| Id | Name | Description | Actions | NotActions | DataActions | NotDataActions | Used in Policy |
|---|---|---|---|---|---|---|---|
| 8311e382-0749-4cb8-b61a-304f252e45ec | AcrPush | acr push | Microsoft.ContainerRegistry/registries/pull/read Microsoft.ContainerRegistry/registries/push/write |
none | |||
| 312a565d-c81f-4fd8-895a-4e21e48d571c | API Management Service Contributor | Can manage service and the APIs | Microsoft.ApiManagement/service/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 7f951dda-4ed3-4680-a7ca-43fe172d538d | AcrPull | acr pull | Microsoft.ContainerRegistry/registries/pull/read |
none | |||
| 6cef56e8-d556-48e5-a04f-b8e64114680f | AcrImageSigner | acr image signer | Microsoft.ContainerRegistry/registries/sign/write |
none | |||
| c2f4ef07-c644-48eb-af81-4b1b4947fb11 | AcrDelete | acr delete | Microsoft.ContainerRegistry/registries/artifacts/delete |
none | |||
| cdda3590-29a3-44f6-95f2-9f980659eb04 | AcrQuarantineReader | acr quarantine data reader | Microsoft.ContainerRegistry/registries/quarantine/read |
none | |||
| c8d4ff99-41c3-41a8-9f60-21dfdad59608 | AcrQuarantineWriter | acr quarantine data writer | Microsoft.ContainerRegistry/registries/quarantine/read Microsoft.ContainerRegistry/registries/quarantine/write |
none | |||
| e022efe7-f5ba-4159-bbe4-b44f577e9b61 | API Management Service Operator Role | Can manage service but not the APIs | Microsoft.ApiManagement/service/*/read Microsoft.ApiManagement/service/backup/action Microsoft.ApiManagement/service/delete Microsoft.ApiManagement/service/managedeployments/action Microsoft.ApiManagement/service/read Microsoft.ApiManagement/service/restore/action Microsoft.ApiManagement/service/updatecertificate/action Microsoft.ApiManagement/service/updatehostname/action Microsoft.ApiManagement/service/write Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
Microsoft.ApiManagement/service/users/keys/read |
none | ||
| 71522526-b88f-4d52-b57f-d31fc3546d0d | API Management Service Reader Role | Read-only access to service and APIs | Microsoft.ApiManagement/service/*/read Microsoft.ApiManagement/service/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
Microsoft.ApiManagement/service/users/keys/read |
none | ||
| ae349356-3a1b-4a5e-921d-050484c6347e | Application Insights Component Contributor | Can manage Application Insights components | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Insights/metricAlerts/* Microsoft.Insights/components/* Microsoft.Insights/webtests/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 08954f03-6346-4c2e-81c0-ec3a5cfae23b | Application Insights Snapshot Debugger | Gives user permission to use Application Insights Snapshot Debugger features | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Insights/components/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| fd1bd22b-8476-40bc-a0bc-69b95687b9f3 | Attestation Reader | Can read the attestation provider properties | Microsoft.Attestation/attestationProviders/attestation/read |
none | |||
| 4fe576fe-1146-4730-92eb-48519fa6bf9f | Automation Job Operator | Create and Manage Jobs using Automation Runbooks. | Microsoft.Authorization/*/read Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read Microsoft.Automation/automationAccounts/jobs/read Microsoft.Automation/automationAccounts/jobs/resume/action Microsoft.Automation/automationAccounts/jobs/stop/action Microsoft.Automation/automationAccounts/jobs/streams/read Microsoft.Automation/automationAccounts/jobs/suspend/action Microsoft.Automation/automationAccounts/jobs/write Microsoft.Automation/automationAccounts/jobs/output/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 | Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. | Microsoft.Authorization/*/read Microsoft.Automation/automationAccounts/runbooks/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| d3881f73-407a-4167-8283-e981cbba0404 | Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs | Microsoft.Authorization/*/read Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read Microsoft.Automation/automationAccounts/jobs/read Microsoft.Automation/automationAccounts/jobs/resume/action Microsoft.Automation/automationAccounts/jobs/stop/action Microsoft.Automation/automationAccounts/jobs/streams/read Microsoft.Automation/automationAccounts/jobs/suspend/action Microsoft.Automation/automationAccounts/jobs/write Microsoft.Automation/automationAccounts/jobSchedules/read Microsoft.Automation/automationAccounts/jobSchedules/write Microsoft.Automation/automationAccounts/linkedWorkspace/read Microsoft.Automation/automationAccounts/read Microsoft.Automation/automationAccounts/runbooks/read Microsoft.Automation/automationAccounts/schedules/read Microsoft.Automation/automationAccounts/schedules/write Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Automation/automationAccounts/jobs/output/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 4f8fab4f-1852-4a58-a46a-8eaf358af14a | Avere Contributor | Can create and manage an Avere vFXT cluster. | Microsoft.Authorization/*/read Microsoft.Compute/*/read Microsoft.Compute/availabilitySets/* Microsoft.Compute/proximityPlacementGroups/* Microsoft.Compute/virtualMachines/* Microsoft.Compute/disks/* Microsoft.Network/*/read Microsoft.Network/networkInterfaces/* Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Microsoft.Network/networkSecurityGroups/join/action Microsoft.Resources/deployments/* Microsoft.Insights/alertRules/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/*/read Microsoft.Storage/storageAccounts/* Microsoft.Support/* Microsoft.Resources/subscriptions/resourceGroups/resources/read |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
none | ||
| c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | Avere Operator | Used by the Avere vFXT cluster to manage the cluster | Microsoft.Compute/virtualMachines/read Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/write Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Network/networkSecurityGroups/join/action Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/blobServices/containers/delete Microsoft.Storage/storageAccounts/blobServices/containers/read Microsoft.Storage/storageAccounts/blobServices/containers/write |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
none | ||
| 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 | Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action |
none | |||
| 4abbcc35-e782-43d8-92c5-2d3f1bd2253f | Azure Kubernetes Service Cluster User Role | List cluster user credential action. | Microsoft.ContainerService/managedClusters/listClusterUserCredential/action |
none | |||
| 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | Azure Maps Data Reader | Grants access to read map related data from an Azure maps account. | Microsoft.Maps/accounts/*/read |
none | |||
| 6f12a6df-dd06-4f3e-bcb1-ce8be600526a | Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | Microsoft.AzureStack/registrations/products/*/action Microsoft.AzureStack/registrations/products/read Microsoft.AzureStack/registrations/read |
none | |||
| 5e467623-bb1f-42f4-a55d-6e525e11384b | Backup Contributor | Lets you manage backup service,but can't create vaults and give access to others | Microsoft.Authorization/*/read Microsoft.Network/virtualNetworks/read Microsoft.RecoveryServices/locations/* Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Microsoft.RecoveryServices/Vaults/backupJobs/* Microsoft.RecoveryServices/Vaults/backupJobsExport/action Microsoft.RecoveryServices/Vaults/backupOperationResults/* Microsoft.RecoveryServices/Vaults/backupPolicies/* Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Microsoft.RecoveryServices/Vaults/backupProtectedItems/* Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Microsoft.RecoveryServices/Vaults/certificates/* Microsoft.RecoveryServices/Vaults/extendedInformation/* Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/* Microsoft.RecoveryServices/Vaults/usages/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/read Microsoft.RecoveryServices/Vaults/backupstorageconfig/* Microsoft.RecoveryServices/Vaults/backupconfig/* Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Microsoft.RecoveryServices/Vaults/write Microsoft.RecoveryServices/Vaults/backupOperations/read Microsoft.RecoveryServices/Vaults/backupEngines/read Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Microsoft.RecoveryServices/locations/backupStatus/action Microsoft.RecoveryServices/locations/backupPreValidateProtection/action Microsoft.RecoveryServices/locations/backupValidateFeatures/action Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Microsoft.RecoveryServices/operations/read Microsoft.RecoveryServices/locations/operationStatus/read Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read Microsoft.Support/* |
Configure backup on VMs of a location to an existing central Vault in the same location |
|||
| fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 | Billing Reader | Allows read access to billing data | Microsoft.Authorization/*/read Microsoft.Billing/*/read Microsoft.Commerce/*/read Microsoft.Consumption/*/read Microsoft.Management/managementGroups/read Microsoft.CostManagement/*/read Microsoft.Support/* |
none | |||
