| Id | Name | Description | Actions | NotActions | DataActions | NotDataActions | Used in Policy |
|---|---|---|---|---|---|---|---|
| 05352d14-a920-4328-a0de-4cbe7430e26b | Azure Center for SAP solutions reader | This role provides read access to all capabilities of Azure Center for SAP solutions. | count: 011 •Microsoft.Workloads/sapvirtualInstances/*/read •Microsoft.Workloads/Locations/*/action •Microsoft.Workloads/Operations/read •Microsoft.Workloads/Locations/OperationStatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.ResourceHealth/availabilityStatuses/read | ||||
| aabbc5dd-1af0-458b-a942-81af88f9c138 | Azure Center for SAP solutions service role | Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems. | count: 004 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* | ||||
| 7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7 | Azure Center for SAP solutions administrator | This role provides read and write access to all capabilities of Azure Center for SAP solutions. | count: 014 •Microsoft.Workloads/sapvirtualInstances/*/read •Microsoft.Workloads/sapVirtualInstances/write •Microsoft.Workloads/sapVirtualInstances/delete •Microsoft.Workloads/Locations/*/action •Microsoft.Workloads/Locations/OperationStatuses/read •Microsoft.Workloads/sapVirtualInstances/start/action •Microsoft.Workloads/sapVirtualInstances/stop/action •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.ResourceHealth/availabilityStatuses/read | ||||
| fbc52c3f-28ad-4303-a892-8a056630b8f1 | Azure Traffic Controller Configuration Manager | Allows access to traffic controller resource. Also allows all confiuration Updates on traffic controller | count: 013 •Microsoft.ServiceNetworking/trafficControllers/read •Microsoft.ServiceNetworking/trafficControllers/write •Microsoft.ServiceNetworking/trafficControllers/delete •Microsoft.ServiceNetworking/trafficControllers/frontends/read •Microsoft.ServiceNetworking/trafficControllers/frontends/write •Microsoft.ServiceNetworking/trafficControllers/frontends/delete •Microsoft.ServiceNetworking/trafficControllers/associations/read •Microsoft.ServiceNetworking/trafficControllers/associations/write •Microsoft.ServiceNetworking/trafficControllers/associations/delete •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read | count: 003 •Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/read •Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/write •Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/delete | |||
| 4ba50f17-9666-485c-a643-ff00808643f0 | FHIR SMART User | Role allows user to access FHIR Service according to SMART on FHIR specification | count: 002 •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | ||||
| a001fd3d-188f-4b5d-821b-7da978bf7442 | Cognitive Services OpenAI Contributor | Full access including the ability to fine-tune, deploy and generate text | count: 003 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 001 •Microsoft.CognitiveServices/accounts/OpenAI/* | |||
| 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd | Cognitive Services OpenAI User | Ability to view files, models, deployments. Readers can't make any changes They can inference | count: 003 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 009 •Microsoft.CognitiveServices/accounts/OpenAI/*/read •Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action •Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action •Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action •Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/write •Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/write | |||
| 36e80216-a7e8-4f42-a7e1-f12c98cbaf8a | Impact Reporter | Allows access to create/report, read and delete impacts | count: 002 •Microsoft.Impact/WorkloadImpacts/* •Microsoft.Impact/ImpactCategories/read | ||||
| 68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e | Impact Reader | Allows read-only access to reported impacts and impact categories | count: 002 •Microsoft.Impact/WorkloadImpacts/read •Microsoft.Impact/ImpactCategories/read | ||||
| 1afdec4b-e479-420e-99e7-f82237c7c5e6 | Azure Kubernetes Service Cluster Monitoring User | List cluster monitoring user credential action. | count: 001 •Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action | ||||
| f5819b54-e033-4d82-ac66-4fec3cbf3f4c | Azure Connected Machine Resource Manager | Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group | count: 010 •Microsoft.HybridConnectivity/endpoints/read •Microsoft.HybridConnectivity/endpoints/write •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/*/read •Microsoft.HybridCompute/machines/UpgradeExtensions/action | ||||
| 8311e382-0749-4cb8-b61a-304f252e45ec | AcrPush | acr push | count: 002 •Microsoft.ContainerRegistry/registries/pull/read •Microsoft.ContainerRegistry/registries/push/write | ||||
| 312a565d-c81f-4fd8-895a-4e21e48d571c | API Management Service Contributor | Can manage service and the APIs | count: 007 •Microsoft.ApiManagement/service/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 001 •Configure API Management services to disable public network access | |||
| 7f951dda-4ed3-4680-a7ca-43fe172d538d | AcrPull | acr pull | count: 001 •Microsoft.ContainerRegistry/registries/pull/read | ||||
| 6cef56e8-d556-48e5-a04f-b8e64114680f | AcrImageSigner | acr image signer | count: 001 •Microsoft.ContainerRegistry/registries/sign/write | count: 001 •Microsoft.ContainerRegistry/registries/trustedCollections/write | |||
| c2f4ef07-c644-48eb-af81-4b1b4947fb11 | AcrDelete | acr delete | count: 001 •Microsoft.ContainerRegistry/registries/artifacts/delete | ||||
| cdda3590-29a3-44f6-95f2-9f980659eb04 | AcrQuarantineReader | acr quarantine data reader | count: 001 •Microsoft.ContainerRegistry/registries/quarantine/read | count: 001 •Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | |||
| c8d4ff99-41c3-41a8-9f60-21dfdad59608 | AcrQuarantineWriter | acr quarantine data writer | count: 002 •Microsoft.ContainerRegistry/registries/quarantine/read •Microsoft.ContainerRegistry/registries/quarantine/write | count: 002 •Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read •Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | |||
| e022efe7-f5ba-4159-bbe4-b44f577e9b61 | API Management Service Operator Role | Can manage service but not the APIs | count: 015 •Microsoft.ApiManagement/service/*/read •Microsoft.ApiManagement/service/backup/action •Microsoft.ApiManagement/service/delete •Microsoft.ApiManagement/service/managedeployments/action •Microsoft.ApiManagement/service/read •Microsoft.ApiManagement/service/restore/action •Microsoft.ApiManagement/service/updatecertificate/action •Microsoft.ApiManagement/service/updatehostname/action •Microsoft.ApiManagement/service/write •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 001 •Microsoft.ApiManagement/service/users/keys/read | |||
| 71522526-b88f-4d52-b57f-d31fc3546d0d | API Management Service Reader Role | Read-only access to service and APIs | count: 008 •Microsoft.ApiManagement/service/*/read •Microsoft.ApiManagement/service/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 001 •Microsoft.ApiManagement/service/users/keys/read | |||
| ae349356-3a1b-4a5e-921d-050484c6347e | Application Insights Component Contributor | Can manage Application Insights components | count: 013 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/generateLiveToken/read •Microsoft.Insights/metricAlerts/* •Microsoft.Insights/components/* •Microsoft.Insights/scheduledqueryrules/* •Microsoft.Insights/topology/read •Microsoft.Insights/transactions/read •Microsoft.Insights/webtests/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 001 •Configure Azure Application Insights components to disable public network access for log ingestion and querying | |||
| 08954f03-6346-4c2e-81c0-ec3a5cfae23b | Application Insights Snapshot Debugger | Gives user permission to use Application Insights Snapshot Debugger features | count: 006 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/components/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| fd1bd22b-8476-40bc-a0bc-69b95687b9f3 | Attestation Reader | Can read the attestation provider properties | count: 001 •Microsoft.Attestation/attestationProviders/attestation/read | ||||
| 4fe576fe-1146-4730-92eb-48519fa6bf9f | Automation Job Operator | Create and Manage Jobs using Automation Runbooks. | count: 013 •Microsoft.Authorization/*/read •Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read •Microsoft.Automation/automationAccounts/jobs/read •Microsoft.Automation/automationAccounts/jobs/resume/action •Microsoft.Automation/automationAccounts/jobs/stop/action •Microsoft.Automation/automationAccounts/jobs/streams/read •Microsoft.Automation/automationAccounts/jobs/suspend/action •Microsoft.Automation/automationAccounts/jobs/write •Microsoft.Automation/automationAccounts/jobs/output/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 | Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. | count: 006 •Microsoft.Authorization/*/read •Microsoft.Automation/automationAccounts/runbooks/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| d3881f73-407a-4167-8283-e981cbba0404 | Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs | count: 021 •Microsoft.Authorization/*/read •Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read •Microsoft.Automation/automationAccounts/jobs/read •Microsoft.Automation/automationAccounts/jobs/resume/action •Microsoft.Automation/automationAccounts/jobs/stop/action •Microsoft.Automation/automationAccounts/jobs/streams/read •Microsoft.Automation/automationAccounts/jobs/suspend/action •Microsoft.Automation/automationAccounts/jobs/write •Microsoft.Automation/automationAccounts/jobSchedules/read •Microsoft.Automation/automationAccounts/jobSchedules/write •Microsoft.Automation/automationAccounts/linkedWorkspace/read •Microsoft.Automation/automationAccounts/read •Microsoft.Automation/automationAccounts/runbooks/read •Microsoft.Automation/automationAccounts/schedules/read •Microsoft.Automation/automationAccounts/schedules/write •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Automation/automationAccounts/jobs/output/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 4f8fab4f-1852-4a58-a46a-8eaf358af14a | Avere Contributor | Can create and manage an Avere vFXT cluster. | count: 020 •Microsoft.Authorization/*/read •Microsoft.Compute/*/read •Microsoft.Compute/availabilitySets/* •Microsoft.Compute/proximityPlacementGroups/* •Microsoft.Compute/virtualMachines/* •Microsoft.Compute/disks/* •Microsoft.Network/*/read •Microsoft.Network/networkInterfaces/* •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Resources/deployments/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/*/read •Microsoft.Storage/storageAccounts/* •Microsoft.Support/* •Microsoft.Resources/subscriptions/resourceGroups/resources/read | count: 003 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | Avere Operator | Used by the Avere vFXT cluster to manage the cluster | count: 011 •Microsoft.Compute/virtualMachines/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/blobServices/containers/delete •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write | count: 003 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 | Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | count: 004 •Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action •Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action •Microsoft.ContainerService/managedClusters/read •Microsoft.ContainerService/managedClusters/runcommand/action | ||||
| 4abbcc35-e782-43d8-92c5-2d3f1bd2253f | Azure Kubernetes Service Cluster User Role | List cluster user credential action. | count: 002 •Microsoft.ContainerService/managedClusters/listClusterUserCredential/action •Microsoft.ContainerService/managedClusters/read | ||||
| 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | Azure Maps Data Reader | Grants access to read map related data from an Azure maps account. | count: 001 •Microsoft.Maps/accounts/*/read | ||||
| 6f12a6df-dd06-4f3e-bcb1-ce8be600526a | Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | count: 004 •Microsoft.AzureStack/edgeSubscriptions/read •Microsoft.AzureStack/registrations/products/*/action •Microsoft.AzureStack/registrations/products/read •Microsoft.AzureStack/registrations/read | ||||
| 5e467623-bb1f-42f4-a55d-6e525e11384b | Backup Contributor | Lets you manage backup service,but can't create vaults and give access to others | count: 069 •Microsoft.Authorization/*/read •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/locations/* •Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* •Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action •Microsoft.RecoveryServices/Vaults/backupJobs/* •Microsoft.RecoveryServices/Vaults/backupJobsExport/action •Microsoft.RecoveryServices/Vaults/backupOperationResults/* •Microsoft.RecoveryServices/Vaults/backupPolicies/* •Microsoft.RecoveryServices/Vaults/backupProtectableItems/* •Microsoft.RecoveryServices/Vaults/backupProtectedItems/* •Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* •Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* •Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read •Microsoft.RecoveryServices/Vaults/certificates/* •Microsoft.RecoveryServices/Vaults/extendedInformation/* •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/* •Microsoft.RecoveryServices/Vaults/usages/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.RecoveryServices/Vaults/backupstorageconfig/* •Microsoft.RecoveryServices/Vaults/backupconfig/* •Microsoft.RecoveryServices/Vaults/backupValidateOperation/action •Microsoft.RecoveryServices/Vaults/write •Microsoft.RecoveryServices/Vaults/backupOperations/read •Microsoft.RecoveryServices/Vaults/backupEngines/read •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* •Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read •Microsoft.RecoveryServices/locations/backupStatus/action •Microsoft.RecoveryServices/locations/backupPreValidateProtection/action •Microsoft.RecoveryServices/locations/backupValidateFeatures/action •Microsoft.RecoveryServices/Vaults/monitoringAlerts/write •Microsoft.RecoveryServices/operations/read •Microsoft.RecoveryServices/locations/operationStatus/read •Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read •Microsoft.Support/* •Microsoft.DataProtection/locations/getBackupStatus/action •Microsoft.DataProtection/backupVaults/backupInstances/write •Microsoft.DataProtection/backupVaults/backupInstances/delete •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/deletedBackupInstances/read •Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action •Microsoft.DataProtection/backupVaults/backupInstances/backup/action •Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action •Microsoft.DataProtection/backupVaults/backupInstances/restore/action •Microsoft.DataProtection/backupVaults/backupPolicies/write •Microsoft.DataProtection/backupVaults/backupPolicies/delete •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action •Microsoft.DataProtection/backupVaults/write •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/operationResults/read •Microsoft.DataProtection/backupVaults/operationStatus/read •Microsoft.DataProtection/locations/checkNameAvailability/action •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/backupVaults/validateForBackup/action •Microsoft.DataProtection/operations/read | count: 006 •[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region •[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region •Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location •Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | |||
| fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 | Billing Reader | Allows read access to billing data | count: 007 •Microsoft.Authorization/*/read •Microsoft.Billing/*/read •Microsoft.Commerce/*/read •Microsoft.Consumption/*/read •Microsoft.Management/managementGroups/read •Microsoft.CostManagement/*/read •Microsoft.Support/* | ||||
| 00c29273-979b-4161-815c-10b084fb9324 | Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others | count: 086 •Microsoft.Authorization/*/read •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action •Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read •Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action •Microsoft.RecoveryServices/Vaults/backupJobs/* •Microsoft.RecoveryServices/Vaults/backupJobsExport/action •Microsoft.RecoveryServices/Vaults/backupOperationResults/* •Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read •Microsoft.RecoveryServices/Vaults/backupPolicies/read •Microsoft.RecoveryServices/Vaults/backupProtectableItems/* •Microsoft.RecoveryServices/Vaults/backupProtectedItems/read •Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read •Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read •Microsoft.RecoveryServices/Vaults/certificates/write •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/extendedInformation/write •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/write •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.RecoveryServices/Vaults/backupstorageconfig/* •Microsoft.RecoveryServices/Vaults/backupValidateOperation/action •Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action •Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read •Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read •Microsoft.RecoveryServices/Vaults/backupOperations/read •Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action •Microsoft.RecoveryServices/Vaults/backupEngines/read •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read •Microsoft.RecoveryServices/locations/backupStatus/action •Microsoft.RecoveryServices/locations/backupPreValidateProtection/action •Microsoft.RecoveryServices/locations/backupValidateFeatures/action •Microsoft.RecoveryServices/locations/backupAadProperties/read •Microsoft.RecoveryServices/locations/backupCrrJobs/action •Microsoft.RecoveryServices/locations/backupCrrJob/action •Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action •Microsoft.RecoveryServices/locations/backupCrrOperationResults/read •Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/write •Microsoft.RecoveryServices/operations/read •Microsoft.RecoveryServices/locations/operationStatus/read •Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read •Microsoft.Support/* •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/deletedBackupInstances/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/operationResults/read •Microsoft.DataProtection/backupVaults/operationStatus/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/operations/read •Microsoft.DataProtection/backupVaults/validateForBackup/action •Microsoft.DataProtection/backupVaults/backupInstances/backup/action •Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action •Microsoft.DataProtection/backupVaults/backupInstances/restore/action | ||||
| a795c7a0-d4a2-40c1-ae25-d81f01202912 | Backup Reader | Can view backup services, but can't make changes | count: 063 •Microsoft.Authorization/*/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read •Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read •Microsoft.RecoveryServices/Vaults/backupJobs/read •Microsoft.RecoveryServices/Vaults/backupJobsExport/action •Microsoft.RecoveryServices/Vaults/backupOperationResults/read •Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read •Microsoft.RecoveryServices/Vaults/backupPolicies/read •Microsoft.RecoveryServices/Vaults/backupProtectedItems/read •Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read •Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/Vaults/backupstorageconfig/read •Microsoft.RecoveryServices/Vaults/backupconfig/read •Microsoft.RecoveryServices/Vaults/backupOperations/read •Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read •Microsoft.RecoveryServices/Vaults/backupEngines/read •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read •Microsoft.RecoveryServices/locations/backupStatus/action •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* •Microsoft.RecoveryServices/Vaults/monitoringAlerts/write •Microsoft.RecoveryServices/operations/read •Microsoft.RecoveryServices/locations/operationStatus/read •Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/locations/backupValidateFeatures/action •Microsoft.RecoveryServices/locations/backupCrrJobs/action •Microsoft.RecoveryServices/locations/backupCrrJob/action •Microsoft.RecoveryServices/locations/backupCrrOperationResults/read •Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read •Microsoft.DataProtection/locations/getBackupStatus/action •Microsoft.DataProtection/backupVaults/backupInstances/write •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/deletedBackupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/backup/action •Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action •Microsoft.DataProtection/backupVaults/backupInstances/restore/action •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/operationResults/read •Microsoft.DataProtection/backupVaults/operationStatus/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/backupVaults/validateForBackup/action •Microsoft.DataProtection/operations/read | ||||
| 31a002a1-acaf-453e-8a5b-297c9ca1ea24 | Blockchain Member Node Access (Preview) | Allows for access to Blockchain Member nodes | count: 001 •Microsoft.Blockchain/blockchainMembers/transactionNodes/read | count: 001 •Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action | |||
| 5e3c6656-6cfa-4708-81fe-0de47ac73342 | BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.BizTalkServices/BizTalk/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 | CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. | count: 008 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/endpoints/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 871e35f6-b5c1-49cc-a043-bde969a0f2cd | CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. | count: 009 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/endpoints/*/read •Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| ec156ff8-a8d1-4d15-830c-5b80698ca432 | CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can't grant access to other users. | count: 008 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 8f96442b-4075-438f-813d-ad51ab4019af | CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. | count: 008 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| b34d265f-36f7-4a0d-a4d4-e158ca92e90f | Classic Network Contributor | Lets you manage classic networks, but not access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.ClassicNetwork/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.ClassicStorage/storageAccounts/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 985d6b00-f706-48f5-a6fe-d0ca12fb668d | Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | count: 002 •Microsoft.ClassicStorage/storageAccounts/listkeys/action •Microsoft.ClassicStorage/storageAccounts/regeneratekey/action | ||||
| 9106cda0-8a86-4e81-b686-29a22c54effe | ClearDB MySQL DB Contributor | Lets you manage ClearDB MySQL databases, but not access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •successbricks.cleardb/databases/* | ||||
| d73bb868-a0df-4d4d-bd69-98a00b01fccb | Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | count: 017 •Microsoft.Authorization/*/read •Microsoft.ClassicCompute/domainNames/* •Microsoft.ClassicCompute/virtualMachines/* •Microsoft.ClassicNetwork/networkSecurityGroups/join/action •Microsoft.ClassicNetwork/reservedIps/link/action •Microsoft.ClassicNetwork/reservedIps/read •Microsoft.ClassicNetwork/virtualNetworks/join/action •Microsoft.ClassicNetwork/virtualNetworks/read •Microsoft.ClassicStorage/storageAccounts/disks/read •Microsoft.ClassicStorage/storageAccounts/images/read •Microsoft.ClassicStorage/storageAccounts/listKeys/action •Microsoft.ClassicStorage/storageAccounts/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| a97b65f3-24c7-4388-baec-2e87135dc908 | Cognitive Services User | Lets you read and list keys of Cognitive Services. | count: 013 •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/listkeys/action •Microsoft.Insights/alertRules/read •Microsoft.Insights/diagnosticSettings/read •Microsoft.Insights/logDefinitions/read •Microsoft.Insights/metricdefinitions/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 001 •Microsoft.CognitiveServices/* | |||
| b59867f0-fa02-499b-be73-45a86b5b3e1c | Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | count: 001 •Microsoft.CognitiveServices/*/read | ||||
| 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. | count: 018 •Microsoft.Authorization/*/read •Microsoft.CognitiveServices/* •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Features/providers/features/register/action •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Insights/logDefinitions/read •Microsoft.Insights/metricdefinitions/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 001 •Configure Cognitive Services accounts with private endpoints | |||
