last sync: 2021-Jun-15 14:06:27 UTC

All Azure RBAC Role definitions

Id Name Description Actions NotActions DataActions NotDataActions Used in Policy
8311e382-0749-4cb8-b61a-304f252e45ec AcrPush acr push Microsoft.ContainerRegistry/registries/pull/read
Microsoft.ContainerRegistry/registries/push/write
312a565d-c81f-4fd8-895a-4e21e48d571c API Management Service Contributor Can manage service and the APIs Microsoft.ApiManagement/service/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
7f951dda-4ed3-4680-a7ca-43fe172d538d AcrPull acr pull Microsoft.ContainerRegistry/registries/pull/read
6cef56e8-d556-48e5-a04f-b8e64114680f AcrImageSigner acr image signer Microsoft.ContainerRegistry/registries/sign/write
c2f4ef07-c644-48eb-af81-4b1b4947fb11 AcrDelete acr delete Microsoft.ContainerRegistry/registries/artifacts/delete
cdda3590-29a3-44f6-95f2-9f980659eb04 AcrQuarantineReader acr quarantine data reader Microsoft.ContainerRegistry/registries/quarantine/read
c8d4ff99-41c3-41a8-9f60-21dfdad59608 AcrQuarantineWriter acr quarantine data writer Microsoft.ContainerRegistry/registries/quarantine/read
Microsoft.ContainerRegistry/registries/quarantine/write
e022efe7-f5ba-4159-bbe4-b44f577e9b61 API Management Service Operator Role Can manage service but not the APIs Microsoft.ApiManagement/service/*/read
Microsoft.ApiManagement/service/backup/action
Microsoft.ApiManagement/service/delete
Microsoft.ApiManagement/service/managedeployments/action
Microsoft.ApiManagement/service/read
Microsoft.ApiManagement/service/restore/action
Microsoft.ApiManagement/service/updatecertificate/action
Microsoft.ApiManagement/service/updatehostname/action
Microsoft.ApiManagement/service/write
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
NotActions:
Microsoft.ApiManagement/service/users/keys/read
71522526-b88f-4d52-b57f-d31fc3546d0d API Management Service Reader Role Read-only access to service and APIs Microsoft.ApiManagement/service/*/read
Microsoft.ApiManagement/service/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
NotActions:
Microsoft.ApiManagement/service/users/keys/read
ae349356-3a1b-4a5e-921d-050484c6347e Application Insights Component Contributor Can manage Application Insights components Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/generateLiveToken/read
Microsoft.Insights/metricAlerts/*
Microsoft.Insights/components/*
Microsoft.Insights/scheduledqueryrules/*
Microsoft.Insights/topology/read
Microsoft.Insights/transactions/read
Microsoft.Insights/webtests/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
08954f03-6346-4c2e-81c0-ec3a5cfae23b Application Insights Snapshot Debugger Gives user permission to use Application Insights Snapshot Debugger features Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/components/*/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
fd1bd22b-8476-40bc-a0bc-69b95687b9f3 Attestation Reader Can read the attestation provider properties Microsoft.Attestation/attestationProviders/attestation/read
4fe576fe-1146-4730-92eb-48519fa6bf9f Automation Job Operator Create and Manage Jobs using Automation Runbooks. Microsoft.Authorization/*/read
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read
Microsoft.Automation/automationAccounts/jobs/read
Microsoft.Automation/automationAccounts/jobs/resume/action
Microsoft.Automation/automationAccounts/jobs/stop/action
Microsoft.Automation/automationAccounts/jobs/streams/read
Microsoft.Automation/automationAccounts/jobs/suspend/action
Microsoft.Automation/automationAccounts/jobs/write
Microsoft.Automation/automationAccounts/jobs/output/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 Automation Runbook Operator Read Runbook properties - to be able to create Jobs of the runbook. Microsoft.Authorization/*/read
Microsoft.Automation/automationAccounts/runbooks/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
d3881f73-407a-4167-8283-e981cbba0404 Automation Operator Automation Operators are able to start, stop, suspend, and resume jobs Microsoft.Authorization/*/read
Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read
Microsoft.Automation/automationAccounts/jobs/read
Microsoft.Automation/automationAccounts/jobs/resume/action
Microsoft.Automation/automationAccounts/jobs/stop/action
Microsoft.Automation/automationAccounts/jobs/streams/read
Microsoft.Automation/automationAccounts/jobs/suspend/action
Microsoft.Automation/automationAccounts/jobs/write
Microsoft.Automation/automationAccounts/jobSchedules/read
Microsoft.Automation/automationAccounts/jobSchedules/write
Microsoft.Automation/automationAccounts/linkedWorkspace/read
Microsoft.Automation/automationAccounts/read
Microsoft.Automation/automationAccounts/runbooks/read
Microsoft.Automation/automationAccounts/schedules/read
Microsoft.Automation/automationAccounts/schedules/write
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Automation/automationAccounts/jobs/output/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
4f8fab4f-1852-4a58-a46a-8eaf358af14a Avere Contributor Can create and manage an Avere vFXT cluster. Microsoft.Authorization/*/read
Microsoft.Compute/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/proximityPlacementGroups/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/disks/*
Microsoft.Network/*/read
Microsoft.Network/networkInterfaces/*
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Resources/deployments/*
Microsoft.Insights/alertRules/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/*/read
Microsoft.Storage/storageAccounts/*
Microsoft.Support/*
Microsoft.Resources/subscriptions/resourceGroups/resources/read
DataActions:
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 Avere Operator Used by the Avere vFXT cluster to manage the cluster Microsoft.Compute/virtualMachines/read
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/blobServices/containers/delete
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/blobServices/containers/write
DataActions:
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 Azure Kubernetes Service Cluster Admin Role List cluster admin credential action. Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action
Microsoft.ContainerService/managedClusters/read
4abbcc35-e782-43d8-92c5-2d3f1bd2253f Azure Kubernetes Service Cluster User Role List cluster user credential action. Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
Microsoft.ContainerService/managedClusters/read
423170ca-a8f6-4b0f-8487-9e4eb8f49bfa Azure Maps Data Reader Grants access to read map related data from an Azure maps account.
DataActions:
Microsoft.Maps/accounts/*/read
6f12a6df-dd06-4f3e-bcb1-ce8be600526a Azure Stack Registration Owner Lets you manage Azure Stack registrations. Microsoft.AzureStack/edgeSubscriptions/read
Microsoft.AzureStack/registrations/products/*/action
Microsoft.AzureStack/registrations/products/read
Microsoft.AzureStack/registrations/read
5e467623-bb1f-42f4-a55d-6e525e11384b Backup Contributor Lets you manage backup service,but can't create vaults and give access to others Microsoft.Authorization/*/read
Microsoft.Network/virtualNetworks/read
Microsoft.RecoveryServices/locations/*
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action
Microsoft.RecoveryServices/Vaults/backupJobs/*
Microsoft.RecoveryServices/Vaults/backupJobsExport/action
Microsoft.RecoveryServices/Vaults/backupOperationResults/*
Microsoft.RecoveryServices/Vaults/backupPolicies/*
Microsoft.RecoveryServices/Vaults/backupProtectableItems/*
Microsoft.RecoveryServices/Vaults/backupProtectedItems/*
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*
Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
Microsoft.RecoveryServices/Vaults/certificates/*
Microsoft.RecoveryServices/Vaults/extendedInformation/*
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/*
Microsoft.RecoveryServices/Vaults/usages/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/read
Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
Microsoft.RecoveryServices/Vaults/backupconfig/*
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action
Microsoft.RecoveryServices/Vaults/write
Microsoft.RecoveryServices/Vaults/backupOperations/read
Microsoft.RecoveryServices/Vaults/backupEngines/read
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read
Microsoft.RecoveryServices/locations/backupStatus/action
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
Microsoft.RecoveryServices/locations/backupValidateFeatures/action
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
Microsoft.RecoveryServices/operations/read
Microsoft.RecoveryServices/locations/operationStatus/read
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
Microsoft.Support/*
Microsoft.DataProtection/locations/getBackupStatus/action
Microsoft.DataProtection/backupVaults/backupInstances/write
Microsoft.DataProtection/backupVaults/backupInstances/delete
Microsoft.DataProtection/backupVaults/backupInstances/read
Microsoft.DataProtection/backupVaults/backupInstances/read
Microsoft.DataProtection/backupVaults/backupInstances/backup/action
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action
Microsoft.DataProtection/backupVaults/backupInstances/restore/action
Microsoft.DataProtection/backupVaults/backupPolicies/write
Microsoft.DataProtection/backupVaults/backupPolicies/delete
Microsoft.DataProtection/backupVaults/backupPolicies/read
Microsoft.DataProtection/backupVaults/backupPolicies/read
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
Microsoft.DataProtection/backupVaults/write
Microsoft.DataProtection/backupVaults/read
Microsoft.DataProtection/backupVaults/operationResults/read
Microsoft.DataProtection/locations/checkNameAvailability/action
Microsoft.DataProtection/backupVaults/read
Microsoft.DataProtection/backupVaults/read
Microsoft.DataProtection/locations/operationStatus/read
Microsoft.DataProtection/locations/operationResults/read
Microsoft.DataProtection/backupVaults/validateForBackup/action
Microsoft.DataProtection/providers/operations/read
Used in Policy:
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location, Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location, Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy, Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 Billing Reader Allows read access to billing data Microsoft.Authorization/*/read
Microsoft.Billing/*/read
Microsoft.Commerce/*/read
Microsoft.Consumption/*/read
Microsoft.Management/managementGroups/read
Microsoft.CostManagement/*/read
Microsoft.Support/*
00c29273-979b-4161-815c-10b084fb9324 Backup Operator Lets you manage backup services, except removal of backup, vault creation and giving access to others Microsoft.Authorization/*/read
Microsoft.Network/virtualNetworks/read
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action
Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read
Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action
Microsoft.RecoveryServices/Vaults/backupJobs/*
Microsoft.RecoveryServices/Vaults/backupJobsExport/action
Microsoft.RecoveryServices/Vaults/backupOperationResults/*
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read
Microsoft.RecoveryServices/Vaults/backupPolicies/read
Microsoft.RecoveryServices/Vaults/backupProtectableItems/*
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
Microsoft.RecoveryServices/Vaults/certificates/write
Microsoft.RecoveryServices/Vaults/extendedInformation/read
Microsoft.RecoveryServices/Vaults/extendedInformation/write
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/write
Microsoft.RecoveryServices/Vaults/usages/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/read
Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
Microsoft.RecoveryServices/Vaults/backupValidateOperation/action
Microsoft.RecoveryServices/Vaults/backupOperations/read
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action
Microsoft.RecoveryServices/Vaults/backupEngines/read
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read
Microsoft.RecoveryServices/locations/backupStatus/action
Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
Microsoft.RecoveryServices/locations/backupValidateFeatures/action
Microsoft.RecoveryServices/locations/backupAadProperties/read
Microsoft.RecoveryServices/locations/backupCrrJobs/action
Microsoft.RecoveryServices/locations/backupCrrJob/action
Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
Microsoft.RecoveryServices/operations/read
Microsoft.RecoveryServices/locations/operationStatus/read
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
Microsoft.Support/*
Microsoft.DataProtection/backupVaults/backupInstances/read
Microsoft.DataProtection/backupVaults/backupInstances/read
Microsoft.DataProtection/backupVaults/backupPolicies/read
Microsoft.DataProtection/backupVaults/backupPolicies/read
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
Microsoft.DataProtection/backupVaults/read
Microsoft.DataProtection/backupVaults/operationResults/read
Microsoft.DataProtection/backupVaults/read
Microsoft.DataProtection/backupVaults/read
Microsoft.DataProtection/locations/operationStatus/read
Microsoft.DataProtection/locations/operationResults/read
Microsoft.DataProtection/providers/operations/read
a795c7a0-d4a2-40c1-ae25-d81f01202912 Backup Reader Can view backup services, but can't make changes Microsoft.Authorization/*/read
Microsoft.RecoveryServices/locations/allocatedStamp/read
Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read
Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read
Microsoft.RecoveryServices/Vaults/backupJobs/read
Microsoft.RecoveryServices/Vaults/backupJobsExport/action
Microsoft.RecoveryServices/Vaults/backupOperationResults/read
Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read
Microsoft.RecoveryServices/Vaults/backupPolicies/read
Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read
Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
Microsoft.RecoveryServices/Vaults/extendedInformation/read
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
Microsoft.RecoveryServices/Vaults/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/read
Microsoft.RecoveryServices/Vaults/backupstorageconfig/read
Microsoft.RecoveryServices/Vaults/backupconfig/read
Microsoft.RecoveryServices/Vaults/backupOperations/read
Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read
Microsoft.RecoveryServices/Vaults/backupEngines/read
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read
Microsoft.RecoveryServices/locations/backupStatus/action
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
Microsoft.RecoveryServices/operations/read
Microsoft.RecoveryServices/locations/operationStatus/read
Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
Microsoft.RecoveryServices/Vaults/usages/read
Microsoft.RecoveryServices/locations/backupValidateFeatures/action
Microsoft.RecoveryServices/locations/backupCrrJobs/action
Microsoft.RecoveryServices/locations/backupCrrJob/action
Microsoft.RecoveryServices/locations/backupCrrOperationResults/read
Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read
Microsoft.DataProtection/locations/getBackupStatus/action
Microsoft.DataProtection/backupVaults/backupInstances/write
Microsoft.DataProtection/backupVaults/backupInstances/read
Microsoft.DataProtection/backupVaults/backupInstances/read
Microsoft.DataProtection/backupVaults/backupInstances/backup/action
Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action
Microsoft.DataProtection/backupVaults/backupInstances/restore/action
Microsoft.DataProtection/backupVaults/backupPolicies/read
Microsoft.DataProtection/backupVaults/backupPolicies/read
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
Microsoft.DataProtection/backupVaults/read
Microsoft.DataProtection/backupVaults/operationResults/read
Microsoft.DataProtection/backupVaults/read
Microsoft.DataProtection/backupVaults/read
Microsoft.DataProtection/locations/operationStatus/read
Microsoft.DataProtection/locations/operationResults/read
Microsoft.DataProtection/backupVaults/validateForBackup/action
Microsoft.DataProtection/providers/operations/read
31a002a1-acaf-453e-8a5b-297c9ca1ea24 Blockchain Member Node Access (Preview) Allows for access to Blockchain Member nodes Microsoft.Blockchain/blockchainMembers/transactionNodes/read
DataActions:
Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action
5e3c6656-6cfa-4708-81fe-0de47ac73342 BizTalk Contributor Lets you manage BizTalk services, but not access to them. Microsoft.Authorization/*/read
Microsoft.BizTalkServices/BizTalk/*
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
426e0c7f-0c7e-4658-b36f-ff54d6c29b45 CDN Endpoint Contributor Can manage CDN endpoints, but can’t grant access to other users. Microsoft.Authorization/*/read
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/endpoints/*
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
871e35f6-b5c1-49cc-a043-bde969a0f2cd CDN Endpoint Reader Can view CDN endpoints, but can’t make changes. Microsoft.Authorization/*/read
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/endpoints/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
ec156ff8-a8d1-4d15-830c-5b80698ca432 CDN Profile Contributor Can manage CDN profiles and their endpoints, but can’t grant access to other users. Microsoft.Authorization/*/read
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/*
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
8f96442b-4075-438f-813d-ad51ab4019af CDN Profile Reader Can view CDN profiles and their endpoints, but can’t make changes. Microsoft.Authorization/*/read
Microsoft.Cdn/edgenodes/read
Microsoft.Cdn/operationresults/*
Microsoft.Cdn/profiles/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
b34d265f-36f7-4a0d-a4d4-e158ca92e90f Classic Network Contributor Lets you manage classic networks, but not access to them. Microsoft.Authorization/*/read
Microsoft.ClassicNetwork/*
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
86e8f5dc-a6e9-4c67-9d15-de283e8eac25 Classic Storage Account Contributor Lets you manage classic storage accounts, but not access to them. Microsoft.Authorization/*/read
Microsoft.ClassicStorage/storageAccounts/*
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
985d6b00-f706-48f5-a6fe-d0ca12fb668d Classic Storage Account Key Operator Service Role Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts Microsoft.ClassicStorage/storageAccounts/listkeys/action
Microsoft.ClassicStorage/storageAccounts/regeneratekey/action
9106cda0-8a86-4e81-b686-29a22c54effe ClearDB MySQL DB Contributor Lets you manage ClearDB MySQL databases, but not access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
successbricks.cleardb/databases/*
d73bb868-a0df-4d4d-bd69-98a00b01fccb Classic Virtual Machine Contributor Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to. Microsoft.Authorization/*/read
Microsoft.ClassicCompute/domainNames/*
Microsoft.ClassicCompute/virtualMachines/*
Microsoft.ClassicNetwork/networkSecurityGroups/join/action
Microsoft.ClassicNetwork/reservedIps/link/action
Microsoft.ClassicNetwork/reservedIps/read
Microsoft.ClassicNetwork/virtualNetworks/join/action
Microsoft.ClassicNetwork/virtualNetworks/read
Microsoft.ClassicStorage/storageAccounts/disks/read
Microsoft.ClassicStorage/storageAccounts/images/read
Microsoft.ClassicStorage/storageAccounts/listKeys/action
Microsoft.ClassicStorage/storageAccounts/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
a97b65f3-24c7-4388-baec-2e87135dc908 Cognitive Services User Lets you read and list keys of Cognitive Services. Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/listkeys/action
Microsoft.Insights/alertRules/read
Microsoft.Insights/diagnosticSettings/read
Microsoft.Insights/logDefinitions/read
Microsoft.Insights/metricdefinitions/read
Microsoft.Insights/metrics/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/operations/read
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
DataActions:
Microsoft.CognitiveServices/*
b59867f0-fa02-499b-be73-45a86b5b3e1c Cognitive Services Data Reader (Preview) Lets you read Cognitive Services data.
