35
Actions: 004
resolved operations: 37
effective operations: 35
•read: 35

•Microsoft.DevCenter/projects/read
•Microsoft.DevCenter/projects/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
NotActions: 002
resolved not operations: 2
effective not operations: 16157

•Microsoft.DevCenter/projects/pools/read
•Microsoft.DevCenter/projects/pools/schedules/read
DataActions: 003
resolved data operations: 3
effective data operations: 3
•action: 3

•Microsoft.DevCenter/projects/users/environments/adminRead/action
•Microsoft.DevCenter/projects/users/environments/adminActionRead/action
•Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action
18e40d4e-8d2e-438d-97e1-9528336e149c Deployment Environments User Provides access to manage environment resources. False 00040 effective control plane and data plane operations (unique)

•action: 5
•read: 35
Actions: 004
resolved operations: 37
effective operations: 35
•read: 35

•Microsoft.DevCenter/projects/read
•Microsoft.DevCenter/projects/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Authorization/*/read
NotActions: 002
resolved not operations: 2
effective not operations: 16157

•Microsoft.DevCenter/projects/pools/read
•Microsoft.DevCenter/projects/pools/schedules/read
DataActions: 005
resolved data operations: 5
effective data operations: 5
•action: 5

•Microsoft.DevCenter/projects/users/environments/userRead/action
•Microsoft.DevCenter/projects/users/environments/userWrite/action
•Microsoft.DevCenter/projects/users/environments/userDelete/action
•Microsoft.DevCenter/projects/users/environments/userActionManage/action
•Microsoft.DevCenter/projects/users/environments/userOutputsRead/action
97dfb3ce-e936-462c-9425-9cdb67e66d45 Desktop Virtualization App Attach Contributor Provide permission to manage app attach resources False 00050 effective control plane operations (unique)

•: 1
•Action: 7
•delete: 3
•read: 36
•write: 3
Actions: 009
resolved operations: 50
effective operations: 50
•: 1
•Action: 7
•delete: 3
•read: 36
•write: 3

•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.Resources/subscriptions/read
•Microsoft.DesktopVirtualization/appattachpackages/read
•Microsoft.DesktopVirtualization/appattachpackages/write
•Microsoft.DesktopVirtualization/appattachpackages/delete
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
86240b0e-9422-4c43-887b-b61143f32ba8 Desktop Virtualization Application Group Contributor Contributor of the Desktop Virtualization Application Group. False 00073 effective control plane operations (unique)

•: 1
•action: 11
•delete: 5
•read: 48
•write: 8
Actions: 008
resolved operations: 73
effective operations: 73
•: 1
•action: 11
•delete: 5
•read: 48
•write: 8

•Microsoft.DesktopVirtualization/applicationgroups/*
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 Desktop Virtualization Application Group Reader Reader of the Desktop Virtualization Application Group. False 00049 effective control plane operations (unique)

•action: 3
•read: 45
•write: 1
Actions: 009
resolved operations: 49
effective operations: 49
•action: 3
•read: 45
•write: 1

•Microsoft.DesktopVirtualization/applicationgroups/*/read
•Microsoft.DesktopVirtualization/applicationgroups/read
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Support/*
082f0a83-3be5-4ba1-904c-961cca79b387 Desktop Virtualization Contributor Contributor of Desktop Virtualization. False 00162 effective control plane operations (unique)

•: 1
•action: 30
•delete: 19
•read: 85
•write: 27
Actions: 006
resolved operations: 162
effective operations: 162
•: 1
•action: 30
•delete: 19
•read: 85
•write: 27

•Microsoft.DesktopVirtualization/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
e307426c-f9b6-4e81-87de-d99efb3c32bc Desktop Virtualization Host Pool Contributor Contributor of the Desktop Virtualization Host Pool. False 00106 effective control plane operations (unique)

•: 1
•action: 23
•delete: 9
•read: 61
•write: 12
Actions: 006
resolved operations: 106
effective operations: 106
•: 1
•action: 23
•delete: 9
•read: 61
•write: 12

•Microsoft.DesktopVirtualization/hostpools/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
count: 002
Configure Azure Virtual Desktop hostpools to disable public network access
Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts
ceadfde2-b300-400a-ab7b-6143895aa822 Desktop Virtualization Host Pool Reader Reader of the Desktop Virtualization Host Pool. False 00062 effective control plane operations (unique)

•action: 3
•read: 58
•write: 1
Actions: 007
resolved operations: 62
effective operations: 62
•action: 3
•read: 58
•write: 1

•Microsoft.DesktopVirtualization/hostpools/*/read
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Support/*
489581de-a3bd-480d-9518-53dea7416b33 Desktop Virtualization Power On Contributor Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines. False 00055 effective control plane operations (unique)

•: 1
•Action: 9
•Delete: 2
•read: 41
•Write: 2
Actions: 014
resolved operations: 55
effective operations: 55
•: 1
•Action: 9
•Delete: 2
•read: 41
•Write: 2

•Microsoft.Compute/virtualMachines/start/action
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/instanceView/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/operations/read
•Microsoft.HybridCompute/locations/operationresults/read
•Microsoft.HybridCompute/locations/operationstatus/read
•Microsoft.AzureStackHCI/virtualMachineInstances/read
•Microsoft.AzureStackHCI/virtualMachineInstances/start/action
•Microsoft.AzureStackHCI/operations/read
40c5ff49-9181-41f8-ae61-143b0e78555e Desktop Virtualization Power On Off Contributor Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines. False 00078 effective control plane operations (unique)

•: 1
•Action: 25
•delete: 3
•read: 45
•write: 4
Actions: 037
resolved operations: 78
effective operations: 78
•: 1
•Action: 25
•delete: 3
•read: 45
•write: 4