| db7b14f2-5adf-42da-9f96-f2ee17bab5cb | CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account | count: 002 •Microsoft.DocumentDB/databaseAccounts/backup/action •Microsoft.DocumentDB/databaseAccounts/restore/action | ||||
| b24988ac-6180-42a0-ab88-20f7382dd24c | Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | count: 001 •* | count: 006 •Microsoft.Authorization/*/Delete •Microsoft.Authorization/*/Write •Microsoft.Authorization/elevateAccess/Action •Microsoft.Blueprint/blueprintAssignments/write •Microsoft.Blueprint/blueprintAssignments/delete •Microsoft.Compute/galleries/share/action | count: 178 •[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage •[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords •[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 •[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords •[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' •[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members •[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members •[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' •[Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled •[Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords •[Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain •[Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone •[Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption •[Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days •[Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot •[Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols •[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. •[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. •[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines •[Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent •[Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent •[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension •[Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace •[Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace •[Preview]: Configure Azure Defender for SQL agent on virtual machine •[Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent •[Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent •[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines •[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines •[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines •[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines •[Preview]: Schedule recurring updates using Update Management Center •Add a tag to resource groups •Add a tag to resources •Add or replace a tag on resource groups •Add or replace a tag on resources •Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities •Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity •Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers •Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers •Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers •Configure App Configuration stores to disable local authentication methods •Configure App Configuration to disable public network access •Configure Azure Automation account to disable local authentication •Configure Azure Automation accounts to disable public network access •Configure Azure Device Update for IoT Hub accounts to disable public network access •Configure Azure Device Update for IoT Hub accounts to use private DNS zones •Configure Azure Device Update for IoT Hub accounts with private endpoint •Configure Azure File Sync with private endpoints •Configure Azure HDInsight clusters with private endpoints •Configure Azure IoT Hub to disable local authentication •Configure Azure Kubernetes Service clusters to enable Defender profile •Configure Azure Monitor Private Link Scope to block access to non private link resources •Configure Azure Monitor Private Link Scopes with private endpoints •Configure Azure Synapse Workspace Dedicated SQL minimum TLS version •Configure Azure Synapse workspaces to disable public network access •Configure Azure Synapse workspaces with private endpoints •Configure Batch accounts to disable local authentication •Configure Batch accounts to disable public network access •Configure Batch accounts with private endpoints •Configure Cognitive Services accounts to disable local authentication methods •Configure Cognitive Services accounts to disable public network access •Configure container registries to disable anonymous authentication. •Configure container registries to disable ARM audience token authentication. •Configure container registries to disable local admin account. •Configure Container registries to disable public network access •Configure container registries to disable repository scoped access token. •Configure Container registries with private endpoints •Configure CosmosDB accounts to disable public network access •Configure CosmosDB accounts with private endpoints •Configure disk access resources with private endpoints •Configure installation of Flux extension on Kubernetes cluster •Configure IoT Hub device provisioning instances to use private DNS zones •Configure IoT Hub device provisioning service instances to disable public network access •Configure IoT Hub device provisioning service instances with private endpoints •Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault •Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate •Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets •Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets •Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets •Configure Kubernetes clusters with Flux v2 configuration using public Git repository •Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets •Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets •Configure Kubernetes clusters with specified GitOps configuration using no secrets •Configure Kubernetes clusters with specified GitOps configuration using SSH secrets •Configure Log Analytics workspace and automation account to centralize logs and monitoring •Configure Machine Learning computes to disable local authentication methods •Configure managed disks to disable public network access •Configure network security groups to enable traffic analytics •Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics •Configure private endpoint connections on Azure Automation accounts •Configure private endpoints for App Configuration •Configure Private Link for Azure AD with private endpoints •Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows servers •Configure Synapse Workspaces to use only Azure Active Directory identities for authentication •Configure virtual machines to be onboarded to Azure Automanage •Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile •Deploy - Configure Azure IoT Hubs to use private DNS zones •Deploy - Configure Azure IoT Hubs with private endpoints •Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM •Deploy - Configure IoT Central to use private DNS zones •Deploy - Configure IoT Central with private endpoints •Deploy a flow log resource with target network security group •Deploy associations for a custom provider •Deploy associations for a managed application •Deploy Diagnostic Settings for Azure SQL Database to Event Hub •Deploy Diagnostic Settings for Batch Account to Event Hub •Deploy Diagnostic Settings for Data Lake Analytics to Event Hub •Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub •Deploy Diagnostic Settings for Event Hub to Event Hub •Deploy Diagnostic Settings for Key Vault to Event Hub •Deploy Diagnostic Settings for Logic Apps to Event Hub •Deploy Diagnostic Settings for Search Services to Event Hub •Deploy Diagnostic Settings for Service Bus to Event Hub •Deploy Diagnostic Settings for Stream Analytics to Event Hub •Deploy export to Event Hub for Microsoft Defender for Cloud data •Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data •Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs •Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs •Deploy Workflow Automation for Microsoft Defender for Cloud alerts •Deploy Workflow Automation for Microsoft Defender for Cloud recommendations •Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance •Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. •Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. •Inherit a tag from the resource group •Inherit a tag from the resource group if missing •Inherit a tag from the subscription •Inherit a tag from the subscription if missing •Modify - Configure Azure File Sync to disable public network access •Modify - Configure Azure IoT Hubs to disable public network access •Modify - Configure IoT Central to disable public network access | ||
| fbdf93bf-df7d-467e-a4d2-9458aa1360c8 | Cosmos DB Account Reader Role | Can read Azure Cosmos DB Accounts data | count: 007 •Microsoft.Authorization/*/read •Microsoft.DocumentDB/*/read •Microsoft.DocumentDB/databaseAccounts/readonlykeys/action •Microsoft.Insights/MetricDefinitions/read •Microsoft.Insights/Metrics/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 434105ed-43f6-45c7-a02f-909b2ba83430 | Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) | count: 010 •Microsoft.Consumption/* •Microsoft.CostManagement/* •Microsoft.Billing/billingPeriods/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Advisor/configurations/read •Microsoft.Advisor/recommendations/read •Microsoft.Management/managementGroups/read •Microsoft.Billing/billingProperty/read | ||||
| 72fafb9e-0641-4937-9268-a91bfd8191a3 | Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) | count: 010 •Microsoft.Consumption/*/read •Microsoft.CostManagement/*/read •Microsoft.Billing/billingPeriods/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Advisor/configurations/read •Microsoft.Advisor/recommendations/read •Microsoft.Management/managementGroups/read •Microsoft.Billing/billingProperty/read | ||||
| add466c9-e687-43fc-8d98-dfcf8d720be5 | Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | count: 006 •Microsoft.Authorization/*/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Databox/* | ||||
| 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. | count: 010 •Microsoft.Authorization/*/read •Microsoft.Databox/*/read •Microsoft.Databox/jobs/listsecrets/action •Microsoft.Databox/jobs/listcredentials/action •Microsoft.Databox/locations/availableSkus/action •Microsoft.Databox/locations/validateInputs/action •Microsoft.Databox/locations/regionConfiguration/action •Microsoft.Databox/locations/validateAddress/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Support/* | ||||
| 673868aa-7521-48a0-acc6-0f60742d39f5 | Data Factory Contributor | Create and manage data factories, as well as child resources within them. | count: 009 •Microsoft.Authorization/*/read •Microsoft.DataFactory/dataFactories/* •Microsoft.DataFactory/factories/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.EventGrid/eventSubscriptions/write | count: 002 •Configure Data Factories to disable public network access •Configure private endpoints for Data factories | |||
| 150f5e0c-0603-4f03-8c7f-cf70034c4e90 | Data Purger | Can purge analytics data | count: 004 •Microsoft.Insights/components/*/read •Microsoft.Insights/components/purge/action •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/purge/action | ||||
| 47b7735b-770e-4598-a7da-8b91488b4c88 | Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | count: 008 •Microsoft.Authorization/*/read •Microsoft.BigAnalytics/accounts/* •Microsoft.DataLakeAnalytics/accounts/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 014 •Microsoft.BigAnalytics/accounts/Delete •Microsoft.BigAnalytics/accounts/TakeOwnership/action •Microsoft.BigAnalytics/accounts/Write •Microsoft.DataLakeAnalytics/accounts/Delete •Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action •Microsoft.DataLakeAnalytics/accounts/Write •Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write •Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete •Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write •Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete •Microsoft.DataLakeAnalytics/accounts/firewallRules/Write •Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete •Microsoft.DataLakeAnalytics/accounts/computePolicies/Write •Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete | |||
| 76283e04-6283-4c54-8f91-bcf1374a3c64 | DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | count: 032 •Microsoft.Authorization/*/read •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/virtualMachines/*/read •Microsoft.Compute/virtualMachines/deallocate/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/restart/action •Microsoft.Compute/virtualMachines/start/action •Microsoft.DevTestLab/*/read •Microsoft.DevTestLab/labs/claimAnyVm/action •Microsoft.DevTestLab/labs/createEnvironment/action •Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action •Microsoft.DevTestLab/labs/formulas/delete •Microsoft.DevTestLab/labs/formulas/read •Microsoft.DevTestLab/labs/formulas/write •Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action •Microsoft.DevTestLab/labs/virtualMachines/claim/action •Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action •Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/inboundNatRules/join/action •Microsoft.Network/networkInterfaces/*/read •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/publicIPAddresses/*/read •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/listKeys/action | count: 001 •Microsoft.Compute/virtualMachines/vmSizes/read | |||
| 5bd9cd88-fe45-4216-938b-f97437e15450 | DocumentDB Account Contributor | Lets you manage DocumentDB accounts, but not access to them. | count: 008 •Microsoft.Authorization/*/read •Microsoft.DocumentDb/databaseAccounts/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | count: 003 •Configure Cosmos DB database accounts to disable local authentication •Configure CosmosDB accounts to disable public network access •Configure CosmosDB accounts with private endpoints | |||
| befefa01-2a29-4197-83a8-272ff33ce314 | DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/dnsZones/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 | EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | count: 009 •Microsoft.Authorization/*/read •Microsoft.EventGrid/eventSubscriptions/* •Microsoft.EventGrid/topicTypes/eventSubscriptions/read •Microsoft.EventGrid/locations/eventSubscriptions/read •Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 2414bbcf-6497-4faf-8c65-045460748405 | EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | count: 006 •Microsoft.Authorization/*/read •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/topicTypes/eventSubscriptions/read •Microsoft.EventGrid/locations/eventSubscriptions/read •Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b60367af-1334-4454-b71e-769d9a4f83d9 | Graph Owner | Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions | count: 014 •Microsoft.EnterpriseKnowledgeGraph/services/conflation/read •Microsoft.EnterpriseKnowledgeGraph/services/conflation/write •Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/read •Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/write •Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read •Microsoft.EnterpriseKnowledgeGraph/services/knowledge/write •Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/read •Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/write •Microsoft.EnterpriseKnowledgeGraph/services/ingestion/read •Microsoft.EnterpriseKnowledgeGraph/services/ingestion/write •Microsoft.EnterpriseKnowledgeGraph/services/ontology/read •Microsoft.EnterpriseKnowledgeGraph/services/ontology/write •Microsoft.EnterpriseKnowledgeGraph/services/delete •Microsoft.EnterpriseKnowledgeGraph/operations/read | ||||
| 8d8d5a11-05d3-4bda-a417-a08778121c7c | HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | count: 003 •Microsoft.AAD/*/read •Microsoft.AAD/domainServices/*/read •Microsoft.AAD/domainServices/oucontainer/* | ||||
| 03a6d094-3444-4b3d-88af-7477090a9e5e | Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.IntelligentSystems/accounts/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| f25e0fa2-a7c8-4377-a976-54943a77a395 | Key Vault Contributor | Lets you manage key vaults, but not access to them. | count: 006 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KeyVault/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 003 •Microsoft.KeyVault/locations/deletedVaults/purge/action •Microsoft.KeyVault/hsmPools/* •Microsoft.KeyVault/managedHsms/* | count: 002 •[Preview]: Configure Azure Key Vaults with private endpoints •Configure key vaults to enable firewall | ||
| ee361c5d-f7b5-4119-b4b6-892157c8f64c | Knowledge Consumer | Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query | count: 001 •Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read | ||||
| b97fb8bc-a8b2-4522-a38b-dd33c7e65ead | Lab Creator | Lets you create new labs under your Azure Lab Accounts. | count: 018 •Microsoft.Authorization/*/read •Microsoft.LabServices/labAccounts/*/read •Microsoft.LabServices/labAccounts/createLab/action •Microsoft.LabServices/labAccounts/getPricingAndAvailability/action •Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labPlans/saveImage/action •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 001 •Microsoft.LabServices/labPlans/createLab/action | |||
| 73c42c96-874c-492b-b04d-ab87d138a893 | Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | count: 004 •*/read •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/search/action •Microsoft.Support/* | count: 001 •Microsoft.OperationalInsights/workspaces/sharedKeys/read | |||
| 92aaf0da-9dab-42b6-94a3-d43ce8d16293 | Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | count: 013 •*/read •Microsoft.ClassicCompute/virtualMachines/extensions/* •Microsoft.ClassicStorage/storageAccounts/listKeys/action •Microsoft.Compute/virtualMachines/extensions/* •Microsoft.HybridCompute/machines/extensions/write •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.OperationalInsights/* •Microsoft.OperationsManagement/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Support/* | count: 060 •[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace •[Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs •[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension •[Preview]: Configure ChangeTracking Extension for Linux Arc machines •[Preview]: Configure ChangeTracking Extension for Windows Arc machines •[Preview]: Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings •[Preview]: Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings •[Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agent •[Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agent •[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group •[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group •[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group •[Preview]: Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings •[Preview]: Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings •Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. •Configure Azure Activity logs to stream to specified Log Analytics workspace •Configure Azure Kubernetes Service clusters to enable Defender profile •Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying •Configure Azure SQL database servers diagnostic settings to Log Analytics workspace •Configure Dependency agent on Azure Arc enabled Linux servers •Configure Dependency agent on Azure Arc enabled Windows servers •Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace •Configure diagnostic settings for Blob Services to Log Analytics workspace •Configure diagnostic settings for File Services to Log Analytics workspace •Configure diagnostic settings for Queue Services to Log Analytics workspace •Configure diagnostic settings for Storage Accounts to Log Analytics workspace •Configure diagnostic settings for Table Services to Log Analytics workspace •Configure Linux Arc Machines to be associated with a Data Collection Rule •Configure Linux Machines to be associated with a Data Collection Rule •Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule •Configure Linux Virtual Machines to be associated with a Data Collection Rule •Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below •Configure Log Analytics extension on Azure Arc enabled Windows servers •Configure SQL servers to have auditing enabled to Log Analytics workspace •Configure Synapse workspaces to have auditing enabled to Log Analytics workspace •Configure Windows Arc Machines to be associated with a Data Collection Rule •Configure Windows Machines to be associated with a Data Collection Rule •Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule •Configure Windows Virtual Machines to be associated with a Data Collection Rule •Deploy - Configure Dependency agent to be enabled on Windows virtual machines •Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace •Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace •Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace •Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM •Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets •Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines •Deploy Dependency agent for Linux virtual machines •Deploy Diagnostic Settings for Batch Account to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace •Deploy Diagnostic Settings for Event Hub to Log Analytics workspace •Deploy Diagnostic Settings for Key Vault to Log Analytics workspace •Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace •Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. •Deploy Diagnostic Settings for Search Services to Log Analytics workspace •Deploy Diagnostic Settings for Service Bus to Log Analytics workspace •Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace •Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below •Deploy Log Analytics extension for Linux VMs. See deprecation notice below •Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard | |||
| 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe | Logic App Operator | Lets you read, enable and disable logic app. | count: 017 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/*/read •Microsoft.Insights/metricAlerts/*/read •Microsoft.Insights/diagnosticSettings/*/read •Microsoft.Insights/metricDefinitions/*/read •Microsoft.Logic/*/read •Microsoft.Logic/workflows/disable/action •Microsoft.Logic/workflows/enable/action •Microsoft.Logic/workflows/validate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/connectionGateways/*/read •Microsoft.Web/connections/*/read •Microsoft.Web/customApis/*/read •Microsoft.Web/serverFarms/read | ||||
| 87a39d53-fc1b-424a-814c-f7e04687dc9e | Logic App Contributor | Lets you manage logic app, but not access to them. | count: 021 •Microsoft.Authorization/*/read •Microsoft.ClassicStorage/storageAccounts/listKeys/action •Microsoft.ClassicStorage/storageAccounts/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metricAlerts/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Insights/logdefinitions/* •Microsoft.Insights/metricDefinitions/* •Microsoft.Logic/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* •Microsoft.Web/connectionGateways/* •Microsoft.Web/connections/* •Microsoft.Web/customApis/* •Microsoft.Web/serverFarms/join/action •Microsoft.Web/serverFarms/read •Microsoft.Web/sites/functions/listSecrets/action | ||||
| c7393b34-138c-406f-901b-d8cf2b17e6ae | Managed Application Operator Role | Lets you read and perform actions on Managed Application resources | count: 003 •*/read •Microsoft.Solutions/applications/read •Microsoft.Solutions/*/action | ||||
| b9331d33-8a36-4f8c-b097-4f54124fdb44 | Managed Applications Reader | Lets you read resources in a managed app and request JIT access. | count: 003 •*/read •Microsoft.Resources/deployments/* •Microsoft.Solutions/jitRequests/* | ||||
| f1a07417-d97a-45cb-824c-7a7467783830 | Managed Identity Operator | Read and Assign User Assigned Identity | count: 007 •Microsoft.ManagedIdentity/userAssignedIdentities/*/read •Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | count: 001 •[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | |||
| e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 | Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity | count: 008 •Microsoft.ManagedIdentity/userAssignedIdentities/read •Microsoft.ManagedIdentity/userAssignedIdentities/write •Microsoft.ManagedIdentity/userAssignedIdentities/delete •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | count: 001 •[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | |||