DataActions:
Microsoft.CognitiveServices/*/read
25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 Cognitive Services Contributor Lets you create, read, update, delete and manage keys of Cognitive Services. Microsoft.Authorization/*/read
Microsoft.CognitiveServices/*
Microsoft.Features/features/read
Microsoft.Features/providers/features/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/diagnosticSettings/*
Microsoft.Insights/logDefinitions/read
Microsoft.Insights/metricdefinitions/read
Microsoft.Insights/metrics/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/deployments/operations/read
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourcegroups/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Used in Policy:
Configure Cognitive Services accounts with private endpoints
db7b14f2-5adf-42da-9f96-f2ee17bab5cb CosmosBackupOperator Can submit restore request for a Cosmos DB database or a container for an account Microsoft.DocumentDB/databaseAccounts/backup/action
Microsoft.DocumentDB/databaseAccounts/restore/action
b24988ac-6180-42a0-ab88-20f7382dd24c Contributor Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Actions:
*
NotActions:
Microsoft.Authorization/*/Delete
Microsoft.Authorization/*/Write
Microsoft.Authorization/elevateAccess/Action
Microsoft.Blueprint/blueprintAssignments/write
Microsoft.Blueprint/blueprintAssignments/delete
Microsoft.Compute/galleries/share/action
Used in Policy:
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management', Deploy a flow log resource with target network security group, Modify - Configure Azure File Sync to disable public network access, [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs., Configure Batch accounts with private endpoints, [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root, Modify - Configure Azure IoT Hubs to disable public network access, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects', [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed, [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members, Configure Cognitive Services accounts to disable local authentication methods, [Preview]: Deploy - Configure Windows machines to automatically install the Azure Security agent, [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day, Deploy associations for a managed application, Configure Kubernetes clusters with specified GitOps configuration using no secrets, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown', [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters, Configure Azure Automation accounts to disable public network access, Configure virtual machines to be onboarded to Azure Automanage, [Preview]: Configure Azure Defender for SQL agent on virtual machine, [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain, [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running', Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords, [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon', Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs, Configure Azure Synapse workspaces with private endpoints, Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Deploy Diagnostic Settings for Search Services to Event Hub, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System', Inherit a tag from the subscription if missing, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings', Configure Cognitive Services accounts to disable public network access, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit', [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed, Deploy Diagnostic Settings for Data Lake Analytics to Event Hub, Add a tag to resources, Deploy Workflow Automation for Azure Security Center regulatory compliance, Configure disk access resources with private endpoints, [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one, Configure Azure Synapse workspaces to disable public network access, Configure network security groups to use specific workspace for traffic analytics, [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent, Add or replace a tag on resources, Configure time zone on Windows machines., Configure private endpoints for App Configuration, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices', [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected, [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled, Deploy Diagnostic Settings for Service Bus to Event Hub, Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace., [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components', [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Azure Defender's extension, [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords, Add a tag to resource groups, Configure App Configuration stores to disable local authentication methods, Configure App Configuration to disable public network access, Deploy Workflow Automation for Azure Security Center recommendations, Configure container registries to disable local authentication., [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled, [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled, Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment', Configure managed disks to disable public network access, Configure IoT Hub
device provisioning service instances to disable public network access, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server', [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access', Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace., [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties', [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed, [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network', Deploy Diagnostic Settings for Azure SQL Database to Event Hub, Configure IoT Hub device provisioning service instances with private endpoints, Deploy Diagnostic Settings for Logic Apps to Event Hub, Configure Container registries to disable public network access, Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers, Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM, Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets, Configure Machine Learning computes to disable local authentication methods, Configure IoT Hub device provisioning instances to use private DNS zones, Inherit a tag from the subscription, [Deprecated]: Deploy prerequisites to audit 
Windows web servers that are not using secure communication protocols, Configure Azure File Sync with private endpoints, Configure CosmosDB accounts with private endpoints, [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client', Deploy - Configure Azure IoT Hubs with private endpoints, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff', Configure Kubernetes clusters with specified GitOps configuration using SSH secrets, Configure private endpoint connections on Azure Automation accounts, Deploy associations for a custom provider, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon', [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone, [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days, [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot, Deploy - Configure Azure IoT Hubs to use private DNS zones, Inherit a tag from the resource group, Deploy export to Event Hub for Azure Security Center data, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use', Add or replace a tag on resource groups, [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant, Configure Container registries with private endpoints, Configure CosmosDB accounts to disable public network access, Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers, Deploy Diagnostic Settings for Batch Account to Event Hub, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - 
Recovery console', [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts', Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub, Configure network security groups to enable traffic analytics, Inherit a tag from the resource group if missing, [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel', Deploy Diagnostic Settings for Key Vault to Event Hub, Deploy Diagnostic Settings for Stream Analytics to Event Hub, Deploy Diagnostic Settings for Event Hub to Event Hub, [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed, Deploy Workflow Automation for Azure Security Center alerts, [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)', [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System', [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs., Deploy export to Log Analytics workspace for Azure Security Center data
fbdf93bf-df7d-467e-a4d2-9458aa1360c8 Cosmos DB Account Reader Role Can read Azure Cosmos DB Accounts data Microsoft.Authorization/*/read
Microsoft.DocumentDB/*/read
Microsoft.DocumentDB/databaseAccounts/readonlykeys/action
Microsoft.Insights/MetricDefinitions/read
Microsoft.Insights/Metrics/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
434105ed-43f6-45c7-a02f-909b2ba83430 Cost Management Contributor Can view costs and manage cost configuration (e.g. budgets, exports) Microsoft.Consumption/*
Microsoft.CostManagement/*
Microsoft.Billing/billingPeriods/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Advisor/configurations/read
Microsoft.Advisor/recommendations/read
Microsoft.Management/managementGroups/read
Microsoft.Billing/billingProperty/read
72fafb9e-0641-4937-9268-a91bfd8191a3 Cost Management Reader Can view cost data and configuration (e.g. budgets, exports) Microsoft.Consumption/*/read
Microsoft.CostManagement/*/read
Microsoft.Billing/billingPeriods/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Advisor/configurations/read
Microsoft.Advisor/recommendations/read
Microsoft.Management/managementGroups/read
Microsoft.Billing/billingProperty/read
add466c9-e687-43fc-8d98-dfcf8d720be5 Data Box Contributor Lets you manage everything under Data Box Service except giving access to others. Microsoft.Authorization/*/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Databox/*
028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 Data Box Reader Lets you manage Data Box Service except creating order or editing order details and giving access to others. Microsoft.Authorization/*/read
Microsoft.Databox/*/read
Microsoft.Databox/jobs/listsecrets/action
Microsoft.Databox/jobs/listcredentials/action
Microsoft.Databox/locations/availableSkus/action
Microsoft.Databox/locations/validateInputs/action
Microsoft.Databox/locations/regionConfiguration/action
Microsoft.Databox/locations/validateAddress/action
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Support/*
673868aa-7521-48a0-acc6-0f60742d39f5 Data Factory Contributor Create and manage data factories, as well as child resources within them. Microsoft.Authorization/*/read
Microsoft.DataFactory/dataFactories/*
Microsoft.DataFactory/factories/*
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.EventGrid/eventSubscriptions/write
Configure Data Factories to disable public network access, Configure private endpoints for Data factories
150f5e0c-0603-4f03-8c7f-cf70034c4e90 Data Purger Can purge analytics data Microsoft.Insights/components/*/read
Microsoft.Insights/components/purge/action
Microsoft.OperationalInsights/workspaces/*/read
Microsoft.OperationalInsights/workspaces/purge/action
47b7735b-770e-4598-a7da-8b91488b4c88 Data Lake Analytics Developer Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. Microsoft.Authorization/*/read
Microsoft.BigAnalytics/accounts/*
Microsoft.DataLakeAnalytics/accounts/*
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.BigAnalytics/accounts/Delete
Microsoft.BigAnalytics/accounts/TakeOwnership/action
Microsoft.BigAnalytics/accounts/Write
Microsoft.DataLakeAnalytics/accounts/Delete
Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action
Microsoft.DataLakeAnalytics/accounts/Write
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write
Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write
Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete
Microsoft.DataLakeAnalytics/accounts/firewallRules/Write
Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete
Microsoft.DataLakeAnalytics/accounts/computePolicies/Write
Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete
76283e04-6283-4c54-8f91-bcf1374a3c64 DevTest Labs User Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/read
Microsoft.Compute/virtualMachines/*/read
Microsoft.Compute/virtualMachines/deallocate/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/restart/action
Microsoft.Compute/virtualMachines/start/action
Microsoft.DevTestLab/*/read
Microsoft.DevTestLab/labs/claimAnyVm/action
Microsoft.DevTestLab/labs/createEnvironment/action
Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action
Microsoft.DevTestLab/labs/formulas/delete
Microsoft.DevTestLab/labs/formulas/read
Microsoft.DevTestLab/labs/formulas/write
Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action
Microsoft.DevTestLab/labs/virtualMachines/claim/action
Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action
Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Microsoft.Network/loadBalancers/inboundNatRules/join/action
Microsoft.Network/networkInterfaces/*/read
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/publicIPAddresses/*/read
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Resources/deployments/operations/read
Microsoft.Resources/deployments/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Compute/virtualMachines/vmSizes/read
5bd9cd88-fe45-4216-938b-f97437e15450 DocumentDB Account Contributor Lets you manage DocumentDB accounts, but not access to them. Microsoft.Authorization/*/read
Microsoft.DocumentDb/databaseAccounts/*
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
Configure CosmosDB accounts with private endpoints, Configure CosmosDB accounts to disable public network access
befefa01-2a29-4197-83a8-272ff33ce314 DNS Zone Contributor Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Network/dnsZones/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
428e0ff0-5e57-4d9c-a221-2c70d0e0a443 EventGrid EventSubscription Contributor Lets you manage EventGrid event subscription operations. Microsoft.Authorization/*/read
Microsoft.EventGrid/eventSubscriptions/*
Microsoft.EventGrid/topicTypes/eventSubscriptions/read
Microsoft.EventGrid/locations/eventSubscriptions/read
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
2414bbcf-6497-4faf-8c65-045460748405 EventGrid EventSubscription Reader Lets you read EventGrid event subscriptions. Microsoft.Authorization/*/read
Microsoft.EventGrid/eventSubscriptions/read
Microsoft.EventGrid/topicTypes/eventSubscriptions/read
Microsoft.EventGrid/locations/eventSubscriptions/read
Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
b60367af-1334-4454-b71e-769d9a4f83d9 Graph Owner Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions Microsoft.EnterpriseKnowledgeGraph/services/conflation/read
Microsoft.EnterpriseKnowledgeGraph/services/conflation/write
Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/read
Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/write
Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read
Microsoft.EnterpriseKnowledgeGraph/services/knowledge/write
Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/read
Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/write