| 00c29273-979b-4161-815c-10b084fb9324 | Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others | Microsoft.Authorization/*/read Microsoft.Network/virtualNetworks/read Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Microsoft.RecoveryServices/Vaults/backupJobs/* Microsoft.RecoveryServices/Vaults/backupJobsExport/action Microsoft.RecoveryServices/Vaults/backupOperationResults/* Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Microsoft.RecoveryServices/Vaults/backupPolicies/read Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Microsoft.RecoveryServices/Vaults/certificates/write Microsoft.RecoveryServices/Vaults/extendedInformation/read Microsoft.RecoveryServices/Vaults/extendedInformation/write Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/read Microsoft.RecoveryServices/Vaults/registeredIdentities/write Microsoft.RecoveryServices/Vaults/usages/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/read Microsoft.RecoveryServices/Vaults/backupstorageconfig/* Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Microsoft.RecoveryServices/Vaults/backupOperations/read Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action Microsoft.RecoveryServices/Vaults/backupEngines/read Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Microsoft.RecoveryServices/locations/backupStatus/action Microsoft.RecoveryServices/locations/backupPreValidateProtection/action Microsoft.RecoveryServices/locations/backupValidateFeatures/action Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Microsoft.RecoveryServices/operations/read Microsoft.RecoveryServices/locations/operationStatus/read Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read Microsoft.Support/* |
none | |||
| a795c7a0-d4a2-40c1-ae25-d81f01202912 | Backup Reader | Can view backup services, but can't make changes | Microsoft.Authorization/*/read Microsoft.RecoveryServices/locations/allocatedStamp/read Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read Microsoft.RecoveryServices/Vaults/backupJobs/read Microsoft.RecoveryServices/Vaults/backupJobsExport/action Microsoft.RecoveryServices/Vaults/backupOperationResults/read Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Microsoft.RecoveryServices/Vaults/backupPolicies/read Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Microsoft.RecoveryServices/Vaults/extendedInformation/read Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/read Microsoft.RecoveryServices/Vaults/backupstorageconfig/read Microsoft.RecoveryServices/Vaults/backupconfig/read Microsoft.RecoveryServices/Vaults/backupOperations/read Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Microsoft.RecoveryServices/Vaults/backupEngines/read Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Microsoft.RecoveryServices/locations/backupStatus/action Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Microsoft.RecoveryServices/operations/read Microsoft.RecoveryServices/locations/operationStatus/read Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/locations/backupValidateFeatures/action |
none | |||
| 31a002a1-acaf-453e-8a5b-297c9ca1ea24 | Blockchain Member Node Access (Preview) | Allows for access to Blockchain Member nodes | Microsoft.Blockchain/blockchainMembers/transactionNodes/read |
Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action |
none | ||
| 5e3c6656-6cfa-4708-81fe-0de47ac73342 | BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | Microsoft.Authorization/*/read Microsoft.BizTalkServices/BizTalk/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 | CDN Endpoint Contributor | Can manage CDN endpoints, but can’t grant access to other users. | Microsoft.Authorization/*/read Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/endpoints/* Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 871e35f6-b5c1-49cc-a043-bde969a0f2cd | CDN Endpoint Reader | Can view CDN endpoints, but can’t make changes. | Microsoft.Authorization/*/read Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/endpoints/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| ec156ff8-a8d1-4d15-830c-5b80698ca432 | CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can’t grant access to other users. | Microsoft.Authorization/*/read Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/* Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 8f96442b-4075-438f-813d-ad51ab4019af | CDN Profile Reader | Can view CDN profiles and their endpoints, but can’t make changes. | Microsoft.Authorization/*/read Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| b34d265f-36f7-4a0d-a4d4-e158ca92e90f | Classic Network Contributor | Lets you manage classic networks, but not access to them. | Microsoft.Authorization/*/read Microsoft.ClassicNetwork/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | Microsoft.Authorization/*/read Microsoft.ClassicStorage/storageAccounts/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 985d6b00-f706-48f5-a6fe-d0ca12fb668d | Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | Microsoft.ClassicStorage/storageAccounts/listkeys/action Microsoft.ClassicStorage/storageAccounts/regeneratekey/action |
none | |||
| 9106cda0-8a86-4e81-b686-29a22c54effe | ClearDB MySQL DB Contributor | Lets you manage ClearDB MySQL databases, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* successbricks.cleardb/databases/* |
none | |||
| d73bb868-a0df-4d4d-bd69-98a00b01fccb | Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to. | Microsoft.Authorization/*/read Microsoft.ClassicCompute/domainNames/* Microsoft.ClassicCompute/virtualMachines/* Microsoft.ClassicNetwork/networkSecurityGroups/join/action Microsoft.ClassicNetwork/reservedIps/link/action Microsoft.ClassicNetwork/reservedIps/read Microsoft.ClassicNetwork/virtualNetworks/join/action Microsoft.ClassicNetwork/virtualNetworks/read Microsoft.ClassicStorage/storageAccounts/disks/read Microsoft.ClassicStorage/storageAccounts/images/read Microsoft.ClassicStorage/storageAccounts/listKeys/action Microsoft.ClassicStorage/storageAccounts/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| a97b65f3-24c7-4388-baec-2e87135dc908 | Cognitive Services User | Lets you read and list keys of Cognitive Services. | Microsoft.CognitiveServices/*/read Microsoft.CognitiveServices/accounts/listkeys/action Microsoft.Insights/alertRules/read Microsoft.Insights/diagnosticSettings/read Microsoft.Insights/logDefinitions/read Microsoft.Insights/metricdefinitions/read Microsoft.Insights/metrics/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/operations/read Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
Microsoft.CognitiveServices/* |
none | ||
| b59867f0-fa02-499b-be73-45a86b5b3e1c | Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | Microsoft.CognitiveServices/*/read |
none | |||
| 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. | Microsoft.Authorization/*/read Microsoft.CognitiveServices/* Microsoft.Features/features/read Microsoft.Features/providers/features/read Microsoft.Insights/alertRules/* Microsoft.Insights/diagnosticSettings/* Microsoft.Insights/logDefinitions/read Microsoft.Insights/metricdefinitions/read Microsoft.Insights/metrics/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/deployments/operations/read Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourcegroups/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| db7b14f2-5adf-42da-9f96-f2ee17bab5cb | CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account | Microsoft.DocumentDB/databaseAccounts/backup/action Microsoft.DocumentDB/databaseAccounts/restore/action |
none | |||
| b24988ac-6180-42a0-ab88-20f7382dd24c | Contributor | Lets you manage everything except access to resources. | * |
Microsoft.Authorization/*/Delete Microsoft.Authorization/*/Write Microsoft.Authorization/elevateAccess/Action Microsoft.Blueprint/blueprintAssignments/write Microsoft.Blueprint/blueprintAssignments/delete |
[Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. [Preview]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' Deploy prerequisites to audit Windows VMs that do not have the specified applications installed Deploy prerequisites to audit Windows VMs in which the Administrators group contains any of the specified members [Preview]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day Deploy associations for a managed application [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' [Preview]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters Deploy prerequisites to audit Windows VMs that are not joined to the specified domain Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' [Preview]: Deploy prerequisites to audit Linux VMs that have accounts without passwords [Preview]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' Deploy Diagnostic Settings for Search Services to Event Hub [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' Inherit a tag from the subscription if missing [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' Deploy prerequisites to audit Linux VMs that do not have the specified applications installed Deploy Diagnostic Settings for Data Lake Analytics to Event Hub Add a tag to resources [Preview]: Deploy prerequisites to audit Windows VMs on which the remote host connection status does not match the specified one Add or replace a tag on resources [Preview]: Configure time zone on Windows machines. [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' [Preview]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled Deploy Diagnostic Settings for Service Bus to Event Hub Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' [Preview]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords Add a tag to resource groups Deploy Workflow Automation for Azure Security Center recommendations Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled [Preview]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' Deploy