| 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c | Management Group Contributor | Management Group Contributor Role | count: 007 •Microsoft.Management/managementGroups/delete •Microsoft.Management/managementGroups/read •Microsoft.Management/managementGroups/subscriptions/delete •Microsoft.Management/managementGroups/subscriptions/write •Microsoft.Management/managementGroups/write •Microsoft.Management/managementGroups/subscriptions/read •Microsoft.Authorization/*/read | ||||
| ac63b705-f282-497d-ac71-919bf39d939d | Management Group Reader | Management Group Reader Role | count: 003 •Microsoft.Management/managementGroups/read •Microsoft.Management/managementGroups/subscriptions/read •Microsoft.Authorization/*/read | ||||
| 3913510d-42f4-4e42-8a64-420c390055eb | Monitoring Metrics Publisher | Enables publishing metrics against Azure resources | count: 003 •Microsoft.Insights/Register/Action •Microsoft.Support/* •Microsoft.Resources/subscriptions/resourceGroups/read | count: 002 •Microsoft.Insights/Metrics/Write •Microsoft.Insights/Telemetry/Write | |||
| 43d0d8ad-25c7-4714-9337-8ba259a9fe05 | Monitoring Reader | Can read all monitoring data. | count: 003 •*/read •Microsoft.OperationalInsights/workspaces/search/action •Microsoft.Support/* | ||||
| 4d97b98b-1d4f-4787-a291-c67834d212e7 | Network Contributor | Lets you manage networks, but not access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 069 •[Preview]: Configure Azure Key Vault Managed HSM with private endpoints •[Preview]: Configure Azure Key Vaults to use private DNS zones •[Preview]: Configure Azure Key Vaults with private endpoints •[Preview]: Configure Azure Recovery Services vaults to use private DNS zones •[Preview]: Configure private endpoints on Azure Recovery Services vaults •[Preview]: Configure Recovery Services vaults to use private DNS zones for backup •[Preview]: Configure Recovery Services vaults to use private endpoints for backup •Configure a private DNS Zone ID for blob groupID •Configure a private DNS Zone ID for blob_secondary groupID •Configure a private DNS Zone ID for dfs groupID •Configure a private DNS Zone ID for dfs_secondary groupID •Configure a private DNS Zone ID for file groupID •Configure a private DNS Zone ID for queue groupID •Configure a private DNS Zone ID for queue_secondary groupID •Configure a private DNS Zone ID for table groupID •Configure a private DNS Zone ID for table_secondary groupID •Configure a private DNS Zone ID for web groupID •Configure a private DNS Zone ID for web_secondary groupID •Configure App Service apps to use private DNS zones •Configure Azure Arc Private Link Scopes to use private DNS zones •Configure Azure Arc Private Link Scopes with private endpoints •Configure Azure Automation accounts with private DNS zones •Configure Azure Cache for Redis to use private DNS zones •Configure Azure Cognitive Search services to disable public network access •Configure Azure Cognitive Search services to use private DNS zones •Configure Azure Cognitive Search services with private endpoints •Configure Azure Device Update for IoT Hub accounts to use private DNS zones •Configure Azure Device Update for IoT Hub accounts with private endpoint •Configure Azure File Sync to use private DNS zones •Configure Azure HDInsight clusters to use private DNS zones •Configure Azure Machine Learning workspace to use private DNS zones •Configure Azure Machine Learning workspaces with private endpoints •Configure Azure Media Services to use private DNS zones •Configure Azure Media Services with private endpoints •Configure Azure Migrate resources to use private DNS zones •Configure Azure Monitor Private Link Scope to use private DNS zones •Configure Azure SQL Server to enable private endpoint connections •Configure Azure Synapse workspaces to use private DNS zones •Configure Azure Web PubSub Service to use private DNS zones •Configure Azure Web PubSub Service with private endpoints •Configure BotService resources to use private DNS zones •Configure BotService resources with private endpoints •Configure Cognitive Services accounts to use private DNS zones •Configure Cognitive Services accounts with private endpoints •Configure Container registries to use private DNS zones •Configure CosmosDB accounts to use private DNS zones •Configure disk access resources to use private DNS zones •Configure Event Hub namespaces to use private DNS zones •Configure Event Hub namespaces with private endpoints •Configure private DNS zones for private endpoints connected to App Configuration •Configure private DNS zones for private endpoints that connect to Azure Data Factory •Configure private endpoint connections on Azure Automation accounts •Configure private endpoints to Azure SignalR Service •Configure Private Link for Azure AD to use private DNS zones •Configure Service Bus namespaces to use private DNS zones •Configure Service Bus namespaces with private endpoints •Configure Storage account to use a private link connection •Deploy - Configure Azure Event Grid domains to use private DNS zones •Deploy - Configure Azure Event Grid domains with private endpoints •Deploy - Configure Azure Event Grid topics to use private DNS zones •Deploy - Configure Azure Event Grid topics with private endpoints •Deploy - Configure Azure IoT Hubs to use private DNS zones •Deploy - Configure Azure IoT Hubs with private endpoints •Deploy - Configure IoT Central to use private DNS zones •Deploy - Configure IoT Central with private endpoints •Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service •Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts •Deploy network watcher when virtual networks are created •Virtual networks should be protected by Azure DDoS Protection Standard | |||
| 749f88d5-cbae-40b8-bcfc-e573ddc772fa | Monitoring Contributor | Can read all monitoring data and update monitoring settings. | count: 037 •*/read •Microsoft.AlertsManagement/alerts/* •Microsoft.AlertsManagement/alertsSummary/* •Microsoft.Insights/actiongroups/* •Microsoft.Insights/activityLogAlerts/* •Microsoft.Insights/AlertRules/* •Microsoft.Insights/components/* •Microsoft.Insights/createNotifications/* •Microsoft.Insights/dataCollectionEndpoints/* •Microsoft.Insights/dataCollectionRules/* •Microsoft.Insights/dataCollectionRuleAssociations/* •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/eventtypes/* •Microsoft.Insights/LogDefinitions/* •Microsoft.Insights/metricalerts/* •Microsoft.Insights/MetricDefinitions/* •Microsoft.Insights/Metrics/* •Microsoft.Insights/notificationStatus/* •Microsoft.Insights/Register/Action •Microsoft.Insights/scheduledqueryrules/* •Microsoft.Insights/webtests/* •Microsoft.Insights/workbooks/* •Microsoft.Insights/workbooktemplates/* •Microsoft.Insights/privateLinkScopes/* •Microsoft.Insights/privateLinkScopeOperationStatuses/* •Microsoft.OperationalInsights/workspaces/write •Microsoft.OperationalInsights/workspaces/intelligencepacks/* •Microsoft.OperationalInsights/workspaces/savedSearches/* •Microsoft.OperationalInsights/workspaces/search/action •Microsoft.OperationalInsights/workspaces/sharedKeys/action •Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* •Microsoft.Support/* •Microsoft.WorkloadMonitor/monitors/* •Microsoft.AlertsManagement/smartDetectorAlertRules/* •Microsoft.AlertsManagement/actionRules/* •Microsoft.AlertsManagement/smartGroups/* •Microsoft.AlertsManagement/migrateFromSmartDetection/* | count: 038 •[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace •[Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule •[Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule •[Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule •[Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule •[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group •[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group •[Preview]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group •Configure Azure Activity logs to stream to specified Log Analytics workspace •Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace •Configure diagnostic settings for Blob Services to Log Analytics workspace •Configure diagnostic settings for File Services to Log Analytics workspace •Configure diagnostic settings for Queue Services to Log Analytics workspace •Configure diagnostic settings for Storage Accounts to Log Analytics workspace •Configure diagnostic settings for Table Services to Log Analytics workspace •Configure Linux Arc Machines to be associated with a Data Collection Rule •Configure Linux Machines to be associated with a Data Collection Rule •Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule •Configure Linux Virtual Machines to be associated with a Data Collection Rule •Configure Windows Arc Machines to be associated with a Data Collection Rule •Configure Windows Machines to be associated with a Data Collection Rule •Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule •Configure Windows Virtual Machines to be associated with a Data Collection Rule •Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace •Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace •Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace •Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM •Deploy Diagnostic Settings for Batch Account to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace •Deploy Diagnostic Settings for Event Hub to Log Analytics workspace •Deploy Diagnostic Settings for Key Vault to Log Analytics workspace •Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace •Deploy Diagnostic Settings for Network Security Groups •Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. •Deploy Diagnostic Settings for Search Services to Log Analytics workspace •Deploy Diagnostic Settings for Service Bus to Log Analytics workspace •Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | |||
| 5d28c62d-5b37-4476-8438-e587778df237 | New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •NewRelic.APM/accounts/* | ||||
| 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | count: 001 •* | count: 003 •Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed •Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery •Configure Synapse workspaces to have auditing enabled to Log Analytics workspace | |||
| acdd72a7-3385-48ef-bd42-f606fba81ae7 | Reader | View all resources, but does not allow you to make any changes. | count: 001 •*/read | count: 002 •[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension •[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension | |||
| e0f68234-74aa-48ed-b826-c38b57376e17 | Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | count: 008 •Microsoft.Authorization/*/read •Microsoft.Cache/register/action •Microsoft.Cache/redis/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 002 •Configure Azure Cache for Redis to disable public network access •Configure Azure Cache for Redis with private endpoints | |||
| c12c1c16-33a1-487b-954d-41c89c60f349 | Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | count: 003 •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/ListAccountSas/action •Microsoft.Storage/storageAccounts/read | ||||
| 36243c78-bf99-498c-9df9-86d9f8d28608 | Resource Policy Contributor | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | count: 007 •*/read •Microsoft.Authorization/policyassignments/* •Microsoft.Authorization/policydefinitions/* •Microsoft.Authorization/policyexemptions/* •Microsoft.Authorization/policysetdefinitions/* •Microsoft.PolicyInsights/* •Microsoft.Support/* | ||||
| 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 | Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Scheduler/jobcollections/* •Microsoft.Support/* | ||||
| 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | Search Service Contributor | Lets you manage Search services, but not access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Search/searchServices/* •Microsoft.Support/* | count: 003 •Configure Azure Cognitive Search services to disable local authentication •Configure Azure Cognitive Search services to disable public network access •Configure Azure Cognitive Search services with private endpoints | |||
| fb1c8493-542b-48eb-b624-b4c8fea62acd | Security Admin | Security Admin Role | count: 013 •Microsoft.Authorization/*/read •Microsoft.Authorization/policyAssignments/* •Microsoft.Authorization/policyDefinitions/* •Microsoft.Authorization/policyExemptions/* •Microsoft.Authorization/policySetDefinitions/* •Microsoft.Insights/alertRules/* •Microsoft.Management/managementGroups/read •Microsoft.operationalInsights/workspaces/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/* •Microsoft.IoTSecurity/* •Microsoft.Support/* | count: 020 •[Deprecated]: Configure Azure Defender for container registries to be enabled •[Deprecated]: Configure Azure Defender for Kubernetes to be enabled •Configure Azure Defender for App Service to be enabled •Configure Azure Defender for Azure SQL database to be enabled •Configure Azure Defender for DNS to be enabled •Configure Azure Defender for Key Vaults to be enabled •Configure Azure Defender for open-source relational databases to be enabled •Configure Azure Defender for Resource Manager to be enabled •Configure Azure Defender for servers to be enabled •Configure Azure Defender for SQL servers on machines to be enabled •Configure Azure Defender for Storage to be enabled •Configure machines to receive a vulnerability assessment provider •Configure Microsoft Defender CSPM to be enabled •Configure Microsoft Defender for APIs should be enabled •Configure Microsoft Defender for Azure Cosmos DB to be enabled •Configure Microsoft Defender for Containers to be enabled •Deploy - Configure suppression rules for Azure Security Center alerts •Deploy Advanced Threat Protection for Cosmos DB Accounts •Deploy Advanced Threat Protection on storage accounts •Enable Microsoft Defender for Cloud on your subscription | |||
| e3d13bf0-dd5a-482e-ba6b-9b8433878d10 | Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead | count: 010 •Microsoft.Authorization/*/read •Microsoft.ClassicCompute/*/read •Microsoft.ClassicCompute/virtualMachines/*/write •Microsoft.ClassicNetwork/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/* •Microsoft.Support/* | ||||
| 39bc4728-0917-49c7-9d2c-d95423bc2eb4 | Security Reader | Security Reader Role | count: 014 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.operationalInsights/workspaces/*/read •Microsoft.Resources/deployments/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/*/read •Microsoft.IoTSecurity/*/read •Microsoft.Support/*/read •Microsoft.Security/iotDefenderSettings/packageDownloads/action •Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action •Microsoft.Security/iotSensors/downloadResetPassword/action •Microsoft.IoTSecurity/defenderSettings/packageDownloads/action •Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action •Microsoft.Management/managementGroups/read | ||||
| 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 | Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them | count: 006 •Microsoft.MixedReality/SpatialAnchorsAccounts/create/action •Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read •Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read •Microsoft.MixedReality/SpatialAnchorsAccounts/query/read •Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read •Microsoft.MixedReality/SpatialAnchorsAccounts/write | ||||
| 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment | count: 029 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/locations/allocateStamp/action •Microsoft.RecoveryServices/Vaults/certificates/write •Microsoft.RecoveryServices/Vaults/extendedInformation/* •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/refreshContainers/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/* •Microsoft.RecoveryServices/vaults/replicationAlertSettings/* •Microsoft.RecoveryServices/vaults/replicationEvents/read •Microsoft.RecoveryServices/vaults/replicationFabrics/* •Microsoft.RecoveryServices/vaults/replicationJobs/* •Microsoft.RecoveryServices/vaults/replicationPolicies/* •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/* •Microsoft.RecoveryServices/vaults/replicationVaultSettings/* •Microsoft.RecoveryServices/Vaults/storageConfig/* •Microsoft.RecoveryServices/Vaults/tokenInfo/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/vaultTokens/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/* •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.RecoveryServices/vaults/replicationOperationStatus/read •Microsoft.Support/* | count: 001 •[Preview]: Configure private endpoints on Azure Recovery Services vaults | |||
| 494ae006-db33-4328-bf46-533a6560a3ca | Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations | count: 059 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/locations/allocateStamp/action •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/refreshContainers/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/vaults/replicationAlertSettings/read •Microsoft.RecoveryServices/vaults/replicationEvents/read •Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action •Microsoft.RecoveryServices/vaults/replicationFabrics/read •Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action •Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read •Microsoft.RecoveryServices/vaults/replicationJobs/* •Microsoft.RecoveryServices/vaults/replicationPolicies/read •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action •Microsoft.RecoveryServices/vaults/replicationVaultSettings/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/* •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read •Microsoft.RecoveryServices/Vaults/storageConfig/read •Microsoft.RecoveryServices/Vaults/tokenInfo/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/vaultTokens/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* | ||||
| 5d51204f-eb77-4b1c-b86a-2ec626c49413 | Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account | count: 004 •Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read •Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read •Microsoft.MixedReality/SpatialAnchorsAccounts/query/read •Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | ||||
| dbaa88c4-0c30-4179-9fb3-46319faa6149 | Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations | count: 032 •Microsoft.Authorization/*/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/refreshContainers/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/vaults/replicationAlertSettings/read •Microsoft.RecoveryServices/vaults/replicationEvents/read •Microsoft.RecoveryServices/vaults/replicationFabrics/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read •Microsoft.RecoveryServices/vaults/replicationJobs/read •Microsoft.RecoveryServices/vaults/replicationPolicies/read •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read •Microsoft.RecoveryServices/vaults/replicationVaultSettings/read •Microsoft.RecoveryServices/Vaults/storageConfig/read •Microsoft.RecoveryServices/Vaults/tokenInfo/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/vaultTokens/read •Microsoft.Support/* | ||||
| 70bbe301-9835-447d-afdd-19eb3167307c | Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them | count: 007 •Microsoft.MixedReality/SpatialAnchorsAccounts/create/action •Microsoft.MixedReality/SpatialAnchorsAccounts/delete •Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read •Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read •Microsoft.MixedReality/SpatialAnchorsAccounts/query/read •Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read •Microsoft.MixedReality/SpatialAnchorsAccounts/write | ||||
| 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d | SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | count: 015 •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Network/networkSecurityGroups/* •Microsoft.Network/routeTables/* •Microsoft.Sql/locations/*/read •Microsoft.Sql/locations/instanceFailoverGroups/* •Microsoft.Sql/managedInstances/* •Microsoft.Support/* •Microsoft.Network/virtualNetworks/subnets/* •Microsoft.Network/virtualNetworks/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read | count: 002 •Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete •Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | |||
| 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec | SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | count: 011 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Sql/locations/*/read •Microsoft.Sql/servers/databases/* •Microsoft.Sql/servers/read •Microsoft.Support/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read | count: 024 •Microsoft.Sql/servers/databases/ledgerDigestUploads/write •Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action •Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* •Microsoft.Sql/managedInstances/securityAlertPolicies/* •Microsoft.Sql/managedInstances/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/auditingSettings/* •Microsoft.Sql/servers/databases/auditRecords/read •Microsoft.Sql/servers/databases/currentSensitivityLabels/* •Microsoft.Sql/servers/databases/dataMaskingPolicies/* •Microsoft.Sql/servers/databases/extendedAuditingSettings/* •Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/servers/databases/securityAlertPolicies/* •Microsoft.Sql/servers/databases/securityMetrics/* •Microsoft.Sql/servers/databases/sensitivityLabels/* •Microsoft.Sql/servers/databases/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* •Microsoft.Sql/servers/vulnerabilityAssessments/* | count: 001 •Deploy SQL DB transparent data encryption | ||
| 056cd41c-7e88-42e1-933e-88ba6a50c9c3 | SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | count: 054 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Sql/locations/administratorAzureAsyncOperation/read •Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* •Microsoft.Sql/managedInstances/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* •Microsoft.Sql/managedInstances/vulnerabilityAssessments/* •Microsoft.Sql/servers/auditingSettings/* •Microsoft.Sql/servers/extendedAuditingSettings/read •Microsoft.Sql/servers/databases/auditingSettings/* •Microsoft.Sql/servers/databases/auditRecords/read •Microsoft.Sql/servers/databases/currentSensitivityLabels/* •Microsoft.Sql/servers/databases/dataMaskingPolicies/* •Microsoft.Sql/servers/databases/extendedAuditingSettings/read •Microsoft.Sql/servers/databases/read •Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/read •Microsoft.Sql/servers/databases/schemas/tables/columns/read •Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/tables/read •Microsoft.Sql/servers/databases/securityAlertPolicies/* •Microsoft.Sql/servers/databases/securityMetrics/* •Microsoft.Sql/servers/databases/sensitivityLabels/* •Microsoft.Sql/servers/databases/transparentDataEncryption/* •Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* •Microsoft.Sql/servers/devOpsAuditingSettings/* •Microsoft.Sql/servers/firewallRules/* •Microsoft.Sql/servers/read •Microsoft.Sql/servers/securityAlertPolicies/* •Microsoft.Sql/servers/sqlvulnerabilityAssessments/* •Microsoft.Sql/servers/vulnerabilityAssessments/* •Microsoft.Support/* •Microsoft.Sql/servers/azureADOnlyAuthentications/* •Microsoft.Sql/managedInstances/read •Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* •Microsoft.Security/sqlVulnerabilityAssessments/* •Microsoft.Sql/managedInstances/administrators/read •Microsoft.Sql/servers/administrators/read •Microsoft.Sql/servers/databases/ledgerDigestUploads/* •Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read •Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read •Microsoft.Sql/servers/externalPolicyBasedAuthorizations/* | count: 008 •Configure Azure Defender to be enabled on SQL managed instances •Configure Azure Defender to be enabled on SQL servers •Configure Azure SQL database servers diagnostic settings to Log Analytics workspace •Configure Microsoft Defender for SQL to be enabled on Synapse workspaces •Configure SQL servers to have auditing enabled •Configure SQL servers to have auditing enabled to Log Analytics workspace •Configure Synapse workspaces to have auditing enabled •Deploy Advanced Data Security on SQL servers | |||
| 17d1049b-9a84-46fb-8f53-869881c3d3ab | Storage Account Contributor | Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. | count: 009 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/* •Microsoft.Support/* | count: 008 •Configure secure transfer of data on a storage account •Configure SQL servers to have auditing enabled •Configure Storage account to use a private link connection •Configure storage accounts to disable public network access •Configure Synapse workspaces to have auditing enabled •Configure your Storage account public access to be disallowed •Deploy Advanced Data Security on SQL servers •Deploy Diagnostic Settings for Network Security Groups | |||