Microsoft.EnterpriseKnowledgeGraph/services/ingestion/read
Microsoft.EnterpriseKnowledgeGraph/services/ingestion/write
Microsoft.EnterpriseKnowledgeGraph/services/ontology/read
Microsoft.EnterpriseKnowledgeGraph/services/ontology/write
Microsoft.EnterpriseKnowledgeGraph/services/delete
Microsoft.EnterpriseKnowledgeGraph/operations/read
8d8d5a11-05d3-4bda-a417-a08778121c7c HDInsight Domain Services Contributor Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package Microsoft.AAD/*/read
Microsoft.AAD/domainServices/*/read
Microsoft.AAD/domainServices/oucontainer/*
03a6d094-3444-4b3d-88af-7477090a9e5e Intelligent Systems Account Contributor Lets you manage Intelligent Systems accounts, but not access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.IntelligentSystems/accounts/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
f25e0fa2-a7c8-4377-a976-54943a77a395 Key Vault Contributor Lets you manage key vaults, but not access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.KeyVault/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.KeyVault/locations/deletedVaults/purge/action
Microsoft.KeyVault/hsmPools/*
Microsoft.KeyVault/managedHsms/*
[Preview]: Configure Azure Key Vaults with private endpoints, [Preview]: Configure key vaults to disable public network access
ee361c5d-f7b5-4119-b4b6-892157c8f64c Knowledge Consumer Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read
b97fb8bc-a8b2-4522-a38b-dd33c7e65ead Lab Creator Lets you create new labs under your Azure Lab Accounts. Microsoft.Authorization/*/read
Microsoft.LabServices/labAccounts/*/read
Microsoft.LabServices/labAccounts/createLab/action
Microsoft.LabServices/labAccounts/getPricingAndAvailability/action
Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
73c42c96-874c-492b-b04d-ab87d138a893 Log Analytics Reader Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. */read
Microsoft.OperationalInsights/workspaces/analytics/query/action
Microsoft.OperationalInsights/workspaces/search/action
Microsoft.Support/*
Microsoft.OperationalInsights/workspaces/sharedKeys/read
92aaf0da-9dab-42b6-94a3-d43ce8d16293 Log Analytics Contributor Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. */read
Microsoft.Automation/automationAccounts/*
Microsoft.ClassicCompute/virtualMachines/extensions/*
Microsoft.ClassicStorage/storageAccounts/listKeys/action
Microsoft.Compute/virtualMachines/extensions/*
Microsoft.HybridCompute/machines/extensions/write
Microsoft.Insights/alertRules/*
Microsoft.Insights/diagnosticSettings/*
Microsoft.OperationalInsights/*
Microsoft.OperationsManagement/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourcegroups/deployments/*
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Support/*
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace, Deploy Log Analytics agent for Linux VMs, Deploy - Configure Log Analytics agent to be enabled on Windows virtual machines, Deploy Diagnostic Settings for Search Services to Log Analytics workspace, [Preview]: Deploy - Configure Windows machines to automatically install the Azure Security agent, Deploy - Configure Dependency agent to be enabled on Windows virtual machines, Deploy Diagnostic Settings for Event Hub to Log Analytics workspace, Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace, Configure Azure Activity logs to stream to specified Log Analytics workspace, Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace, Deploy - Configure Log Analytics agent to be enabled on Windows virtual machine scale sets, [Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs, Deploy Dependency agent for Linux virtual machines, Deploy Log Analytics agent for Linux virtual machine scale sets, [Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent, Configure Log Analytics agent on Azure Arc enabled Windows servers, Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace, Configure diagnostic settings for storage accounts to Log Analytics workspace, [Preview]: Configure Azure Arc enabled Kubernetes clusters to install Azure Defender's extension, Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard, Configure Azure SQL database servers diagnostic settings to Log Analytics workspace, Configure Dependency agent on Azure Arc enabled Windows servers, Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace, Configure Log Analytics agent on Azure Arc enabled Linux servers, Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM, Deploy - Configure 
diagnostic settings for SQL Databases to Log Analytics workspace, Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace, Deploy Diagnostic Settings for Key Vault to Log Analytics workspace, Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories., Deploy Diagnostic Settings for Batch Account to Log Analytics workspace, Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace, Configure Dependency agent on Azure Arc enabled Linux servers
515c2055-d9d4-4321-b1b9-bd0c9a0f79fe Logic App Operator Lets you read, enable and disable logic app. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*/read
Microsoft.Insights/metricAlerts/*/read
Microsoft.Insights/diagnosticSettings/*/read
Microsoft.Insights/metricDefinitions/*/read
Microsoft.Logic/*/read
Microsoft.Logic/workflows/disable/action
Microsoft.Logic/workflows/enable/action
Microsoft.Logic/workflows/validate/action
Microsoft.Resources/deployments/operations/read
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Web/connectionGateways/*/read
Microsoft.Web/connections/*/read
Microsoft.Web/customApis/*/read
Microsoft.Web/serverFarms/read
87a39d53-fc1b-424a-814c-f7e04687dc9e Logic App Contributor Lets you manage logic app, but not access to them. Microsoft.Authorization/*/read
Microsoft.ClassicStorage/storageAccounts/listKeys/action
Microsoft.ClassicStorage/storageAccounts/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/metricAlerts/*
Microsoft.Insights/diagnosticSettings/*
Microsoft.Insights/logdefinitions/*
Microsoft.Insights/metricDefinitions/*
Microsoft.Logic/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/read
Microsoft.Support/*
Microsoft.Web/connectionGateways/*
Microsoft.Web/connections/*
Microsoft.Web/customApis/*
Microsoft.Web/serverFarms/join/action
Microsoft.Web/serverFarms/read
Microsoft.Web/sites/functions/listSecrets/action
c7393b34-138c-406f-901b-d8cf2b17e6ae Managed Application Operator Role Lets you read and perform actions on Managed Application resources */read
Microsoft.Solutions/applications/read
Microsoft.Solutions/*/action
b9331d33-8a36-4f8c-b097-4f54124fdb44 Managed Applications Reader Lets you read resources in a managed app and request JIT access. */read
Microsoft.Resources/deployments/*
Microsoft.Solutions/jitRequests/*
f1a07417-d97a-45cb-824c-7a7467783830 Managed Identity Operator Read and Assign User Assigned Identity Microsoft.ManagedIdentity/userAssignedIdentities/*/read
Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Support/*
e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 Managed Identity Contributor Create, Read, Update, and Delete User Assigned Identity Microsoft.ManagedIdentity/userAssignedIdentities/read
Microsoft.ManagedIdentity/userAssignedIdentities/write
Microsoft.ManagedIdentity/userAssignedIdentities/delete
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Support/*
5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c Management Group Contributor Management Group Contributor Role Microsoft.Management/managementGroups/delete
Microsoft.Management/managementGroups/read
Microsoft.Management/managementGroups/subscriptions/delete
Microsoft.Management/managementGroups/subscriptions/write
Microsoft.Management/managementGroups/write
Microsoft.Management/managementGroups/subscriptions/read
ac63b705-f282-497d-ac71-919bf39d939d Management Group Reader Management Group Reader Role Microsoft.Management/managementGroups/read
Microsoft.Management/managementGroups/subscriptions/read
3913510d-42f4-4e42-8a64-420c390055eb Monitoring Metrics Publisher Enables publishing metrics against Azure resources Microsoft.Insights/Register/Action
Microsoft.Support/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Insights/Metrics/Write
43d0d8ad-25c7-4714-9337-8ba259a9fe05 Monitoring Reader Can read all monitoring data. */read
Microsoft.OperationalInsights/workspaces/search/action
Microsoft.Support/*
4d97b98b-1d4f-4787-a291-c67834d212e7 Network Contributor Lets you manage networks, but not access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Network/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Configure Azure File Sync to use private DNS zones, Configure Azure Web PubSub Service to use private DNS zones, Configure Azure Web PubSub Service with private endpoints, Configure Azure Synapse workspaces to use private DNS zones, Deploy - Configure Azure Event Grid domains with private endpoints, Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts, Configure Azure Automation accounts with private DNS zones, Deploy - Configure Azure Event Grid topics with private endpoints, Configure Azure Migrate resources to use private DNS zones, Configure Azure Machine Learning workspaces with private endpoints, Configure private DNS zones for private endpoints connected to App Configuration, Configure Service Bus namespaces with private endpoints, Configure private DNS zones for private endpoints that connect to Azure Data Factory, Configure Azure SQL Server to enable private endpoint connections, Configure Event Hub namespaces with private endpoints, [Preview]: Configure Azure Recovery Services vaults to use private DNS zones, Virtual networks should be protected by Azure DDoS Protection Standard, Configure Azure Cognitive Search services to disable public network access, [Preview]: Configure Azure Key Vaults with private endpoints, Configure Storage account to use a private link connection, Configure CosmosDB accounts to use private DNS zones, Deploy network watcher when virtual networks are created, [Preview]: Configure Azure Key Vaults to use private DNS zones, [Preview]: Configure Recovery Services vaults to use private DNS zones, Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service, Configure Azure Cognitive Search services with private endpoints, Deploy - Configure Azure Event Grid topics to use private DNS zones, Configure disk access resources to use private DNS zones, Deploy - Configure Azure IoT Hubs with private endpoints, Configure private endpoint connections on Azure Automation 
accounts, Configure Cognitive Services accounts to use private DNS zones, Deploy - Configure Azure IoT Hubs to use private DNS zones, Deploy - Configure Azure Event Grid domains to use private DNS zones, Configure Cognitive Services accounts with private endpoints, Configure Azure Cache for Redis to use private DNS zones, Configure Container registries to use private DNS zones, [Preview]: Configure private endpoints on Azure Recovery Services vaults, Configure Event Hub namespaces to use private DNS zones, Configure Azure Machine Learning workspace to use private DNS zones, Configure private endpoints to Azure SignalR Service, Configure Service Bus namespaces to use private DNS zones, Configure Azure Cognitive Search services to use private DNS zones
749f88d5-cbae-40b8-bcfc-e573ddc772fa Monitoring Contributor Can read all monitoring data and update monitoring settings. */read
Microsoft.AlertsManagement/alerts/*
Microsoft.AlertsManagement/alertsSummary/*
Microsoft.Insights/actiongroups/*
Microsoft.Insights/activityLogAlerts/*
Microsoft.Insights/AlertRules/*
Microsoft.Insights/components/*
Microsoft.Insights/dataCollectionRules/*
Microsoft.Insights/dataCollectionRuleAssociations/*
Microsoft.Insights/DiagnosticSettings/*
Microsoft.Insights/eventtypes/*
Microsoft.Insights/LogDefinitions/*
Microsoft.Insights/metricalerts/*
Microsoft.Insights/MetricDefinitions/*
Microsoft.Insights/Metrics/*
Microsoft.Insights/Register/Action
Microsoft.Insights/scheduledqueryrules/*
Microsoft.Insights/webtests/*
Microsoft.Insights/workbooks/*
Microsoft.Insights/privateLinkScopes/*
Microsoft.Insights/privateLinkScopeOperationStatuses/*
Microsoft.OperationalInsights/workspaces/write
Microsoft.OperationalInsights/workspaces/intelligencepacks/*
Microsoft.OperationalInsights/workspaces/savedSearches/*
Microsoft.OperationalInsights/workspaces/search/action
Microsoft.OperationalInsights/workspaces/sharedKeys/action
Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*
Microsoft.Support/*
Microsoft.WorkloadMonitor/monitors/*
Microsoft.AlertsManagement/smartDetectorAlertRules/*
Microsoft.AlertsManagement/actionRules/*
Microsoft.AlertsManagement/smartGroups/*
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace, Deploy Diagnostic Settings for Search Services to Log Analytics workspace, Deploy Diagnostic Settings for Event Hub to Log Analytics workspace, Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace, Configure Azure Activity logs to stream to specified Log Analytics workspace, Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace, Configure Association to link Linux virtual machines to Data Collection Rule, Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace, Configure diagnostic settings for storage accounts to Log Analytics workspace, Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace, Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM, Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace, Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace, Deploy Diagnostic Settings for Key Vault to Log Analytics workspace, Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories., Deploy Diagnostic Settings for Batch Account to Log Analytics workspace, Deploy Diagnostic Settings for Network Security Groups, Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace, Configure Association to link Windows virtual machines to Data Collection Rule
5d28c62d-5b37-4476-8438-e587778df237 New Relic APM Account Contributor Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
NewRelic.APM/accounts/*
8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Owner Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. *
Configure disaster recovery on virtual machines by enabling replication
acdd72a7-3385-48ef-bd42-f606fba81ae7 Reader View all resources, but does not allow you to make any changes. */read
e0f68234-74aa-48ed-b826-c38b57376e17 Redis Cache Contributor Lets you manage Redis caches, but not access to them. Microsoft.Authorization/*/read
Microsoft.Cache/register/action
Microsoft.Cache/redis/*
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Configure Azure Cache for Redis to disable public network access
c12c1c16-33a1-487b-954d-41c89c60f349 Reader and Data Access Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/ListAccountSas/action
Microsoft.Storage/storageAccounts/read
36243c78-bf99-498c-9df9-86d9f8d28608 Resource Policy Contributor Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. */read
Microsoft.Authorization/policyassignments/*
Microsoft.Authorization/policydefinitions/*
Microsoft.Authorization/policyexemptions/*
Microsoft.Authorization/policysetdefinitions/*
Microsoft.PolicyInsights/*
Microsoft.Support/*
188a0f2f-5c9e-469b-ae67-2aa5ce574b94 Scheduler Job Collections Contributor Lets you manage Scheduler job collections, but not access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Scheduler/jobcollections/*