•Microsoft.Authorization/*/read
•Microsoft.AzureStackHCI/operations/read
•Microsoft.AzureStackHCI/virtualMachineInstances/read
•Microsoft.AzureStackHCI/virtualMachineInstances/restart/action
•Microsoft.AzureStackHCI/virtualMachineInstances/start/action
•Microsoft.AzureStackHCI/virtualMachineInstances/stop/action
•Microsoft.Compute/virtualMachines/deallocate/action
•Microsoft.Compute/virtualMachines/instanceView/read
•Microsoft.Compute/virtualMachines/powerOff/action
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/restart/action
•Microsoft.Compute/virtualMachines/start/action
•Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action
•Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action
•Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action
•Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action
•Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationErrors/action
•Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/action
•Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action
•Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action
•Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action
•Microsoft.ComputeSchedule/register/action
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/write
•Microsoft.DesktopVirtualization/hostpools/write
•Microsoft.HybridCompute/locations/operationresults/read
•Microsoft.HybridCompute/locations/operationstatus/read
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/operations/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/eventtypes/values/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
49a72310-ab8d-41df-bbb0-79b649203868 Desktop Virtualization Reader Reader of Desktop Virtualization. False 00086 effective control plane operations (unique)

•action: 3
•read: 82
•write: 1
Actions: 006
resolved operations: 86
effective operations: 86
•action: 3
•read: 82
•write: 1

•Microsoft.DesktopVirtualization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Support/*
2ad6aaab-ead9-4eaa-8ac5-da422f562408 Desktop Virtualization Session Host Operator Operator of the Desktop Virtualization Session Host. False 00065 effective control plane operations (unique)

•: 1
•action: 13
•delete: 4
•read: 42
•write: 5
Actions: 007
resolved operations: 65
effective operations: 65
•: 1
•action: 13
•delete: 4
•read: 42
•write: 5

•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 Desktop Virtualization User Allows user to use the applications in an application group. False 00002 effective data plane operations (unique)

•action: 2
DataActions: 002
resolved data operations: 2
effective data operations: 2
•action: 2

•Microsoft.DesktopVirtualization/applicationGroups/useApplications/action
•Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action
ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 Desktop Virtualization User Session Operator Operator of the Desktop Virtualization User Session. False 00062 effective control plane operations (unique)

•: 1
•action: 12
•delete: 3
•read: 42
•write: 4
Actions: 008
resolved operations: 62
effective operations: 62
•: 1
•action: 12
•delete: 3
•read: 42
•write: 4

•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
a959dbd1-f747-45e3-8ba6-dd80f235f97c Desktop Virtualization Virtual Machine Contributor This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines. False 00099 effective control plane operations (unique)

•: 1
•action: 20
•delete: 7
•read: 60
•write: 11
Actions: 059
resolved operations: 99
effective operations: 99
•: 1
•action: 20
•delete: 7
•read: 60
•write: 11

•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/write
•Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/write
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action
•Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read
•Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/action
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/availabilitySets/write
•Microsoft.Compute/availabilitySets/vmSizes/read
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/write
•Microsoft.Compute/disks/delete
•Microsoft.Compute/galleries/read
•Microsoft.Compute/galleries/images/read
•Microsoft.Compute/galleries/images/versions/read
•Microsoft.Compute/images/read
•Microsoft.Compute/locations/usages/read
•Microsoft.Compute/locations/vmSizes/read
•Microsoft.Compute/operations/read
•Microsoft.Compute/skus/read
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/write
•Microsoft.Compute/virtualMachines/delete
•Microsoft.Compute/virtualMachines/start/action
•Microsoft.Compute/virtualMachines/powerOff/action
•Microsoft.Compute/virtualMachines/restart/action
•Microsoft.Compute/virtualMachines/deallocate/action
•Microsoft.Compute/virtualMachines/runCommand/action
•Microsoft.Compute/virtualMachines/extensions/read
•Microsoft.Compute/virtualMachines/extensions/write
•Microsoft.Compute/virtualMachines/extensions/delete
•Microsoft.Compute/virtualMachines/runCommands/read
•Microsoft.Compute/virtualMachines/runCommands/write
•Microsoft.Compute/virtualMachines/vmSizes/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/networkInterfaces/delete
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/usages/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read
•Microsoft.KeyVault/vaults/deploy/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.DesktopVirtualization/scalingPlans/read
•Microsoft.DesktopVirtualization/scalingPlans/write
21efdde3-836f-432b-bf3d-3e8e734d4b2b Desktop Virtualization Workspace Contributor Contributor of the Desktop Virtualization Workspace. False 00072 effective control plane operations (unique)

•: 1
•action: 12
•delete: 5
•read: 47
•write: 7
Actions: 007
resolved operations: 72
effective operations: 72
•: 1
•action: 12
•delete: 5
•read: 47
•write: 7

•Microsoft.DesktopVirtualization/workspaces/*
•Microsoft.DesktopVirtualization/applicationgroups/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
count: 001
Configure Azure Virtual Desktop workspaces to disable public network access
0fa44ee9-7a7d-466b-9bb2-2bf446b1204d Desktop Virtualization Workspace Reader Reader of the Desktop Virtualization Workspace. False 00042 effective control plane operations (unique)

•action: 3
•read: 38
•write: 1
Actions: 007
resolved operations: 42
effective operations: 42
•action: 3
•read: 38
•write: 1

•Microsoft.DesktopVirtualization/workspaces/read
•Microsoft.DesktopVirtualization/applicationgroups/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Support/*
45d50f46-0b78-4001-a660-4198cbe8cd05 DevCenter Dev Box User Provides access to create and manage dev boxes. False 00048 effective control plane and data plane operations (unique)

•action: 11
•read: 37
Actions: 004
resolved operations: 37
effective operations: 37
•read: 37

•Microsoft.DevCenter/projects/read
•Microsoft.DevCenter/projects/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 011
resolved data operations: 11
effective data operations: 11
•action: 11

•Microsoft.DevCenter/projects/users/devboxes/userStop/action
•Microsoft.DevCenter/projects/users/devboxes/userStart/action
•Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action
•Microsoft.DevCenter/projects/users/devboxes/userRead/action
•Microsoft.DevCenter/projects/users/devboxes/userWrite/action
•Microsoft.DevCenter/projects/users/devboxes/userDelete/action
•Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionRead/action
•Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionManage/action
•Microsoft.DevCenter/projects/users/devboxes/userActionRead/action
•Microsoft.DevCenter/projects/users/devboxes/userActionManage/action
•Microsoft.DevCenter/projects/users/devboxes/userCustomize/action
331c37c6-af14-46d9-b9f4-e1909e1b95a0 DevCenter Project Admin Provides access to manage project resources. False 00082 effective control plane and data plane operations (unique)