prerequisites to audit Linux VMs that have the specified applications installed [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. [Preview]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain all of the specified members [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' Deploy Diagnostic Settings for Azure SQL Database to Event Hub Deploy Diagnostic Settings for Logic Apps to Event Hub Inherit a tag from the subscription Deploy prerequisites to audit Windows web servers that are not using secure communication protocols Deploy prerequisites to audit Windows VMs in which the Administrators group does not contain only the specified members [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' Deploy associations for a custom provider [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' Deploy prerequisites to audit Windows VMs that are not set to the specified time zone [Preview]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days Deploy prerequisites to audit Windows VMs with a pending reboot Inherit a tag from the resource group Deploy export to Event Hub for Azure Security Center alerts and recommendations [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' Add or replace a tag on resource groups [Preview]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant Deploy Diagnostic Settings for Batch Account to Event Hub [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub Inherit a tag from the resource group if missing [Preview]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' Deploy Diagnostic Settings for Key Vault to Event Hub Deploy Diagnostic Settings for Stream Analytics to Event Hub Deploy Diagnostic Settings for Event Hub to Event Hub Deploy prerequisites to audit Windows VMs that have the specified applications installed Deploy Workflow Automation for Azure Security Center alerts [Preview]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' [Preview]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' [Preview]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations |
||
| fbdf93bf-df7d-467e-a4d2-9458aa1360c8 | Cosmos DB Account Reader Role | Can read Azure Cosmos DB Accounts data | Microsoft.Authorization/*/read Microsoft.DocumentDB/*/read Microsoft.DocumentDB/databaseAccounts/readonlykeys/action Microsoft.Insights/MetricDefinitions/read Microsoft.Insights/Metrics/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 434105ed-43f6-45c7-a02f-909b2ba83430 | Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) | Microsoft.Consumption/* Microsoft.CostManagement/* Microsoft.Billing/billingPeriods/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Advisor/configurations/read Microsoft.Advisor/recommendations/read Microsoft.Management/managementGroups/read |
none | |||
| 72fafb9e-0641-4937-9268-a91bfd8191a3 | Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) | Microsoft.Consumption/*/read Microsoft.CostManagement/*/read Microsoft.Billing/billingPeriods/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Advisor/configurations/read Microsoft.Advisor/recommendations/read Microsoft.Management/managementGroups/read |
none | |||
| add466c9-e687-43fc-8d98-dfcf8d720be5 | Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | Microsoft.Authorization/*/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Databox/* |
none | |||
| 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. | Microsoft.Authorization/*/read Microsoft.Databox/*/read Microsoft.Databox/jobs/listsecrets/action Microsoft.Databox/jobs/listcredentials/action Microsoft.Databox/locations/availableSkus/action Microsoft.Databox/locations/validateInputs/action Microsoft.Databox/locations/regionConfiguration/action Microsoft.Databox/locations/validateAddress/action Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Support/* |
none | |||
| 673868aa-7521-48a0-acc6-0f60742d39f5 | Data Factory Contributor | Create and manage data factories, as well as child resources within them. | Microsoft.Authorization/*/read Microsoft.DataFactory/dataFactories/* Microsoft.DataFactory/factories/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.EventGrid/eventSubscriptions/write |
none | |||
| 150f5e0c-0603-4f03-8c7f-cf70034c4e90 | Data Purger | Can purge analytics data | Microsoft.Insights/components/*/read Microsoft.Insights/components/purge/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/purge/action |
none | |||
| 47b7735b-770e-4598-a7da-8b91488b4c88 | Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | Microsoft.Authorization/*/read Microsoft.BigAnalytics/accounts/* Microsoft.DataLakeAnalytics/accounts/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
Microsoft.BigAnalytics/accounts/Delete Microsoft.BigAnalytics/accounts/TakeOwnership/action Microsoft.BigAnalytics/accounts/Write Microsoft.DataLakeAnalytics/accounts/Delete Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action Microsoft.DataLakeAnalytics/accounts/Write Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete Microsoft.DataLakeAnalytics/accounts/firewallRules/Write Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete Microsoft.DataLakeAnalytics/accounts/computePolicies/Write Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete |
none | ||
| 76283e04-6283-4c54-8f91-bcf1374a3c64 | DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | Microsoft.Authorization/*/read Microsoft.Compute/availabilitySets/read Microsoft.Compute/virtualMachines/*/read Microsoft.Compute/virtualMachines/deallocate/action Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/restart/action Microsoft.Compute/virtualMachines/start/action Microsoft.DevTestLab/*/read Microsoft.DevTestLab/labs/claimAnyVm/action Microsoft.DevTestLab/labs/createEnvironment/action Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action Microsoft.DevTestLab/labs/formulas/delete Microsoft.DevTestLab/labs/formulas/read Microsoft.DevTestLab/labs/formulas/write Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action Microsoft.DevTestLab/labs/virtualMachines/claim/action Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action Microsoft.Network/loadBalancers/backendAddressPools/join/action Microsoft.Network/loadBalancers/inboundNatRules/join/action Microsoft.Network/networkInterfaces/*/read Microsoft.Network/networkInterfaces/join/action Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/write Microsoft.Network/publicIPAddresses/*/read Microsoft.Network/publicIPAddresses/join/action Microsoft.Network/publicIPAddresses/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Resources/deployments/operations/read Microsoft.Resources/deployments/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/listKeys/action |
Microsoft.Compute/virtualMachines/vmSizes/read |
none | ||
| 5bd9cd88-fe45-4216-938b-f97437e15450 | DocumentDB Account Contributor | Lets you manage DocumentDB accounts, but not access to them. | Microsoft.Authorization/*/read Microsoft.DocumentDb/databaseAccounts/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action |
none | |||
| befefa01-2a29-4197-83a8-272ff33ce314 | DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/dnsZones/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 | EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | Microsoft.Authorization/*/read Microsoft.EventGrid/eventSubscriptions/* Microsoft.EventGrid/topicTypes/eventSubscriptions/read Microsoft.EventGrid/locations/eventSubscriptions/read Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 2414bbcf-6497-4faf-8c65-045460748405 | EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | Microsoft.Authorization/*/read Microsoft.EventGrid/eventSubscriptions/read Microsoft.EventGrid/topicTypes/eventSubscriptions/read Microsoft.EventGrid/locations/eventSubscriptions/read Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read |
none | |||
| b60367af-1334-4454-b71e-769d9a4f83d9 | Graph Owner | Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions | Microsoft.EnterpriseKnowledgeGraph/services/conflation/read Microsoft.EnterpriseKnowledgeGraph/services/conflation/write Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/read Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/write Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read Microsoft.EnterpriseKnowledgeGraph/services/knowledge/write Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/read Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/write Microsoft.EnterpriseKnowledgeGraph/services/ingestion/read Microsoft.EnterpriseKnowledgeGraph/services/ingestion/write Microsoft.EnterpriseKnowledgeGraph/services/ontology/read Microsoft.EnterpriseKnowledgeGraph/services/ontology/write Microsoft.EnterpriseKnowledgeGraph/services/delete Microsoft.EnterpriseKnowledgeGraph/operations/read |
none | |||
| 8d8d5a11-05d3-4bda-a417-a08778121c7c | HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | Microsoft.AAD/*/read Microsoft.AAD/domainServices/*/read Microsoft.AAD/domainServices/oucontainer/* |
none | |||
| 03a6d094-3444-4b3d-88af-7477090a9e5e | Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.IntelligentSystems/accounts/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| f25e0fa2-a7c8-4377-a976-54943a77a395 | Key Vault Contributor | Lets you manage key vaults, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.KeyVault/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
Microsoft.KeyVault/locations/deletedVaults/purge/action Microsoft.KeyVault/hsmPools/* |
none | ||