Microsoft.Support/*
7ca78c08-252a-4471-8644-bb5ff32d4ba0 Search Service Contributor Lets you manage Search services, but not access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Search/searchServices/*
Microsoft.Support/*
Configure Azure Cognitive Search services to disable public network access, Configure Azure Cognitive Search services with private endpoints
fb1c8493-542b-48eb-b624-b4c8fea62acd Security Admin Security Admin Role Microsoft.Authorization/*/read
Microsoft.Authorization/policyAssignments/*
Microsoft.Authorization/policyDefinitions/*
Microsoft.Authorization/policyExemptions/*
Microsoft.Authorization/policySetDefinitions/*
Microsoft.Insights/alertRules/*
Microsoft.Management/managementGroups/read
Microsoft.operationalInsights/workspaces/*/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Security/*
Microsoft.Support/*
[Preview]: Configure machines to receive a vulnerability assessment agent, Deploy Advanced Threat Protection on storage accounts, Deploy - Configure suppression rules for Azure Security Center alerts, Enable Azure Security Center on your subscription, Deploy Advanced Threat Protection for Cosmos DB Accounts
e3d13bf0-dd5a-482e-ba6b-9b8433878d10 Security Manager (Legacy) This is a legacy role. Please use Security Administrator instead Microsoft.Authorization/*/read
Microsoft.ClassicCompute/*/read
Microsoft.ClassicCompute/virtualMachines/*/write
Microsoft.ClassicNetwork/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Security/*
Microsoft.Support/*
39bc4728-0917-49c7-9d2c-d95423bc2eb4 Security Reader Security Reader Role Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/read
Microsoft.operationalInsights/workspaces/*/read
Microsoft.Resources/deployments/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Security/*/read
Microsoft.Support/*/read
Microsoft.Security/iotDefenderSettings/packageDownloads/action
Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action
Microsoft.Security/iotSensors/downloadResetPassword/action
Microsoft.Management/managementGroups/read
8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 Spatial Anchors Account Contributor Lets you manage spatial anchors in your account, but not delete them Microsoft.MixedReality/SpatialAnchorsAccounts/create/action
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
Microsoft.MixedReality/SpatialAnchorsAccounts/write
6670b86e-a3f7-4917-ac9b-5d6ab1be4567 Site Recovery Contributor Lets you manage Site Recovery service except vault creation and role assignment Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Network/virtualNetworks/read
Microsoft.RecoveryServices/locations/allocatedStamp/read
Microsoft.RecoveryServices/locations/allocateStamp/action
Microsoft.RecoveryServices/Vaults/certificates/write
Microsoft.RecoveryServices/Vaults/extendedInformation/*
Microsoft.RecoveryServices/Vaults/read
Microsoft.RecoveryServices/Vaults/refreshContainers/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/*
Microsoft.RecoveryServices/vaults/replicationAlertSettings/*
Microsoft.RecoveryServices/vaults/replicationEvents/read
Microsoft.RecoveryServices/vaults/replicationFabrics/*
Microsoft.RecoveryServices/vaults/replicationJobs/*
Microsoft.RecoveryServices/vaults/replicationPolicies/*
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*
Microsoft.RecoveryServices/Vaults/storageConfig/*
Microsoft.RecoveryServices/Vaults/tokenInfo/read
Microsoft.RecoveryServices/Vaults/usages/read
Microsoft.RecoveryServices/Vaults/vaultTokens/read
Microsoft.RecoveryServices/Vaults/monitoringAlerts/*
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/read
Microsoft.RecoveryServices/vaults/replicationOperationStatus/read
Microsoft.Support/*
[Preview]: Configure private endpoints on Azure Recovery Services vaults
494ae006-db33-4328-bf46-533a6560a3ca Site Recovery Operator Lets you failover and failback but not perform other Site Recovery management operations Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Network/virtualNetworks/read
Microsoft.RecoveryServices/locations/allocatedStamp/read
Microsoft.RecoveryServices/locations/allocateStamp/action
Microsoft.RecoveryServices/Vaults/extendedInformation/read
Microsoft.RecoveryServices/Vaults/read
Microsoft.RecoveryServices/Vaults/refreshContainers/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/read
Microsoft.RecoveryServices/vaults/replicationAlertSettings/read
Microsoft.RecoveryServices/vaults/replicationEvents/read
Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action
Microsoft.RecoveryServices/vaults/replicationFabrics/read
Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action
Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read
Microsoft.RecoveryServices/vaults/replicationJobs/*
Microsoft.RecoveryServices/vaults/replicationPolicies/read
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action
Microsoft.RecoveryServices/Vaults/monitoringAlerts/*
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
Microsoft.RecoveryServices/Vaults/storageConfig/read
Microsoft.RecoveryServices/Vaults/tokenInfo/read
Microsoft.RecoveryServices/Vaults/usages/read
Microsoft.RecoveryServices/Vaults/vaultTokens/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/read
Microsoft.Support/*
5d51204f-eb77-4b1c-b86a-2ec626c49413 Spatial Anchors Account Reader Lets you locate and read properties of spatial anchors in your account Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
dbaa88c4-0c30-4179-9fb3-46319faa6149 Site Recovery Reader Lets you view Site Recovery status but not perform other management operations Microsoft.Authorization/*/read
Microsoft.RecoveryServices/locations/allocatedStamp/read
Microsoft.RecoveryServices/Vaults/extendedInformation/read
Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
Microsoft.RecoveryServices/Vaults/read
Microsoft.RecoveryServices/Vaults/refreshContainers/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
Microsoft.RecoveryServices/Vaults/registeredIdentities/read
Microsoft.RecoveryServices/vaults/replicationAlertSettings/read
Microsoft.RecoveryServices/vaults/replicationEvents/read
Microsoft.RecoveryServices/vaults/replicationFabrics/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read
Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read
Microsoft.RecoveryServices/vaults/replicationJobs/read
Microsoft.RecoveryServices/vaults/replicationPolicies/read
Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read
Microsoft.RecoveryServices/Vaults/storageConfig/read
Microsoft.RecoveryServices/Vaults/tokenInfo/read
Microsoft.RecoveryServices/Vaults/usages/read
Microsoft.RecoveryServices/Vaults/vaultTokens/read
Microsoft.Support/*
70bbe301-9835-447d-afdd-19eb3167307c Spatial Anchors Account Owner Lets you manage spatial anchors in your account, including deleting them Microsoft.MixedReality/SpatialAnchorsAccounts/create/action
Microsoft.MixedReality/SpatialAnchorsAccounts/delete
Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
Microsoft.MixedReality/SpatialAnchorsAccounts/write
4939a1f6-9ae0-4e48-a1e0-f2cbe897382d SQL Managed Instance Contributor Lets you manage SQL Managed Instances and required network configuration, but can’t give access to others. Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Network/networkSecurityGroups/*
Microsoft.Network/routeTables/*
Microsoft.Sql/locations/*/read
Microsoft.Sql/locations/instanceFailoverGroups/*
Microsoft.Sql/managedInstances/*
Microsoft.Support/*
Microsoft.Network/virtualNetworks/subnets/*
Microsoft.Network/virtualNetworks/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/metrics/read
Microsoft.Insights/metricDefinitions/read
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write
9b7fa17d-e63e-47b0-bb0a-15c516ac86ec SQL DB Contributor Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Sql/locations/*/read
Microsoft.Sql/servers/databases/*
Microsoft.Sql/servers/read
Microsoft.Support/*
Microsoft.Insights/metrics/read
Microsoft.Insights/metricDefinitions/read
Microsoft.Sql/servers/databases/ledgerDigestUploads/write
Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/auditingSettings/*
Microsoft.Sql/servers/databases/auditRecords/read
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/*
Microsoft.Sql/servers/databases/extendedAuditingSettings/*
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/securityAlertPolicies/*
Microsoft.Sql/servers/databases/securityMetrics/*
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/vulnerabilityAssessments/*
Deploy SQL DB transparent data encryption
056cd41c-7e88-42e1-933e-88ba6a50c9c3 SQL Security Manager Lets you manage the security-related policies of SQL servers and databases, but not access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Sql/locations/administratorAzureAsyncOperation/read
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/servers/auditingSettings/*
Microsoft.Sql/servers/extendedAuditingSettings/read
Microsoft.Sql/servers/databases/auditingSettings/*
Microsoft.Sql/servers/databases/auditRecords/read
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/*
Microsoft.Sql/servers/databases/extendedAuditingSettings/read
Microsoft.Sql/servers/databases/read
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/read
Microsoft.Sql/servers/databases/schemas/tables/columns/read
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/read
Microsoft.Sql/servers/databases/securityAlertPolicies/*
Microsoft.Sql/servers/databases/securityMetrics/*
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/transparentDataEncryption/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/devOpsAuditingSettings/*
Microsoft.Sql/servers/firewallRules/*
Microsoft.Sql/servers/read
Microsoft.Sql/servers/securityAlertPolicies/*
Microsoft.Sql/servers/vulnerabilityAssessments/*
Microsoft.Support/*
Microsoft.Sql/servers/azureADOnlyAuthentications/*
Microsoft.Sql/managedInstances/read
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*
Microsoft.Security/sqlVulnerabilityAssessments/*
Microsoft.Sql/managedInstances/administrators/read
Microsoft.Sql/servers/administrators/read
Deploy Threat Detection on SQL servers, Deploy Advanced Data Security on SQL servers, Configure Azure SQL database servers diagnostic settings to Log Analytics workspace, Configure Synapse workspaces to have auditing enabled, Configure SQL servers to have auditing enabled
17d1049b-9a84-46fb-8f53-869881c3d3ab Storage Account Contributor Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/diagnosticSettings/*
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/storageAccounts/*
Microsoft.Support/*
Deploy Advanced Data Security on SQL servers, Configure Storage account to use a private link connection, Configure Synapse workspaces to have auditing enabled, Deploy Diagnostic Settings for Network Security Groups, Configure SQL servers to have auditing enabled
6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 SQL Server Contributor Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Sql/locations/*/read
Microsoft.Sql/servers/*
Microsoft.Support/*
Microsoft.Insights/metrics/read
Microsoft.Insights/metricDefinitions/read
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
Microsoft.Sql/managedInstances/securityAlertPolicies/*
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
Microsoft.Sql/servers/auditingSettings/*
Microsoft.Sql/servers/databases/auditingSettings/*
Microsoft.Sql/servers/databases/auditRecords/read
Microsoft.Sql/servers/databases/currentSensitivityLabels/*
Microsoft.Sql/servers/databases/dataMaskingPolicies/*
Microsoft.Sql/servers/databases/extendedAuditingSettings/*
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
Microsoft.Sql/servers/databases/securityAlertPolicies/*
Microsoft.Sql/servers/databases/securityMetrics/*
Microsoft.Sql/servers/databases/sensitivityLabels/*
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
Microsoft.Sql/servers/devOpsAuditingSettings/*
Microsoft.Sql/servers/extendedAuditingSettings/*
Microsoft.Sql/servers/securityAlertPolicies/*
Microsoft.Sql/servers/vulnerabilityAssessments/*
Microsoft.Sql/servers/azureADOnlyAuthentications/delete
Microsoft.Sql/servers/azureADOnlyAuthentications/write
Configure Azure SQL Server to disable public network access, Configure Azure SQL Server to enable private endpoint connections
81a9662b-bebf-436f-a333-f67b29880f12 Storage Account Key Operator Service Role Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/regeneratekey/action
ba92f5b4-2d11-453d-a403-e96b0029c9fe Storage Blob Data Contributor Allows for read, write and delete access to Azure Storage blob containers and data Microsoft.Storage/storageAccounts/blobServices/containers/delete
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
b7e6dc6d-f1e8-4753-8033-0f276bb0955b Storage Blob Data Owner Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control. Microsoft.Storage/storageAccounts/blobServices/containers/*
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 Storage Blob Data Reader Allows for read access to Azure Storage blob containers and data Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
974c5e8b-45b9-4653-ba55-5f855dd0fb88 Storage Queue Data Contributor Allows for read, write, and delete access to Azure Storage queues and queue messages Microsoft.Storage/storageAccounts/queueServices/queues/delete
Microsoft.Storage/storageAccounts/queueServices/queues/read
Microsoft.Storage/storageAccounts/queueServices/queues/write
Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
Microsoft.Storage/storageAccounts/queueServices/queues/messages/write
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action
8a0f0c08-91a1-4084-bc3d-661d67233fed Storage Queue Data Message Processor Allows for peek, receive, and delete access to Azure Storage queue messages Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action
c6a89b2d-59bc-44d0-9896-0f6e12d7b80a Storage Queue Data Message Sender Allows for sending of Azure Storage queue messages Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action
19e7f393-937e-4f77-808e-94535e297925 Storage Queue Data Reader Allows for read access to Azure Storage queues and queue messages Microsoft.Storage/storageAccounts/queueServices/queues/read
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e Support Request Contributor Lets you create and manage Support requests Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 Traffic Manager Contributor Lets you manage Traffic Manager profiles, but does not let you control who has access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Network/trafficManagerProfiles/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
1c0163c0-47e6-4577-8991-ea5c82e286e4 Virtual Machine Administrator Login View Virtual Machines in the portal and login as administrator Microsoft.Network/publicIPAddresses/read
Microsoft.Network/virtualNetworks/read
Microsoft.Network/loadBalancers/read
Microsoft.Network/networkInterfaces/read
Microsoft.Compute/virtualMachines/*/read
Microsoft.Compute/virtualMachines/login/action
Microsoft.Compute/virtualMachines/loginAsAdmin/action
18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 User Access Administrator Lets you manage user access to Azure resources. */read
Microsoft.Authorization/*
Microsoft.Support/*