| 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 | SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security -related policies. | count: 010 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Sql/locations/*/read •Microsoft.Sql/servers/* •Microsoft.Support/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read | count: 030 •Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* •Microsoft.Sql/managedInstances/securityAlertPolicies/* •Microsoft.Sql/managedInstances/vulnerabilityAssessments/* •Microsoft.Sql/servers/auditingSettings/* •Microsoft.Sql/servers/databases/auditingSettings/* •Microsoft.Sql/servers/databases/auditRecords/read •Microsoft.Sql/servers/databases/currentSensitivityLabels/* •Microsoft.Sql/servers/databases/dataMaskingPolicies/* •Microsoft.Sql/servers/databases/extendedAuditingSettings/* •Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/servers/databases/securityAlertPolicies/* •Microsoft.Sql/servers/databases/securityMetrics/* •Microsoft.Sql/servers/databases/sensitivityLabels/* •Microsoft.Sql/servers/databases/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* •Microsoft.Sql/servers/devOpsAuditingSettings/* •Microsoft.Sql/servers/extendedAuditingSettings/* •Microsoft.Sql/servers/securityAlertPolicies/* •Microsoft.Sql/servers/vulnerabilityAssessments/* •Microsoft.Sql/servers/azureADOnlyAuthentications/delete •Microsoft.Sql/servers/azureADOnlyAuthentications/write •Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete •Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write | count: 002 •Configure Azure SQL Server to disable public network access •Configure Azure SQL Server to enable private endpoint connections | ||
| 81a9662b-bebf-436f-a333-f67b29880f12 | Storage Account Key Operator Service Role | Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts | count: 002 •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/regeneratekey/action | ||||
| ba92f5b4-2d11-453d-a403-e96b0029c9fe | Storage Blob Data Contributor | Allows for read, write and delete access to Azure Storage blob containers and data | count: 004 •Microsoft.Storage/storageAccounts/blobServices/containers/delete •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | count: 005 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | |||
| b7e6dc6d-f1e8-4753-8033-0f276bb0955b | Storage Blob Data Owner | Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control. | count: 002 •Microsoft.Storage/storageAccounts/blobServices/containers/* •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | count: 001 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* | |||
| 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | Storage Blob Data Reader | Allows for read access to Azure Storage blob containers and data | count: 002 •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | count: 001 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | |||
| 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | Storage Queue Data Contributor | Allows for read, write, and delete access to Azure Storage queues and queue messages | count: 003 •Microsoft.Storage/storageAccounts/queueServices/queues/delete •Microsoft.Storage/storageAccounts/queueServices/queues/read •Microsoft.Storage/storageAccounts/queueServices/queues/write | count: 004 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete •Microsoft.Storage/storageAccounts/queueServices/queues/messages/read •Microsoft.Storage/storageAccounts/queueServices/queues/messages/write •Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | |||
| 8a0f0c08-91a1-4084-bc3d-661d67233fed | Storage Queue Data Message Processor | Allows for peek, receive, and delete access to Azure Storage queue messages | count: 002 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/read •Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | ||||
| c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | Storage Queue Data Message Sender | Allows for sending of Azure Storage queue messages | count: 001 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | ||||
| 19e7f393-937e-4f77-808e-94535e297925 | Storage Queue Data Reader | Allows for read access to Azure Storage queues and queue messages | count: 001 •Microsoft.Storage/storageAccounts/queueServices/queues/read | count: 001 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | |||
| cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e | Support Request Contributor | Lets you create and manage Support requests | count: 003 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 | Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/trafficManagerProfiles/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 1c0163c0-47e6-4577-8991-ea5c82e286e4 | Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator | count: 007 •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Compute/virtualMachines/*/read •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridConnectivity/endpoints/listCredentials/action | count: 004 •Microsoft.Compute/virtualMachines/login/action •Microsoft.Compute/virtualMachines/loginAsAdmin/action •Microsoft.HybridCompute/machines/login/action •Microsoft.HybridCompute/machines/loginAsAdmin/action | |||
| 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 | User Access Administrator | Lets you manage user access to Azure resources. | count: 003 •*/read •Microsoft.Authorization/* •Microsoft.Support/* | count: 004 •[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines •Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. | |||
| fb879df8-f326-4884-b1cf-06f3ad86be52 | Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. | count: 007 •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Compute/virtualMachines/*/read •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridConnectivity/endpoints/listCredentials/action | count: 002 •Microsoft.Compute/virtualMachines/login/action •Microsoft.HybridCompute/machines/login/action | |||
| 9980e02c-c2be-4d73-94e8-173b1dc7cf3c | Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | count: 043 •Microsoft.Authorization/*/read •Microsoft.Compute/availabilitySets/* •Microsoft.Compute/locations/* •Microsoft.Compute/virtualMachines/* •Microsoft.Compute/virtualMachineScaleSets/* •Microsoft.Compute/cloudServices/* •Microsoft.Compute/disks/write •Microsoft.Compute/disks/read •Microsoft.Compute/disks/delete •Microsoft.DevTestLab/schedules/* •Microsoft.Insights/alertRules/* •Microsoft.Network/applicationGateways/backendAddressPools/join/action •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/inboundNatPools/join/action •Microsoft.Network/loadBalancers/inboundNatRules/join/action •Microsoft.Network/loadBalancers/probes/join/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/locations/* •Microsoft.Network/networkInterfaces/* •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.RecoveryServices/locations/* •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write •Microsoft.RecoveryServices/Vaults/backupPolicies/read •Microsoft.RecoveryServices/Vaults/backupPolicies/write •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SerialConsole/serialPorts/connect/action •Microsoft.SqlVirtualMachine/* •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* | count: 038 •[Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets •[Preview]: Configure ChangeTracking Extension for Linux virtual machines •[Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets •[Preview]: Configure ChangeTracking Extension for Windows virtual machines •[Preview]: Configure periodic checking for missing system updates on azure virtual machines •[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent •[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension •[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot •[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent •[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension •[Preview]: Configure supported virtual machines to automatically enable vTPM •[Preview]: Configure supported Windows machines to automatically install the Azure Security agent •[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent •[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension •[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot •[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension •[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs •[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension •[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension •[Preview]: Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings •[Preview]: Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings •Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location •Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location •Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication •Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication •Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication •Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication •Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity •Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication •Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity •Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication •Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets •Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets •Deploy default Microsoft IaaSAntimalware extension for Windows Server •Deploy Dependency agent for Linux virtual machine scale sets •Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | |||
| 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b | Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. | count: 009 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/serverFarms/* •Microsoft.Web/hostingEnvironments/Join/Action •Microsoft.Insights/autoscalesettings/* | ||||
| de139f84-1756-47ae-9be6-808fbbe84772 | Website Contributor | Lets you manage websites (not web plans), but not access to them. | count: 012 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/components/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/certificates/* •Microsoft.Web/listSitesAssignedToHostName/read •Microsoft.Web/serverFarms/join/action •Microsoft.Web/serverFarms/read •Microsoft.Web/sites/* | count: 021 •[Deprecated]: Configure App Services to disable public network access •Configure App Service app slots to disable local authentication for FTP deployments •Configure App Service app slots to disable local authentication for SCM sites •Configure App Service app slots to disable public network access •Configure App Service app slots to only be accessible over HTTPS •Configure App Service app slots to turn off remote debugging •Configure App Service app slots to use the latest TLS version •Configure App Service apps to disable local authentication for FTP deployments •Configure App Service apps to disable local authentication for SCM sites •Configure App Service apps to disable public network access •Configure App Service apps to only be accessible over HTTPS •Configure App Service apps to turn off remote debugging •Configure App Service apps to use the latest TLS version •Configure Function app slots to disable public network access •Configure Function app slots to only be accessible over HTTPS •Configure Function app slots to turn off remote debugging •Configure Function app slots to use the latest TLS version •Configure Function apps to disable public network access •Configure Function apps to only be accessible over HTTPS •Configure Function apps to turn off remote debugging •Configure Function apps to use the latest TLS version | |||
| 090c5cfd-751d-490a-894a-3ce6f1109419 | Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | count: 001 •Microsoft.ServiceBus/* | count: 001 •Microsoft.ServiceBus/* | count: 002 •Configure Azure Service Bus namespaces to disable local authentication •Configure Service Bus namespaces with private endpoints | ||
| f526a384-b230-433a-b45c-95f59c4a2dec | Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | count: 001 •Microsoft.EventHub/* | count: 001 •Microsoft.EventHub/* | count: 002 •Configure Azure Event Hub namespaces to disable local authentication •Configure Event Hub namespaces with private endpoints | ||
| bbf86eb8-f7b4-4cce-96e4-18cddf81d86e | Attestation Contributor | Can read write or delete the attestation provider instance | count: 003 •Microsoft.Attestation/attestationProviders/attestation/read •Microsoft.Attestation/attestationProviders/attestation/write •Microsoft.Attestation/attestationProviders/attestation/delete | ||||
| 61ed4efc-fab3-44fd-b111-e24485cc132a | HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | count: 009 •Microsoft.HDInsight/*/read •Microsoft.HDInsight/clusters/getGatewaySettings/action •Microsoft.HDInsight/clusters/updateGatewaySettings/action •Microsoft.HDInsight/clusters/configurations/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/operations/read •Microsoft.Insights/alertRules/* •Microsoft.Authorization/*/read •Microsoft.Support/* | ||||
| 230815da-be43-4aae-9cb4-875f7bd000aa | Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | count: 008 •Microsoft.DocumentDb/databaseAccounts/* •Microsoft.Insights/alertRules/* •Microsoft.Authorization/*/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | count: 008 •Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* •Microsoft.DocumentDB/databaseAccounts/regenerateKey/* •Microsoft.DocumentDB/databaseAccounts/listKeys/* •Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* •Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write •Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete •Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write •Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete | |||
| 48b40c6e-82e0-4eb3-90d5-19e40f49b624 | Hybrid Server Resource Administrator | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. | count: 002 •Microsoft.HybridCompute/machines/* •Microsoft.HybridCompute/*/read | ||||
| 5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb | Hybrid Server Onboarding | Can onboard new Hybrid servers to the Hybrid Resource Provider. | count: 002 •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write | ||||
| a638d3c7-ab3a-418d-83e6-5f17a39d4fde | Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | count: 001 •Microsoft.EventHub/*/eventhubs/consumergroups/read | count: 001 •Microsoft.EventHub/*/receive/action | |||
| 2b629674-e913-4c01-ae53-ef4638d8f975 | Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | count: 001 •Microsoft.EventHub/*/eventhubs/read | count: 001 •Microsoft.EventHub/*/send/action | |||
| 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | count: 003 •Microsoft.ServiceBus/*/queues/read •Microsoft.ServiceBus/*/topics/read •Microsoft.ServiceBus/*/topics/subscriptions/read | count: 001 •Microsoft.ServiceBus/*/receive/action | |||
| 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | count: 003 •Microsoft.ServiceBus/*/queues/read •Microsoft.ServiceBus/*/topics/read •Microsoft.ServiceBus/*/topics/subscriptions/read | count: 001 •Microsoft.ServiceBus/*/send/action | |||
| aba4ae5f-2193-4029-9191-0cb91df5e314 | Storage File Data SMB Share Reader | Allows for read access to Azure File Share over SMB | count: 001 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | ||||
| 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | Storage File Data SMB Share Contributor | Allows for read, write, and delete access in Azure Storage file shares over SMB | count: 003 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | ||||
| b12aa53e-6015-4669-85d0-8515ebb3ae7f | Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | count: 010 •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Network/privateDnsZones/* •Microsoft.Network/privateDnsOperationResults/* •Microsoft.Network/privateDnsOperationStatuses/* •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/join/action •Microsoft.Authorization/*/read | count: 001 •Configure Azure File Sync to use private DNS zones | |||
| db58b8e5-c6ad-4a2a-8342-4190687cbf4a | Storage Blob Delegator | Allows for generation of a user delegation key which can be used to sign SAS tokens | count: 001 •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | ||||
| 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | Desktop Virtualization User | Allows user to use the applications in an application group. | count: 001 •Microsoft.DesktopVirtualization/applicationGroups/useApplications/action | ||||
| a7264617-510b-434b-a828-9731dc254ea7 | Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB | count: 004 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | ||||
| 41077137-e803-4205-871c-5a86e6a753b4 | Blueprint Contributor | Can manage blueprint definitions, but not assign them. | count: 005 •Microsoft.Authorization/*/read •Microsoft.Blueprint/blueprints/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | ||||
| 437d2ced-4a38-4302-8479-ed2bcb43d090 | Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. | count: 005 •Microsoft.Authorization/*/read •Microsoft.Blueprint/blueprintAssignments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | ||||
| ab8e14d6-4a74-4a29-9ba8-549422addade | Microsoft Sentinel Contributor | Microsoft Sentinel Contributor | count: 016 •Microsoft.SecurityInsights/* •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/savedSearches/* •Microsoft.OperationsManagement/solutions/read •Microsoft.OperationalInsights/workspaces/query/read •Microsoft.OperationalInsights/workspaces/query/*/read •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.OperationalInsights/querypacks/*/read •Microsoft.Insights/workbooks/* •Microsoft.Insights/myworkbooks/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 002 •Microsoft.SecurityInsights/ConfidentialWatchlists/* •Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |||
| 3e150937-b8fe-4cfb-8069-0eaf05ecd056 | Microsoft Sentinel Responder | Microsoft Sentinel Responder | count: 027 •Microsoft.SecurityInsights/*/read •Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action •Microsoft.SecurityInsights/automationRules/* •Microsoft.SecurityInsights/cases/* •Microsoft.SecurityInsights/incidents/* •Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action •Microsoft.SecurityInsights/threatIntelligence/indicators/query/action •Microsoft.SecurityInsights/threatIntelligence/bulkTag/action •Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action •Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action •Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.OperationalInsights/workspaces/savedSearches/read •Microsoft.OperationsManagement/solutions/read •Microsoft.OperationalInsights/workspaces/query/read •Microsoft.OperationalInsights/workspaces/query/*/read •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.OperationalInsights/querypacks/*/read •Microsoft.Insights/workbooks/read •Microsoft.Insights/myworkbooks/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 004 •Microsoft.SecurityInsights/cases/*/Delete •Microsoft.SecurityInsights/incidents/*/Delete •Microsoft.SecurityInsights/ConfidentialWatchlists/* •Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |||
| 8d289c81-5878-46d4-8554-54e1e3d8b5cb | Microsoft Sentinel Reader | Microsoft Sentinel Reader | count: 021 •Microsoft.SecurityInsights/*/read •Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action •Microsoft.SecurityInsights/threatIntelligence/indicators/query/action •Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/LinkedServices/read •Microsoft.OperationalInsights/workspaces/savedSearches/read •Microsoft.OperationsManagement/solutions/read •Microsoft.OperationalInsights/workspaces/query/read •Microsoft.OperationalInsights/workspaces/query/*/read •Microsoft.OperationalInsights/querypacks/*/read •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.Insights/workbooks/read •Microsoft.Insights/myworkbooks/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/templateSpecs/*/read •Microsoft.Support/* | count: 002 •Microsoft.SecurityInsights/ConfidentialWatchlists/* •Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |||
| b279062a-9be3-42a0-92ae-8b3cf002ec4d | Workbook Reader | Can read workbooks. | count: 002 •microsoft.insights/workbooks/read •microsoft.insights/workbooktemplates/read | ||||
| e8ddcd69-c73f-4f9f-9844-4100522f16ad | Workbook Contributor | Can save shared workbooks. | count: 006 •Microsoft.Insights/workbooks/write •Microsoft.Insights/workbooks/delete •Microsoft.Insights/workbooks/read •Microsoft.Insights/workbooktemplates/write •Microsoft.Insights/workbooktemplates/delete •Microsoft.Insights/workbooktemplates/read | ||||
| 66bb4e9e-b016-4a94-8249-4c0511c2be84 | Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | count: 004 •Microsoft.Authorization/policyassignments/read •Microsoft.Authorization/policydefinitions/read •Microsoft.Authorization/policyexemptions/read •Microsoft.Authorization/policysetdefinitions/read | count: 002 •Microsoft.PolicyInsights/checkDataPolicyCompliance/action •Microsoft.PolicyInsights/policyEvents/logDataEvents/action | |||
| 04165923-9d83-45d5-8227-78b77b0a687e | SignalR AccessKey Reader | Read SignalR Service Access Keys | count: 005 •Microsoft.SignalRService/*/read •Microsoft.SignalRService/SignalR/listkeys/action •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | SignalR/Web PubSub Contributor | Create, Read, Update, and Delete SignalR service resources | count: 006 •Microsoft.SignalRService/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | count: 005 •Configure Azure SignalR Service to disable local authentication •Configure Azure Web PubSub Service to disable public network access •Configure Azure Web PubSub Service with private endpoints •Configure private endpoints to Azure SignalR Service •Modify Azure SignalR Service resources to disable public network access | |||
| b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 | Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | count: 004 •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/privateLinkScopes/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/read | ||||
| cd570a14-e51a-42ad-bac8-bafd67325302 | Azure Connected Machine Resource Administrator | Can read, write, delete and re-onboard Azure Connected Machines. | count: 010 •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/privateLinkScopes/* •Microsoft.HybridCompute/*/read •Microsoft.Resources/deployments/* | count: 006 •[Preview]: Configure periodic checking for missing system updates on azure Arc-enabled servers •Configure Azure Arc Private Link Scopes to disable public network access •Configure Azure Arc Private Link Scopes with private endpoints •Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope •Configure Linux Arc-enabled machines to run Azure Monitor Agent •Configure Windows Arc-enabled machines to run Azure Monitor Agent | |||
| 91c1777a-f3dc-4fae-b103-61d183457e46 | Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | count: 003 •Microsoft.ManagedServices/registrationAssignments/read •Microsoft.ManagedServices/registrationAssignments/delete •Microsoft.ManagedServices/operationStatuses/read | ||||
| 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | App Configuration Data Owner | Allows full access to App Configuration data. | count: 003 •Microsoft.AppConfiguration/configurationStores/*/read •Microsoft.AppConfiguration/configurationStores/*/write •Microsoft.AppConfiguration/configurationStores/*/delete | ||||
| 516239f1-63e1-4d78-a4de-a74fb236a071 | App Configuration Data Reader | Allows read access to App Configuration data. | count: 001 •Microsoft.AppConfiguration/configurationStores/*/read | ||||
| 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resource | count: 009 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Kubernetes/connectedClusters/Write •Microsoft.Kubernetes/connectedClusters/read •Microsoft.Support/* | count: 002 •Configure Azure Arc Private Link Scopes with private endpoints •Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope | |||
| 7f646f1b-fa08-80eb-a22b-edd6ce5c915c | Experimentation Contributor | Experimentation Contributor | count: 002 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Experimentation/experimentWorkspaces/read | count: 008 •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action •Microsoft.Experimentation/experimentWorkspaces/read •Microsoft.Experimentation/experimentWorkspaces/write •Microsoft.Experimentation/experimentWorkspaces/delete | |||
| 466ccd10-b268-4a11-b098-b4849f024126 | Cognitive Services QnA Maker Reader | Let's you read and test a KB only. | count: 003 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 018 •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read | |||