•action: 32
•delete: 5
•read: 40
•write: 5
Actions: 004
resolved operations: 61
effective operations: 59
•action: 9
•delete: 5
•read: 40
•write: 5

•Microsoft.DevCenter/projects/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
NotActions: 002
resolved not operations: 2
effective not operations: 16133

•Microsoft.DevCenter/projects/write
•Microsoft.DevCenter/projects/delete
DataActions: 023
resolved data operations: 23
effective data operations: 23
•action: 23

•Microsoft.DevCenter/projects/users/devboxes/adminStart/action
•Microsoft.DevCenter/projects/users/devboxes/adminStop/action
•Microsoft.DevCenter/projects/users/devboxes/adminRead/action
•Microsoft.DevCenter/projects/users/devboxes/adminWrite/action
•Microsoft.DevCenter/projects/users/devboxes/adminDelete/action
•Microsoft.DevCenter/projects/users/devboxes/userStop/action
•Microsoft.DevCenter/projects/users/devboxes/userStart/action
•Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action
•Microsoft.DevCenter/projects/users/devboxes/userRead/action
•Microsoft.DevCenter/projects/users/devboxes/userWrite/action
•Microsoft.DevCenter/projects/users/devboxes/userDelete/action
•Microsoft.DevCenter/projects/users/devboxes/userActionRead/action
•Microsoft.DevCenter/projects/users/devboxes/userActionManage/action
•Microsoft.DevCenter/projects/users/devboxes/userCustomize/action
•Microsoft.DevCenter/projects/users/environments/adminRead/action
•Microsoft.DevCenter/projects/users/environments/userWrite/action
•Microsoft.DevCenter/projects/users/environments/adminWrite/action
•Microsoft.DevCenter/projects/users/environments/userDelete/action
•Microsoft.DevCenter/projects/users/environments/adminDelete/action
•Microsoft.DevCenter/projects/users/environments/adminAction/action
•Microsoft.DevCenter/projects/users/environments/adminActionRead/action
•Microsoft.DevCenter/projects/users/environments/adminActionManage/action
•Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action
dfce44e4-17b7-4bd1-a6d1-04996ec95633 Device Provisioning Service Data Contributor Allows for full access to Device Provisioning Service data-plane operations. False 00009 effective data plane operations (unique)

•action: 1
•delete: 3
•read: 3
•write: 2
DataActions: 001
resolved data operations: 9
effective data operations: 9
•action: 1
•delete: 3
•read: 3
•write: 2

•Microsoft.Devices/provisioningServices/*
10745317-c249-44a1-a5ce-3a4353c0bbd8 Device Provisioning Service Data Reader Allows for full read access to Device Provisioning Service data-plane properties. False 00003 effective data plane operations (unique)

•read: 3
DataActions: 001
resolved data operations: 3
effective data operations: 3
•read: 3

•Microsoft.Devices/provisioningServices/*/read
02ca0879-e8e4-47a5-a61e-5c618b76e64a Device Update Administrator Gives you full access to management and content operations False 00061 effective control plane and data plane operations (unique)

•: 1
•Action: 10
•delete: 4
•read: 41
•write: 5
Actions: 005
resolved operations: 55
effective operations: 55
•: 1
•Action: 10
•Delete: 2
•read: 39
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
DataActions: 006
resolved data operations: 6
effective data operations: 6
•delete: 2
•read: 2
•write: 2

•Microsoft.DeviceUpdate/accounts/instances/updates/read
•Microsoft.DeviceUpdate/accounts/instances/updates/write
•Microsoft.DeviceUpdate/accounts/instances/updates/delete
•Microsoft.DeviceUpdate/accounts/instances/management/read
•Microsoft.DeviceUpdate/accounts/instances/management/write
•Microsoft.DeviceUpdate/accounts/instances/management/delete
0378884a-3af5-44ab-8323-f5b22f9f3c98 Device Update Content Administrator Gives you full access to content operations False 00058 effective control plane and data plane operations (unique)

•: 1
•Action: 10
•delete: 3
•read: 40
•write: 4
Actions: 005
resolved operations: 55
effective operations: 55
•: 1
•Action: 10
•Delete: 2
•read: 39
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
DataActions: 003
resolved data operations: 3
effective data operations: 3
•delete: 1
•read: 1
•write: 1

•Microsoft.DeviceUpdate/accounts/instances/updates/read
•Microsoft.DeviceUpdate/accounts/instances/updates/write
•Microsoft.DeviceUpdate/accounts/instances/updates/delete
d1ee9a80-8b14-47f0-bdc2-f4a351625a7b Device Update Content Reader Gives you read access to content operations, but does not allow making changes False 00056 effective control plane and data plane operations (unique)

•: 1
•Action: 10
•Delete: 2
•read: 40
•Write: 3
Actions: 005
resolved operations: 55
effective operations: 55
•: 1
•Action: 10
•Delete: 2
•read: 39
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
DataActions: 001
resolved data operations: 1
effective data operations: 1
•read: 1

•Microsoft.DeviceUpdate/accounts/instances/updates/read
e4237640-0e3d-4a46-8fda-70bc94856432 Device Update Deployments Administrator Gives you full access to management operations False 00059 effective control plane and data plane operations (unique)

•: 1
•Action: 10
•delete: 3
•read: 41
•write: 4
Actions: 005
resolved operations: 55
effective operations: 55
•: 1
•Action: 10
•Delete: 2
•read: 39
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
DataActions: 004
resolved data operations: 4
effective data operations: 4
•delete: 1
•read: 2
•write: 1

•Microsoft.DeviceUpdate/accounts/instances/management/read
•Microsoft.DeviceUpdate/accounts/instances/management/write
•Microsoft.DeviceUpdate/accounts/instances/management/delete
•Microsoft.DeviceUpdate/accounts/instances/updates/read
49e2f5d2-7741-4835-8efa-19e1fe35e47f Device Update Deployments Reader Gives you read access to management operations, but does not allow making changes False 00057 effective control plane and data plane operations (unique)

•: 1
•Action: 10
•Delete: 2
•read: 41
•Write: 3
Actions: 005
resolved operations: 55
effective operations: 55
•: 1
•Action: 10
•Delete: 2
•read: 39
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.DeviceUpdate/accounts/instances/management/read
•Microsoft.DeviceUpdate/accounts/instances/updates/read
e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f Device Update Reader Gives you read access to management and content operations, but does not allow making changes False 00057 effective control plane and data plane operations (unique)