| ee361c5d-f7b5-4119-b4b6-892157c8f64c | Knowledge Consumer | Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query | Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read |
none | |||
| b97fb8bc-a8b2-4522-a38b-dd33c7e65ead | Lab Creator | Lets you create, manage, delete your managed labs under your Azure Lab Accounts. | Microsoft.Authorization/*/read Microsoft.LabServices/labAccounts/*/read Microsoft.LabServices/labAccounts/createLab/action Microsoft.LabServices/labAccounts/sizes/getRegionalAvailability/action Microsoft.LabServices/labAccounts/getRegionalAvailability/action Microsoft.LabServices/labAccounts/getPricingAndAvailability/action Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 73c42c96-874c-492b-b04d-ab87d138a893 | Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | */read Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/search/action Microsoft.Support/* |
Microsoft.OperationalInsights/workspaces/sharedKeys/read |
none | ||
| 92aaf0da-9dab-42b6-94a3-d43ce8d16293 | Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. | */read Microsoft.Automation/automationAccounts/* Microsoft.ClassicCompute/virtualMachines/extensions/* Microsoft.ClassicStorage/storageAccounts/listKeys/action Microsoft.Compute/virtualMachines/extensions/* Microsoft.HybridCompute/machines/extensions/write Microsoft.Insights/alertRules/* Microsoft.Insights/diagnosticSettings/* Microsoft.OperationalInsights/* Microsoft.OperationsManagement/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourcegroups/deployments/* Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Support/* |
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploy Log Analytics agent for Linux VMs Deploy Log Analytics agent for Windows VMs Deploy Diagnostic Settings for Search Services to Log Analytics workspace Deploy Dependency agent for Windows VMs Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace Deploy Log Analytics agent for Windows virtual machine scale sets [Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs Deploy Dependency agent for Linux VMs Deploy Log Analytics agent for Linux virtual machine scale sets [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines [Preview]: Deploy Dependency agent to Windows Azure Arc machines [Preview]: Deploy Log Analytics agent to Linux Azure Arc machines Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace Deploy Diagnostic Settings for Key Vault to Log Analytics workspace [Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace [Preview]: Deploy Dependency agent to hybrid Linux Azure Arc machines |
|||
| 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe | Logic App Operator | Lets you read, enable and disable logic app. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/*/read Microsoft.Insights/metricAlerts/*/read Microsoft.Insights/diagnosticSettings/*/read Microsoft.Insights/metricDefinitions/*/read Microsoft.Logic/*/read Microsoft.Logic/workflows/disable/action Microsoft.Logic/workflows/enable/action Microsoft.Logic/workflows/validate/action Microsoft.Resources/deployments/operations/read Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Web/connectionGateways/*/read Microsoft.Web/connections/*/read Microsoft.Web/customApis/*/read Microsoft.Web/serverFarms/read |
none | |||
| 87a39d53-fc1b-424a-814c-f7e04687dc9e | Logic App Contributor | Lets you manage logic app, but not access to them. | Microsoft.Authorization/*/read Microsoft.ClassicStorage/storageAccounts/listKeys/action Microsoft.ClassicStorage/storageAccounts/read Microsoft.Insights/alertRules/* Microsoft.Insights/metricAlerts/* Microsoft.Insights/diagnosticSettings/* Microsoft.Insights/logdefinitions/* Microsoft.Insights/metricDefinitions/* Microsoft.Logic/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/listkeys/action Microsoft.Storage/storageAccounts/read Microsoft.Support/* Microsoft.Web/connectionGateways/* Microsoft.Web/connections/* Microsoft.Web/customApis/* Microsoft.Web/serverFarms/join/action Microsoft.Web/serverFarms/read Microsoft.Web/sites/functions/listSecrets/action |
none | |||
| c7393b34-138c-406f-901b-d8cf2b17e6ae | Managed Application Operator Role | Lets you read and perform actions on Managed Application resources | */read Microsoft.Solutions/applications/read Microsoft.Solutions/*/action |
none | |||
| b9331d33-8a36-4f8c-b097-4f54124fdb44 | Managed Applications Reader | Lets you read resources in a managed app and request JIT access. | */read Microsoft.Resources/deployments/* Microsoft.Solutions/jitRequests/* |
none | |||
| f1a07417-d97a-45cb-824c-7a7467783830 | Managed Identity Operator | Read and Assign User Assigned Identity | Microsoft.ManagedIdentity/userAssignedIdentities/*/read Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Support/* |
none | |||
| e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 | Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity | Microsoft.ManagedIdentity/userAssignedIdentities/read Microsoft.ManagedIdentity/userAssignedIdentities/write Microsoft.ManagedIdentity/userAssignedIdentities/delete Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Support/* |
none | |||
| 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c | Management Group Contributor | Management Group Contributor Role | Microsoft.Management/managementGroups/delete Microsoft.Management/managementGroups/read Microsoft.Management/managementGroups/subscriptions/delete Microsoft.Management/managementGroups/subscriptions/write Microsoft.Management/managementGroups/write |
none | |||
| ac63b705-f282-497d-ac71-919bf39d939d | Management Group Reader | Management Group Reader Role | Microsoft.Management/managementGroups/read |
none | |||
| 3913510d-42f4-4e42-8a64-420c390055eb | Monitoring Metrics Publisher | Enables publishing metrics against Azure resources | Microsoft.Insights/Register/Action Microsoft.Support/* Microsoft.Resources/subscriptions/resourceGroups/read |
Microsoft.Insights/Metrics/Write |
none | ||
| 43d0d8ad-25c7-4714-9337-8ba259a9fe05 | Monitoring Reader | Can read all monitoring data. | */read Microsoft.OperationalInsights/workspaces/search/action Microsoft.Support/* |
none | |||
| 4d97b98b-1d4f-4787-a291-c67834d212e7 | Network Contributor | Lets you manage networks, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
Deploy network watcher when virtual networks are created |
|||
| 749f88d5-cbae-40b8-bcfc-e573ddc772fa | Monitoring Contributor | Can read all monitoring data and update monitoring settings. | */read Microsoft.AlertsManagement/alerts/* Microsoft.AlertsManagement/alertsSummary/* Microsoft.Insights/actiongroups/* Microsoft.Insights/activityLogAlerts/* Microsoft.Insights/AlertRules/* Microsoft.Insights/components/* Microsoft.Insights/DiagnosticSettings/* Microsoft.Insights/eventtypes/* Microsoft.Insights/LogDefinitions/* Microsoft.Insights/metricalerts/* Microsoft.Insights/MetricDefinitions/* Microsoft.Insights/Metrics/* Microsoft.Insights/Register/Action Microsoft.Insights/scheduledqueryrules/* Microsoft.Insights/webtests/* Microsoft.Insights/workbooks/* Microsoft.Insights/privateLinkScopes/* Microsoft.Insights/privateLinkScopeOperationStatuses/* Microsoft.OperationalInsights/workspaces/write Microsoft.OperationalInsights/workspaces/intelligencepacks/* Microsoft.OperationalInsights/workspaces/savedSearches/* Microsoft.OperationalInsights/workspaces/search/action Microsoft.OperationalInsights/workspaces/sharedKeys/action Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* Microsoft.Support/* Microsoft.WorkloadMonitor/monitors/* Microsoft.WorkloadMonitor/notificationSettings/* Microsoft.AlertsManagement/smartDetectorAlertRules/* Microsoft.AlertsManagement/actionRules/* Microsoft.AlertsManagement/smartGroups/* |
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace Deploy Diagnostic Settings for Search Services to Log Analytics workspace Deploy Diagnostic Settings for Event Hub to Log Analytics workspace Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace Deploy Diagnostic Settings for Key Vault to Log Analytics workspace [Preview]: Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. Deploy Diagnostic Settings for Batch Account to Log Analytics workspace Deploy Diagnostic Settings for Network Security Groups Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace |
|||
| 5d28c62d-5b37-4476-8438-e587778df237 | New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* NewRelic.APM/accounts/* |
none | |||
| 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | Owner | Lets you manage everything, including access to resources. | * |
none | |||
| acdd72a7-3385-48ef-bd42-f606fba81ae7 | Reader | Lets you view everything, but not make any changes. | */read |
none | |||
| e0f68234-74aa-48ed-b826-c38b57376e17 | Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | Microsoft.Authorization/*/read Microsoft.Cache/redis/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| c12c1c16-33a1-487b-954d-41c89c60f349 | Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/ListAccountSas/action Microsoft.Storage/storageAccounts/read |
none | |||
| 36243c78-bf99-498c-9df9-86d9f8d28608 | Resource Policy Contributor | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | */read Microsoft.Authorization/policyassignments/* Microsoft.Authorization/policydefinitions/* Microsoft.Authorization/policysetdefinitions/* Microsoft.PolicyInsights/* Microsoft.Support/* |
none | |||
| 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 | Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Scheduler/jobcollections/* Microsoft.Support/* |
none | |||