fb879df8-f326-4884-b1cf-06f3ad86be52 Virtual Machine User Login View Virtual Machines in the portal and login as a regular user. Microsoft.Network/publicIPAddresses/read
Microsoft.Network/virtualNetworks/read
Microsoft.Network/loadBalancers/read
Microsoft.Network/networkInterfaces/read
Microsoft.Compute/virtualMachines/*/read
Microsoft.Compute/virtualMachines/login/action
9980e02c-c2be-4d73-94e8-173b1dc7cf3c Virtual Machine Contributor Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/locations/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.Compute/disks/write
Microsoft.Compute/disks/read
Microsoft.Compute/disks/delete
Microsoft.DevTestLab/schedules/*
Microsoft.Insights/alertRules/*
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Microsoft.Network/loadBalancers/inboundNatPools/join/action
Microsoft.Network/loadBalancers/inboundNatRules/join/action
Microsoft.Network/loadBalancers/probes/join/action
Microsoft.Network/loadBalancers/read
Microsoft.Network/locations/*
Microsoft.Network/networkInterfaces/*
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.RecoveryServices/locations/*
Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write
Microsoft.RecoveryServices/Vaults/backupPolicies/read
Microsoft.RecoveryServices/Vaults/backupPolicies/write
Microsoft.RecoveryServices/Vaults/read
Microsoft.RecoveryServices/Vaults/usages/read
Microsoft.RecoveryServices/Vaults/write
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.SqlVirtualMachine/*
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/read
Microsoft.Support/*
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location, [ASC Private Preview] Configure system-assigned managed identity to enable Azure Monitor assignments on VMs, Deploy default Microsoft IaaSAntimalware extension for Windows Server, Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location, Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets, Deploy - Configure Log Analytics agent to be enabled on Windows virtual machine scale sets, [Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension, Deploy Log Analytics agent for Linux virtual machine scale sets, [Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension, Deploy Dependency agent for Linux virtual machine scale sets, [Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot, Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy, [Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot, Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy, [Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension, Configure Linux virtual machines with Azure Monitor Agent, [Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension, Configure Windows virtual machines with Azure Monitor Agent, [Preview]: Configure supported virtual machines to automatically enable vTPM
2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b Web Plan Contributor Lets you manage the web plans for websites, but not access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Web/serverFarms/*
Microsoft.Web/hostingEnvironments/Join/Action
de139f84-1756-47ae-9be6-808fbbe84772 Website Contributor Lets you manage websites (not web plans), but not access to them. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/components/*
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Web/certificates/*
Microsoft.Web/listSitesAssignedToHostName/read
Microsoft.Web/serverFarms/join/action
Microsoft.Web/serverFarms/read
Microsoft.Web/sites/*
090c5cfd-751d-490a-894a-3ce6f1109419 Azure Service Bus Data Owner Allows for full access to Azure Service Bus resources. Microsoft.ServiceBus/*
Microsoft.ServiceBus/*
Configure Service Bus namespaces with private endpoints
f526a384-b230-433a-b45c-95f59c4a2dec Azure Event Hubs Data Owner Allows for full access to Azure Event Hubs resources. Microsoft.EventHub/*
Microsoft.EventHub/*
Configure Event Hub namespaces with private endpoints
bbf86eb8-f7b4-4cce-96e4-18cddf81d86e Attestation Contributor Can read write or delete the attestation provider instance Microsoft.Attestation/attestationProviders/attestation/read
Microsoft.Attestation/attestationProviders/attestation/write
Microsoft.Attestation/attestationProviders/attestation/delete
61ed4efc-fab3-44fd-b111-e24485cc132a HDInsight Cluster Operator Lets you read and modify HDInsight cluster configurations. Microsoft.HDInsight/*/read
Microsoft.HDInsight/clusters/getGatewaySettings/action
Microsoft.HDInsight/clusters/updateGatewaySettings/action
Microsoft.HDInsight/clusters/configurations/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/operations/read
Microsoft.Insights/alertRules/*
Microsoft.Authorization/*/read
Microsoft.Support/*
230815da-be43-4aae-9cb4-875f7bd000aa Cosmos DB Operator Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. Microsoft.DocumentDb/databaseAccounts/*
Microsoft.Insights/alertRules/*
Microsoft.Authorization/*/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*
Microsoft.DocumentDB/databaseAccounts/regenerateKey/*
Microsoft.DocumentDB/databaseAccounts/listKeys/*
Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write
Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete
48b40c6e-82e0-4eb3-90d5-19e40f49b624 Hybrid Server Resource Administrator Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. Microsoft.HybridCompute/machines/*
Microsoft.HybridCompute/*/read
5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb Hybrid Server Onboarding Can onboard new Hybrid servers to the Hybrid Resource Provider. Microsoft.HybridCompute/machines/read
Microsoft.HybridCompute/machines/write
a638d3c7-ab3a-418d-83e6-5f17a39d4fde Azure Event Hubs Data Receiver Allows receive access to Azure Event Hubs resources. Microsoft.EventHub/*/eventhubs/consumergroups/read
Microsoft.EventHub/*/receive/action
2b629674-e913-4c01-ae53-ef4638d8f975 Azure Event Hubs Data Sender Allows send access to Azure Event Hubs resources. Microsoft.EventHub/*/eventhubs/read
Microsoft.EventHub/*/send/action
4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 Azure Service Bus Data Receiver Allows for receive access to Azure Service Bus resources. Microsoft.ServiceBus/*/queues/read
Microsoft.ServiceBus/*/topics/read
Microsoft.ServiceBus/*/topics/subscriptions/read
Microsoft.ServiceBus/*/receive/action
69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 Azure Service Bus Data Sender Allows for send access to Azure Service Bus resources. Microsoft.ServiceBus/*/queues/read
Microsoft.ServiceBus/*/topics/read
Microsoft.ServiceBus/*/topics/subscriptions/read
Microsoft.ServiceBus/*/send/action
aba4ae5f-2193-4029-9191-0cb91df5e314 Storage File Data SMB Share Reader Allows for read access to Azure File Share over SMB Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb Storage File Data SMB Share Contributor Allows for read, write, and delete access in Azure Storage file shares over SMB Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete
b12aa53e-6015-4669-85d0-8515ebb3ae7f Private DNS Zone Contributor Lets you manage private DNS zone resources, but not the virtual networks they are linked to. Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Network/privateDnsZones/*
Microsoft.Network/privateDnsOperationResults/*
Microsoft.Network/privateDnsOperationStatuses/*
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/join/action
Microsoft.Authorization/*/read
Configure Azure File Sync to use private DNS zones
db58b8e5-c6ad-4a2a-8342-4190687cbf4a Storage Blob Delegator Allows for generation of a user delegation key which can be used to sign SAS tokens Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 Desktop Virtualization User Allows user to use the applications in an application group. Microsoft.DesktopVirtualization/applicationGroups/useApplications/action
a7264617-510b-434b-a828-9731dc254ea7 Storage File Data SMB Share Elevated Contributor Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete
Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action
41077137-e803-4205-871c-5a86e6a753b4 Blueprint Contributor Can manage blueprint definitions, but not assign them. Microsoft.Authorization/*/read
Microsoft.Blueprint/blueprints/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Support/*
437d2ced-4a38-4302-8479-ed2bcb43d090 Blueprint Operator Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. Microsoft.Authorization/*/read
Microsoft.Blueprint/blueprintAssignments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Support/*
ab8e14d6-4a74-4a29-9ba8-549422addade Azure Sentinel Contributor Azure Sentinel Contributor Microsoft.SecurityInsights/*
Microsoft.OperationalInsights/workspaces/analytics/query/action
Microsoft.OperationalInsights/workspaces/*/read
Microsoft.OperationalInsights/workspaces/savedSearches/*
Microsoft.OperationsManagement/solutions/read
Microsoft.OperationalInsights/workspaces/query/read
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read
Microsoft.Insights/workbooks/*
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
3e150937-b8fe-4cfb-8069-0eaf05ecd056 Azure Sentinel Responder Azure Sentinel Responder Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action
Microsoft.SecurityInsights/automationRules/*
Microsoft.SecurityInsights/cases/*
Microsoft.SecurityInsights/incidents/*
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action
Microsoft.SecurityInsights/threatIntelligence/bulkTag/action
Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action
Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action
Microsoft.OperationalInsights/workspaces/analytics/query/action
Microsoft.OperationalInsights/workspaces/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read
Microsoft.OperationalInsights/workspaces/savedSearches/read
Microsoft.OperationsManagement/solutions/read
Microsoft.OperationalInsights/workspaces/query/read
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read
Microsoft.Insights/workbooks/read
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.SecurityInsights/cases/*/Delete
Microsoft.SecurityInsights/incidents/*/Delete
8d289c81-5878-46d4-8554-54e1e3d8b5cb Azure Sentinel Reader Azure Sentinel Reader Microsoft.SecurityInsights/*/read
Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action
Microsoft.SecurityInsights/threatIntelligence/indicators/query/action
Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action
Microsoft.OperationalInsights/workspaces/analytics/query/action
Microsoft.OperationalInsights/workspaces/*/read
Microsoft.OperationalInsights/workspaces/LinkedServices/read
Microsoft.OperationalInsights/workspaces/savedSearches/read
Microsoft.OperationsManagement/solutions/read
Microsoft.OperationalInsights/workspaces/query/read
Microsoft.OperationalInsights/workspaces/query/*/read
Microsoft.OperationalInsights/workspaces/dataSources/read
Microsoft.Insights/workbooks/read
Microsoft.Insights/myworkbooks/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
b279062a-9be3-42a0-92ae-8b3cf002ec4d Workbook Reader Can read workbooks. microsoft.insights/workbooks/read
e8ddcd69-c73f-4f9f-9844-4100522f16ad Workbook Contributor Can save shared workbooks. Microsoft.Insights/workbooks/write
Microsoft.Insights/workbooks/delete
Microsoft.Insights/workbooks/read
66bb4e9e-b016-4a94-8249-4c0511c2be84 Policy Insights Data Writer (Preview) Allows read access to resource policies and write access to resource component policy events. Microsoft.Authorization/policyassignments/read
Microsoft.Authorization/policydefinitions/read
Microsoft.Authorization/policyexemptions/read
Microsoft.Authorization/policysetdefinitions/read
Microsoft.PolicyInsights/checkDataPolicyCompliance/action
Microsoft.PolicyInsights/policyEvents/logDataEvents/action
04165923-9d83-45d5-8227-78b77b0a687e SignalR AccessKey Reader Read SignalR Service Access Keys Microsoft.SignalRService/*/read
Microsoft.SignalRService/SignalR/listkeys/action
Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 SignalR Contributor Create, Read, Update, and Delete SignalR service resources Microsoft.SignalRService/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Support/*
Configure Azure Web PubSub Service with private endpoints, Configure Azure Web PubSub Service to disable public network access, Modify Azure SignalR Service resources to disable public network access, Configure private endpoints to Azure SignalR Service
b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 Azure Connected Machine Onboarding Can onboard Azure Connected Machines. Microsoft.HybridCompute/machines/read
Microsoft.HybridCompute/machines/write
Microsoft.HybridCompute/privateLinkScopes/read
Microsoft.GuestConfiguration/guestConfigurationAssignments/read
cd570a14-e51a-42ad-bac8-bafd67325302 Azure Connected Machine Resource Administrator Can read, write, delete and re-onboard Azure Connected Machines. Microsoft.HybridCompute/machines/read
Microsoft.HybridCompute/machines/write
Microsoft.HybridCompute/machines/delete
Microsoft.HybridCompute/machines/UpgradeExtensions/action
Microsoft.HybridCompute/machines/extensions/read
Microsoft.HybridCompute/machines/extensions/write
Microsoft.HybridCompute/machines/extensions/delete
Microsoft.HybridCompute/privateLinkScopes/*
Microsoft.HybridCompute/*/read
91c1777a-f3dc-4fae-b103-61d183457e46 Managed Services Registration assignment Delete Role Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. Microsoft.ManagedServices/registrationAssignments/read
Microsoft.ManagedServices/registrationAssignments/delete
Microsoft.ManagedServices/operationStatuses/read
5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b App Configuration Data Owner Allows full access to App Configuration data. Microsoft.AppConfiguration/configurationStores/*/read
Microsoft.AppConfiguration/configurationStores/*/write
Microsoft.AppConfiguration/configurationStores/*/delete
516239f1-63e1-4d78-a4de-a74fb236a071 App Configuration Data Reader Allows read access to App Configuration data. Microsoft.AppConfiguration/configurationStores/*/read
34e09817-6cbe-4d01-b1a2-e0eac5743d41 Kubernetes Cluster - Azure Arc Onboarding Role definition to authorize any user/service to create connectedClusters resource Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Kubernetes/connectedClusters/Write
Microsoft.Kubernetes/connectedClusters/read
Microsoft.Support/*
7f646f1b-fa08-80eb-a22b-edd6ce5c915c Experimentation Contributor Experimentation Contributor Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Experimentation/experimentWorkspaces/read
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action
Microsoft.Experimentation/experimentWorkspaces/read
Microsoft.Experimentation/experimentWorkspaces/write
Microsoft.Experimentation/experimentWorkspaces/delete
466ccd10-b268-4a11-b098-b4849f024126 Cognitive Services QnA Maker Reader Lets you read and test a KB only. Microsoft.CognitiveServices/*/read
Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleDefinitions/read
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read
f4cc2bf9-21be-47a1-bdf1-5c5804381025 Cognitive Services QnA Maker Editor Lets you create, edit, import and export a KB. You cannot publish or delete a KB. Microsoft.CognitiveServices/*/read
Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleDefinitions/read
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read
Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read
Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read
Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write