•: 1
•Action: 10
•Delete: 2
•read: 41
•Write: 3
Actions: 005
resolved operations: 55
effective operations: 55
•: 1
•Action: 10
•Delete: 2
•read: 39
•Write: 3

•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.DeviceUpdate/accounts/instances/updates/read
•Microsoft.DeviceUpdate/accounts/instances/management/read
76283e04-6283-4c54-8f91-bcf1374a3c64 DevTest Labs User Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. False 00101 effective control plane operations (unique)

•action: 16
•delete: 1
•read: 82
•write: 2
Actions: 032
resolved operations: 102
effective operations: 101
•action: 16
•delete: 1
•read: 82
•write: 2

•Microsoft.Authorization/*/read
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/virtualMachines/*/read
•Microsoft.Compute/virtualMachines/deallocate/action
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/restart/action
•Microsoft.Compute/virtualMachines/start/action
•Microsoft.DevTestLab/*/read
•Microsoft.DevTestLab/labs/claimAnyVm/action
•Microsoft.DevTestLab/labs/createEnvironment/action
•Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action
•Microsoft.DevTestLab/labs/formulas/delete
•Microsoft.DevTestLab/labs/formulas/read
•Microsoft.DevTestLab/labs/formulas/write
•Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action
•Microsoft.DevTestLab/labs/virtualMachines/claim/action
•Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action
•Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action
•Microsoft.Network/loadBalancers/backendAddressPools/join/action
•Microsoft.Network/loadBalancers/inboundNatRules/join/action
•Microsoft.Network/networkInterfaces/*/read
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/publicIPAddresses/*/read
•Microsoft.Network/publicIPAddresses/join/action
•Microsoft.Network/publicIPAddresses/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/listKeys/action
NotActions: 001
resolved not operations: 1
effective not operations: 16091

•Microsoft.Compute/virtualMachines/vmSizes/read
58a3b984-7adf-4c20-983a-32417c86fbc8 DICOM Data Owner Full access to DICOM data. False 00005 effective data plane operations (unique)

•action: 2
•delete: 1
•read: 1
•write: 1
DataActions: 001
resolved data operations: 5
effective data operations: 5
•action: 2
•delete: 1
•read: 1
•write: 1

•Microsoft.HealthcareApis/workspaces/dicomservices/resources/*
e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a DICOM Data Reader Read and search DICOM data. False 00001 effective data plane operations (unique)

•read: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•read: 1

•Microsoft.HealthcareApis/workspaces/dicomservices/resources/read
3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 Disk Backup Reader Provides permission to backup vault to perform disk backup. False 00029 effective control plane operations (unique)

•action: 1
•read: 28
Actions: 003
resolved operations: 29
effective operations: 29
•action: 1
•read: 28

•Microsoft.Authorization/*/read
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/beginGetAccess/action
136d308c-0937-4a49-9bd7-edfb42adbffc Disk Encryption Set Operator for Managed Disks Provides permissions to read, write or delete disk encryption sets which are used for encrypting managed disks with customer managed keys False 00003 effective control plane operations (unique)

•delete: 1
•read: 1
•write: 1
Actions: 001
resolved operations: 3
effective operations: 3
•delete: 1
•read: 1
•write: 1

•Microsoft.Compute/diskEncryptionSets/*
60fc6e62-5479-42d4-8bf4-67625fcc2840 Disk Pool Operator Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool. False 00047 effective control plane operations (unique)

•: 1
•Action: 7
•Delete: 2
•read: 34
•write: 3
Actions: 006
resolved operations: 47
effective operations: 47
•: 1
•Action: 7
•Delete: 2
•read: 34
•write: 3

•Microsoft.Compute/disks/write
•Microsoft.Compute/disks/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
b50d9833-a0cb-478e-945f-707fcc997c13 Disk Restore Operator Provides permission to backup vault to perform disk restore. False 00030 effective control plane operations (unique)

•read: 29
•write: 1
Actions: 004
resolved operations: 30
effective operations: 30
•read: 29
•write: 1

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Compute/disks/write
•Microsoft.Compute/disks/read
7efff54f-a5b4-42b5-a1c5-5411624893ce Disk Snapshot Contributor Provides permission to backup vault to manage disk snapshots. False 00038 effective control plane operations (unique)

•action: 4
•delete: 2
•read: 30
•write: 2
Actions: 012
resolved operations: 38
effective operations: 38
•action: 4
•delete: 2
•read: 30
•write: 2

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Compute/snapshots/delete
•Microsoft.Compute/snapshots/write
•Microsoft.Compute/snapshots/read
•Microsoft.Compute/snapshots/beginGetAccess/action
•Microsoft.Compute/snapshots/endGetAccess/action
•Microsoft.Compute/disks/beginGetAccess/action
•Microsoft.Storage/storageAccounts/listkeys/action
•Microsoft.Storage/storageAccounts/write
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/delete
0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d DNS Resolver Contributor Lets you manage DNS resolver resources. False 00080 effective control plane operations (unique)

•: 1
•Action: 19
•Delete: 8
•read: 43
•Write: 9
Actions: 041
resolved operations: 80
effective operations: 80
•: 1
•Action: 19
•Delete: 8
•read: 43
•Write: 9

•Microsoft.Network/dnsResolvers/read
•Microsoft.Network/dnsResolvers/write
•Microsoft.Network/dnsResolvers/delete
•Microsoft.Network/dnsResolvers/join/action
•Microsoft.Network/dnsResolvers/inboundEndpoints/read
•Microsoft.Network/dnsResolvers/inboundEndpoints/write
•Microsoft.Network/dnsResolvers/inboundEndpoints/delete
•Microsoft.Network/dnsResolvers/inboundEndpoints/join/action
•Microsoft.Network/dnsResolvers/outboundEndpoints/read
•Microsoft.Network/dnsResolvers/outboundEndpoints/write
•Microsoft.Network/dnsResolvers/outboundEndpoints/delete
•Microsoft.Network/dnsResolvers/outboundEndpoints/join/action
•Microsoft.Network/dnsForwardingRulesets/read
•Microsoft.Network/dnsForwardingRulesets/write
•Microsoft.Network/dnsForwardingRulesets/delete
•Microsoft.Network/dnsForwardingRulesets/join/action
•Microsoft.Network/dnsForwardingRulesets/forwardingRules/read
•Microsoft.Network/dnsForwardingRulesets/forwardingRules/write
•Microsoft.Network/dnsForwardingRulesets/forwardingRules/delete
•Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/read
•Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/write
•Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/delete
•Microsoft.Network/locations/dnsResolverOperationResults/read
•Microsoft.Network/locations/dnsResolverOperationStatuses/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/join/action
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/write
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/join/action
•Microsoft.Network/virtualNetworks/joinLoadBalancer/action
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action
•Microsoft.Network/natGateways/join/action
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Network/routeTables/join/action
•Microsoft.Network/serviceEndpointPolicies/join/action
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/subscriptions/resourceGroups/read
befefa01-2a29-4197-83a8-272ff33ce314 DNS Zone Contributor Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. False 00102 effective control plane operations (unique)