| f4cc2bf9-21be-47a1-bdf1-5c5804381025 | Cognitive Services QnA Maker Editor | Let's you create, edit, import and export a KB. You cannot publish or delete a KB. | count: 003 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 039 •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action •Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write •Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action •Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write •Microsoft.CognitiveServices/accounts/QnAMaker/operations/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read | |||
| 7f646f1b-fa08-80eb-a33b-edd6ce5c915c | Experimentation Administrator | Experimentation Administrator | count: 002 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Experimentation/experimentWorkspaces/read | count: 013 •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action •Microsoft.Experimentation/experimentWorkspaces/read •Microsoft.Experimentation/experimentWorkspaces/write •Microsoft.Experimentation/experimentWorkspaces/delete •Microsoft.Experimentation/experimentWorkspaces/admin/action •Microsoft.Experimentation/experimentWorkspaces/metricwrite/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action | |||
| 3df8b902-2a6f-47c7-8cc5-360e9b272a7e | Remote Rendering Administrator | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | count: 008 •Microsoft.MixedReality/RemoteRenderingAccounts/convert/action •Microsoft.MixedReality/RemoteRenderingAccounts/convert/read •Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete •Microsoft.MixedReality/RemoteRenderingAccounts/render/read •Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | ||||
| d39065c4-c120-43c9-ab0a-63eed9795f0a | Remote Rendering Client | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. | count: 005 •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete •Microsoft.MixedReality/RemoteRenderingAccounts/render/read •Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | ||||
| 641177b8-a67a-45b9-a033-47bc880bb21e | Managed Application Contributor Role | Allows for creating managed application resources. | count: 005 •*/read •Microsoft.Solutions/applications/* •Microsoft.Solutions/register/action •Microsoft.Resources/subscriptions/resourceGroups/* •Microsoft.Resources/deployments/* | ||||
| 612c2aa1-cb24-443b-ac28-3ab7272de6f5 | Security Assessment Contributor | Lets you push assessments to Security Center | count: 001 •Microsoft.Security/assessments/write | ||||
| 4a9ae827-6dc8-4573-8ac7-8239d42aa03f | Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | count: 008 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/resources/read •Microsoft.Resources/subscriptions/resources/read •Microsoft.Resources/deployments/* •Microsoft.Insights/alertRules/* •Microsoft.Support/* •Microsoft.Resources/tags/* | count: 002 •Add a tag to subscriptions •Add or replace a tag on subscriptions | |||
| c7aa55d3-1abb-444a-a5ca-5e51e485d6ec | Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | count: 004 •Microsoft.Authorization/*/read •Microsoft.Support/* •Microsoft.Logic/integrationServiceEnvironments/read •Microsoft.Logic/integrationServiceEnvironments/*/join/action | ||||
| a41e2c5b-bd99-4a07-88f4-9bf657a760b8 | Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | count: 003 •Microsoft.Authorization/*/read •Microsoft.Support/* •Microsoft.Logic/integrationServiceEnvironments/* | ||||
| ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 | Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters | count: 003 •Microsoft.ContainerService/managedClusters/read •Microsoft.ContainerService/managedClusters/write •Microsoft.Resources/deployments/* | count: 003 •Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access •Deploy Azure Policy Add-on to Azure Kubernetes Service clusters •Disable Command Invoke on Azure Kubernetes Service clusters | |||
| d57506d4-4c8d-48b1-8587-93c323f6a5a3 | Azure Digital Twins Data Reader | Read-only role for Digital Twins data-plane properties | count: 006 •Microsoft.DigitalTwins/digitaltwins/read •Microsoft.DigitalTwins/digitaltwins/relationships/read •Microsoft.DigitalTwins/eventroutes/read •Microsoft.DigitalTwins/jobs/import/read •Microsoft.DigitalTwins/models/read •Microsoft.DigitalTwins/query/action | ||||
| bcd981a7-7f74-457b-83e1-cceb9e632ffe | Azure Digital Twins Data Owner | Full access role for Digital Twins data-plane | count: 007 •Microsoft.DigitalTwins/digitaltwins/* •Microsoft.DigitalTwins/digitaltwins/commands/* •Microsoft.DigitalTwins/digitaltwins/relationships/* •Microsoft.DigitalTwins/eventroutes/* •Microsoft.DigitalTwins/jobs/* •Microsoft.DigitalTwins/models/* •Microsoft.DigitalTwins/query/* | ||||
| 350f8d15-c687-4448-8ae1-157740a3936d | Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings | count: 002 •Microsoft.Management/managementGroups/settings/write •Microsoft.Management/managementGroups/settings/delete | ||||
| 5a1fc7df-4bf1-4951-a576-89034ee01acd | FHIR Data Contributor | Role allows user or principal full access to FHIR Data | count: 002 •Microsoft.HealthcareApis/services/fhir/resources/* •Microsoft.HealthcareApis/workspaces/fhirservices/resources/* | ||||
| 3db33094-8700-4567-8da5-1501d4e7e843 | FHIR Data Exporter | Role allows user or principal to read and export FHIR Data | count: 004 •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/services/fhir/resources/export/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action | ||||
| 4c8d0bbc-75d3-4935-991f-5f3c56d81508 | FHIR Data Reader | Role allows user or principal to read FHIR Data | count: 002 •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | ||||
| 3f88fce4-5892-4214-ae73-ba5294559913 | FHIR Data Writer | Role allows user or principal to read and write FHIR Data | count: 002 •Microsoft.HealthcareApis/services/fhir/resources/* •Microsoft.HealthcareApis/workspaces/fhirservices/resources/* | count: 002 •Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action | |||
| 49632ef5-d9ac-41f4-b8e7-bbe587fa74a1 | Experimentation Reader | Experimentation Reader | count: 001 •Microsoft.Experimentation/experimentWorkspaces/read | count: 002 •Microsoft.Experimentation/experimentWorkspaces/read •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read | |||
| 4dd61c23-6743-42fe-a388-d8bdd41cb745 | Object Understanding Account Owner | Provides user with ingestion capabilities for Azure Object Understanding. | count: 002 •Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/action •Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read | ||||
| 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 | Azure Maps Data Contributor | Grants access to read, write, and delete access to map related data from an Azure maps account. | count: 004 •Microsoft.Maps/accounts/*/read •Microsoft.Maps/accounts/*/write •Microsoft.Maps/accounts/*/delete •Microsoft.Maps/accounts/*/action | ||||
| c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 | Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | count: 001 •Microsoft.CognitiveServices/*/read | count: 001 •Microsoft.CognitiveServices/accounts/CustomVision/* | |||
| 5c4089e1-6d96-4d2f-b296-c1bc7137275f | Cognitive Services Custom Vision Deployment | Publish, unpublish or export models. Deployment can view the project but can't update. | count: 001 •Microsoft.CognitiveServices/*/read | count: 007 •Microsoft.CognitiveServices/accounts/CustomVision/*/read •Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/* •Microsoft.CognitiveServices/accounts/CustomVision/classify/* •Microsoft.CognitiveServices/accounts/CustomVision/detect/* | count: 001 •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 88424f51-ebe7-446f-bc41-7fa16989e96c | Cognitive Services Custom Vision Labeler | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | count: 001 •Microsoft.CognitiveServices/*/read | count: 006 •Microsoft.CognitiveServices/accounts/CustomVision/*/read •Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action •Microsoft.CognitiveServices/accounts/CustomVision/projects/images/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action | count: 001 •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 93586559-c37d-4a6b-ba08-b9f0940c2d73 | Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can't create or update the project. | count: 001 •Microsoft.CognitiveServices/*/read | count: 002 •Microsoft.CognitiveServices/accounts/CustomVision/*/read •Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | count: 001 •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b | Cognitive Services Custom Vision Trainer | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. | count: 001 •Microsoft.CognitiveServices/*/read | count: 001 •Microsoft.CognitiveServices/accounts/CustomVision/* | count: 004 •Microsoft.CognitiveServices/accounts/CustomVision/projects/action •Microsoft.CognitiveServices/accounts/CustomVision/projects/delete •Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 00482a5a-887f-4fb3-b363-3b7fe8e74483 | Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | count: 010 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/operations/read | count: 001 •Microsoft.KeyVault/vaults/* | |||
| 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 | Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | count: 010 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/operations/read | count: 002 •Microsoft.KeyVault/vaults/keys/* •Microsoft.KeyVault/vaults/keyrotationpolicies/* | |||
| 12338af0-0e69-4776-bea7-57ae8d297424 | Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | count: 009 •Microsoft.KeyVault/vaults/keys/read •Microsoft.KeyVault/vaults/keys/update/action •Microsoft.KeyVault/vaults/keys/backup/action •Microsoft.KeyVault/vaults/keys/encrypt/action •Microsoft.KeyVault/vaults/keys/decrypt/action •Microsoft.KeyVault/vaults/keys/wrap/action •Microsoft.KeyVault/vaults/keys/unwrap/action •Microsoft.KeyVault/vaults/keys/sign/action •Microsoft.KeyVault/vaults/keys/verify/action | ||||
| b86a8fe4-44ce-4948-aee5-eccb2c155cd7 | Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | count: 010 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/operations/read | count: 001 •Microsoft.KeyVault/vaults/secrets/* | |||
| 4633458b-17de-408a-b874-0445c86b69e6 | Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | count: 002 •Microsoft.KeyVault/vaults/secrets/getSecret/action •Microsoft.KeyVault/vaults/secrets/readMetadata/action | ||||
| a4417e6f-fecd-4de8-b567-7b0420556985 | Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | count: 010 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/operations/read | count: 002 •Microsoft.KeyVault/vaults/certificatecas/* •Microsoft.KeyVault/vaults/certificates/* | |||
| 21090545-7ca7-4776-b22c-e363652d74d2 | Key Vault Reader | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | count: 010 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/operations/read | count: 002 •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/vaults/secrets/readMetadata/action | |||
| e147488a-f6f5-4113-8e2d-b22465e65bf6 | Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | count: 003 •Microsoft.EventGrid/eventSubscriptions/write •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/eventSubscriptions/delete | count: 003 •Microsoft.KeyVault/vaults/keys/read •Microsoft.KeyVault/vaults/keys/wrap/action •Microsoft.KeyVault/vaults/keys/unwrap/action | |||
| 63f0a09d-1495-4db4-a681-037d84835eb4 | Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 029 •Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read •Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read •Microsoft.Kubernetes/connectedClusters/apps/deployments/read •Microsoft.Kubernetes/connectedClusters/apps/replicasets/read •Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read •Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read •Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read •Microsoft.Kubernetes/connectedClusters/batch/jobs/read •Microsoft.Kubernetes/connectedClusters/configmaps/read •Microsoft.Kubernetes/connectedClusters/endpoints/read •Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read •Microsoft.Kubernetes/connectedClusters/events/read •Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read •Microsoft.Kubernetes/connectedClusters/extensions/deployments/read •Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read •Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read •Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read •Microsoft.Kubernetes/connectedClusters/limitranges/read •Microsoft.Kubernetes/connectedClusters/namespaces/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read •Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read •Microsoft.Kubernetes/connectedClusters/pods/read •Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read •Microsoft.Kubernetes/connectedClusters/resourcequotas/read •Microsoft.Kubernetes/connectedClusters/serviceaccounts/read •Microsoft.Kubernetes/connectedClusters/services/read | |||
| 5b999177-9696-4545-85c7-50de3797e5a1 | Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 030 •Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read •Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* •Microsoft.Kubernetes/connectedClusters/apps/deployments/* •Microsoft.Kubernetes/connectedClusters/apps/replicasets/* •Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* •Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* •Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* •Microsoft.Kubernetes/connectedClusters/batch/jobs/* •Microsoft.Kubernetes/connectedClusters/configmaps/* •Microsoft.Kubernetes/connectedClusters/endpoints/* •Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read •Microsoft.Kubernetes/connectedClusters/events/read •Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* •Microsoft.Kubernetes/connectedClusters/extensions/deployments/* •Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* •Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* •Microsoft.Kubernetes/connectedClusters/limitranges/read •Microsoft.Kubernetes/connectedClusters/namespaces/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* •Microsoft.Kubernetes/connectedClusters/pods/* •Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/resourcequotas/read •Microsoft.Kubernetes/connectedClusters/secrets/* •Microsoft.Kubernetes/connectedClusters/serviceaccounts/* •Microsoft.Kubernetes/connectedClusters/services/* | |||
| 8393591c-06b9-48a2-a542-1bd6b377f6a2 | Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 001 •Microsoft.Kubernetes/connectedClusters/* | |||
| dffb1e0c-446f-4dde-a09f-99eb5cc68b96 | Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | count: 007 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 033 •Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read •Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* •Microsoft.Kubernetes/connectedClusters/apps/deployments/* •Microsoft.Kubernetes/connectedClusters/apps/replicasets/* •Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* •Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write •Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* •Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* •Microsoft.Kubernetes/connectedClusters/batch/jobs/* •Microsoft.Kubernetes/connectedClusters/configmaps/* •Microsoft.Kubernetes/connectedClusters/endpoints/* •Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read •Microsoft.Kubernetes/connectedClusters/events/read •Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* •Microsoft.Kubernetes/connectedClusters/extensions/deployments/* •Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* •Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* •Microsoft.Kubernetes/connectedClusters/limitranges/read •Microsoft.Kubernetes/connectedClusters/namespaces/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* •Microsoft.Kubernetes/connectedClusters/pods/* •Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* •Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* •Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/resourcequotas/read •Microsoft.Kubernetes/connectedClusters/secrets/* •Microsoft.Kubernetes/connectedClusters/serviceaccounts/* •Microsoft.Kubernetes/connectedClusters/services/* | |||
| b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b | Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | count: 005 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | count: 001 •Microsoft.ContainerService/managedClusters/* | |||
| 3498e952-d568-435e-9b2c-8d77e338d7f7 | Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | count: 005 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | count: 001 •Microsoft.ContainerService/managedClusters/* | count: 004 •Microsoft.ContainerService/managedClusters/resourcequotas/write •Microsoft.ContainerService/managedClusters/resourcequotas/delete •Microsoft.ContainerService/managedClusters/namespaces/write •Microsoft.ContainerService/managedClusters/namespaces/delete | ||
| 7f6c6a51-bcf8-42ba-9220-52d62157d7db | Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | count: 004 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | count: 029 •Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read •Microsoft.ContainerService/managedClusters/apps/daemonsets/read •Microsoft.ContainerService/managedClusters/apps/deployments/read •Microsoft.ContainerService/managedClusters/apps/replicasets/read •Microsoft.ContainerService/managedClusters/apps/statefulsets/read •Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read •Microsoft.ContainerService/managedClusters/batch/cronjobs/read •Microsoft.ContainerService/managedClusters/batch/jobs/read •Microsoft.ContainerService/managedClusters/configmaps/read •Microsoft.ContainerService/managedClusters/endpoints/read •Microsoft.ContainerService/managedClusters/events.k8s.io/events/read •Microsoft.ContainerService/managedClusters/events/read •Microsoft.ContainerService/managedClusters/extensions/daemonsets/read •Microsoft.ContainerService/managedClusters/extensions/deployments/read •Microsoft.ContainerService/managedClusters/extensions/ingresses/read •Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read •Microsoft.ContainerService/managedClusters/extensions/replicasets/read •Microsoft.ContainerService/managedClusters/limitranges/read •Microsoft.ContainerService/managedClusters/namespaces/read •Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read •Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read •Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read •Microsoft.ContainerService/managedClusters/pods/read •Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read •Microsoft.ContainerService/managedClusters/replicationcontrollers/read •Microsoft.ContainerService/managedClusters/replicationcontrollers/read •Microsoft.ContainerService/managedClusters/resourcequotas/read •Microsoft.ContainerService/managedClusters/serviceaccounts/read •Microsoft.ContainerService/managedClusters/services/read | |||
| a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb | Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | count: 004 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | count: 030 •Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read •Microsoft.ContainerService/managedClusters/apps/daemonsets/* •Microsoft.ContainerService/managedClusters/apps/deployments/* •Microsoft.ContainerService/managedClusters/apps/replicasets/* •Microsoft.ContainerService/managedClusters/apps/statefulsets/* •Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* •Microsoft.ContainerService/managedClusters/batch/cronjobs/* •Microsoft.ContainerService/managedClusters/batch/jobs/* •Microsoft.ContainerService/managedClusters/configmaps/* •Microsoft.ContainerService/managedClusters/endpoints/* •Microsoft.ContainerService/managedClusters/events.k8s.io/events/read •Microsoft.ContainerService/managedClusters/events/read •Microsoft.ContainerService/managedClusters/extensions/daemonsets/* •Microsoft.ContainerService/managedClusters/extensions/deployments/* •Microsoft.ContainerService/managedClusters/extensions/ingresses/* •Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* •Microsoft.ContainerService/managedClusters/extensions/replicasets/* •Microsoft.ContainerService/managedClusters/limitranges/read •Microsoft.ContainerService/managedClusters/namespaces/read •Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* •Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* •Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* •Microsoft.ContainerService/managedClusters/pods/* •Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* •Microsoft.ContainerService/managedClusters/replicationcontrollers/* •Microsoft.ContainerService/managedClusters/replicationcontrollers/* •Microsoft.ContainerService/managedClusters/resourcequotas/read •Microsoft.ContainerService/managedClusters/secrets/* •Microsoft.ContainerService/managedClusters/serviceaccounts/* •Microsoft.ContainerService/managedClusters/services/* | |||
| 82200a5b-e217-47a5-b665-6d8765ee745b | Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | count: 009 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.ServicesHub/connectors/write •Microsoft.ServicesHub/connectors/read •Microsoft.ServicesHub/connectors/delete •Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action •Microsoft.ServicesHub/supportOfferingEntitlement/read •Microsoft.ServicesHub/workspaces/read | ||||
| d18777c0-1514-4662-8490-608db7d334b6 | Object Understanding Account Reader | Lets you read ingestion jobs for an object understanding account. | count: 001 •Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read | ||||
| 00493d72-78f6-4148-b6c5-d3ce8e4799dd | Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. | count: 009 •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* •Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | ||||
| 420fcaa2-552c-430f-98ca-3264be4806c7 | SignalR App Server | Lets your app server access SignalR Service with AAD auth options. | count: 003 •Microsoft.SignalRService/SignalR/auth/accessKey/action •Microsoft.SignalRService/SignalR/serverConnection/write •Microsoft.SignalRService/SignalR/clientConnection/write | ||||
| fd53cd77-2268-407a-8f46-7e7863d0f521 | SignalR REST API Owner | Full access to Azure SignalR Service REST APIs | count: 011 •Microsoft.SignalRService/SignalR/auth/clientToken/action •Microsoft.SignalRService/SignalR/hub/send/action •Microsoft.SignalRService/SignalR/group/send/action •Microsoft.SignalRService/SignalR/group/read •Microsoft.SignalRService/SignalR/group/write •Microsoft.SignalRService/SignalR/clientConnection/send/action •Microsoft.SignalRService/SignalR/clientConnection/read •Microsoft.SignalRService/SignalR/clientConnection/write •Microsoft.SignalRService/SignalR/user/send/action •Microsoft.SignalRService/SignalR/user/read •Microsoft.SignalRService/SignalR/user/write | ||||
| daa9e50b-21df-454c-94a6-a8050adab352 | Collaborative Data Contributor | Can manage data packages of a collaborative. | count: 013 •Microsoft.IndustryDataLifecycle/custodianCollaboratives/*/read •Microsoft.IndustryDataLifecycle/memberCollaboratives/*/read •Microsoft.IndustryDataLifecycle/locations/dataPackages/* •Microsoft.IndustryDataLifecycle/custodianCollaboratives/receivedDataPackages/* •Microsoft.IndustryDataLifecycle/custodianCollaboratives/rejectDataPackage/action •Microsoft.IndustryDataLifecycle/memberCollaboratives/sharedDataPackages/* •Microsoft.IndustryDataLifecycle/custodianCollaboratives/dataModels/* •Microsoft.IndustryDataLifecycle/custodianCollaboratives/auditLogs/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f | Device Update Reader | Gives you read access to management and content operations, but does not allow making changes | count: 005 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | count: 002 •Microsoft.DeviceUpdate/accounts/instances/updates/read •Microsoft.DeviceUpdate/accounts/instances/management/read | |||
| 02ca0879-e8e4-47a5-a61e-5c618b76e64a | Device Update Administrator | Gives you full access to management and content operations | count: 005 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | count: 006 •Microsoft.DeviceUpdate/accounts/instances/updates/read •Microsoft.DeviceUpdate/accounts/instances/updates/write •Microsoft.DeviceUpdate/accounts/instances/updates/delete •Microsoft.DeviceUpdate/accounts/instances/management/read •Microsoft.DeviceUpdate/accounts/instances/management/write •Microsoft.DeviceUpdate/accounts/instances/management/delete | |||
| 0378884a-3af5-44ab-8323-f5b22f9f3c98 | Device Update Content Administrator | Gives you full access to content operations | count: 005 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | count: 003 •Microsoft.DeviceUpdate/accounts/instances/updates/read •Microsoft.DeviceUpdate/accounts/instances/updates/write •Microsoft.DeviceUpdate/accounts/instances/updates/delete | |||