Microsoft.CognitiveServices/accounts/QnAMaker/operations/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action
Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read
Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write
Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write
Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read
7f646f1b-fa08-80eb-a33b-edd6ce5c915c Experimentation Administrator Experimentation Administrator Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Experimentation/experimentWorkspaces/read
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/action
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action
Microsoft.Experimentation/experimentWorkspaces/read
Microsoft.Experimentation/experimentWorkspaces/write
Microsoft.Experimentation/experimentWorkspaces/delete
Microsoft.Experimentation/experimentWorkspaces/admin/action
Microsoft.Experimentation/experimentWorkspaces/metricwrite/action
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action
3df8b902-2a6f-47c7-8cc5-360e9b272a7e Remote Rendering Administrator Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering Microsoft.MixedReality/RemoteRenderingAccounts/convert/action
Microsoft.MixedReality/RemoteRenderingAccounts/convert/read
Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete
Microsoft.MixedReality/RemoteRenderingAccounts/render/read
Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read
d39065c4-c120-43c9-ab0a-63eed9795f0a Remote Rendering Client Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action
Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete
Microsoft.MixedReality/RemoteRenderingAccounts/render/read
Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read
641177b8-a67a-45b9-a033-47bc880bb21e Managed Application Contributor Role Allows for creating managed application resources. */read
Microsoft.Solutions/applications/*
Microsoft.Solutions/register/action
Microsoft.Resources/subscriptions/resourceGroups/*
Microsoft.Resources/deployments/*
612c2aa1-cb24-443b-ac28-3ab7272de6f5 Security Assessment Contributor Lets you push assessments to Security Center Microsoft.Security/assessments/write
4a9ae827-6dc8-4573-8ac7-8239d42aa03f Tag Contributor Lets you manage tags on entities, without providing access to the entities themselves. Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourceGroups/resources/read
Microsoft.Resources/subscriptions/resources/read
Microsoft.Resources/deployments/*
Microsoft.Insights/alertRules/*
Microsoft.Support/*
Microsoft.Resources/tags/*
Add or replace a tag on subscriptions, Add a tag to subscriptions
c7aa55d3-1abb-444a-a5ca-5e51e485d6ec Integration Service Environment Developer Allows developers to create and update workflows, integration accounts and API connections in integration service environments. Microsoft.Authorization/*/read
Microsoft.Support/*
Microsoft.Logic/integrationServiceEnvironments/read
Microsoft.Logic/integrationServiceEnvironments/*/join/action
a41e2c5b-bd99-4a07-88f4-9bf657a760b8 Integration Service Environment Contributor Lets you manage integration service environments, but not access to them. Microsoft.Authorization/*/read
Microsoft.Support/*
Microsoft.Logic/integrationServiceEnvironments/*
ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 Azure Kubernetes Service Contributor Role Grants access to read and write Azure Kubernetes Service clusters Microsoft.ContainerService/managedClusters/read
Microsoft.ContainerService/managedClusters/write
Microsoft.Resources/deployments/*
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
d57506d4-4c8d-48b1-8587-93c323f6a5a3 Azure Digital Twins Data Reader Read-only role for Digital Twins data-plane properties Microsoft.DigitalTwins/digitaltwins/read
Microsoft.DigitalTwins/digitaltwins/relationships/read
Microsoft.DigitalTwins/eventroutes/read
Microsoft.DigitalTwins/models/read
Microsoft.DigitalTwins/query/action
bcd981a7-7f74-457b-83e1-cceb9e632ffe Azure Digital Twins Data Owner Full access role for Digital Twins data-plane Microsoft.DigitalTwins/eventroutes/*
Microsoft.DigitalTwins/digitaltwins/*
Microsoft.DigitalTwins/digitaltwins/commands/*
Microsoft.DigitalTwins/digitaltwins/relationships/*
Microsoft.DigitalTwins/models/*
Microsoft.DigitalTwins/query/*
350f8d15-c687-4448-8ae1-157740a3936d Hierarchy Settings Administrator Allows users to edit and delete Hierarchy Settings Microsoft.Management/managementGroups/settings/write
Microsoft.Management/managementGroups/settings/delete
5a1fc7df-4bf1-4951-a576-89034ee01acd FHIR Data Contributor Role allows user or principal full access to FHIR Data Microsoft.HealthcareApis/services/fhir/resources/*
3db33094-8700-4567-8da5-1501d4e7e843 FHIR Data Exporter Role allows user or principal to read and export FHIR Data Microsoft.HealthcareApis/services/fhir/resources/read
Microsoft.HealthcareApis/services/fhir/resources/export/action
4c8d0bbc-75d3-4935-991f-5f3c56d81508 FHIR Data Reader Role allows user or principal to read FHIR Data Microsoft.HealthcareApis/services/fhir/resources/read
3f88fce4-5892-4214-ae73-ba5294559913 FHIR Data Writer Role allows user or principal to read and write FHIR Data Microsoft.HealthcareApis/services/fhir/resources/*
Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action
49632ef5-d9ac-41f4-b8e7-bbe587fa74a1 Experimentation Reader Experimentation Reader Microsoft.Experimentation/experimentWorkspaces/read
Microsoft.Experimentation/experimentWorkspaces/read
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
4dd61c23-6743-42fe-a388-d8bdd41cb745 Object Understanding Account Owner Provides user with ingestion capabilities for Azure Object Understanding. Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/action
Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read
8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 Azure Maps Data Contributor Grants access to read, write, and delete access to map related data from an Azure maps account. Microsoft.Maps/accounts/*/read
Microsoft.Maps/accounts/*/write
Microsoft.Maps/accounts/*/delete
c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 Cognitive Services Custom Vision Contributor Full access to the project, including the ability to view, create, edit, or delete projects. Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/CustomVision/*
5c4089e1-6d96-4d2f-b296-c1bc7137275f Cognitive Services Custom Vision Deployment Publish, unpublish or export models. Deployment can view the project but can’t update. Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/CustomVision/*/read
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*
Microsoft.CognitiveServices/accounts/CustomVision/classify/*
Microsoft.CognitiveServices/accounts/CustomVision/detect/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
88424f51-ebe7-446f-bc41-7fa16989e96c Cognitive Services Custom Vision Labeler View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can’t update anything other than training images and tags. Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/CustomVision/*/read
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action
Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
93586559-c37d-4a6b-ba08-b9f0940c2d73 Cognitive Services Custom Vision Reader Read-only actions in the project. Readers can’t create or update the project. Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/CustomVision/*/read
Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
0a5ae4ab-0d65-4eeb-be61-29fc9b54394b Cognitive Services Custom Vision Trainer View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can’t create or delete the project. Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/CustomVision/*
Microsoft.CognitiveServices/accounts/CustomVision/projects/action
Microsoft.CognitiveServices/accounts/CustomVision/projects/delete
Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
00482a5a-887f-4fb3-b363-3b7fe8e74483 Key Vault Administrator Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.KeyVault/checkNameAvailability/read
Microsoft.KeyVault/deletedVaults/read
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read
Microsoft.KeyVault/vaults/*
14b46e9e-c2b7-41b4-b07b-48a6ebf60603 Key Vault Crypto Officer Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.KeyVault/checkNameAvailability/read
Microsoft.KeyVault/deletedVaults/read
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read
Microsoft.KeyVault/vaults/keys/*
12338af0-0e69-4776-bea7-57ae8d297424 Key Vault Crypto User Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/keys/update/action
Microsoft.KeyVault/vaults/keys/backup/action
Microsoft.KeyVault/vaults/keys/encrypt/action
Microsoft.KeyVault/vaults/keys/decrypt/action
Microsoft.KeyVault/vaults/keys/wrap/action
Microsoft.KeyVault/vaults/keys/unwrap/action
Microsoft.KeyVault/vaults/keys/sign/action
Microsoft.KeyVault/vaults/keys/verify/action
b86a8fe4-44ce-4948-aee5-eccb2c155cd7 Key Vault Secrets Officer Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.KeyVault/checkNameAvailability/read
Microsoft.KeyVault/deletedVaults/read
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read
Microsoft.KeyVault/vaults/secrets/*
4633458b-17de-408a-b874-0445c86b69e6 Key Vault Secrets User Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. Microsoft.KeyVault/vaults/secrets/getSecret/action
Microsoft.KeyVault/vaults/secrets/readMetadata/action
a4417e6f-fecd-4de8-b567-7b0420556985 Key Vault Certificates Officer Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.KeyVault/checkNameAvailability/read
Microsoft.KeyVault/deletedVaults/read
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read
Microsoft.KeyVault/vaults/certificatecas/*
Microsoft.KeyVault/vaults/certificates/*
21090545-7ca7-4776-b22c-e363652d74d2 Key Vault Reader Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.KeyVault/checkNameAvailability/read
Microsoft.KeyVault/deletedVaults/read
Microsoft.KeyVault/locations/*/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/operations/read
Microsoft.KeyVault/vaults/*/read
Microsoft.KeyVault/vaults/secrets/readMetadata/action
e147488a-f6f5-4113-8e2d-b22465e65bf6 Key Vault Crypto Service Encryption User Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. Microsoft.EventGrid/eventSubscriptions/write
Microsoft.EventGrid/eventSubscriptions/read
Microsoft.EventGrid/eventSubscriptions/delete
Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/keys/wrap/action
Microsoft.KeyVault/vaults/keys/unwrap/action
63f0a09d-1495-4db4-a681-037d84835eb4 Azure Arc Kubernetes Viewer Lets you view all resources in cluster/namespace, except secrets. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read
Microsoft.Kubernetes/connectedClusters/apps/deployments/read
Microsoft.Kubernetes/connectedClusters/apps/replicasets/read
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read
Microsoft.Kubernetes/connectedClusters/batch/jobs/read
Microsoft.Kubernetes/connectedClusters/configmaps/read
Microsoft.Kubernetes/connectedClusters/endpoints/read
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
Microsoft.Kubernetes/connectedClusters/events/read
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read
Microsoft.Kubernetes/connectedClusters/extensions/deployments/read
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read
Microsoft.Kubernetes/connectedClusters/limitranges/read
Microsoft.Kubernetes/connectedClusters/namespaces/read
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read
Microsoft.Kubernetes/connectedClusters/pods/read
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read
Microsoft.Kubernetes/connectedClusters/resourcequotas/read
Microsoft.Kubernetes/connectedClusters/serviceaccounts/read
Microsoft.Kubernetes/connectedClusters/services/read
5b999177-9696-4545-85c7-50de3797e5a1 Azure Arc Kubernetes Writer Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
Microsoft.Kubernetes/connectedClusters/events/read
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read
Microsoft.Kubernetes/connectedClusters/namespaces/read
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
8393591c-06b9-48a2-a542-1bd6b377f6a2 Azure Arc Kubernetes Cluster Admin Lets you manage all resources in the cluster. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Kubernetes/connectedClusters/*
dffb1e0c-446f-4dde-a09f-99eb5cc68b96 Azure Arc Kubernetes Admin Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
Microsoft.Kubernetes/connectedClusters/apps/deployments/*
Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write
Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
Microsoft.Kubernetes/connectedClusters/batch/jobs/*
Microsoft.Kubernetes/connectedClusters/configmaps/*
Microsoft.Kubernetes/connectedClusters/endpoints/*
Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
Microsoft.Kubernetes/connectedClusters/events/read
Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
Microsoft.Kubernetes/connectedClusters/limitranges/read
Microsoft.Kubernetes/connectedClusters/namespaces/read
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
Microsoft.Kubernetes/connectedClusters/pods/*
Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
Microsoft.Kubernetes/connectedClusters/resourcequotas/read
Microsoft.Kubernetes/connectedClusters/secrets/*
Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
Microsoft.Kubernetes/connectedClusters/services/*
b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b Azure Kubernetes Service RBAC Cluster Admin Lets you manage all resources in the cluster. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
Microsoft.ContainerService/managedClusters/*
3498e952-d568-435e-9b2c-8d77e338d7f7 Azure Kubernetes Service RBAC Admin Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
Microsoft.ContainerService/managedClusters/*
Microsoft.ContainerService/managedClusters/resourcequotas/write
Microsoft.ContainerService/managedClusters/resourcequotas/delete
Microsoft.ContainerService/managedClusters/namespaces/write
Microsoft.ContainerService/managedClusters/namespaces/delete
7f6c6a51-bcf8-42ba-9220-52d62157d7db Azure Kubernetes Service RBAC Reader Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read
Microsoft.ContainerService/managedClusters/apps/daemonsets/read
Microsoft.ContainerService/managedClusters/apps/deployments/read
Microsoft.ContainerService/managedClusters/apps/replicasets/read
Microsoft.ContainerService/managedClusters/apps/statefulsets/read
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read
Microsoft.ContainerService/managedClusters/batch/cronjobs/read
Microsoft.ContainerService/managedClusters/batch/jobs/read
Microsoft.ContainerService/managedClusters/configmaps/read
Microsoft.ContainerService/managedClusters/endpoints/read
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read
Microsoft.ContainerService/managedClusters/events/read
Microsoft.ContainerService/managedClusters/extensions/daemonsets/read
Microsoft.ContainerService/managedClusters/extensions/deployments/read
Microsoft.ContainerService/managedClusters/extensions/ingresses/read
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read
Microsoft.ContainerService/managedClusters/extensions/replicasets/read
Microsoft.ContainerService/managedClusters/limitranges/read
Microsoft.ContainerService/managedClusters/namespaces/read
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read