•: 1
•Action: 10
•Delete: 15
•read: 58
•Write: 18
Actions: 007
resolved operations: 102
effective operations: 102
•: 1
•Action: 10
•Delete: 15
•read: 58
•Write: 18

•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Network/dnsZones/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
5bd9cd88-fe45-4216-938b-f97437e15450 DocumentDB Account Contributor Lets you manage DocumentDB accounts, but not access to them. False 00329 effective control plane operations (unique)

•: 1
•action: 62
•delete: 32
•read: 181
•write: 53
Actions: 008
resolved operations: 329
effective operations: 329
•: 1
•action: 62
•delete: 32
•read: 181
•write: 53

•Microsoft.Authorization/*/read
•Microsoft.DocumentDb/databaseAccounts/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
count: 003
Configure Cosmos DB database accounts to disable local authentication
Configure CosmosDB accounts to disable public network access
Configure CosmosDB accounts with private endpoints
eeaeda52-9324-47f6-8069-5d5bade478b2 Domain Services Contributor Can manage Azure AD Domain Services and related network configurations False 00120 effective control plane operations (unique)

•action: 21
•delete: 14
•read: 71
•write: 14
Actions: 069
resolved operations: 120
effective operations: 120
•action: 21
•delete: 14
•read: 71
•write: 14

•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Insights/Logs/Read
•Microsoft.Insights/Metrics/Read
•Microsoft.Insights/DiagnosticSettings/*
•Microsoft.Insights/DiagnosticSettingsCategories/Read
•Microsoft.AAD/register/action
•Microsoft.AAD/unregister/action
•Microsoft.AAD/domainServices/*
•Microsoft.Network/register/action
•Microsoft.Network/unregister/action
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/write
•Microsoft.Network/virtualNetworks/delete
•Microsoft.Network/virtualNetworks/peer/action
•Microsoft.Network/virtualNetworks/join/action
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/write
•Microsoft.Network/virtualNetworks/subnets/delete
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/azureFirewalls/read
•Microsoft.Network/ddosProtectionPlans/read
•Microsoft.Network/ddosProtectionPlans/join/action
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/delete
•Microsoft.Network/loadBalancers/*/read
•Microsoft.Network/loadBalancers/backendAddressPools/join/action
•Microsoft.Network/loadBalancers/inboundNatRules/join/action
•Microsoft.Network/natGateways/join/action
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/networkInterfaces/delete
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkSecurityGroups/write
•Microsoft.Network/networkSecurityGroups/delete
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Network/networkSecurityGroups/securityRules/read
•Microsoft.Network/networkSecurityGroups/securityRules/write
•Microsoft.Network/networkSecurityGroups/securityRules/delete
•Microsoft.Network/routeTables/read
•Microsoft.Network/routeTables/write
•Microsoft.Network/routeTables/delete
•Microsoft.Network/routeTables/join/action
•Microsoft.Network/routeTables/routes/read
•Microsoft.Network/routeTables/routes/write
•Microsoft.Network/routeTables/routes/delete
361898ef-9ed1-48c2-849c-a832951106bb Domain Services Reader Can view Azure AD Domain Services and related network configurations False 00071 effective control plane operations (unique)

•read: 71
Actions: 028
resolved operations: 71
effective operations: 71
•read: 71

•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Insights/Logs/Read
•Microsoft.Insights/Metrics/read
•Microsoft.Insights/DiagnosticSettings/read
•Microsoft.Insights/DiagnosticSettingsCategories/Read
•Microsoft.AAD/domainServices/*/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/azureFirewalls/read
•Microsoft.Network/ddosProtectionPlans/read
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/*/read
•Microsoft.Network/natGateways/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkSecurityGroups/securityRules/read
•Microsoft.Network/routeTables/read
•Microsoft.Network/routeTables/routes/read
0ad04412-c4d5-4796-b79c-f76d14c8d402 Durable Task Data Contributor Durable Task role for all data access operations. False 00001 effective data plane operations (unique)

•execute: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•execute: 1

•Microsoft.DurableTask/*
80d0d6b0-f522-40a4-8886-a5a11720c375 Durable Task Worker Used by worker applications to interact with the Durable Task service False 00001 effective data plane operations (unique)

•execute: 1
DataActions: 001
resolved data operations: 1
effective data operations: 1
•execute: 1

•Microsoft.DurableTask/data/execute
fa6cecf6-5db3-4c43-8470-c540bcb4eafa Elastic SAN Network Admin Allows access to create Private Endpoints on SAN resources, and to read SAN resources False 00009 effective control plane operations (unique)

•action: 1
•delete: 1
•read: 6
•write: 1
Actions: 005
resolved operations: 9
effective operations: 9
•action: 1
•delete: 1
•read: 6
•write: 1

•Microsoft.ElasticSan/elasticSans/*/read
•Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action
•Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write
•Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete
•Microsoft.ElasticSan/locations/asyncoperations/read
80dcbedb-47ef-405d-95bd-188a1b4ac406 Elastic SAN Owner Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access False 00061 effective control plane operations (unique)

•action: 8
•delete: 7
•read: 39
•write: 7
Actions: 006
resolved operations: 61
effective operations: 61
•action: 8
•delete: 7
•read: 39
•write: 7