| 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | Search Service Contributor | Lets you manage Search services, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Search/searchServices/* Microsoft.Support/* |
none | |||
| fb1c8493-542b-48eb-b624-b4c8fea62acd | Security Admin | Security Admin Role | Microsoft.Authorization/*/read Microsoft.Authorization/policyAssignments/* Microsoft.Authorization/policyDefinitions/* Microsoft.Authorization/policySetDefinitions/* Microsoft.Insights/alertRules/* Microsoft.Management/managementGroups/read Microsoft.operationalInsights/workspaces/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Security/* Microsoft.Support/* |
Deploy Advanced Threat Protection on Storage Accounts Enable Azure Security Center on your subscription Deploy Advanced Threat Protection for Cosmos DB Accounts |
|||
| e3d13bf0-dd5a-482e-ba6b-9b8433878d10 | Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead | Microsoft.Authorization/*/read Microsoft.ClassicCompute/*/read Microsoft.ClassicCompute/virtualMachines/*/write Microsoft.ClassicNetwork/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Security/* Microsoft.Support/* |
none | |||
| 39bc4728-0917-49c7-9d2c-d95423bc2eb4 | Security Reader | Security Reader Role | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.operationalInsights/workspaces/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Security/*/read Microsoft.Support/* Microsoft.Management/managementGroups/read |
none | |||
| 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 | Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them | Microsoft.MixedReality/SpatialAnchorsAccounts/create/action Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read Microsoft.MixedReality/SpatialAnchorsAccounts/query/read Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read Microsoft.MixedReality/SpatialAnchorsAccounts/write |
none | |||
| 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/virtualNetworks/read Microsoft.RecoveryServices/locations/allocatedStamp/read Microsoft.RecoveryServices/locations/allocateStamp/action Microsoft.RecoveryServices/Vaults/certificates/write Microsoft.RecoveryServices/Vaults/extendedInformation/* Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/refreshContainers/read Microsoft.RecoveryServices/Vaults/registeredIdentities/* Microsoft.RecoveryServices/vaults/replicationAlertSettings/* Microsoft.RecoveryServices/vaults/replicationEvents/read Microsoft.RecoveryServices/vaults/replicationFabrics/* Microsoft.RecoveryServices/vaults/replicationJobs/* Microsoft.RecoveryServices/vaults/replicationPolicies/* Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/* Microsoft.RecoveryServices/Vaults/storageConfig/* Microsoft.RecoveryServices/Vaults/tokenInfo/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/Vaults/vaultTokens/read Microsoft.RecoveryServices/Vaults/monitoringAlerts/* Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/read Microsoft.RecoveryServices/vaults/replicationOperationStatus/read Microsoft.Support/* |
none | |||
| 494ae006-db33-4328-bf46-533a6560a3ca | Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/virtualNetworks/read Microsoft.RecoveryServices/locations/allocatedStamp/read Microsoft.RecoveryServices/locations/allocateStamp/action Microsoft.RecoveryServices/Vaults/extendedInformation/read Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/refreshContainers/read Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/read Microsoft.RecoveryServices/vaults/replicationAlertSettings/read Microsoft.RecoveryServices/vaults/replicationEvents/read Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action Microsoft.RecoveryServices/vaults/replicationFabrics/read Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read Microsoft.RecoveryServices/vaults/replicationJobs/* Microsoft.RecoveryServices/vaults/replicationPolicies/read Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action Microsoft.RecoveryServices/Vaults/monitoringAlerts/* Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read Microsoft.RecoveryServices/Vaults/storageConfig/read Microsoft.RecoveryServices/Vaults/tokenInfo/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/Vaults/vaultTokens/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/read Microsoft.Support/* |
none | |||
| 5d51204f-eb77-4b1c-b86a-2ec626c49413 | Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account | Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read Microsoft.MixedReality/SpatialAnchorsAccounts/query/read Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read |
none | |||
| dbaa88c4-0c30-4179-9fb3-46319faa6149 | Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations | Microsoft.Authorization/*/read Microsoft.RecoveryServices/locations/allocatedStamp/read Microsoft.RecoveryServices/Vaults/extendedInformation/read Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/refreshContainers/read Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/read Microsoft.RecoveryServices/vaults/replicationAlertSettings/read Microsoft.RecoveryServices/vaults/replicationEvents/read Microsoft.RecoveryServices/vaults/replicationFabrics/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read Microsoft.RecoveryServices/vaults/replicationJobs/read Microsoft.RecoveryServices/vaults/replicationPolicies/read Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read Microsoft.RecoveryServices/Vaults/storageConfig/read Microsoft.RecoveryServices/Vaults/tokenInfo/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/Vaults/vaultTokens/read Microsoft.Support/* |
none | |||
| 70bbe301-9835-447d-afdd-19eb3167307c | Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them | Microsoft.MixedReality/SpatialAnchorsAccounts/create/action Microsoft.MixedReality/SpatialAnchorsAccounts/delete Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read Microsoft.MixedReality/SpatialAnchorsAccounts/query/read Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read Microsoft.MixedReality/SpatialAnchorsAccounts/write |
none | |||
| 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d | SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can’t give access to others. | Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Network/networkSecurityGroups/* Microsoft.Network/routeTables/* Microsoft.Sql/locations/*/read Microsoft.Sql/managedInstances/* Microsoft.Support/* Microsoft.Network/virtualNetworks/subnets/* Microsoft.Network/virtualNetworks/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Insights/metrics/read Microsoft.Insights/metricDefinitions/read |
none | |||
| 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec | SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Sql/locations/*/read Microsoft.Sql/servers/databases/* Microsoft.Sql/servers/read Microsoft.Support/* Microsoft.Insights/metrics/read Microsoft.Insights/metricDefinitions/read |
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/managedInstances/securityAlertPolicies/* Microsoft.Sql/managedInstances/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/auditingPolicies/* Microsoft.Sql/servers/databases/auditingSettings/* Microsoft.Sql/servers/databases/auditRecords/read Microsoft.Sql/servers/databases/connectionPolicies/* Microsoft.Sql/servers/databases/currentSensitivityLabels/* Microsoft.Sql/servers/databases/dataMaskingPolicies/* Microsoft.Sql/servers/databases/extendedAuditingSettings/* Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/securityAlertPolicies/* Microsoft.Sql/servers/databases/securityMetrics/* Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/vulnerabilityAssessments/* |
Deploy SQL DB transparent data encryption |
||
| 056cd41c-7e88-42e1-933e-88ba6a50c9c3 | SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/managedInstances/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* Microsoft.Sql/managedInstances/vulnerabilityAssessments/* Microsoft.Sql/servers/auditingPolicies/* Microsoft.Sql/servers/auditingSettings/* Microsoft.Sql/servers/extendedAuditingSettings/read Microsoft.Sql/servers/databases/auditingPolicies/* Microsoft.Sql/servers/databases/auditingSettings/* Microsoft.Sql/servers/databases/auditRecords/read Microsoft.Sql/servers/databases/connectionPolicies/* Microsoft.Sql/servers/databases/currentSensitivityLabels/* Microsoft.Sql/servers/databases/dataMaskingPolicies/* Microsoft.Sql/servers/databases/extendedAuditingSettings/read Microsoft.Sql/servers/databases/read Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* Microsoft.Sql/servers/databases/schemas/read Microsoft.Sql/servers/databases/schemas/tables/columns/read Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/schemas/tables/read Microsoft.Sql/servers/databases/securityAlertPolicies/* Microsoft.Sql/servers/databases/securityMetrics/* Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/transparentDataEncryption/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/firewallRules/* Microsoft.Sql/servers/read Microsoft.Sql/servers/securityAlertPolicies/* Microsoft.Sql/servers/vulnerabilityAssessments/* Microsoft.Support/* |
Deploy Threat Detection on SQL servers Deploy Advanced Data Security on SQL servers Deploy Auditing on SQL servers |
|||
| 17d1049b-9a84-46fb-8f53-869881c3d3ab | Storage Account Contributor | Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Insights/diagnosticSettings/* Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/* Microsoft.Support/* |
Deploy Advanced Data Security on SQL servers Deploy Diagnostic Settings for Network Security Groups Deploy Auditing on SQL servers |
|||