Microsoft.ContainerService/managedClusters/pods/read
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read
Microsoft.ContainerService/managedClusters/replicationcontrollers/read
Microsoft.ContainerService/managedClusters/replicationcontrollers/read
Microsoft.ContainerService/managedClusters/resourcequotas/read
Microsoft.ContainerService/managedClusters/serviceaccounts/read
Microsoft.ContainerService/managedClusters/services/read
a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb Azure Kubernetes Service RBAC Writer Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read
Microsoft.ContainerService/managedClusters/apps/daemonsets/*
Microsoft.ContainerService/managedClusters/apps/deployments/*
Microsoft.ContainerService/managedClusters/apps/replicasets/*
Microsoft.ContainerService/managedClusters/apps/statefulsets/*
Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
Microsoft.ContainerService/managedClusters/batch/cronjobs/*
Microsoft.ContainerService/managedClusters/batch/jobs/*
Microsoft.ContainerService/managedClusters/configmaps/*
Microsoft.ContainerService/managedClusters/endpoints/*
Microsoft.ContainerService/managedClusters/events.k8s.io/events/read
Microsoft.ContainerService/managedClusters/events/read
Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
Microsoft.ContainerService/managedClusters/extensions/deployments/*
Microsoft.ContainerService/managedClusters/extensions/ingresses/*
Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
Microsoft.ContainerService/managedClusters/extensions/replicasets/*
Microsoft.ContainerService/managedClusters/limitranges/read
Microsoft.ContainerService/managedClusters/namespaces/read
Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
Microsoft.ContainerService/managedClusters/pods/*
Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/replicationcontrollers/*
Microsoft.ContainerService/managedClusters/resourcequotas/read
Microsoft.ContainerService/managedClusters/secrets/*
Microsoft.ContainerService/managedClusters/serviceaccounts/*
Microsoft.ContainerService/managedClusters/services/*
82200a5b-e217-47a5-b665-6d8765ee745b Services Hub Operator Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.ServicesHub/connectors/write
Microsoft.ServicesHub/connectors/read
Microsoft.ServicesHub/connectors/delete
Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action
Microsoft.ServicesHub/supportOfferingEntitlement/read
Microsoft.ServicesHub/workspaces/read
d18777c0-1514-4662-8490-608db7d334b6 Object Understanding Account Reader Lets you read ingestion jobs for an object understanding account. Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read
00493d72-78f6-4148-b6c5-d3ce8e4799dd Azure Arc Enabled Kubernetes Cluster User Role List cluster user credentials action. Microsoft.Resources/deployments/write
Microsoft.Resources/subscriptions/operationresults/read
Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*
420fcaa2-552c-430f-98ca-3264be4806c7 SignalR App Server (Preview) Lets your app server access SignalR Service with AAD auth options. Microsoft.SignalRService/SignalR/auth/accessKey/action
Microsoft.SignalRService/SignalR/serverConnection/write
fd53cd77-2268-407a-8f46-7e7863d0f521 SignalR Serverless Contributor (Preview) Lets your app access service in serverless mode with AAD auth options. Microsoft.SignalRService/SignalR/auth/clientToken/action
daa9e50b-21df-454c-94a6-a8050adab352 Collaborative Data Contributor Can manage data packages of a collaborative. Microsoft.IndustryDataLifecycle/custodianCollaboratives/*/read
Microsoft.IndustryDataLifecycle/memberCollaboratives/*/read
Microsoft.IndustryDataLifecycle/locations/dataPackages/*
Microsoft.IndustryDataLifecycle/custodianCollaboratives/receivedDataPackages/*
Microsoft.IndustryDataLifecycle/custodianCollaboratives/rejectDataPackage/action
Microsoft.IndustryDataLifecycle/memberCollaboratives/sharedDataPackages/*
Microsoft.IndustryDataLifecycle/custodianCollaboratives/dataModels/*
Microsoft.IndustryDataLifecycle/custodianCollaboratives/auditLogs/action
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f Device Update Reader Gives you read access to management and content operations, but does not allow making changes Microsoft.Authorization/*/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Insights/alertRules/*
Microsoft.DeviceUpdate/accounts/instances/updates/read
Microsoft.DeviceUpdate/accounts/instances/management/read
02ca0879-e8e4-47a5-a61e-5c618b76e64a Device Update Administrator Gives you full access to management and content operations Microsoft.Authorization/*/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Insights/alertRules/*
Microsoft.DeviceUpdate/accounts/instances/updates/read
Microsoft.DeviceUpdate/accounts/instances/updates/write
Microsoft.DeviceUpdate/accounts/instances/updates/delete
Microsoft.DeviceUpdate/accounts/instances/management/read
Microsoft.DeviceUpdate/accounts/instances/management/write
Microsoft.DeviceUpdate/accounts/instances/management/delete
0378884a-3af5-44ab-8323-f5b22f9f3c98 Device Update Content Administrator Gives you full access to content operations Microsoft.Authorization/*/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Insights/alertRules/*
Microsoft.DeviceUpdate/accounts/instances/updates/read
Microsoft.DeviceUpdate/accounts/instances/updates/write
Microsoft.DeviceUpdate/accounts/instances/updates/delete
e4237640-0e3d-4a46-8fda-70bc94856432 Device Update Deployments Administrator Gives you full access to management operations Microsoft.Authorization/*/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Insights/alertRules/*
Microsoft.DeviceUpdate/accounts/instances/management/read
Microsoft.DeviceUpdate/accounts/instances/management/write
Microsoft.DeviceUpdate/accounts/instances/management/delete
49e2f5d2-7741-4835-8efa-19e1fe35e47f Device Update Deployments Reader Gives you read access to management operations, but does not allow making changes Microsoft.Authorization/*/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Insights/alertRules/*
Microsoft.DeviceUpdate/accounts/instances/management/read
d1ee9a80-8b14-47f0-bdc2-f4a351625a7b Device Update Content Reader Gives you read access to content operations, but does not allow making changes Microsoft.Authorization/*/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Microsoft.Insights/alertRules/*
Microsoft.DeviceUpdate/accounts/instances/updates/read
cb43c632-a144-4ec5-977c-e80c4affc34a Cognitive Services Metrics Advisor Administrator Full access to the project, including the system level configuration. Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
3b20f47b-3825-43cb-8114-4bd2201156a8 Cognitive Services Metrics Advisor User Access to the project. Microsoft.CognitiveServices/*/read
Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/*
2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 Schema Registry Reader (Preview) Read and list Schema Registry groups and schemas. Microsoft.EventHub/namespaces/schemagroups/read
Microsoft.EventHub/namespaces/schemas/read
5dffeca3-4936-4216-b2bc-10343a5abb25 Schema Registry Contributor (Preview) Read, write, and delete Schema Registry groups and schemas. Microsoft.EventHub/namespaces/schemagroups/*
Microsoft.EventHub/namespaces/schemas/*
7ec7ccdc-f61e-41fe-9aaf-980df0a44eba AgFood Platform Service Reader Provides read access to AgFood Platform Service Microsoft.AgFoodPlatform/*/read
8508508a-4469-4e45-963b-2518ee0bb728 AgFood Platform Service Contributor Provides contribute access to AgFood Platform Service Microsoft.AgFoodPlatform/*/action
Microsoft.AgFoodPlatform/*/read
Microsoft.AgFoodPlatform/*/write
Microsoft.AgFoodPlatform/farmers/write
f8da80de-1ff9-4747-ad80-a19b7f6079e3 AgFood Platform Service Admin Provides admin access to AgFood Platform Service Microsoft.AgFoodPlatform/*
18500a29-7fe2-46b2-a342-b16a415e101d Managed HSM contributor Lets you manage managed HSM pools, but not access to them. Microsoft.KeyVault/managedHSMs/*
0b555d9b-b4a7-4f43-b330-627f0e5be8f0 Security Detonation Chamber Submitter Allowed to create submissions to Security Detonation Chamber Microsoft.SecurityDetonation/chambers/submissions/delete
Microsoft.SecurityDetonation/chambers/submissions/write
Microsoft.SecurityDetonation/chambers/submissions/read
Microsoft.SecurityDetonation/chambers/submissions/files/read
Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read
Microsoft.SecurityDetonation/chambers/platforms/metadata/read
Microsoft.SecurityDetonation/chambers/workflows/metadata/read
Microsoft.SecurityDetonation/chambers/toolsets/metadata/read
ddde6b66-c0df-4114-a159-3618637b3035 SignalR Service Reader (Preview) Read-only access to Azure SignalR Service REST APIs Microsoft.SignalRService/SignalR/group/read
Microsoft.SignalRService/SignalR/clientConnection/read
Microsoft.SignalRService/SignalR/user/read
7e4f1700-ea5a-4f59-8f37-079cfe29dce3 SignalR Service Owner (Preview) Full access to Azure SignalR Service REST APIs Microsoft.SignalRService/SignalR/auth/accessKey/action
Microsoft.SignalRService/SignalR/auth/clientToken/action
Microsoft.SignalRService/SignalR/hub/send/action
Microsoft.SignalRService/SignalR/group/send/action
Microsoft.SignalRService/SignalR/group/read
Microsoft.SignalRService/SignalR/group/write
Microsoft.SignalRService/SignalR/clientConnection/send/action
Microsoft.SignalRService/SignalR/clientConnection/read
Microsoft.SignalRService/SignalR/clientConnection/write
Microsoft.SignalRService/SignalR/user/send/action
Microsoft.SignalRService/SignalR/user/read
Microsoft.SignalRService/SignalR/user/write
f7b75c60-3036-4b75-91c3-6b41c27c1689 Reservation Purchaser Lets you purchase reservations Microsoft.Resources/subscriptions/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Capacity/register/action
Microsoft.Compute/register/action
Microsoft.SQL/register/action
Microsoft.Consumption/register/action
Microsoft.Capacity/catalogs/read
Microsoft.Authorization/roleAssignments/read
Microsoft.Consumption/reservationRecommendations/read
Microsoft.Support/supporttickets/write
635dd51f-9968-44d3-b7fb-6d9a6bd613ae AzureML Metrics Writer (preview) Lets you write metrics to AzureML workspace Microsoft.MachineLearningServices/workspaces/metrics/*/write
e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 Storage Account Backup Contributor Role Storage Account Backup Contributors are allowed to perform backup and restore of Storage Account. Microsoft.Authorization/*/read
Microsoft.Authorization/locks/read
Microsoft.Authorization/locks/write
Microsoft.Authorization/locks/delete
Microsoft.Features/features/read
Microsoft.Features/providers/features/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Storage/operations/read
Microsoft.Storage/storageAccounts/blobServices/containers/read
Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Storage/storageAccounts/blobServices/write
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/restoreBlobRanges/action
6188b7c9-7d01-4f99-a59f-c88b630326c0 Experimentation Metric Contributor Allows for creation, writes and reads to the metric set via the metrics service APIs. Microsoft.Experimentation/experimentWorkspaces/read
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action
Microsoft.Experimentation/experimentWorkspaces/metricwrite/action
Microsoft.Experimentation/experimentWorkspaces/read
9ef4ef9c-a049-46b0-82ab-dd8ac094c889 Project Babylon Data Curator The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. Microsoft.ProjectBabylon/accounts/read
Microsoft.ProjectBabylon/accounts/data/read
Microsoft.ProjectBabylon/accounts/data/write
c8d896ba-346d-4f50-bc1d-7d1c84130446 Project Babylon Data Reader The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change. Microsoft.ProjectBabylon/accounts/read
Microsoft.ProjectBabylon/accounts/data/read
05b7651b-dc44-475e-b74d-df3db49fae0f Project Babylon Data Source Administrator The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change. Microsoft.ProjectBabylon/accounts/read
Microsoft.ProjectBabylon/accounts/scan/read
Microsoft.ProjectBabylon/accounts/scan/write
8a3c2885-9b38-4fd2-9d99-91af537c1347 Purview Data Curator The Microsoft.Purview data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. Microsoft.Purview/accounts/read
Microsoft.Purview/accounts/data/read
Microsoft.Purview/accounts/data/write
ff100721-1b9d-43d8-af52-42b69c1272db Purview Data Reader The Microsoft.Purview data reader can read catalog data objects. This role is in preview and subject to change. Microsoft.Purview/accounts/read
Microsoft.Purview/accounts/data/read
200bba9e-f0c8-430f-892b-6f0794863803 Purview Data Source Administrator The Microsoft.Purview data source administrator can manage data sources and data scans. This role is in preview and subject to change. Microsoft.Purview/accounts/read
Microsoft.Purview/accounts/scan/read
Microsoft.Purview/accounts/scan/write
ca6382a4-1721-4bcf-a114-ff0c70227b6b Application Group Contributor Contributor of the Application Group. Microsoft.DesktopVirtualization/applicationgroups/*
Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
Microsoft.DesktopVirtualization/workspaces/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*
49a72310-ab8d-41df-bbb0-79b649203868 Desktop Virtualization Reader Reader of Desktop Virtualization. Microsoft.DesktopVirtualization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/read
Microsoft.Support/*
082f0a83-3be5-4ba1-904c-961cca79b387 Desktop Virtualization Contributor Contributor of Desktop Virtualization. Microsoft.DesktopVirtualization/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*
21efdde3-836f-432b-bf3d-3e8e734d4b2b Desktop Virtualization Workspace Contributor Contributor of the Desktop Virtualization Workspace. Microsoft.DesktopVirtualization/workspaces/*
Microsoft.DesktopVirtualization/applicationgroups/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*
ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 Desktop Virtualization User Session Operator Operator of the Desktop Virtualization User Session. Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*
2ad6aaab-ead9-4eaa-8ac5-da422f562408 Desktop Virtualization Session Host Operator Operator of the Desktop Virtualization Session Host. Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*
ceadfde2-b300-400a-ab7b-6143895aa822 Desktop Virtualization Host Pool Reader Reader of the Desktop Virtualization Host Pool. Microsoft.DesktopVirtualization/hostpools/*/read
Microsoft.DesktopVirtualization/hostpools/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/read
Microsoft.Support/*
e307426c-f9b6-4e81-87de-d99efb3c32bc Desktop Virtualization Host Pool Contributor Contributor of the Desktop Virtualization Host Pool. Microsoft.DesktopVirtualization/hostpools/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*
aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 Desktop Virtualization Application Group Reader Reader of the Desktop Virtualization Application Group. Microsoft.DesktopVirtualization/applicationgroups/*/read
Microsoft.DesktopVirtualization/applicationgroups/read
Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/read
Microsoft.Support/*
86240b0e-9422-4c43-887b-b61143f32ba8 Desktop Virtualization Application Group Contributor Contributor of the Desktop Virtualization Application Group. Microsoft.DesktopVirtualization/applicationgroups/*