•Microsoft.Authorization/*/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ElasticSan/elasticSans/*
•Microsoft.ElasticSan/locations/*
af6a70f8-3c9f-4105-acf1-d719e9fca4ca Elastic SAN Reader Allows for control path read access to Azure Elastic SAN False 00009 effective control plane operations (unique)

•read: 9
Actions: 005
resolved operations: 9
effective operations: 9
•read: 9

•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ElasticSan/elasticSans/*/read
1c4770c0-34f7-4110-a1ea-a5855cc7a939 Elastic SAN Snapshot Exporter Allows for creating and exporting Snapshot of Elastic San Volume False 00079 effective control plane operations (unique)

•action: 6
•delete: 3
•read: 67
•write: 3
Actions: 014
resolved operations: 79
effective operations: 79
•action: 6
•delete: 3
•read: 67
•write: 3

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ElasticSan/elasticSans/*/read
•Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/write
•Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/delete
•Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/beginGetAccess/action
•Microsoft.ElasticSan/locations/*
•Microsoft.Compute/locations/*
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/write
•Microsoft.Compute/disks/delete
•Microsoft.Compute/snapshots/read
•Microsoft.Compute/snapshots/write
•Microsoft.Compute/snapshots/delete
a8281131-f312-4f34-8d98-ae12be9f0d23 Elastic SAN Volume Group Owner Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access False 00013 effective control plane operations (unique)

•action: 1
•delete: 3
•read: 6
•write: 3
Actions: 004
resolved operations: 13
effective operations: 13
•action: 1
•delete: 3
•read: 6
•write: 3

•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
•Microsoft.ElasticSan/elasticSans/volumeGroups/*
•Microsoft.ElasticSan/locations/asyncoperations/read
90e8b822-3e73-47b5-868a-787dc80c008f Elastic SAN Volume Importer Allows for Importing Elastic San Volume False 00075 effective control plane operations (unique)

•action: 9
•delete: 1
•read: 64
•write: 1
Actions: 013
resolved operations: 75
effective operations: 75
•action: 9
•delete: 1
•read: 64
•write: 1

•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ElasticSan/elasticSans/volumeGroups/*/read
•Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/write
•Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/delete
•Microsoft.ElasticSan/locations/*
•Microsoft.Compute/locations/*
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/beginGetAccess/action
•Microsoft.Compute/disks/endGetAccess/action
•Microsoft.Compute/snapshots/read
•Microsoft.Compute/snapshots/beginGetAccess/action
•Microsoft.Compute/snapshots/endGetAccess/action
2142ea27-02ad-4094-bfea-2dbac6d24934 Enclave Approver Role Read all resources in Azure Virtual Enclaves and Approve approval requests within the Enclave False 00064 effective control plane operations (unique)

•: 1
•Action: 8
•Delete: 2
•read: 50
•Write: 3
Actions: 023
resolved operations: 64
effective operations: 64
•: 1
•Action: 8
•Delete: 2
•read: 50
•Write: 3

•Microsoft.Mission/Operations/read
•Microsoft.Mission/communities/read
•Microsoft.Mission/internalConnections/read
•Microsoft.Mission/virtualEnclaves/read
•Microsoft.Mission/virtualEnclaves/endpoints/read
•Microsoft.Mission/virtualEnclaves/workloads/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/features/read
•Microsoft.Mission/communities/communityEndpoints/read
•Microsoft.Mission/communities/transitHubs/read
•Microsoft.Mission/enclaveConnections/read
•Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read
•Microsoft.Mission/approvals/read
•Microsoft.Mission/approvals/write
•Microsoft.Mission/enclaveConnections/approvalCallback/action
19feefae-eacc-4106-81fd-ac34c0671f14 Enclave Contributor Role Enclave Contributor Role to access the resources of Microsoft.Mission stored with RPSAAS. False 00061 effective control plane operations (unique)

•action: 2
•read: 49
•write: 10
Actions: 035
resolved operations: 61
effective operations: 61
•action: 2
•read: 49
•write: 10

•Microsoft.Mission/register/action
•Microsoft.Mission/unregister/action
•Microsoft.Mission/Locations/OperationStatuses/read
•Microsoft.Mission/Locations/OperationStatuses/write
•Microsoft.Mission/Operations/read
•Microsoft.Mission/catalogs/read
•Microsoft.Mission/catalogs/write
•Microsoft.Mission/communities/read
•Microsoft.Mission/internalConnections/read
•Microsoft.Mission/internalConnections/write
•Microsoft.Mission/virtualEnclaves/read
•Microsoft.Mission/virtualEnclaves/write
•Microsoft.Mission/virtualEnclaves/endpoints/read
•Microsoft.Mission/virtualEnclaves/endpoints/write
•Microsoft.Mission/virtualEnclaves/workloads/read
•Microsoft.Mission/virtualEnclaves/workloads/write
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/features/read
•Microsoft.Mission/communities/communityEndpoints/read
•Microsoft.Mission/communities/transitHubs/read
•Microsoft.Mission/enclaveConnections/read
•Microsoft.Mission/enclaveConnections/write
•Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read
•Microsoft.Mission/virtualEnclaves/enclaveEndpoints/write
•Microsoft.Mission/approvals/read
•Microsoft.Mission/approvals/write
3d5f3eff-eb94-473d-91e3-7aac74d6c0bb Enclave Owner Role Enclave Owner Role to access the resources of Microsoft.Mission stored with RPSAAS. False 00064 effective control plane operations (unique)

•delete: 7
•read: 48
•write: 9
Actions: 038
resolved operations: 64
effective operations: 64
•delete: 7
•read: 48
•write: 9