| e4237640-0e3d-4a46-8fda-70bc94856432 | Device Update Deployments Administrator | Gives you full access to management operations | count: 005 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | count: 004 •Microsoft.DeviceUpdate/accounts/instances/management/read •Microsoft.DeviceUpdate/accounts/instances/management/write •Microsoft.DeviceUpdate/accounts/instances/management/delete •Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| 49e2f5d2-7741-4835-8efa-19e1fe35e47f | Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes | count: 005 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | count: 002 •Microsoft.DeviceUpdate/accounts/instances/management/read •Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| d1ee9a80-8b14-47f0-bdc2-f4a351625a7b | Device Update Content Reader | Gives you read access to content operations, but does not allow making changes | count: 005 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | count: 001 •Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| cb43c632-a144-4ec5-977c-e80c4affc34a | Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system level configuration. | count: 001 •Microsoft.CognitiveServices/*/read | count: 001 •Microsoft.CognitiveServices/accounts/MetricsAdvisor/* | |||
| 3b20f47b-3825-43cb-8114-4bd2201156a8 | Cognitive Services Metrics Advisor User | Access to the project. | count: 001 •Microsoft.CognitiveServices/*/read | count: 001 •Microsoft.CognitiveServices/accounts/MetricsAdvisor/* | count: 001 •Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/* | ||
| 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 | Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. | count: 001 •Microsoft.EventHub/namespaces/schemagroups/read | count: 001 •Microsoft.EventHub/namespaces/schemas/read | |||
| 5dffeca3-4936-4216-b2bc-10343a5abb25 | Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. | count: 001 •Microsoft.EventHub/namespaces/schemagroups/* | count: 001 •Microsoft.EventHub/namespaces/schemas/* | |||
| 7ec7ccdc-f61e-41fe-9aaf-980df0a44eba | AgFood Platform Service Reader | Provides read access to AgFood Platform Service | count: 001 •Microsoft.AgFoodPlatform/*/read | ||||
| 8508508a-4469-4e45-963b-2518ee0bb728 | AgFood Platform Service Contributor | Provides contribute access to AgFood Platform Service | count: 003 •Microsoft.AgFoodPlatform/*/action •Microsoft.AgFoodPlatform/*/read •Microsoft.AgFoodPlatform/*/write | count: 002 •Microsoft.AgFoodPlatform/farmers/write •Microsoft.AgFoodPlatform/deletionJobs/*/write | |||
| f8da80de-1ff9-4747-ad80-a19b7f6079e3 | AgFood Platform Service Admin | Provides admin access to AgFood Platform Service | count: 001 •Microsoft.AgFoodPlatform/* | ||||
| 18500a29-7fe2-46b2-a342-b16a415e101d | Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. | count: 005 •Microsoft.KeyVault/managedHSMs/* •Microsoft.KeyVault/deletedManagedHsms/read •Microsoft.KeyVault/locations/deletedManagedHsms/read •Microsoft.KeyVault/locations/deletedManagedHsms/purge/action •Microsoft.KeyVault/locations/managedHsmOperationResults/read | count: 002 •[Preview]: Configure Azure Key Vault Managed HSM to disable public network access •[Preview]: Configure Azure Key Vault Managed HSM with private endpoints | |||
| 0b555d9b-b4a7-4f43-b330-627f0e5be8f0 | Security Detonation Chamber Submitter | Allowed to create submissions to Security Detonation Chamber | count: 008 •Microsoft.SecurityDetonation/chambers/submissions/delete •Microsoft.SecurityDetonation/chambers/submissions/write •Microsoft.SecurityDetonation/chambers/submissions/read •Microsoft.SecurityDetonation/chambers/submissions/files/read •Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read •Microsoft.SecurityDetonation/chambers/platforms/metadata/read •Microsoft.SecurityDetonation/chambers/workflows/metadata/read •Microsoft.SecurityDetonation/chambers/toolsets/metadata/read | ||||
| ddde6b66-c0df-4114-a159-3618637b3035 | SignalR REST API Reader | Read-only access to Azure SignalR Service REST APIs | count: 003 •Microsoft.SignalRService/SignalR/group/read •Microsoft.SignalRService/SignalR/clientConnection/read •Microsoft.SignalRService/SignalR/user/read | ||||
| 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 | SignalR Service Owner | Full access to Azure SignalR Service REST APIs | count: 014 •Microsoft.SignalRService/SignalR/auth/accessKey/action •Microsoft.SignalRService/SignalR/auth/clientToken/action •Microsoft.SignalRService/SignalR/hub/send/action •Microsoft.SignalRService/SignalR/group/send/action •Microsoft.SignalRService/SignalR/group/read •Microsoft.SignalRService/SignalR/group/write •Microsoft.SignalRService/SignalR/clientConnection/send/action •Microsoft.SignalRService/SignalR/clientConnection/read •Microsoft.SignalRService/SignalR/clientConnection/write •Microsoft.SignalRService/SignalR/serverConnection/write •Microsoft.SignalRService/SignalR/user/send/action •Microsoft.SignalRService/SignalR/user/read •Microsoft.SignalRService/SignalR/user/write •Microsoft.SignalRService/SignalR/livetrace/* | ||||
| f7b75c60-3036-4b75-91c3-6b41c27c1689 | Reservation Purchaser | Lets you purchase reservations | count: 011 •Microsoft.Authorization/roleAssignments/read •Microsoft.Capacity/catalogs/read •Microsoft.Capacity/register/action •Microsoft.Compute/register/action •Microsoft.Consumption/register/action •Microsoft.Consumption/reservationRecommendationDetails/read •Microsoft.Consumption/reservationRecommendations/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SQL/register/action •Microsoft.Support/supporttickets/write | ||||
| 635dd51f-9968-44d3-b7fb-6d9a6bd613ae | AzureML Metrics Writer (preview) | Lets you write metrics to AzureML workspace | count: 001 •Microsoft.MachineLearningServices/workspaces/metrics/*/write | ||||
| e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 | Storage Account Backup Contributor | Lets you perform backup and restore operations using Azure Backup on the storage account. | count: 018 •Microsoft.Authorization/*/read •Microsoft.Authorization/locks/read •Microsoft.Authorization/locks/write •Microsoft.Authorization/locks/delete •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/operations/read •Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete •Microsoft.Storage/storageAccounts/objectReplicationPolicies/read •Microsoft.Storage/storageAccounts/objectReplicationPolicies/write •Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/write •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/restoreBlobRanges/action | ||||
| 6188b7c9-7d01-4f99-a59f-c88b630326c0 | Experimentation Metric Contributor | Allows for creation, writes and reads to the metric set via the metrics service APIs. | count: 001 •Microsoft.Experimentation/experimentWorkspaces/read | count: 004 •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action •Microsoft.Experimentation/experimentWorkspaces/metricwrite/action •Microsoft.Experimentation/experimentWorkspaces/read | |||
| 9ef4ef9c-a049-46b0-82ab-dd8ac094c889 | Project Babylon Data Curator | The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. | count: 001 •Microsoft.ProjectBabylon/accounts/read | count: 002 •Microsoft.ProjectBabylon/accounts/data/read •Microsoft.ProjectBabylon/accounts/data/write | |||
| c8d896ba-346d-4f50-bc1d-7d1c84130446 | Project Babylon Data Reader | The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change. | count: 001 •Microsoft.ProjectBabylon/accounts/read | count: 001 •Microsoft.ProjectBabylon/accounts/data/read | |||
| 05b7651b-dc44-475e-b74d-df3db49fae0f | Project Babylon Data Source Administrator | The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change. | count: 001 •Microsoft.ProjectBabylon/accounts/read | count: 002 •Microsoft.ProjectBabylon/accounts/scan/read •Microsoft.ProjectBabylon/accounts/scan/write | |||
| 8a3c2885-9b38-4fd2-9d99-91af537c1347 | Purview role 1 (Deprecated) | Deprecated role. | count: 001 •Microsoft.Purview/accounts/read | count: 002 •Microsoft.Purview/accounts/data/read •Microsoft.Purview/accounts/data/write | |||
| ff100721-1b9d-43d8-af52-42b69c1272db | Purview role 3 (Deprecated) | Deprecated role. | count: 001 •Microsoft.Purview/accounts/read | count: 001 •Microsoft.Purview/accounts/data/read | |||
| 200bba9e-f0c8-430f-892b-6f0794863803 | Purview role 2 (Deprecated) | Deprecated role. | count: 001 •Microsoft.Purview/accounts/read | count: 002 •Microsoft.Purview/accounts/scan/read •Microsoft.Purview/accounts/scan/write | |||
| ca6382a4-1721-4bcf-a114-ff0c70227b6b | Application Group Contributor | Contributor of the Application Group. | count: 009 •Microsoft.DesktopVirtualization/applicationgroups/* •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/workspaces/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| 49a72310-ab8d-41df-bbb0-79b649203868 | Desktop Virtualization Reader | Reader of Desktop Virtualization. | count: 006 •Microsoft.DesktopVirtualization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Support/* | ||||
| 082f0a83-3be5-4ba1-904c-961cca79b387 | Desktop Virtualization Contributor | Contributor of Desktop Virtualization. | count: 006 •Microsoft.DesktopVirtualization/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| 21efdde3-836f-432b-bf3d-3e8e734d4b2b | Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization Workspace. | count: 007 •Microsoft.DesktopVirtualization/workspaces/* •Microsoft.DesktopVirtualization/applicationgroups/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 | Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization Uesr Session. | count: 008 •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| 2ad6aaab-ead9-4eaa-8ac5-da422f562408 | Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization Session Host. | count: 007 •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| ceadfde2-b300-400a-ab7b-6143895aa822 | Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization Host Pool. | count: 007 •Microsoft.DesktopVirtualization/hostpools/*/read •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Support/* | ||||
| e307426c-f9b6-4e81-87de-d99efb3c32bc | Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization Host Pool. | count: 006 •Microsoft.DesktopVirtualization/hostpools/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 | Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization Application Group. | count: 009 •Microsoft.DesktopVirtualization/applicationgroups/*/read •Microsoft.DesktopVirtualization/applicationgroups/read •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Support/* | ||||
| 86240b0e-9422-4c43-887b-b61143f32ba8 | Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization Application Group. | count: 008 •Microsoft.DesktopVirtualization/applicationgroups/* •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d | Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization Workspace. | count: 007 •Microsoft.DesktopVirtualization/workspaces/read •Microsoft.DesktopVirtualization/applicationgroups/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Support/* | ||||
| 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | Disk Backup Reader | Provides permission to backup vault to perform disk backup. | count: 003 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/read •Microsoft.Compute/disks/beginGetAccess/action | ||||
| b8b15564-4fa6-4a59-ab12-03e1d9594795 | Autonomous Development Platform Data Contributor (Preview) | Grants permissions to upload and manage new Autonomous Development Platform measurements. | count: 003 •Microsoft.AutonomousDevelopmentPlatform/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read | count: 012 •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/discoveries/* •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/uploads/* •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/* •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurementCollections/* •Microsoft.AutonomousDevelopmentPlatform/accounts/measurementCollections/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/read •Microsoft.AutonomousDevelopmentPlatform/workspaces/discoveries/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/uploads/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/classifications/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/dataStreams/classifications/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurementCollections/* | count: 002 •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/changeState/action •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/changeState/action | ||
| d63b75f7-47ea-4f27-92ac-e0d173aaf093 | Autonomous Development Platform Data Reader (Preview) | Grants read access to Autonomous Development Platform data. | count: 003 •Microsoft.AutonomousDevelopmentPlatform/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read | count: 001 •Microsoft.AutonomousDevelopmentPlatform/*/read | |||
| 27f8b550-c507-4db9-86f2-f4b8e816d59d | Autonomous Development Platform Data Owner (Preview) | Grants full access to Autonomous Development Platform data. | count: 003 •Microsoft.AutonomousDevelopmentPlatform/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read | count: 001 •Microsoft.AutonomousDevelopmentPlatform/* | |||
| b50d9833-a0cb-478e-945f-707fcc997c13 | Disk Restore Operator | Provides permission to backup vault to perform disk restore. | count: 004 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Compute/disks/write •Microsoft.Compute/disks/read | ||||
| 7efff54f-a5b4-42b5-a1c5-5411624893ce | Disk Snapshot Contributor | Provides permission to backup vault to manage disk snapshots. | count: 012 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Compute/snapshots/delete •Microsoft.Compute/snapshots/write •Microsoft.Compute/snapshots/read •Microsoft.Compute/snapshots/beginGetAccess/action •Microsoft.Compute/snapshots/endGetAccess/action •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/write •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/delete | ||||
| 5548b2cf-c94c-4228-90ba-30851930a12f | Microsoft.Kubernetes connected cluster role | Microsoft.Kubernetes connected cluster role. | count: 004 •Microsoft.Kubernetes/connectedClusters/read •Microsoft.Kubernetes/connectedClusters/write •Microsoft.Kubernetes/connectedClusters/delete •Microsoft.Kubernetes/registeredSubscriptions/read | ||||
| a37b566d-3efa-4beb-a2f2-698963fa42ce | Security Detonation Chamber Submission Manager | Allowed to create and manage submissions to Security Detonation Chamber | count: 011 •Microsoft.SecurityDetonation/chambers/submissions/delete •Microsoft.SecurityDetonation/chambers/submissions/write •Microsoft.SecurityDetonation/chambers/submissions/read •Microsoft.SecurityDetonation/chambers/submissions/files/read •Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read •Microsoft.SecurityDetonation/chambers/submissions/adminview/read •Microsoft.SecurityDetonation/chambers/submissions/analystview/read •Microsoft.SecurityDetonation/chambers/submissions/publicview/read •Microsoft.SecurityDetonation/chambers/platforms/metadata/read •Microsoft.SecurityDetonation/chambers/workflows/metadata/read •Microsoft.SecurityDetonation/chambers/toolsets/metadata/read | ||||
| 352470b3-6a9c-4686-b503-35deb827e500 | Security Detonation Chamber Publisher | Allowed to publish and modify platforms, workflows and toolsets to Security Detonation Chamber | count: 014 •Microsoft.SecurityDetonation/chambers/platforms/read •Microsoft.SecurityDetonation/chambers/platforms/write •Microsoft.SecurityDetonation/chambers/platforms/delete •Microsoft.SecurityDetonation/chambers/platforms/metadata/read •Microsoft.SecurityDetonation/chambers/workflows/read •Microsoft.SecurityDetonation/chambers/workflows/write •Microsoft.SecurityDetonation/chambers/workflows/delete •Microsoft.SecurityDetonation/chambers/workflows/metadata/read •Microsoft.SecurityDetonation/chambers/toolsets/read •Microsoft.SecurityDetonation/chambers/toolsets/write •Microsoft.SecurityDetonation/chambers/toolsets/delete •Microsoft.SecurityDetonation/chambers/toolsets/metadata/read •Microsoft.SecurityDetonation/chambers/publishRequests/read •Microsoft.SecurityDetonation/chambers/publishRequests/cancel/action | ||||
| 7a6f0e70-c033-4fb1-828c-08514e5f4102 | Collaborative Runtime Operator | Can manage resources created by AICS at runtime | count: 008 •Microsoft.IndustryDataLifecycle/derivedModels/* •Microsoft.IndustryDataLifecycle/pipelineSets/* •Microsoft.IndustryDataLifecycle/modelMappings/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 5432c526-bc82-444a-b7ba-57c5b0b5b34f | CosmosRestoreOperator | Can perform restore action for Cosmos DB database account with continuous backup mode | count: 003 •Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action •Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read •Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read | ||||
| a1705bd2-3a8f-45a5-8683-466fcfd5cc24 | FHIR Data Converter | Role allows user or principal to convert data from legacy format to FHIR | count: 002 •Microsoft.HealthcareApis/services/fhir/resources/convertData/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action | ||||
| f4c81013-99ee-4d62-a7ee-b3f1f648599a | Microsoft Sentinel Automation Contributor | Microsoft Sentinel Automation Contributor | count: 007 •Microsoft.Authorization/*/read •Microsoft.Logic/workflows/triggers/read •Microsoft.Logic/workflows/triggers/listCallbackUrl/action •Microsoft.Logic/workflows/runs/read •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read | ||||
| 0e5f05e5-9ab9-446b-b98d-1e2157c94125 | Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. | count: 009 •Microsoft.Capacity/resourceProviders/locations/serviceLimits/read •Microsoft.Capacity/resourceProviders/locations/serviceLimits/write •Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read •Microsoft.Capacity/register/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 1e241071-0855-49ea-94dc-649edcd759de | EventGrid Contributor | Lets you manage EventGrid operations. | count: 006 •Microsoft.Authorization/*/read •Microsoft.EventGrid/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 007 •Configure Azure Event Grid domains to disable local authentication •Configure Azure Event Grid partner namespaces to disable local authentication •Configure Azure Event Grid topics to disable local authentication •Deploy - Configure Azure Event Grid domains with private endpoints •Deploy - Configure Azure Event Grid topics with private endpoints •Modify - Configure Azure Event Grid domains to disable public network access •Modify - Configure Azure Event Grid topics to disable public network access | |||
| 28241645-39f8-410b-ad48-87863e2951d5 | Security Detonation Chamber Reader | Allowed to query submission info and files from Security Detonation Chamber | count: 002 •Microsoft.SecurityDetonation/chambers/submissions/read •Microsoft.SecurityDetonation/chambers/submissions/files/read | ||||
| 4a167cdf-cb95-4554-9203-2347fe489bd9 | Object Anchors Account Reader | Lets you read ingestion jobs for an object anchors account. | count: 001 •Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read | ||||
| ca0835dd-bacc-42dd-8ed2-ed5e7230d15b | Object Anchors Account Owner | Provides user with ingestion capabilities for an object anchors account. | count: 002 •Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/action •Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read | ||||
| d17ce0a2-0697-43bc-aac5-9113337ab61c | WorkloadBuilder Migration Agent Role | WorkloadBuilder Migration Agent Role. | count: 002 •Microsoft.WorkloadBuilder/migrationAgents/Read •Microsoft.WorkloadBuilder/migrationAgents/Write | ||||
| 12cf5a90-567b-43ae-8102-96cf46c7d9b4 | Web PubSub Service Owner (Preview) | Full access to Azure Web PubSub Service REST APIs | count: 001 •Microsoft.SignalRService/WebPubSub/* | ||||
| bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf | Web PubSub Service Reader (Preview) | Read-only access to Azure Web PubSub Service REST APIs | count: 001 •Microsoft.SignalRService/WebPubSub/*/read | ||||
| b5537268-8956-4941-a8f0-646150406f0c | Azure Spring Cloud Data Reader | Allow read access to Azure Spring Cloud Data | count: 001 •Microsoft.AppPlatform/Spring/*/read | ||||
| f2dc8367-1007-4938-bd23-fe263f013447 | Cognitive Services Speech User | Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. | count: 003 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 011 •Microsoft.CognitiveServices/accounts/SpeechServices/*/read •Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read •Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write •Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete •Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action •Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/*/action •Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/*/action •Microsoft.CognitiveServices/accounts/CustomVoice/*/read •Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/* •Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/* •Microsoft.CognitiveServices/accounts/AudioContentCreation/* | count: 002 •Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read •Microsoft.CognitiveServices/accounts/CustomVoice/datasets/utterances/read | ||
| 0e75ca1e-0464-4b4d-8b93-68208a576181 | Cognitive Services Speech Contributor | Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. | count: 003 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 003 •Microsoft.CognitiveServices/accounts/SpeechServices/* •Microsoft.CognitiveServices/accounts/CustomVoice/* •Microsoft.CognitiveServices/accounts/AudioContentCreation/* | |||
| 9894cab4-e18a-44aa-828b-cb588cd6f2d7 | Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. | count: 005 •Microsoft.CognitiveServices/accounts/Face/detect/action •Microsoft.CognitiveServices/accounts/Face/verify/action •Microsoft.CognitiveServices/accounts/Face/identify/action •Microsoft.CognitiveServices/accounts/Face/group/action •Microsoft.CognitiveServices/accounts/Face/findsimilars/action | ||||
| 054126f8-9a2b-4f1c-a9ad-eca461f08466 | Media Services Account Administrator | Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. | count: 014 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Media/mediaservices/*/read •Microsoft.Media/mediaservices/assets/listStreamingLocators/action •Microsoft.Media/mediaservices/streamingLocators/listPaths/action •Microsoft.Media/mediaservices/write •Microsoft.Media/mediaservices/delete •Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action •Microsoft.Media/mediaservices/privateEndpointConnections/* | count: 001 •Configure Azure Media Services with private endpoints | |||
| 532bc159-b25e-42c0-969e-a1d439f60d77 | Media Services Live Events Administrator | Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. | count: 012 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Media/mediaservices/*/read •Microsoft.Media/mediaservices/assets/* •Microsoft.Media/mediaservices/assets/assetfilters/* •Microsoft.Media/mediaservices/streamingLocators/* •Microsoft.Media/mediaservices/liveEvents/* | count: 002 •Microsoft.Media/mediaservices/assets/getEncryptionKey/action •Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action | |||
| e4395492-1534-4db2-bedf-88c14621589c | Media Services Media Operator | Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. | count: 012 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Media/mediaservices/*/read •Microsoft.Media/mediaservices/assets/* •Microsoft.Media/mediaservices/assets/assetfilters/* •Microsoft.Media/mediaservices/streamingLocators/* •Microsoft.Media/mediaservices/transforms/jobs/* | count: 002 •Microsoft.Media/mediaservices/assets/getEncryptionKey/action •Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action | |||
| c4bba371-dacd-4a26-b320-7250bca963ae | Media Services Policy Administrator | Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. | count: 014 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Media/mediaservices/*/read •Microsoft.Media/mediaservices/assets/listStreamingLocators/action •Microsoft.Media/mediaservices/streamingLocators/listPaths/action •Microsoft.Media/mediaservices/accountFilters/* •Microsoft.Media/mediaservices/streamingPolicies/* •Microsoft.Media/mediaservices/contentKeyPolicies/* •Microsoft.Media/mediaservices/transforms/* | count: 001 •Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action | |||
| 99dba123-b5fe-44d5-874c-ced7199a5804 | Media Services Streaming Endpoints Administrator | Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. | count: 011 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Media/mediaservices/*/read •Microsoft.Media/mediaservices/assets/listStreamingLocators/action •Microsoft.Media/mediaservices/streamingLocators/listPaths/action •Microsoft.Media/mediaservices/streamingEndpoints/* | ||||