| 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 | SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security -related policies. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Sql/locations/*/read Microsoft.Sql/servers/* Microsoft.Support/* Microsoft.Insights/metrics/read Microsoft.Insights/metricDefinitions/read |
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/managedInstances/securityAlertPolicies/* Microsoft.Sql/managedInstances/vulnerabilityAssessments/* Microsoft.Sql/servers/auditingPolicies/* Microsoft.Sql/servers/auditingSettings/* Microsoft.Sql/servers/databases/auditingPolicies/* Microsoft.Sql/servers/databases/auditingSettings/* Microsoft.Sql/servers/databases/auditRecords/read Microsoft.Sql/servers/databases/connectionPolicies/* Microsoft.Sql/servers/databases/currentSensitivityLabels/* Microsoft.Sql/servers/databases/dataMaskingPolicies/* Microsoft.Sql/servers/databases/extendedAuditingSettings/* Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/securityAlertPolicies/* Microsoft.Sql/servers/databases/securityMetrics/* Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/extendedAuditingSettings/* Microsoft.Sql/servers/securityAlertPolicies/* Microsoft.Sql/servers/vulnerabilityAssessments/* |
none | ||
| 81a9662b-bebf-436f-a333-f67b29880f12 | Storage Account Key Operator Service Role | Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts | Microsoft.Storage/storageAccounts/listkeys/action Microsoft.Storage/storageAccounts/regeneratekey/action |
none | |||
| ba92f5b4-2d11-453d-a403-e96b0029c9fe | Storage Blob Data Contributor | Allows for read, write and delete access to Azure Storage blob containers and data | Microsoft.Storage/storageAccounts/blobServices/containers/delete Microsoft.Storage/storageAccounts/blobServices/containers/read Microsoft.Storage/storageAccounts/blobServices/containers/write Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |
none | ||
| b7e6dc6d-f1e8-4753-8033-0f276bb0955b | Storage Blob Data Owner | Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control. | Microsoft.Storage/storageAccounts/blobServices/containers/* Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* |
none | ||
| 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | Storage Blob Data Reader | Allows for read access to Azure Storage blob containers and data | Microsoft.Storage/storageAccounts/blobServices/containers/read Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action |
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |
none | ||
| 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | Storage Queue Data Contributor | Allows for read, write, and delete access to Azure Storage queues and queue messages | Microsoft.Storage/storageAccounts/queueServices/queues/delete Microsoft.Storage/storageAccounts/queueServices/queues/read Microsoft.Storage/storageAccounts/queueServices/queues/write |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Microsoft.Storage/storageAccounts/queueServices/queues/messages/write |
none | ||
| 8a0f0c08-91a1-4084-bc3d-661d67233fed | Storage Queue Data Message Processor | Allows for peek, receive, and delete access to Azure Storage queue messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action |
none | |||
| c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | Storage Queue Data Message Sender | Allows for sending of Azure Storage queue messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action |
none | |||
| 19e7f393-937e-4f77-808e-94535e297925 | Storage Queue Data Reader | Allows for read access to Azure Storage queues and queue messages | Microsoft.Storage/storageAccounts/queueServices/queues/read |
Microsoft.Storage/storageAccounts/queueServices/queues/messages/read |
none | ||
| cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e | Support Request Contributor | Lets you create and manage Support requests | Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 | Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/trafficManagerProfiles/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 1c0163c0-47e6-4577-8991-ea5c82e286e4 | Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator | Microsoft.Network/publicIPAddresses/read Microsoft.Network/virtualNetworks/read Microsoft.Network/loadBalancers/read Microsoft.Network/networkInterfaces/read Microsoft.Compute/virtualMachines/*/read |
Microsoft.Compute/virtualMachines/login/action Microsoft.Compute/virtualMachines/loginAsAdmin/action |
none | ||
| 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 | User Access Administrator | Lets you manage user access to Azure resources. | */read Microsoft.Authorization/* Microsoft.Support/* |
none | |||
| fb879df8-f326-4884-b1cf-06f3ad86be52 | Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. | Microsoft.Network/publicIPAddresses/read Microsoft.Network/virtualNetworks/read Microsoft.Network/loadBalancers/read Microsoft.Network/networkInterfaces/read Microsoft.Compute/virtualMachines/*/read |
Microsoft.Compute/virtualMachines/login/action |
none | ||
| 9980e02c-c2be-4d73-94e8-173b1dc7cf3c | Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | Microsoft.Authorization/*/read Microsoft.Compute/availabilitySets/* Microsoft.Compute/locations/* Microsoft.Compute/virtualMachines/* Microsoft.Compute/virtualMachineScaleSets/* Microsoft.Compute/disks/write Microsoft.Compute/disks/read Microsoft.Compute/disks/delete Microsoft.DevTestLab/schedules/* Microsoft.Insights/alertRules/* Microsoft.Network/applicationGateways/backendAddressPools/join/action Microsoft.Network/loadBalancers/backendAddressPools/join/action Microsoft.Network/loadBalancers/inboundNatPools/join/action Microsoft.Network/loadBalancers/inboundNatRules/join/action Microsoft.Network/loadBalancers/probes/join/action Microsoft.Network/loadBalancers/read Microsoft.Network/locations/* Microsoft.Network/networkInterfaces/* Microsoft.Network/networkSecurityGroups/join/action Microsoft.Network/networkSecurityGroups/read Microsoft.Network/publicIPAddresses/join/action Microsoft.Network/publicIPAddresses/read Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.RecoveryServices/locations/* Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Microsoft.RecoveryServices/Vaults/backupPolicies/read Microsoft.RecoveryServices/Vaults/backupPolicies/write Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/Vaults/write Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.SqlVirtualMachine/* Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/read Microsoft.Support/* |
Configure backup on VMs of a location to an existing central Vault in the same location Deploy default Microsoft IaaSAntimalware extension for Windows Server Deploy Dependency agent for Windows virtual machine scale sets Deploy Log Analytics agent for Windows virtual machine scale sets Deploy Log Analytics agent for Linux virtual machine scale sets Deploy Dependency agent for Linux virtual machine scale sets |
|||
| 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b | Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Web/serverFarms/* Microsoft.Web/hostingEnvironments/Join/Action |
none | |||
| de139f84-1756-47ae-9be6-808fbbe84772 | Website Contributor | Lets you manage websites (not web plans), but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Insights/components/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Web/certificates/* Microsoft.Web/listSitesAssignedToHostName/read Microsoft.Web/serverFarms/join/action Microsoft.Web/serverFarms/read Microsoft.Web/sites/* |
none | |||
| 090c5cfd-751d-490a-894a-3ce6f1109419 | Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | Microsoft.ServiceBus/* |
Microsoft.ServiceBus/* |
none | ||
| f526a384-b230-433a-b45c-95f59c4a2dec | Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | Microsoft.EventHub/* |
Microsoft.EventHub/* |
none | ||
| bbf86eb8-f7b4-4cce-96e4-18cddf81d86e | Attestation Contributor | Can read write or delete the attestation provider instance | Microsoft.Attestation/attestationProviders/attestation/read Microsoft.Attestation/attestationProviders/attestation/write Microsoft.Attestation/attestationProviders/attestation/delete |
none | |||
| 61ed4efc-fab3-44fd-b111-e24485cc132a | HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | Microsoft.HDInsight/*/read Microsoft.HDInsight/clusters/getGatewaySettings/action Microsoft.HDInsight/clusters/updateGatewaySettings/action Microsoft.HDInsight/clusters/configurations/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/operations/read Microsoft.Insights/alertRules/* Microsoft.Authorization/*/read Microsoft.Support/* |
none | |||
| 230815da-be43-4aae-9cb4-875f7bd000aa | Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | Microsoft.DocumentDb/databaseAccounts/* Microsoft.Insights/alertRules/* Microsoft.Authorization/*/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action |
Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* Microsoft.DocumentDB/databaseAccounts/regenerateKey/* Microsoft.DocumentDB/databaseAccounts/listKeys/* Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* |
none | ||
| 48b40c6e-82e0-4eb3-90d5-19e40f49b624 | Hybrid Server Resource Administrator | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. | Microsoft.HybridCompute/machines/* Microsoft.HybridCompute/*/read |
none | |||
| 5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb | Hybrid Server Onboarding | Can onboard new Hybrid servers to the Hybrid Resource Provider. | Microsoft.HybridCompute/machines/read Microsoft.HybridCompute/machines/write |