•Microsoft.Mission/Locations/OperationStatuses/read
•Microsoft.Mission/Locations/OperationStatuses/write
•Microsoft.Mission/Operations/read
•Microsoft.Mission/catalogs/read
•Microsoft.Mission/catalogs/write
•Microsoft.Mission/catalogs/delete
•Microsoft.Mission/internalConnections/read
•Microsoft.Mission/internalConnections/write
•Microsoft.Mission/internalConnections/delete
•Microsoft.Mission/virtualEnclaves/read
•Microsoft.Mission/virtualEnclaves/write
•Microsoft.Mission/virtualEnclaves/delete
•Microsoft.Mission/virtualEnclaves/workloads/read
•Microsoft.Mission/virtualEnclaves/workloads/write
•Microsoft.Mission/virtualEnclaves/workloads/delete
•Microsoft.Mission/communities/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/features/read
•Microsoft.Mission/communities/communityEndpoints/read
•Microsoft.Mission/communities/transitHubs/read
•Microsoft.Mission/enclaveConnections/read
•Microsoft.Mission/enclaveConnections/write
•Microsoft.Mission/enclaveConnections/delete
•Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read
•Microsoft.Mission/virtualEnclaves/enclaveEndpoints/write
•Microsoft.Mission/virtualEnclaves/enclaveEndpoints/delete
•Microsoft.Mission/approvals/read
•Microsoft.Mission/approvals/write
•Microsoft.Mission/approvals/delete
86fede04-b259-4277-8c3e-e26b9865abd8 Enclave Reader Role Enclave Reader Role to access the resources of Microsoft.Mission stored with RPSAAS. False 00065 effective control plane operations (unique)

•: 1
•Action: 7
•Delete: 3
•read: 51
•Write: 3
Actions: 024
resolved operations: 65
effective operations: 65
•: 1
•Action: 7
•Delete: 3
•read: 51
•Write: 3

•Microsoft.Mission/Operations/read
•Microsoft.Mission/catalogs/read
•Microsoft.Mission/catalogs/write
•Microsoft.Mission/catalogs/delete
•Microsoft.Mission/communities/read
•Microsoft.Mission/internalConnections/read
•Microsoft.Mission/virtualEnclaves/read
•Microsoft.Mission/virtualEnclaves/endpoints/read
•Microsoft.Mission/virtualEnclaves/workloads/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/features/read
•Microsoft.Mission/communities/communityEndpoints/read
•Microsoft.Mission/communities/transitHubs/read
•Microsoft.Mission/enclaveConnections/read
•Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read
•Microsoft.Mission/approvals/read
1e241071-0855-49ea-94dc-649edcd759de EventGrid Contributor Lets you manage EventGrid operations. False 00251 effective control plane operations (unique)

•: 1
•action: 57
•delete: 37
•read: 112
•write: 44
Actions: 006
resolved operations: 251
effective operations: 251
•: 1
•action: 57
•delete: 37
•read: 112
•write: 44

•Microsoft.Authorization/*/read
•Microsoft.EventGrid/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 009
Configure Azure Event Grid domains to disable local authentication
Configure Azure Event Grid namespace MQTT broker with private endpoints
Configure Azure Event Grid namespaces with private endpoints
Configure Azure Event Grid partner namespaces to disable local authentication
Configure Azure Event Grid topics to disable local authentication
Deploy - Configure Azure Event Grid domains with private endpoints
Deploy - Configure Azure Event Grid topics with private endpoints
Modify - Configure Azure Event Grid domains to disable public network access
Modify - Configure Azure Event Grid topics to disable public network access
1d8c3fe3-8864-474b-8749-01e3783e8157 EventGrid Data Contributor Allows send and receive access to event grid events. False 00038 effective control plane and data plane operations (unique)

•action: 2
•read: 36
Actions: 010
resolved operations: 36
effective operations: 36
•read: 36

•Microsoft.Authorization/*/read
•Microsoft.EventGrid/eventSubscriptions/read
•Microsoft.EventGrid/topicTypes/eventSubscriptions/read
•Microsoft.EventGrid/locations/eventSubscriptions/read
•Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.EventGrid/topics/read
•Microsoft.EventGrid/domains/read
•Microsoft.EventGrid/partnerNamespaces/read
•Microsoft.EventGrid/namespaces/read
DataActions: 002
resolved data operations: 2
effective data operations: 2
•action: 2

•Microsoft.EventGrid/events/send/action
•Microsoft.EventGrid/events/receive/action
78cbd9e7-9798-4e2e-9b5a-547d9ebb31fb EventGrid Data Receiver Allows receive access to event grid events. False 00034 effective control plane and data plane operations (unique)

•action: 1
•read: 33
Actions: 007
resolved operations: 33
effective operations: 33
•read: 33

•Microsoft.Authorization/*/read
•Microsoft.EventGrid/eventSubscriptions/read
•Microsoft.EventGrid/topicTypes/eventSubscriptions/read
•Microsoft.EventGrid/locations/eventSubscriptions/read
•Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.EventGrid/namespaces/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.EventGrid/events/receive/action
d5a91429-5739-47e2-a06b-3470a27159e7 EventGrid Data Sender Allows send access to event grid events. False 00033 effective control plane and data plane operations (unique)

•action: 1
•read: 32
Actions: 006
resolved operations: 32
effective operations: 32
•read: 32

•Microsoft.Authorization/*/read
•Microsoft.EventGrid/topics/read
•Microsoft.EventGrid/domains/read
•Microsoft.EventGrid/partnerNamespaces/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.EventGrid/namespaces/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.EventGrid/events/send/action
428e0ff0-5e57-4d9c-a221-2c70d0e0a443 EventGrid EventSubscription Contributor Lets you manage EventGrid event subscription operations. False 00066 effective control plane operations (unique)

•: 1
•action: 12
•delete: 3
•read: 45
•write: 5
Actions: 009
resolved operations: 66
effective operations: 66
•: 1
•action: 12
•delete: 3
•read: 45
•write: 5

•Microsoft.Authorization/*/read
•Microsoft.EventGrid/eventSubscriptions/*
•Microsoft.EventGrid/topicTypes/eventSubscriptions/read
•Microsoft.EventGrid/locations/eventSubscriptions/read
•Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
2414bbcf-6497-4faf-8c65-045460748405 EventGrid EventSubscription Reader Lets you read EventGrid event subscriptions. False 00032 effective control plane operations (unique)

•read: 32
Actions: 006
resolved operations: 32
effective operations: 32
•read: 32

•Microsoft.Authorization/*/read
•Microsoft.EventGrid/eventSubscriptions/read
•Microsoft.EventGrid/topicTypes/eventSubscriptions/read
•Microsoft.EventGrid/locations/eventSubscriptions/read
•Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
a12b0b94-b317-4dcd-84a8-502ce99884c6 EventGrid TopicSpaces Publisher Lets you publish messages on topicspaces. False 00119 effective control plane and data plane operations (unique)

•: 1
•action: 8
•Delete: 2
•read: 106
•Write: 2
Actions: 005
resolved operations: 118
effective operations: 118
•: 1
•Action: 7
•Delete: 2
•read: 106
•Write: 2