| 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf | Stream Analytics Query Tester | Lets you perform query testing without creating a stream analytics job first | count: 004 •Microsoft.StreamAnalytics/locations/TestQuery/action •Microsoft.StreamAnalytics/locations/OperationResults/read •Microsoft.StreamAnalytics/locations/SampleInput/action •Microsoft.StreamAnalytics/locations/CompileQuery/action | ||||
| a2138dac-4907-4679-a376-736901ed8ad8 | AnyBuild Builder | Basic user role for AnyBuild. This role allows listing of agent information and execution of remote build capabilities. | count: 002 •Microsoft.AnyBuild/clusters/build/write •Microsoft.AnyBuild/clusters/build/read | ||||
| b447c946-2db7-41ec-983d-d8bf3b1c77e3 | IoT Hub Data Reader | Allows for full read access to IoT Hub data-plane properties | count: 002 •Microsoft.Devices/IotHubs/*/read •Microsoft.Devices/IotHubs/fileUpload/notifications/action | ||||
| 494bdba2-168f-4f31-a0a1-191d2f7c028c | IoT Hub Twin Contributor | Allows for read and write access to all IoT Hub device and module twins. | count: 001 •Microsoft.Devices/IotHubs/twins/* | ||||
| 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 | IoT Hub Registry Contributor | Allows for full access to IoT Hub device registry. | count: 001 •Microsoft.Devices/IotHubs/devices/* | ||||
| 4fc6c259-987e-4a07-842e-c321cc9d413f | IoT Hub Data Contributor | Allows for full access to IoT Hub data plane operations. | count: 001 •Microsoft.Devices/IotHubs/* | ||||
| 15e0f5a1-3450-4248-8e25-e2afe88a9e85 | Test Base Reader | Let you view and download packages and test results. | count: 006 •Microsoft.TestBase/testBaseAccounts/packages/testResults/getDownloadUrl/action •Microsoft.TestBase/testBaseAccounts/packages/testResults/getVideoDownloadUrl/action •Microsoft.TestBase/testBaseAccounts/packages/getDownloadUrl/action •Microsoft.TestBase/*/read •Microsoft.TestBase/testBaseAccounts/customerEvents/write •Microsoft.TestBase/testBaseAccounts/customerEvents/delete | ||||
| 1407120a-92aa-4202-b7e9-c0e197c71c8f | Search Index Data Reader | Grants read access to Azure Cognitive Search index data. | count: 001 •Microsoft.Search/searchServices/indexes/documents/read | ||||
| 8ebe5a00-799e-43f5-93ac-243d3dce84a7 | Search Index Data Contributor | Grants full access to Azure Cognitive Search index data. | count: 001 •Microsoft.Search/searchServices/indexes/documents/* | ||||
| 76199698-9eea-4c19-bc75-cec21354c6b6 | Storage Table Data Reader | Allows for read access to Azure Storage tables and entities | count: 001 •Microsoft.Storage/storageAccounts/tableServices/tables/read | count: 001 •Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | |||
| 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 | Storage Table Data Contributor | Allows for read, write and delete access to Azure Storage tables and entities | count: 003 •Microsoft.Storage/storageAccounts/tableServices/tables/read •Microsoft.Storage/storageAccounts/tableServices/tables/write •Microsoft.Storage/storageAccounts/tableServices/tables/delete | count: 005 •Microsoft.Storage/storageAccounts/tableServices/tables/entities/read •Microsoft.Storage/storageAccounts/tableServices/tables/entities/write •Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete •Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action •Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action | |||
| e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a | DICOM Data Reader | Read and search DICOM data. | count: 001 •Microsoft.HealthcareApis/workspaces/dicomservices/resources/read | ||||
| 58a3b984-7adf-4c20-983a-32417c86fbc8 | DICOM Data Owner | Full access to DICOM data. | count: 001 •Microsoft.HealthcareApis/workspaces/dicomservices/resources/* | ||||
| d5a91429-5739-47e2-a06b-3470a27159e7 | EventGrid Data Sender | Allows send access to event grid events. | count: 005 •Microsoft.Authorization/*/read •Microsoft.EventGrid/topics/read •Microsoft.EventGrid/domains/read •Microsoft.EventGrid/partnerNamespaces/read •Microsoft.Resources/subscriptions/resourceGroups/read | count: 001 •Microsoft.EventGrid/events/send/action | |||
| 60fc6e62-5479-42d4-8bf4-67625fcc2840 | Disk Pool Operator | Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool. | count: 006 •Microsoft.Compute/disks/write •Microsoft.Compute/disks/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| f6c7c914-8db3-469d-8ca1-694a8f32e121 | AzureML Data Scientist | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | count: 004 •Microsoft.MachineLearningServices/workspaces/*/read •Microsoft.MachineLearningServices/workspaces/*/action •Microsoft.MachineLearningServices/workspaces/*/delete •Microsoft.MachineLearningServices/workspaces/*/write | count: 006 •Microsoft.MachineLearningServices/workspaces/delete •Microsoft.MachineLearningServices/workspaces/write •Microsoft.MachineLearningServices/workspaces/computes/*/write •Microsoft.MachineLearningServices/workspaces/computes/*/delete •Microsoft.MachineLearningServices/workspaces/computes/listKeys/action •Microsoft.MachineLearningServices/workspaces/listKeys/action | count: 001 •Configure Azure Machine Learning workspaces to disable public network access | ||
| 22926164-76b3-42b3-bc55-97df8dab3e41 | Grafana Admin | Built-in Grafana admin role | count: 001 •Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action | ||||
| e8113dce-c529-4d33-91fa-e9b972617508 | Azure Connected SQL Server Onboarding | Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS. | count: 002 •Microsoft.AzureArcData/sqlServerInstances/read •Microsoft.AzureArcData/sqlServerInstances/write | ||||
| 26baccc8-eea7-41f1-98f4-1762cc7f685d | Azure Relay Sender | Allows for send access to Azure Relay resources. | count: 002 •Microsoft.Relay/*/wcfRelays/read •Microsoft.Relay/*/hybridConnections/read | count: 001 •Microsoft.Relay/*/send/action | |||
| 2787bf04-f1f5-4bfe-8383-c8a24483ee38 | Azure Relay Owner | Allows for full access to Azure Relay resources. | count: 001 •Microsoft.Relay/* | count: 001 •Microsoft.Relay/* | |||
| 26e0b698-aa6d-4085-9386-aadae190014d | Azure Relay Listener | Allows for listen access to Azure Relay resources. | count: 002 •Microsoft.Relay/*/wcfRelays/read •Microsoft.Relay/*/hybridConnections/read | count: 001 •Microsoft.Relay/*/listen/action | |||
| 60921a7e-fef1-4a43-9b16-a26c52ad4769 | Grafana Viewer | Built-in Grafana Viewer role | count: 001 •Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action | ||||
| a79a5197-3a5c-4973-a920-486035ffd60f | Grafana Editor | Built-in Grafana Editor role | count: 001 •Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action | ||||
| f353d9bd-d4a6-484e-a77a-8050b599b867 | Automation Contributor | Manage azure automation resources and other resources using azure automation. | count: 011 •Microsoft.Automation/automationAccounts/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/ActionGroups/* •Microsoft.Insights/ActivityLogAlerts/* •Microsoft.Insights/MetricAlerts/* •Microsoft.Insights/ScheduledQueryRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.OperationalInsights/workspaces/sharedKeys/action | ||||
| 85cb6faf-e071-4c9b-8136-154b5a04f717 | Kubernetes Extension Contributor | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | count: 008 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read | count: 001 •[Preview]: Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | |||
| 10745317-c249-44a1-a5ce-3a4353c0bbd8 | Device Provisioning Service Data Reader | Allows for full read access to Device Provisioning Service data-plane properties. | count: 001 •Microsoft.Devices/provisioningServices/*/read | ||||
| dfce44e4-17b7-4bd1-a6d1-04996ec95633 | Device Provisioning Service Data Contributor | Allows for full access to Device Provisioning Service data-plane operations. | count: 001 •Microsoft.Devices/provisioningServices/* | ||||
| 2837e146-70d7-4cfd-ad55-7efa6464f958 | CodeSigning Certificate Profile Signer | Sign files with a certificate profile. This role is in preview and subject to change. | count: 004 •Microsoft.CodeSigning/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | count: 001 •Microsoft.CodeSigning/certificateProfiles/Sign/action | |||
| cff1b556-2399-4e7e-856d-a8f754be7b65 | Azure Spring Cloud Service Registry Reader | Allow read access to Azure Spring Cloud Service Registry | count: 001 •Microsoft.AppPlatform/Spring/eurekaService/read | ||||
| f5880b48-c26d-48be-b172-7927bfa1c8f1 | Azure Spring Cloud Service Registry Contributor | Allow read, write and delete access to Azure Spring Cloud Service Registry | count: 003 •Microsoft.AppPlatform/Spring/eurekaService/read •Microsoft.AppPlatform/Spring/eurekaService/write •Microsoft.AppPlatform/Spring/eurekaService/delete | ||||
| d04c6db6-4947-4782-9e91-30a88feb7be7 | Azure Spring Cloud Config Server Reader | Allow read access to Azure Spring Cloud Config Server | count: 001 •Microsoft.AppPlatform/Spring/configService/read | ||||
| a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b | Azure Spring Cloud Config Server Contributor | Allow read, write and delete access to Azure Spring Cloud Config Server | count: 003 •Microsoft.AppPlatform/Spring/configService/read •Microsoft.AppPlatform/Spring/configService/write •Microsoft.AppPlatform/Spring/configService/delete | ||||
| 6ae96244-5829-4925-a7d3-5975537d91dd | Azure VM Managed identities restore Contributor | Azure VM Managed identities restore Contributors are allowed to perform Azure VM Restores with managed identities both user and system | count: 001 •Microsoft.Authorization/*/read | ||||
| 6be48352-4f82-47c9-ad5e-0acacefdb005 | Azure Maps Search and Render Data Reader | Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. | count: 002 •Microsoft.Maps/accounts/services/render/read •Microsoft.Maps/accounts/services/search/read | ||||
| dba33070-676a-4fb0-87fa-064dc56ff7fb | Azure Maps Contributor | Grants access all Azure Maps resource management. | count: 004 •Microsoft.Maps/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b748a06d-6150-4f8a-aaa9-ce3940cd96cb | Azure Arc VMware VM Contributor | Arc VMware VM Contributor has permissions to perform all VM actions. | count: 026 •Microsoft.ConnectedVMwarevSphere/virtualmachines/* •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read | ||||
| ce551c02-7c42-47e0-9deb-e3b6fc3a9a83 | Azure Arc VMware Private Cloud User | Azure Arc VMware Private Cloud User has permissions to use the VMware cloud resources to deploy VMs. | count: 039 •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ConnectedVMwarevSphere/virtualnetworks/join/action •Microsoft.ConnectedVMwarevSphere/virtualnetworks/Read •Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/clone/action •Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/Read •Microsoft.ConnectedVMwarevSphere/resourcepools/deploy/action •Microsoft.ConnectedVMwarevSphere/resourcepools/Read •Microsoft.ConnectedVMwarevSphere/hosts/deploy/action •Microsoft.ConnectedVMwarevSphere/hosts/Read •Microsoft.ConnectedVMwarevSphere/clusters/deploy/action •Microsoft.ConnectedVMwarevSphere/clusters/Read •Microsoft.ConnectedVMwarevSphere/datastores/allocateSpace/action •Microsoft.ConnectedVMwarevSphere/datastores/Read •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.ExtendedLocation/customLocations/deploy/action | ||||
| ddc140ed-e463-4246-9145-7c664192013f | Azure Arc VMware Administrator role | Arc VMware VM Contributor has permissions to perform all connected VMwarevSphere actions. | count: 026 •Microsoft.ConnectedVMwarevSphere/* •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read | ||||
| 67d33e57-3129-45e6-bb0b-7cc522f762fa | Azure Arc VMware Private Clouds Onboarding | Azure Arc VMware Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vCenter instances to Azure. | count: 042 •Microsoft.ConnectedVMwarevSphere/vcenters/Write •Microsoft.ConnectedVMwarevSphere/vcenters/Read •Microsoft.ConnectedVMwarevSphere/vcenters/Delete •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.KubernetesConfiguration/extensions/Write •Microsoft.KubernetesConfiguration/extensions/Read •Microsoft.KubernetesConfiguration/extensions/Delete •Microsoft.KubernetesConfiguration/operations/read •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.ExtendedLocation/customLocations/Write •Microsoft.ExtendedLocation/customLocations/Delete •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ResourceConnector/appliances/Read •Microsoft.ResourceConnector/appliances/Write •Microsoft.ResourceConnector/appliances/Delete •Microsoft.BackupSolutions/vmwareapplications/write •Microsoft.BackupSolutions/vmwareapplications/delete •Microsoft.BackupSolutions/vmwareapplications/read | ||||
| f72c8140-2111-481c-87ff-72b910f6e3f8 | Cognitive Services LUIS Owner | Has access to all Read, Test, Write, Deploy and Delete functions under LUIS | count: 004 •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/listkeys/action •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 001 •Microsoft.CognitiveServices/accounts/LUIS/* | |||
| 7628b7b8-a8b2-4cdc-b46f-e9b35248918e | Cognitive Services Language Reader | Has access to Read and Test functions under Language portal | count: 003 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 015 •Microsoft.CognitiveServices/accounts/LanguageAuthoring/*/read •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*/read •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/action •Microsoft.CognitiveServices/accounts/Language/*/read •Microsoft.CognitiveServices/accounts/Language/*/projects/export/action •Microsoft.CognitiveServices/accounts/Language/query-text/action •Microsoft.CognitiveServices/accounts/Language/query-dataverse/action •Microsoft.CognitiveServices/accounts/Language/analyze-text/jobs/action •Microsoft.CognitiveServices/accounts/Language/analyze-text/action •Microsoft.CognitiveServices/accounts/Language/analyze-text/jobscancel/action •Microsoft.CognitiveServices/accounts/Language/analyze-conversations/action •Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobscancel/action •Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobs/action •Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/action •Microsoft.CognitiveServices/accounts/TextAnalytics/* | count: 001 •Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/* | ||
| f2310ca1-dc64-4889-bb49-c8e0fa3d47a8 | Cognitive Services Language Writer | Has access to all Read, Test, and Write functions under Language Portal | count: 003 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 004 •Microsoft.CognitiveServices/accounts/LanguageAuthoring/* •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/* •Microsoft.CognitiveServices/accounts/Language/* •Microsoft.CognitiveServices/accounts/TextAnalytics/* | count: 007 •Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/action •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/* •Microsoft.CognitiveServices/accounts/Language/*/projects/delete •Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/write •Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/delete •Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/swap/action | ||
| f07febfe-79bc-46b1-8b37-790e26e6e498 | Cognitive Services Language Owner | Has access to all Read, Test, Write, Deploy and Delete functions under Language portal | count: 004 •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/listkeys/action •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 004 •Microsoft.CognitiveServices/accounts/LanguageAuthoring/* •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/* •Microsoft.CognitiveServices/accounts/Language/* •Microsoft.CognitiveServices/accounts/TextAnalytics/* | count: 001 •Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/* | ||
| 18e81cdc-4e98-4e29-a639-e7d10c5a6226 | Cognitive Services LUIS Reader | Has access to Read and Test functions under LUIS. | count: 003 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 002 •Microsoft.CognitiveServices/accounts/LUIS/*/read •Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write | |||
| 6322a993-d5c9-4bed-b113-e49bbea25b27 | Cognitive Services LUIS Writer | Has access to all Read, Test, and Write functions under LUIS | count: 003 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | count: 001 •Microsoft.CognitiveServices/accounts/LUIS/* | count: 006 •Microsoft.CognitiveServices/accounts/LUIS/apps/delete •Microsoft.CognitiveServices/accounts/LUIS/apps/move/action •Microsoft.CognitiveServices/accounts/LUIS/apps/publish/action •Microsoft.CognitiveServices/accounts/LUIS/apps/settings/write •Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/action •Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete | ||
| a9a19cc5-31f4-447c-901f-56c0bb18fcaf | PlayFab Reader | Provides read access to PlayFab resources | count: 003 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Authorization/*/read •Microsoft.PlayFab/*/read | ||||
| 749a398d-560b-491b-bb21-08924219302e | Load Test Contributor | View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. | count: 005 •Microsoft.LoadTestService/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* | count: 001 •Microsoft.LoadTestService/loadtests/* | |||
| 45bb0b16-2f0c-4e78-afaa-a07599b003f6 | Load Test Owner | Execute all operations on load test resources and load tests | count: 005 •Microsoft.LoadTestService/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* | count: 001 •Microsoft.LoadTestService/* | |||
| 0c8b84dc-067c-4039-9615-fa1a4b77c726 | PlayFab Contributor | Provides contributor access to PlayFab resources | count: 006 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.PlayFab/*/read •Microsoft.PlayFab/*/write •Microsoft.PlayFab/*/delete | ||||
| 3ae3fb29-0000-4ccd-bf80-542e7b26e081 | Load Test Reader | View and list all load tests and load test resources but can not make any changes | count: 005 •Microsoft.LoadTestService/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* | count: 001 •Microsoft.LoadTestService/loadtests/readTest/action | |||
| b2de6794-95db-4659-8781-7e080d3f2b9d | Cognitive Services Immersive Reader User | Provides access to create Immersive Reader sessions and call APIs | count: 001 •Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforreader/action | ||||
| f69b8690-cc87-41d6-b77a-a4bc3c0a966f | Lab Services Contributor | The lab services contributor role | count: 005 •Microsoft.LabServices/* •Microsoft.Insights/alertRules/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | count: 001 •Microsoft.LabServices/labPlans/createLab/action | |||
| 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc | Lab Services Reader | The lab services reader role | count: 004 •Microsoft.LabServices/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| ce40b423-cede-4313-a93f-9b28290b72e1 | Lab Assistant | The lab assistant role | count: 017 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/users/invite/action •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/labs/virtualMachines/start/action •Microsoft.LabServices/labs/virtualMachines/stop/action •Microsoft.LabServices/labs/virtualMachines/reimage/action •Microsoft.LabServices/labs/virtualMachines/redeploy/action •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a36e6959-b6be-4b12-8e9f-ef4b474d304d | Lab Operator | The lab operator role | count: 024 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labPlans/saveImage/action •Microsoft.LabServices/labs/publish/action •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/schedules/write •Microsoft.LabServices/labs/schedules/delete •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/users/write •Microsoft.LabServices/labs/users/delete •Microsoft.LabServices/labs/users/invite/action •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/labs/virtualMachines/start/action •Microsoft.LabServices/labs/virtualMachines/stop/action •Microsoft.LabServices/labs/virtualMachines/reimage/action •Microsoft.LabServices/labs/virtualMachines/redeploy/action •Microsoft.LabServices/labs/virtualMachines/resetPassword/action •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 5daaa2af-1fe8-407c-9122-bba179798270 | Lab Contributor | The lab contributor role | count: 027 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labPlans/saveImage/action •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/write •Microsoft.LabServices/labs/delete •Microsoft.LabServices/labs/publish/action •Microsoft.LabServices/labs/syncGroup/action •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/schedules/write •Microsoft.LabServices/labs/schedules/delete •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/users/write •Microsoft.LabServices/labs/users/delete •Microsoft.LabServices/labs/users/invite/action •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/labs/virtualMachines/start/action •Microsoft.LabServices/labs/virtualMachines/stop/action •Microsoft.LabServices/labs/virtualMachines/reimage/action •Microsoft.LabServices/labs/virtualMachines/redeploy/action •Microsoft.LabServices/labs/virtualMachines/resetPassword/action •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | count: 001 •Microsoft.LabServices/labPlans/createLab/action | |||
| 4447db05-44ed-4da3-ae60-6cbece780e32 | Chamber User | Lets you view everything under your HPC Workbench chamber, but not make any changes. | count: 008 •Microsoft.HpcWorkbench/instances/chambers/*/read •Microsoft.HpcWorkbench/instances/chambers/workloads/* •Microsoft.HpcWorkbench/instances/chambers/getUploadUri/action •Microsoft.HpcWorkbench/instances/chambers/fileRequests/getDownloadUri/action •Microsoft.HpcWorkbench/instances/consortiums/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 4e9b8407-af2e-495b-ae54-bb60a55b1b5a | Chamber Admin | Lets you manage everything under your HPC Workbench chamber. | count: 006 •Microsoft.HpcWorkbench/*/read •Microsoft.HpcWorkbench/instances/chambers/* •Microsoft.HpcWorkbench/instances/consortiums/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a6333a3e-0164-44c3-b281-7a577aff287f | Windows Admin Center Administrator Login | Let's you manage the OS of your resource via Windows Admin Center as an administrator. | count: 036 •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridCompute/machines/extensions/* •Microsoft.HybridCompute/machines/upgradeExtensions/action •Microsoft.HybridCompute/operations/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read •Microsoft.Network/networkWatchers/securityGroupView/action •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/networkSecurityGroups/securityRules/write •Microsoft.HybridConnectivity/endpoints/write •Microsoft.HybridConnectivity/endpoints/read •Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read •Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read •Microsoft.Compute/virtualMachines/patchInstallationResults/read •Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/runCommands/read •Microsoft.Compute/virtualMachines/vmSizes/read •Microsoft.Compute/locations/publishers/artifacttypes/types/read •Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read •Microsoft.Compute/diskAccesses/read •Microsoft.Compute/galleries/images/read •Microsoft.Compute/images/read •Microsoft.AzureStackHCI/Clusters/Read •Microsoft.AzureStackHCI/Clusters/ArcSettings/Read •Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read •Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write •Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete •Microsoft.AzureStackHCI/Operations/Read | count: 003 •Microsoft.HybridCompute/machines/WACLoginAsAdmin/action •Microsoft.Compute/virtualMachines/WACloginAsAdmin/action •Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action | |||
| 088ab73d-1256-47ae-bea9-9de8e7131f31 | Guest Configuration Resource Contributor | Lets you read, write Guest Configuration Resource. | count: 004 •Microsoft.GuestConfiguration/guestConfigurationAssignments/write •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read •Microsoft.Resources/deployments/* | count: 002 •[Preview]: Configure Windows Server to disable local users. •Configure time zone on Windows machines. | |||
| 18ed5180-3e48-46fd-8541-4ea054d57064 | Azure Kubernetes Service Policy Add-on Deployment | Deploy the Azure Policy add-on on Azure Kubernetes Service clusters | count: 006 •Microsoft.Resources/deployments/* •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/publicIPPrefixes/join/action •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Compute/diskEncryptionSets/read •Microsoft.Compute/proximityPlacementGroups/write | count: 003 •Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access •Deploy Azure Policy Add-on to Azure Kubernetes Service clusters •Disable Command Invoke on Azure Kubernetes Service clusters | |||