none | |||
| a638d3c7-ab3a-418d-83e6-5f17a39d4fde | Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | Microsoft.EventHub/*/eventhubs/consumergroups/read |
Microsoft.EventHub/*/receive/action |
none | ||
| 2b629674-e913-4c01-ae53-ef4638d8f975 | Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | Microsoft.EventHub/*/eventhubs/read |
Microsoft.EventHub/*/send/action |
none | ||
| 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | Microsoft.ServiceBus/*/queues/read Microsoft.ServiceBus/*/topics/read Microsoft.ServiceBus/*/topics/subscriptions/read |
Microsoft.ServiceBus/*/receive/action |
none | ||
| 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | Microsoft.ServiceBus/*/queues/read Microsoft.ServiceBus/*/topics/read Microsoft.ServiceBus/*/topics/subscriptions/read |
Microsoft.ServiceBus/*/send/action |
none | ||
| aba4ae5f-2193-4029-9191-0cb91df5e314 | Storage File Data SMB Share Reader | Allows for read access to Azure File Share over SMB | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read |
none | |||
| 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | Storage File Data SMB Share Contributor | Allows for read, write, and delete access in Azure Storage file shares over SMB | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete |
none | |||
| b12aa53e-6015-4669-85d0-8515ebb3ae7f | Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Network/privateDnsZones/* Microsoft.Network/privateDnsOperationResults/* Microsoft.Network/privateDnsOperationStatuses/* Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/join/action Microsoft.Authorization/*/read |
none | |||
| db58b8e5-c6ad-4a2a-8342-4190687cbf4a | Storage Blob Delegator | Allows for generation of a user delegation key which can be used to sign SAS tokens | Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action |
none | |||
| 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | Desktop Virtualization User | Allows user to use the applications in an application group. | Microsoft.DesktopVirtualization/applicationGroups/useApplications/action |
none | |||
| a7264617-510b-434b-a828-9731dc254ea7 | Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action |
none | |||
| 41077137-e803-4205-871c-5a86e6a753b4 | Blueprint Contributor | Can manage blueprint definitions, but not assign them. | Microsoft.Authorization/*/read Microsoft.Blueprint/blueprints/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Support/* |
none | |||
| 437d2ced-4a38-4302-8479-ed2bcb43d090 | Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. | Microsoft.Authorization/*/read Microsoft.Blueprint/blueprintAssignments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Support/* |
none | |||
| ab8e14d6-4a74-4a29-9ba8-549422addade | Azure Sentinel Contributor | Azure Sentinel Contributor | Microsoft.SecurityInsights/* Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/savedSearches/* Microsoft.OperationsManagement/solutions/read Microsoft.OperationalInsights/workspaces/query/read Microsoft.OperationalInsights/workspaces/query/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.Insights/workbooks/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 3e150937-b8fe-4cfb-8069-0eaf05ecd056 | Azure Sentinel Responder | Azure Sentinel Responder | Microsoft.SecurityInsights/*/read Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Microsoft.SecurityInsights/cases/* Microsoft.SecurityInsights/incidents/* Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.OperationalInsights/workspaces/savedSearches/read Microsoft.OperationsManagement/solutions/read Microsoft.OperationalInsights/workspaces/query/read Microsoft.OperationalInsights/workspaces/query/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.Insights/workbooks/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 8d289c81-5878-46d4-8554-54e1e3d8b5cb | Azure Sentinel Reader | Azure Sentinel Reader | Microsoft.SecurityInsights/*/read Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/LinkedServices/read Microsoft.OperationalInsights/workspaces/savedSearches/read Microsoft.OperationsManagement/solutions/read Microsoft.OperationalInsights/workspaces/query/read Microsoft.OperationalInsights/workspaces/query/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.Insights/workbooks/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| b279062a-9be3-42a0-92ae-8b3cf002ec4d | Workbook Reader | Can read workbooks. | microsoft.insights/workbooks/read |
none | |||
| e8ddcd69-c73f-4f9f-9844-4100522f16ad | Workbook Contributor | Can save shared workbooks. | Microsoft.Insights/workbooks/write Microsoft.Insights/workbooks/delete Microsoft.Insights/workbooks/read |
none | |||
| 66bb4e9e-b016-4a94-8249-4c0511c2be84 | Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | Microsoft.Authorization/policyassignments/read Microsoft.Authorization/policydefinitions/read Microsoft.Authorization/policysetdefinitions/read |
Microsoft.PolicyInsights/checkDataPolicyCompliance/action Microsoft.PolicyInsights/policyEvents/logDataEvents/action |
none | ||
| 04165923-9d83-45d5-8227-78b77b0a687e | SignalR AccessKey Reader | Read SignalR Service Access Keys | Microsoft.SignalRService/*/read Microsoft.SignalRService/SignalR/listkeys/action Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* |
none | |||
| 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | SignalR Contributor | Create, Read, Update, and Delete SignalR service resources | Microsoft.SignalRService/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Support/* |
none | |||
| b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 | Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | Microsoft.HybridCompute/machines/read Microsoft.HybridCompute/machines/write Microsoft.GuestConfiguration/guestConfigurationAssignments/read |
none | |||
| cd570a14-e51a-42ad-bac8-bafd67325302 | Azure Connected Machine Resource Administrator | Can read, write, delete and re-onboard Azure Connected Machines. | Microsoft.HybridCompute/machines/read Microsoft.HybridCompute/machines/write Microsoft.HybridCompute/machines/delete Microsoft.HybridCompute/machines/reconnect/action Microsoft.HybridCompute/machines/extensions/write Microsoft.HybridCompute/*/read |
none | |||
| 91c1777a-f3dc-4fae-b103-61d183457e46 | Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | Microsoft.ManagedServices/registrationAssignments/read Microsoft.ManagedServices/registrationAssignments/delete Microsoft.ManagedServices/operationStatuses/read |
none | |||
| 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | App Configuration Data Owner | Allows full access to App Configuration data. | Microsoft.AppConfiguration/configurationStores/*/read Microsoft.AppConfiguration/configurationStores/*/write Microsoft.AppConfiguration/configurationStores/*/delete |
none | |||
| 516239f1-63e1-4d78-a4de-a74fb236a071 | App Configuration Data Reader | Allows read access to App Configuration data. | Microsoft.AppConfiguration/configurationStores/*/read |
none | |||
| 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resource | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Kubernetes/connectedClusters/Write Microsoft.Kubernetes/connectedClusters/read Microsoft.Support/* |
none | |||
| 7f646f1b-fa08-80eb-a22b-edd6ce5c915c | Experimentation Contributor | Experimentation Contributor | Microsoft.Resources/subscriptions/resourceGroups/read |
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action Microsoft.Experimentation/experimentWorkspaces/read Microsoft.Experimentation/experimentWorkspaces/write Microsoft.Experimentation/experimentWorkspaces/delete |
none | ||
| 466ccd10-b268-4a11-b098-b4849f024126 | Cognitive Services QnA Maker Reader | Let’s you read and test a KB only. | Microsoft.CognitiveServices/*/read Microsoft.Authorization/roleAssignments/read Microsoft.Authorization/roleDefinitions/read |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read |
none | ||
| f4cc2bf9-21be-47a1-bdf1-5c5804381025 | Cognitive Services QnA Maker Editor | Let’s you create, edit, import and export a KB. You cannot publish or delete a KB. | Microsoft.CognitiveServices/*/read Microsoft.Authorization/roleAssignments/read Microsoft.Authorization/roleDefinitions/read |
Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write Microsoft.CognitiveServices/accounts/QnAMaker/operations/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read |
none | ||
| 7f646f1b-fa08-80eb-a33b-edd6ce5c915c | Experimentation Administrator | Experimentation Administrator | Microsoft.Resources/subscriptions/resourceGroups/read |
Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/action Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action Microsoft.Experimentation/experimentWorkspaces/read Microsoft.Experimentation/experimentWorkspaces/write Microsoft.Experimentation/experimentWorkspaces/delete Microsoft.Experimentation/experimentWorkspaces/admin/action |
none | ||
| 3df8b902-2a6f-47c7-8cc5-360e9b272a7e | Remote Rendering Administrator | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | Microsoft.MixedReality/RemoteRenderingAccounts/convert/action Microsoft.MixedReality/RemoteRenderingAccounts/convert/read Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete Microsoft.MixedReality/RemoteRenderingAccounts/render/read Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read |
none | |||
| d39065c4-c120-43c9-ab0a-63eed9795f0a | Remote Rendering Client | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. | Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete Microsoft.MixedReality/RemoteRenderingAccounts/render/read Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read |