•Microsoft.Authorization/*/read
•Microsoft.EventGrid/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.EventGrid/topicSpaces/publish/action
4b0f2fd7-60b4-4eca-896f-4435034f8bf5 EventGrid TopicSpaces Subscriber Lets you subscribe messages on topicspaces. False 00119 effective control plane and data plane operations (unique)

•: 1
•action: 8
•Delete: 2
•read: 106
•Write: 2
Actions: 005
resolved operations: 118
effective operations: 118
•: 1
•Action: 7
•Delete: 2
•read: 106
•Write: 2

•Microsoft.Authorization/*/read
•Microsoft.EventGrid/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
DataActions: 001
resolved data operations: 1
effective data operations: 1
•action: 1

•Microsoft.EventGrid/topicSpaces/subscribe/action
7f646f1b-fa08-80eb-a33b-edd6ce5c915c Experimentation Administrator Experimentation Administrator False 00014 effective control plane and data plane operations (unique)

•action: 7
•delete: 2
•read: 3
•write: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Experimentation/experimentWorkspaces/read
DataActions: 013
resolved data operations: 13
effective data operations: 13
•action: 7
•delete: 2
•read: 2
•write: 2

•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/action
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action
•Microsoft.Experimentation/experimentWorkspaces/read
•Microsoft.Experimentation/experimentWorkspaces/write
•Microsoft.Experimentation/experimentWorkspaces/delete
•Microsoft.Experimentation/experimentWorkspaces/admin/action
•Microsoft.Experimentation/experimentWorkspaces/metricwrite/action
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action
7f646f1b-fa08-80eb-a22b-edd6ce5c915c Experimentation Contributor Experimentation Contributor False 00009 effective control plane and data plane operations (unique)

•action: 2
•delete: 2
•read: 3
•write: 2
Actions: 002
resolved operations: 2
effective operations: 2
•read: 2

•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Experimentation/experimentWorkspaces/read
DataActions: 008
resolved data operations: 8
effective data operations: 8
•action: 2
•delete: 2
•read: 2
•write: 2

•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action
•Microsoft.Experimentation/experimentWorkspaces/read
•Microsoft.Experimentation/experimentWorkspaces/write
•Microsoft.Experimentation/experimentWorkspaces/delete
6188b7c9-7d01-4f99-a59f-c88b630326c0 Experimentation Metric Contributor Allows for creation, writes and reads to the metric set via the metrics service APIs. False 00004 effective control plane and data plane operations (unique)

•action: 2
•read: 2
Actions: 001
resolved operations: 1
effective operations: 1
•read: 1

•Microsoft.Experimentation/experimentWorkspaces/read
DataActions: 004
resolved data operations: 4
effective data operations: 4
•action: 2
•read: 2

•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action
•Microsoft.Experimentation/experimentWorkspaces/metricwrite/action
•Microsoft.Experimentation/experimentWorkspaces/read
49632ef5-d9ac-41f4-b8e7-bbe587fa74a1 Experimentation Reader Experimentation Reader False 00002 effective control plane and data plane operations (unique)

•read: 2
Actions: 001
resolved operations: 1
effective operations: 1
•read: 1

•Microsoft.Experimentation/experimentWorkspaces/read
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.Experimentation/experimentWorkspaces/read
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
5a1fc7df-4bf1-4951-a576-89034ee01acd FHIR Data Contributor Role allows user or principal full access to FHIR Data False 00022 effective data plane operations (unique)

•action: 16
•delete: 2
•read: 2
•write: 2
DataActions: 002
resolved data operations: 24
effective data operations: 22
•action: 16
•delete: 2
•read: 2
•write: 2

•Microsoft.HealthcareApis/services/fhir/resources/*
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/*
NotDataActions: 002
resolved not data operations: 2
effective not data operations: 3281

•Microsoft.HealthcareApis/services/fhir/resources/smart/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action
a1705bd2-3a8f-45a5-8683-466fcfd5cc24 FHIR Data Converter Role allows user or principal to convert data from legacy format to FHIR False 00002 effective data plane operations (unique)

•action: 2
DataActions: 002
resolved data operations: 2
effective data operations: 2
•action: 2

•Microsoft.HealthcareApis/services/fhir/resources/convertData/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action
3db33094-8700-4567-8da5-1501d4e7e843 FHIR Data Exporter Role allows user or principal to read and export FHIR Data False 00004 effective data plane operations (unique)

•action: 2
•read: 2
DataActions: 004
resolved data operations: 4
effective data operations: 4
•action: 2
•read: 2

•Microsoft.HealthcareApis/services/fhir/resources/read
•Microsoft.HealthcareApis/services/fhir/resources/export/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action
4465e953-8ced-4406-a58e-0f6e3f3b530b FHIR Data Importer Role allows user or principal to read and import FHIR Data False 00002 effective data plane operations (unique)

•action: 1
•read: 1
DataActions: 002
resolved data operations: 2
effective data operations: 2
•action: 1
•read: 1

•Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action
4c8d0bbc-75d3-4935-991f-5f3c56d81508 FHIR Data Reader Role allows user or principal to read FHIR Data False 00002 effective data plane operations (unique)

•read: 2
DataActions: 002
resolved data operations: 2
effective data operations: 2
•read: 2

•Microsoft.HealthcareApis/services/fhir/resources/read
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
3f88fce4-5892-4214-ae73-ba5294559913 FHIR Data Writer Role allows user or principal to read and write FHIR Data False 00018 effective data plane operations (unique)

•action: 12
•delete: 2
•read: 2
•write: 2
DataActions: 018
resolved data operations: 18
effective data operations: 18
•action: 12
•delete: 2
•read: 2
•write: 2

•Microsoft.HealthcareApis/services/fhir/resources/read
•Microsoft.HealthcareApis/services/fhir/resources/write
•Microsoft.HealthcareApis/services/fhir/resources/delete
•Microsoft.HealthcareApis/services/fhir/resources/export/action
•Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action
•Microsoft.HealthcareApis/services/fhir/resources/reindex/action
•Microsoft.HealthcareApis/services/fhir/resources/convertData/action
•Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action
•Microsoft.HealthcareApis/services/fhir/resources/import/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/wri