| 361898ef-9ed1-48c2-849c-a832951106bb | Domain Services Reader | Can view Azure AD Domain Services and related network configurations | count: 028 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/Logs/Read •Microsoft.Insights/Metrics/read •Microsoft.Insights/DiagnosticSettings/read •Microsoft.Insights/DiagnosticSettingsCategories/Read •Microsoft.AAD/domainServices/*/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/azureFirewalls/read •Microsoft.Network/ddosProtectionPlans/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/*/read •Microsoft.Network/natGateways/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/routeTables/read •Microsoft.Network/routeTables/routes/read | ||||
| eeaeda52-9324-47f6-8069-5d5bade478b2 | Domain Services Contributor | Can manage Azure AD Domain Services and related network configurations | count: 069 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/Logs/Read •Microsoft.Insights/Metrics/Read •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/DiagnosticSettingsCategories/Read •Microsoft.AAD/register/action •Microsoft.AAD/unregister/action •Microsoft.AAD/domainServices/* •Microsoft.Network/register/action •Microsoft.Network/unregister/action •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/write •Microsoft.Network/virtualNetworks/delete •Microsoft.Network/virtualNetworks/peer/action •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/virtualNetworks/subnets/delete •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/azureFirewalls/read •Microsoft.Network/ddosProtectionPlans/read •Microsoft.Network/ddosProtectionPlans/join/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/delete •Microsoft.Network/loadBalancers/*/read •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/inboundNatRules/join/action •Microsoft.Network/natGateways/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/write •Microsoft.Network/networkSecurityGroups/delete •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/networkSecurityGroups/securityRules/write •Microsoft.Network/networkSecurityGroups/securityRules/delete •Microsoft.Network/routeTables/read •Microsoft.Network/routeTables/write •Microsoft.Network/routeTables/delete •Microsoft.Network/routeTables/join/action •Microsoft.Network/routeTables/routes/read •Microsoft.Network/routeTables/routes/write •Microsoft.Network/routeTables/routes/delete | ||||
| 0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d | DNS Resolver Contributor | Lets you manage DNS resolver resources. | count: 041 •Microsoft.Network/dnsResolvers/read •Microsoft.Network/dnsResolvers/write •Microsoft.Network/dnsResolvers/delete •Microsoft.Network/dnsResolvers/join/action •Microsoft.Network/dnsResolvers/inboundEndpoints/read •Microsoft.Network/dnsResolvers/inboundEndpoints/write •Microsoft.Network/dnsResolvers/inboundEndpoints/delete •Microsoft.Network/dnsResolvers/inboundEndpoints/join/action •Microsoft.Network/dnsResolvers/outboundEndpoints/read •Microsoft.Network/dnsResolvers/outboundEndpoints/write •Microsoft.Network/dnsResolvers/outboundEndpoints/delete •Microsoft.Network/dnsResolvers/outboundEndpoints/join/action •Microsoft.Network/dnsForwardingRulesets/read •Microsoft.Network/dnsForwardingRulesets/write •Microsoft.Network/dnsForwardingRulesets/delete •Microsoft.Network/dnsForwardingRulesets/join/action •Microsoft.Network/dnsForwardingRulesets/forwardingRules/read •Microsoft.Network/dnsForwardingRulesets/forwardingRules/write •Microsoft.Network/dnsForwardingRulesets/forwardingRules/delete •Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/read •Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/write •Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/delete •Microsoft.Network/locations/dnsResolverOperationResults/read •Microsoft.Network/locations/dnsResolverOperationStatuses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/joinLoadBalancer/action •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action •Microsoft.Network/natGateways/join/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/routeTables/join/action •Microsoft.Network/serviceEndpointPolicies/join/action •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 959f8984-c045-4866-89c7-12bf9737be2e | Data Operator for Managed Disks | Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. | count: 004 •Microsoft.Compute/disks/download/action •Microsoft.Compute/disks/upload/action •Microsoft.Compute/snapshots/download/action •Microsoft.Compute/snapshots/upload/action | ||||
| 6b77f0a0-0d89-41cc-acd1-579c22c17a67 | AgFood Platform Sensor Partner Contributor | Provides contribute access to manage sensor related entities in AgFood Platform Service | count: 001 •Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/* | count: 001 •Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/delete | |||
| 1ef6a3be-d0ac-425d-8c01-acb62866290b | Compute Gallery Sharing Admin | This role allows user to share gallery to another subscription/tenant or share it to the public. | count: 001 •Microsoft.Compute/galleries/share/action | ||||
| cd08ab90-6b14-449c-ad9a-8f8e549482c6 | Scheduled Patching Contributor | Provides access to manage maintenance configurations with maintenance scope InGuestPatch and corresponding configuration assignments | count: 012 •Microsoft.Maintenance/maintenanceConfigurations/read •Microsoft.Maintenance/maintenanceConfigurations/write •Microsoft.Maintenance/maintenanceConfigurations/delete •Microsoft.Maintenance/configurationAssignments/read •Microsoft.Maintenance/configurationAssignments/write •Microsoft.Maintenance/configurationAssignments/delete •Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/read •Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/write •Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/delete •Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/read •Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/write •Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/delete | ||||
| 45d50f46-0b78-4001-a660-4198cbe8cd05 | DevCenter Dev Box User | Provides access to create and manage dev boxes. | count: 006 •Microsoft.DevCenter/projects/read •Microsoft.DevCenter/projects/*/read •Microsoft.Fidalgo/projects/read •Microsoft.Fidalgo/projects/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read | count: 012 •Microsoft.DevCenter/projects/users/devboxes/userStop/action •Microsoft.DevCenter/projects/users/devboxes/userStart/action •Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action •Microsoft.DevCenter/projects/users/devboxes/userRead/action •Microsoft.DevCenter/projects/users/devboxes/userWrite/action •Microsoft.DevCenter/projects/users/devboxes/userDelete/action •Microsoft.Fidalgo/projects/users/virtualMachines/userStop/action •Microsoft.Fidalgo/projects/users/virtualMachines/userStart/action •Microsoft.Fidalgo/projects/users/virtualMachines/userGetRdpFileContent/action •Microsoft.Fidalgo/projects/users/virtualMachines/userRead/action •Microsoft.Fidalgo/projects/users/virtualMachines/userWrite/action •Microsoft.Fidalgo/projects/users/virtualMachines/userDelete/action | |||
| 331c37c6-af14-46d9-b9f4-e1909e1b95a0 | DevCenter Project Admin | Provides access to manage project resources. | count: 005 •Microsoft.DevCenter/projects/* •Microsoft.Fidalgo/projects/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | count: 004 •Microsoft.DevCenter/projects/write •Microsoft.DevCenter/projects/delete •Microsoft.Fidalgo/projects/write •Microsoft.Fidalgo/projects/delete | count: 027 •Microsoft.DevCenter/projects/users/devboxes/adminStart/action •Microsoft.DevCenter/projects/users/devboxes/adminStop/action •Microsoft.DevCenter/projects/users/devboxes/adminRead/action •Microsoft.DevCenter/projects/users/devboxes/adminWrite/action •Microsoft.DevCenter/projects/users/devboxes/adminDelete/action •Microsoft.DevCenter/projects/users/devboxes/userStop/action •Microsoft.DevCenter/projects/users/devboxes/userStart/action •Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action •Microsoft.DevCenter/projects/users/devboxes/userRead/action •Microsoft.DevCenter/projects/users/devboxes/userWrite/action •Microsoft.DevCenter/projects/users/devboxes/userDelete/action •Microsoft.DevCenter/projects/users/environments/adminRead/action •Microsoft.DevCenter/projects/users/environments/userWrite/action •Microsoft.DevCenter/projects/users/environments/userDelete/action •Microsoft.DevCenter/projects/users/environments/adminDelete/action •Microsoft.DevCenter/projects/users/environments/adminAction/action •Microsoft.Fidalgo/projects/users/virtualMachines/adminStart/action •Microsoft.Fidalgo/projects/users/virtualMachines/adminStop/action •Microsoft.Fidalgo/projects/users/virtualMachines/adminRead/action •Microsoft.Fidalgo/projects/users/virtualMachines/adminWrite/action •Microsoft.Fidalgo/projects/users/virtualMachines/adminDelete/action •Microsoft.Fidalgo/projects/users/virtualMachines/userStop/action •Microsoft.Fidalgo/projects/users/virtualMachines/userStart/action •Microsoft.Fidalgo/projects/users/virtualMachines/userGetRdpFileContent/action •Microsoft.Fidalgo/projects/users/virtualMachines/userRead/action •Microsoft.Fidalgo/projects/users/virtualMachines/userWrite/action •Microsoft.Fidalgo/projects/users/virtualMachines/userDelete/action | ||
| 602da2ba-a5c2-41da-b01d-5360126ab525 | Virtual Machine Local User Login | View Virtual Machines in the portal and login as a local user configured on the arc server | count: 002 •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridConnectivity/endpoints/listCredentials/action | ||||
| e582369a-e17b-42a5-b10c-874c387c530b | Azure Arc ScVmm VM Contributor | Arc ScVmm VM Contributor has permissions to perform all VM actions. | count: 026 •microsoft.scvmm/virtualmachines/* •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read | ||||
| 6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9 | Azure Arc ScVmm Private Clouds Onboarding | Azure Arc ScVmm Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vmm server instances to Azure. | count: 028 •microsoft.scvmm/vmmservers/Read •microsoft.scvmm/vmmservers/Write •microsoft.scvmm/vmmservers/Delete •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read | ||||
| c0781e91-8102-4553-8951-97c6d4243cda | Azure Arc ScVmm Private Cloud User | Azure Arc ScVmm Private Cloud User has permissions to use the ScVmm resources to deploy VMs. | count: 031 •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •microsoft.scvmm/virtualnetworks/join/action •microsoft.scvmm/virtualnetworks/Read •microsoft.scvmm/virtualmachinetemplates/clone/action •microsoft.scvmm/virtualmachinetemplates/Read •microsoft.scvmm/clouds/deploy/action •microsoft.scvmm/clouds/Read | ||||
| a92dfd61-77f9-4aec-a531-19858b406c87 | Azure Arc ScVmm Administrator role | Arc ScVmm VM Administrator has permissions to perform all ScVmm actions. | count: 026 •Microsoft.ScVmm/* •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read | ||||
| 4465e953-8ced-4406-a58e-0f6e3f3b530b | FHIR Data Importer | Role allows user or principal to read and import FHIR Data | count: 002 •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action | ||||
| c031e6a8-4391-4de0-8d69-4706a7ed3729 | API Management Developer Portal Content Editor | Can customize the developer portal, edit its content, and publish it. | count: 008 •Microsoft.ApiManagement/service/portalRevisions/read •Microsoft.ApiManagement/service/portalRevisions/write •Microsoft.ApiManagement/service/contentTypes/read •Microsoft.ApiManagement/service/contentTypes/delete •Microsoft.ApiManagement/service/contentTypes/write •Microsoft.ApiManagement/service/contentTypes/contentItems/read •Microsoft.ApiManagement/service/contentTypes/contentItems/write •Microsoft.ApiManagement/service/contentTypes/contentItems/delete | ||||
| d24ecba3-c1f4-40fa-a7bb-4588a071e8fd | VM Scanner Operator | Role that provides access to disk snapshot for security analysis. | count: 008 •Microsoft.Compute/disks/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachineScaleSets/instanceView/read •Microsoft.Compute/virtualMachineScaleSets/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read | ||||
| 80dcbedb-47ef-405d-95bd-188a1b4ac406 | Elastic SAN Owner | Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access | count: 006 •Microsoft.Authorization/*/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ElasticSan/elasticSans/* •Microsoft.ElasticSan/locations/* | ||||
| af6a70f8-3c9f-4105-acf1-d719e9fca4ca | Elastic SAN Reader | Allows for control path read access to Azure Elastic SAN | count: 005 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ElasticSan/elasticSans/*/read | ||||
| 489581de-a3bd-480d-9518-53dea7416b33 | Desktop Virtualization Power On Contributor | This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines. | count: 007 •Microsoft.Compute/virtualMachines/start/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a959dbd1-f747-45e3-8ba6-dd80f235f97c | Desktop Virtualization Virtual Machine Contributor | This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines. | count: 052 •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/write •Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/write •Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action •Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/availabilitySets/write •Microsoft.Compute/availabilitySets/vmSizes/read •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/disks/delete •Microsoft.Compute/galleries/read •Microsoft.Compute/galleries/images/read •Microsoft.Compute/galleries/images/versions/read •Microsoft.Compute/images/read •Microsoft.Compute/locations/usages/read •Microsoft.Compute/locations/vmSizes/read •Microsoft.Compute/operations/read •Microsoft.Compute/skus/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.Compute/virtualMachines/delete •Microsoft.Compute/virtualMachines/start/action •Microsoft.Compute/virtualMachines/powerOff/action •Microsoft.Compute/virtualMachines/restart/action •Microsoft.Compute/virtualMachines/deallocate/action •Microsoft.Compute/virtualMachines/runCommand/action •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/extensions/write •Microsoft.Compute/virtualMachines/extensions/delete •Microsoft.Compute/virtualMachines/runCommands/read •Microsoft.Compute/virtualMachines/runCommands/write •Microsoft.Compute/virtualMachines/vmSizes/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read •Microsoft.KeyVault/vaults/deploy/action •Microsoft.Storage/storageAccounts/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 40c5ff49-9181-41f8-ae61-143b0e78555e | Desktop Virtualization Power On Off Contributor | This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines. | count: 018 •Microsoft.Compute/virtualMachines/start/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/deallocate/action •Microsoft.Compute/virtualMachines/restart/action •Microsoft.Compute/virtualMachines/powerOff/action •Microsoft.Insights/eventtypes/values/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/write •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/write •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action | ||||
| a8281131-f312-4f34-8d98-ae12be9f0d23 | Elastic SAN Volume Group Owner | Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access | count: 004 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.ElasticSan/elasticSans/volumeGroups/* •Microsoft.ElasticSan/locations/asyncoperations/read | ||||
| 76cc9ee4-d5d3-4a45-a930-26add3d73475 | Access Review Operator Service Role | Lets you grant Access Review System app permissions to discover and revoke access as needed by the access review process. | count: 003 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleAssignments/delete •Microsoft.Management/getEntities/action | ||||
| 4339b7cf-9826-4e41-b4ed-c7f4505dac08 | Code Signing Identity Verifier | Manage identity or business verification requests. This role is in preview and subject to change. | count: 001 •Microsoft.CodeSigning/*/read | count: 002 •Microsoft.CodeSigning/IdentityVerification/Read •Microsoft.CodeSigning/IdentityVerification/Write | |||
| a2c4a527-7dc0-4ee3-897b-403ade70fafb | Video Indexer Restricted Viewer | Has access to view and search through all video's insights and transcription in the Video Indexer portal. No access to model customization, embedding of widget, downloading videos, or sharing the account. | count: 002 •Microsoft.VideoIndexer/*/read •Microsoft.VideoIndexer/accounts/*/action | count: 003 •Microsoft.VideoIndexer/*/write •Microsoft.VideoIndexer/*/delete •Microsoft.VideoIndexer/accounts/generateAccessToken/action | |||
| b0d8363b-8ddd-447d-831f-62ca05bff136 | Monitoring Data Reader | Can access the data in an Azure Monitor Workspace. | count: 001 •Microsoft.Monitor/accounts/data/metrics/read | ||||
| 63bb64ad-9799-4770-b5c3-24ed299a07bf | Azure Kubernetes Fleet Manager Contributor Role | Grants access to read and write Azure Kubernetes Fleet Manager clusters | count: 002 •Microsoft.ContainerService/fleets/* •Microsoft.Resources/deployments/* | ||||
| 5af6afb3-c06c-4fa4-8848-71a8aee05683 | Azure Kubernetes Fleet Manager RBAC Writer | Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | count: 006 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/fleets/read •Microsoft.ContainerService/fleets/listCredentials/action | count: 027 •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/* •Microsoft.ContainerService/fleets/apps/deployments/* •Microsoft.ContainerService/fleets/apps/statefulsets/* •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* •Microsoft.ContainerService/fleets/batch/cronjobs/* •Microsoft.ContainerService/fleets/batch/jobs/* •Microsoft.ContainerService/fleets/configmaps/* •Microsoft.ContainerService/fleets/endpoints/* •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/* •Microsoft.ContainerService/fleets/extensions/deployments/* •Microsoft.ContainerService/fleets/extensions/ingresses/* •Microsoft.ContainerService/fleets/extensions/networkpolicies/* •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* •Microsoft.ContainerService/fleets/persistentvolumeclaims/* •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* •Microsoft.ContainerService/fleets/replicationcontrollers/* •Microsoft.ContainerService/fleets/replicationcontrollers/* •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/secrets/* •Microsoft.ContainerService/fleets/serviceaccounts/* •Microsoft.ContainerService/fleets/services/* | |||
| 434fb43a-c01c-447e-9f67-c3ad923cfaba | Azure Kubernetes Fleet Manager RBAC Admin | This role grants admin access - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. | count: 006 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/fleets/read •Microsoft.ContainerService/fleets/listCredentials/action | count: 030 •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/* •Microsoft.ContainerService/fleets/apps/deployments/* •Microsoft.ContainerService/fleets/apps/statefulsets/* •Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* •Microsoft.ContainerService/fleets/batch/cronjobs/* •Microsoft.ContainerService/fleets/batch/jobs/* •Microsoft.ContainerService/fleets/configmaps/* •Microsoft.ContainerService/fleets/endpoints/* •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/* •Microsoft.ContainerService/fleets/extensions/deployments/* •Microsoft.ContainerService/fleets/extensions/ingresses/* •Microsoft.ContainerService/fleets/extensions/networkpolicies/* •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* •Microsoft.ContainerService/fleets/persistentvolumeclaims/* •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* •Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* •Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* •Microsoft.ContainerService/fleets/replicationcontrollers/* •Microsoft.ContainerService/fleets/replicationcontrollers/* •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/secrets/* •Microsoft.ContainerService/fleets/serviceaccounts/* •Microsoft.ContainerService/fleets/services/* | |||
| 18ab4d3d-a1bf-4477-8ad9-8359bc988f69 | Azure Kubernetes Fleet Manager RBAC Cluster Admin | Lets you manage all resources in the fleet manager cluster. | count: 006 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/fleets/read •Microsoft.ContainerService/fleets/listCredentials/action | count: 001 •Microsoft.ContainerService/fleets/* | |||
| 30b27cfc-9c84-438e-b0ce-70e35255df80 | Azure Kubernetes Fleet Manager RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | count: 006 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/fleets/read •Microsoft.ContainerService/fleets/listCredentials/action | count: 026 •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/read •Microsoft.ContainerService/fleets/apps/deployments/read •Microsoft.ContainerService/fleets/apps/statefulsets/read •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read •Microsoft.ContainerService/fleets/batch/cronjobs/read •Microsoft.ContainerService/fleets/batch/jobs/read •Microsoft.ContainerService/fleets/configmaps/read •Microsoft.ContainerService/fleets/endpoints/read •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/read •Microsoft.ContainerService/fleets/extensions/deployments/read •Microsoft.ContainerService/fleets/extensions/ingresses/read •Microsoft.ContainerService/fleets/extensions/networkpolicies/read •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read •Microsoft.ContainerService/fleets/persistentvolumeclaims/read •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read •Microsoft.ContainerService/fleets/replicationcontrollers/read •Microsoft.ContainerService/fleets/replicationcontrollers/read •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/serviceaccounts/read •Microsoft.ContainerService/fleets/services/read | |||
| ba79058c-0414-4a34-9e42-c3399d80cd5a | Kubernetes Namespace User | Allows a user to read namespace resources and retrieve kubeconfig for the cluster | count: 002 •Microsoft.KubernetesConfiguration/namespaces/read •Microsoft.KubernetesConfiguration/namespaces/listUserCredential/action | ||||
| c6decf44-fd0a-444c-a844-d653c394e7ab | Data Labeling - Labeler | Can label data in Labeling. | count: 006 •Microsoft.MachineLearningServices/workspaces/read •Microsoft.MachineLearningServices/workspaces/experiments/runs/read •Microsoft.MachineLearningServices/workspaces/labeling/projects/read •Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read •Microsoft.MachineLearningServices/workspaces/labeling/labels/read •Microsoft.MachineLearningServices/workspaces/labeling/labels/write | ||||
| f58310d9-a9f6-439a-9e8d-f62e7b41a168 | Role Based Access Control Administrator (Preview) | Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. | count: 004 •Microsoft.Authorization/roleAssignments/write •Microsoft.Authorization/roleAssignments/delete •*/read •Microsoft.Support/* | ||||
| 392ae280-861d-42bd-9ea5-08ee6d83b80e | Template Spec Reader | Allows read access to Template Specs at the assigned scope. | count: 001 •Microsoft.Resources/templateSpecs/*/read | ||||
| 1c9b6475-caf0-4164-b5a1-2142a7116f4b | Template Spec Contributor | Allows full access to Template Spec operations at the assigned scope. | count: 004 •Microsoft.Resources/templateSpecs/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 51d6186e-6489-4900-b93f-92e23144cca5 | Microsoft Sentinel Playbook Operator | Microsoft Sentinel Playbook Operator | count: 002 •Microsoft.Logic/workflows/read •Microsoft.Logic/workflows/triggers/listCallbackUrl/action | ||||
| 18e40d4e-8d2e-438d-97e1-9528336e149c | Deployment Environments User | Provides access to manage environment resources. | count: 006 •Microsoft.DevCenter/projects/read •Microsoft.DevCenter/projects/*/read •Microsoft.Fidalgo/projects/read •Microsoft.Fidalgo/projects/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Authorization/*/read | count: 003 •Microsoft.DevCenter/projects/pools/read •Microsoft.Fidalgo/projects/pools/read •Microsoft.DevCenter/projects/pools/schedules/read | count: 004 •Microsoft.DevCenter/projects/users/environments/adminRead/action •Microsoft.DevCenter/projects/users/environments/userWrite/action •Microsoft.DevCenter/projects/users/environments/userDelete/action •Microsoft.DevCenter/projects/users/environments/adminAction/action | ||
| 80558df3-64f9-4c0f-b32d-e5094b036b0b | Azure Spring Apps Connect Role | Azure Spring Apps Connect Role | count: 001 •Microsoft.AppPlatform/Spring/apps/deployments/connect/action | ||||
| a99b0159-1064-4c22-a57b-c9b3caa1c054 | Azure Spring Apps Remote Debugging Role | Azure Spring Apps Remote Debugging Role | count: 001 •Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action | ||||
| e503ece1-11d0-4e8e-8e2c-7a6c3bf38815 | AzureML Compute Operator | Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). | count: 002 •Microsoft.MachineLearningServices/workspaces/computes/* •Microsoft.MachineLearningServices/workspaces/notebooks/vm/* | ||||
| 1823dd4f-9b8c-4ab6-ab4e-7397a3684615 | AzureML Registry User | Can perform all actions on Machine Learning Services Registry assets as well as get Registry resources. | count: 002 •Microsoft.MachineLearningServices/registries/read •Microsoft.MachineLearningServices/registries/assets/* |