Microsoft.DesktopVirtualization/hostpools/read
Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Support/*
0fa44ee9-7a7d-466b-9bb2-2bf446b1204d Desktop Virtualization Workspace Reader Reader of the Desktop Virtualization Workspace. Microsoft.DesktopVirtualization/workspaces/read
Microsoft.DesktopVirtualization/applicationgroups/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/deployments/read
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/read
Microsoft.Support/*
3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 Disk Backup Reader Provides permission to backup vault to perform disk backup. Microsoft.Authorization/*/read
Microsoft.Compute/disks/read
Microsoft.Compute/disks/beginGetAccess/action
b8b15564-4fa6-4a59-ab12-03e1d9594795 Autonomous Development Platform Data Contributor (Preview) Grants permissions to upload and manage new Autonomous Development Platform measurements. Microsoft.AutonomousDevelopmentPlatform/accounts/*/read
Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/discoveries/*
Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/uploads/*
Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/*
Microsoft.AutonomousDevelopmentPlatform/accounts/measurementCollections/*
Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/changeState/action
d63b75f7-47ea-4f27-92ac-e0d173aaf093 Autonomous Development Platform Data Reader (Preview) Grants read access to Autonomous Development Platform data. Microsoft.AutonomousDevelopmentPlatform/accounts/*/read
Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.AutonomousDevelopmentPlatform/accounts/*/read
27f8b550-c507-4db9-86f2-f4b8e816d59d Autonomous Development Platform Data Owner (Preview) Grants full access to Autonomous Development Platform data. Microsoft.AutonomousDevelopmentPlatform/accounts/*/read
Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.AutonomousDevelopmentPlatform/accounts/*
b50d9833-a0cb-478e-945f-707fcc997c13 Disk Restore Operator Provides permission to backup vault to perform disk restore. Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Compute/disks/write
Microsoft.Compute/disks/read
7efff54f-a5b4-42b5-a1c5-5411624893ce Disk Snapshot Contributor Provides permission to backup vault to manage disk snapshots. Microsoft.Authorization/*/read
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Compute/snapshots/delete
Microsoft.Compute/snapshots/write
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/beginGetAccess/action
Microsoft.Compute/snapshots/endGetAccess/action
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/write
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/delete
5548b2cf-c94c-4228-90ba-30851930a12f Microsoft.Kubernetes connected cluster role Microsoft.Kubernetes connected cluster role. Microsoft.Kubernetes/connectedClusters/read
Microsoft.Kubernetes/connectedClusters/write
Microsoft.Kubernetes/connectedClusters/delete
Microsoft.Kubernetes/registeredSubscriptions/read
a37b566d-3efa-4beb-a2f2-698963fa42ce Security Detonation Chamber Submission Manager Allowed to create and manage submissions to Security Detonation Chamber Microsoft.SecurityDetonation/chambers/submissions/delete
Microsoft.SecurityDetonation/chambers/submissions/write
Microsoft.SecurityDetonation/chambers/submissions/read
Microsoft.SecurityDetonation/chambers/submissions/files/read
Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read
Microsoft.SecurityDetonation/chambers/submissions/adminview/read
Microsoft.SecurityDetonation/chambers/submissions/analystview/read
Microsoft.SecurityDetonation/chambers/submissions/publicview/read
Microsoft.SecurityDetonation/chambers/platforms/metadata/read
Microsoft.SecurityDetonation/chambers/workflows/metadata/read
Microsoft.SecurityDetonation/chambers/toolsets/metadata/read
352470b3-6a9c-4686-b503-35deb827e500 Security Detonation Chamber Publisher Allowed to publish and modify platforms, workflows and toolsets to Security Detonation Chamber Microsoft.SecurityDetonation/chambers/platforms/read
Microsoft.SecurityDetonation/chambers/platforms/write
Microsoft.SecurityDetonation/chambers/platforms/delete
Microsoft.SecurityDetonation/chambers/platforms/metadata/read
Microsoft.SecurityDetonation/chambers/workflows/read
Microsoft.SecurityDetonation/chambers/workflows/write
Microsoft.SecurityDetonation/chambers/workflows/delete
Microsoft.SecurityDetonation/chambers/workflows/metadata/read
Microsoft.SecurityDetonation/chambers/toolsets/read
Microsoft.SecurityDetonation/chambers/toolsets/write
Microsoft.SecurityDetonation/chambers/toolsets/delete
Microsoft.SecurityDetonation/chambers/toolsets/metadata/read
Microsoft.SecurityDetonation/chambers/publishRequests/read
Microsoft.SecurityDetonation/chambers/publishRequests/cancel/action
7a6f0e70-c033-4fb1-828c-08514e5f4102 Collaborative Runtime Operator Can manage resources created by AICS at runtime Microsoft.IndustryDataLifecycle/derivedModels/*
Microsoft.IndustryDataLifecycle/pipelineSets/*
Microsoft.IndustryDataLifecycle/modelMappings/*
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
5432c526-bc82-444a-b7ba-57c5b0b5b34f CosmosRestoreOperator Can perform restore action for Cosmos DB database account with continuous backup mode Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read
Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read
a1705bd2-3a8f-45a5-8683-466fcfd5cc24 FHIR Data Converter Role allows user or principal to convert data from legacy format to FHIR Microsoft.HealthcareApis/services/fhir/resources/convertData/action
f4c81013-99ee-4d62-a7ee-b3f1f648599a Azure Sentinel Automation Contributor Azure Sentinel Automation Contributor Microsoft.Authorization/*/read
Microsoft.Logic/workflows/triggers/read
Microsoft.Logic/workflows/triggers/listCallbackUrl/action
Microsoft.Logic/workflows/runs/read
0e5f05e5-9ab9-446b-b98d-1e2157c94125 Quota Request Operator Read and create quota requests, get quota request status, and create support tickets. Microsoft.Capacity/resourceProviders/locations/serviceLimits/read
Microsoft.Capacity/resourceProviders/locations/serviceLimits/write
Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read
Microsoft.Capacity/register/action
Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
1e241071-0855-49ea-94dc-649edcd759de EventGrid Contributor Lets you manage EventGrid operations. Microsoft.Authorization/*/read
Microsoft.EventGrid/*
Microsoft.Insights/alertRules/*
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Support/*
Modify - Configure Azure Event Grid topics to disable public network access, Deploy - Configure Azure Event Grid domains with private endpoints, Deploy - Configure Azure Event Grid topics with private endpoints, Modify - Configure Azure Event Grid domains to disable public network access
28241645-39f8-410b-ad48-87863e2951d5 Security Detonation Chamber Reader Allowed to query submission info and files from Security Detonation Chamber Microsoft.SecurityDetonation/chambers/submissions/read
Microsoft.SecurityDetonation/chambers/submissions/files/read
4a167cdf-cb95-4554-9203-2347fe489bd9 Object Anchors Account Reader Lets you read ingestion jobs for an object anchors account. Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read
ca0835dd-bacc-42dd-8ed2-ed5e7230d15b Object Anchors Account Owner Provides user with ingestion capabilities for an object anchors account. Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/action
Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read
d17ce0a2-0697-43bc-aac5-9113337ab61c WorkloadBuilder Migration Agent Role WorkloadBuilder Migration Agent Role. Microsoft.WorkloadBuilder/migrationAgents/Read
Microsoft.WorkloadBuilder/migrationAgents/Write
12cf5a90-567b-43ae-8102-96cf46c7d9b4 Web PubSub Service Owner (Preview) Full access to Azure Web PubSub Service REST APIs Microsoft.SignalRService/WebPubSub/clientConnection/read
Microsoft.SignalRService/WebPubSub/clientConnection/send/action
Microsoft.SignalRService/WebPubSub/clientConnection/write
Microsoft.SignalRService/WebPubSub/group/read
Microsoft.SignalRService/WebPubSub/group/send/action
Microsoft.SignalRService/WebPubSub/group/write
Microsoft.SignalRService/WebPubSub/hub/send/action
Microsoft.SignalRService/WebPubSub/user/read
Microsoft.SignalRService/WebPubSub/user/send/action
bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf Web PubSub Service Reader (Preview) Read-only access to Azure Web PubSub Service REST APIs Microsoft.SignalRService/WebPubSub/clientConnection/read
Microsoft.SignalRService/WebPubSub/group/read
Microsoft.SignalRService/WebPubSub/user/read
b5537268-8956-4941-a8f0-646150406f0c Azure Spring Cloud Data Reader Allow read access to Azure Spring Cloud Data Microsoft.AppPlatform/Spring/*/read
f2dc8367-1007-4938-bd23-fe263f013447 Cognitive Services Speech User This is a role that can create, read, change and delete batch transcriptions, do real time transcriptions and list or get other speech resources. Microsoft.CognitiveServices/accounts/SpeechServices/*/read
Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write
Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete
Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read
Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action
0e75ca1e-0464-4b4d-8b93-68208a576181 Cognitive Services Speech Contributor This is a role that can read, write and delete all speech resources. Microsoft.CognitiveServices/accounts/SpeechServices/*
9894cab4-e18a-44aa-828b-cb588cd6f2d7 Cognitive Services Face Recognizer Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. Microsoft.CognitiveServices/accounts/Face/detect/action
Microsoft.CognitiveServices/accounts/Face/verify/action
Microsoft.CognitiveServices/accounts/Face/identify/action
Microsoft.CognitiveServices/accounts/Face/group/action
Microsoft.CognitiveServices/accounts/Face/findsimilars/action
054126f8-9a2b-4f1c-a9ad-eca461f08466 Media Services Account Administrator Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/metrics/read
Microsoft.Insights/metricDefinitions/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/listStreamingLocators/action
Microsoft.Media/mediaservices/streamingLocators/listPaths/action
Microsoft.Media/mediaservices/write
Microsoft.Media/mediaservices/delete
Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action
Microsoft.Media/mediaservices/privateEndpointConnections/*
532bc159-b25e-42c0-969e-a1d439f60d77 Media Services Live Events Administrator Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/metrics/read
Microsoft.Insights/metricDefinitions/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/*
Microsoft.Media/mediaservices/assets/assetfilters/*
Microsoft.Media/mediaservices/streamingLocators/*
Microsoft.Media/mediaservices/liveEvents/*
Microsoft.Media/mediaservices/assets/getEncryptionKey/action
Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action
e4395492-1534-4db2-bedf-88c14621589c Media Services Media Operator Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/metrics/read
Microsoft.Insights/metricDefinitions/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/*
Microsoft.Media/mediaservices/assets/assetfilters/*
Microsoft.Media/mediaservices/streamingLocators/*
Microsoft.Media/mediaservices/transforms/jobs/*
Microsoft.Media/mediaservices/assets/getEncryptionKey/action
Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action
c4bba371-dacd-4a26-b320-7250bca963ae Media Services Policy Administrator Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/metrics/read
Microsoft.Insights/metricDefinitions/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/listStreamingLocators/action
Microsoft.Media/mediaservices/streamingLocators/listPaths/action
Microsoft.Media/mediaservices/accountFilters/*
Microsoft.Media/mediaservices/streamingPolicies/*
Microsoft.Media/mediaservices/contentKeyPolicies/*
Microsoft.Media/mediaservices/transforms/*
Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action
99dba123-b5fe-44d5-874c-ced7199a5804 Media Services Streaming Endpoints Administrator Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. Microsoft.Authorization/*/read
Microsoft.Insights/alertRules/*
Microsoft.Insights/metrics/read
Microsoft.Insights/metricDefinitions/read
Microsoft.Resources/deployments/*
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.ResourceHealth/availabilityStatuses/read
Microsoft.Media/mediaservices/*/read
Microsoft.Media/mediaservices/assets/listStreamingLocators/action
Microsoft.Media/mediaservices/streamingLocators/listPaths/action
Microsoft.Media/mediaservices/streamingEndpoints/*
1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf Stream Analytics Query Tester Lets you perform query testing without creating a stream analytics job first Microsoft.StreamAnalytics/locations/TestQuery/action
a2138dac-4907-4679-a376-736901ed8ad8 AnyBuild Builder Basic user role for AnyBuild. This role allows listing of agent information and execution of remote build capabilities. Microsoft.AnyBuild/clusters/build/write
Microsoft.AnyBuild/clusters/build/read
b447c946-2db7-41ec-983d-d8bf3b1c77e3 IoT Hub Data Reader Allows for full read access to IoT Hub data-plane properties Microsoft.Devices/IotHubs/*/read
Microsoft.Devices/IotHubs/fileUpload/notifications/action
494bdba2-168f-4f31-a0a1-191d2f7c028c IoT Hub Twin Contributor Allows for read and write access to all IoT Hub device and module twins. Microsoft.Devices/IotHubs/twins/*
4ea46cd5-c1b2-4a8e-910b-273211f9ce47 IoT Hub Registry Contributor Allows for full access to IoT Hub device registry. Microsoft.Devices/IotHubs/devices/*
4fc6c259-987e-4a07-842e-c321cc9d413f IoT Hub Data Contributor Allows for full access to IoT Hub data plane operations. Microsoft.Devices/IotHubs/*
15e0f5a1-3450-4248-8e25-e2afe88a9e85 Test Base Reader Lets you view and download packages and test results. Microsoft.TestBase/testBaseAccounts/packages/testResults/getDownloadUrl/action
Microsoft.TestBase/testBaseAccounts/packages/testResults/getVideoDownloadUrl/action
Microsoft.TestBase/testBaseAccounts/packages/getDownloadUrl/action
Microsoft.TestBase/*/read
1407120a-92aa-4202-b7e9-c0e197c71c8f Search Index Data Reader Grants read access to Azure Cognitive Search index data. Microsoft.Search/searchServices/indexes/documents/read
8ebe5a00-799e-43f5-93ac-243d3dce84a7 Search Index Data Contributor Grants full access to Azure Cognitive Search index data. Microsoft.Search/searchServices/indexes/documents/*
76199698-9eea-4c19-bc75-cec21354c6b6 Storage Table Data Reader Allows for read access to Azure Storage tables and entities Microsoft.Storage/storageAccounts/tableServices/tables/read
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read
0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 Storage Table Data Contributor Allows for read, write and delete access to Azure Storage tables and entities Microsoft.Storage/storageAccounts/tableServices/tables/read
Microsoft.Storage/storageAccounts/tableServices/tables/write
Microsoft.Storage/storageAccounts/tableServices/tables/delete
Microsoft.Storage/storageAccounts/tableServices/tables/entities/read
Microsoft.Storage/storageAccounts/tableServices/tables/entities/write
Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete
Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action
Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action