none | |||
| 641177b8-a67a-45b9-a033-47bc880bb21e | Managed Application Contributor Role | Allows for creating managed application resources. | */read Microsoft.Solutions/applications/* Microsoft.Solutions/register/action Microsoft.Resources/subscriptions/resourceGroups/* Microsoft.Resources/deployments/* |
none | |||
| 612c2aa1-cb24-443b-ac28-3ab7272de6f5 | Security Assessment Contributor | Lets you push assessments to Security Center | Microsoft.Security/assessments/write |
none | |||
| 4a9ae827-6dc8-4573-8ac7-8239d42aa03f | Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/subscriptions/resourceGroups/resources/read Microsoft.Resources/subscriptions/resources/read Microsoft.Resources/deployments/* Microsoft.Insights/alertRules/* Microsoft.Support/* Microsoft.Resources/tags/* |
none | |||
| c7aa55d3-1abb-444a-a5ca-5e51e485d6ec | Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | Microsoft.Authorization/*/read Microsoft.Support/* Microsoft.Logic/integrationServiceEnvironments/read Microsoft.Logic/integrationServiceEnvironments/join/action |
none | |||
| a41e2c5b-bd99-4a07-88f4-9bf657a760b8 | Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | Microsoft.Authorization/*/read Microsoft.Support/* Microsoft.Logic/integrationServiceEnvironments/* |
none | |||
| dd920d6d-f481-47f1-b461-f338c46b2d9f | Marketplace Admin | Administrator of marketplace resource provider | Microsoft.Marketplace/privateStores/write Microsoft.Marketplace/privateStores/action Microsoft.Marketplace/privateStores/delete Microsoft.Marketplace/privateStores/offers/write Microsoft.Marketplace/privateStores/offers/action Microsoft.Marketplace/privateStores/offers/delete |
none | |||
| ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 | Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters | Microsoft.ContainerService/managedClusters/read Microsoft.ContainerService/managedClusters/write Microsoft.Resources/deployments/* |
none | |||
| d57506d4-4c8d-48b1-8587-93c323f6a5a3 | Azure Digital Twins Reader (Preview) | Read-only role for Digital Twins data-plane properties | Microsoft.DigitalTwins/digitaltwins/read Microsoft.DigitalTwins/eventroutes/read Microsoft.DigitalTwins/models/read Microsoft.DigitalTwins/query/action |
none | |||
| bcd981a7-7f74-457b-83e1-cceb9e632ffe | Azure Digital Twins Owner (Preview) | Full access role for Digital Twins data-plane | Microsoft.DigitalTwins/eventroutes/* Microsoft.DigitalTwins/digitaltwins/* Microsoft.DigitalTwins/digitaltwins/commands/* Microsoft.DigitalTwins/digitaltwins/relationships/* Microsoft.DigitalTwins/models/* Microsoft.DigitalTwins/query/* |
none | |||
| 350f8d15-c687-4448-8ae1-157740a3936d | Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings | Microsoft.Management/managementGroups/settings/write Microsoft.Management/managementGroups/settings/delete |
none | |||
| 5a1fc7df-4bf1-4951-a576-89034ee01acd | FHIR Data Contributor | Role allows user or principal full access to FHIR Data | Microsoft.HealthcareApis/services/fhir/resources/* |
none | |||
| 3db33094-8700-4567-8da5-1501d4e7e843 | FHIR Data Exporter | Role allows user or principal to read and export FHIR Data | Microsoft.HealthcareApis/services/fhir/resources/read Microsoft.HealthcareApis/services/fhir/resources/export/action |
none | |||
| 4c8d0bbc-75d3-4935-991f-5f3c56d81508 | FHIR Data Reader | Role allows user or principal to read FHIR Data | Microsoft.HealthcareApis/services/fhir/resources/read |
none | |||
| 3f88fce4-5892-4214-ae73-ba5294559913 | FHIR Data Writer | Role allows user or principal to read and write FHIR Data | Microsoft.HealthcareApis/services/fhir/resources/* |
Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action |
none | ||
| 49632ef5-d9ac-41f4-b8e7-bbe587fa74a1 | Experimentation Reader | Experimentation Reader | Microsoft.Experimentation/experimentWorkspaces/read Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read |
none | |||
| 4dd61c23-6743-42fe-a388-d8bdd41cb745 | Object Understanding Account Owner | Provides user with ingestion capabilities for Azure Object Understanding. | Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/action Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read |
none | |||
| 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 | Azure Maps Data Contributor | Grants access to read, write, and delete access to map related data from an Azure maps account. | Microsoft.Maps/accounts/*/read Microsoft.Maps/accounts/*/write Microsoft.Maps/accounts/*/delete |
none | |||
| c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 | Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | Microsoft.CognitiveServices/*/read |
Microsoft.CognitiveServices/accounts/CustomVision/* |
none | ||
| 5c4089e1-6d96-4d2f-b296-c1bc7137275f | Cognitive Services Custom Vision Deployment | Publish, unpublish or export models. Deployment can view the project but can’t update. | Microsoft.CognitiveServices/*/read |
Microsoft.CognitiveServices/accounts/CustomVision/*/read Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/* Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/* Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/* Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/* Microsoft.CognitiveServices/accounts/CustomVision/classify/* Microsoft.CognitiveServices/accounts/CustomVision/detect/* |
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read |
none | |
| 88424f51-ebe7-446f-bc41-7fa16989e96c | Cognitive Services Custom Vision Labeler | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can’t update anything other than training images and tags. | Microsoft.CognitiveServices/*/read |
Microsoft.CognitiveServices/accounts/CustomVision/*/read Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action Microsoft.CognitiveServices/accounts/CustomVision/projects/images/* Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/* Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/* Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action |
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read |
none | |
| 93586559-c37d-4a6b-ba08-b9f0940c2d73 | Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can’t create or update the project. | Microsoft.CognitiveServices/*/read |
Microsoft.CognitiveServices/accounts/CustomVision/*/read Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action |
Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read |
none | |
| 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b | Cognitive Services Custom Vision Trainer | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can’t create or delete the project. | Microsoft.CognitiveServices/*/read |
Microsoft.CognitiveServices/accounts/CustomVision/* |
Microsoft.CognitiveServices/accounts/CustomVision/projects/action Microsoft.CognitiveServices/accounts/CustomVision/projects/delete Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read |
none | |
| 00482a5a-887f-4fb3-b363-3b7fe8e74483 | Key Vault Administrator (preview) | Can perform any action on certificates, keys and secrets of a key vault, except manage permissions. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read |
Microsoft.KeyVault/vaults/* |
none | ||
| 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 | Key Vault Crypto Officer (preview) | Can perform any action on the keys of a key vault, except manage permissions. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read |
Microsoft.KeyVault/vaults/keys/* |
none | ||
| 12338af0-0e69-4776-bea7-57ae8d297424 | Key Vault Crypto User (preview) | Can perform cryptographic operations on keys and certificates. | Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/keys/update/action Microsoft.KeyVault/vaults/keys/backup/action Microsoft.KeyVault/vaults/keys/encrypt/action Microsoft.KeyVault/vaults/keys/decrypt/action Microsoft.KeyVault/vaults/keys/wrap/action Microsoft.KeyVault/vaults/keys/unwrap/action Microsoft.KeyVault/vaults/keys/sign/action Microsoft.KeyVault/vaults/keys/verify/action |
none | |||
| b86a8fe4-44ce-4948-aee5-eccb2c155cd7 | Key Vault Secrets Officer (preview) | Can perform any action on the secrets of a key vault, except manage permissions. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read |
Microsoft.KeyVault/vaults/secrets/* |
none | ||
| 4633458b-17de-408a-b874-0445c86b69e6 | Key Vault Secrets User (preview) | Can read secret contents. | Microsoft.KeyVault/vaults/secrets/getSecret/action Microsoft.KeyVault/vaults/secrets/readMetadata/action |
none | |||
| a4417e6f-fecd-4de8-b567-7b0420556985 | Key Vault Certificates Officer (preview) | Can perform any action on the certificates of a key vault, except manage permissions. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read |
Microsoft.KeyVault/vaults/certificatecas/* Microsoft.KeyVault/vaults/certificates/* |
none | ||
| 21090545-7ca7-4776-b22c-e363652d74d2 | Key Vault Reader (preview) | Can read metadata of key vaults and its certificates, keys and secrets. Cannot read sensitive values such as secret contents or key material. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read |
Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/vaults/secrets/readMetadata/action |
none | ||
| e147488a-f6f5-4113-8e2d-b22465e65bf6 | Key Vault Crypto Service Encryption (preview) | Can read metadata of keys and perform wrap/unwrap operations. | Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/keys/wrap/action Microsoft.KeyVault/vaults/keys/unwrap/action |
none |