| Id | Name | Description | Actions | NotActions | DataActions | NotDataActions | Used in Policy |
|---|---|---|---|---|---|---|---|
| 8311e382-0749-4cb8-b61a-304f252e45ec | AcrPush | acr push | Microsoft.ContainerRegistry/registries/pull/read Microsoft.ContainerRegistry/registries/push/write | ||||
| 312a565d-c81f-4fd8-895a-4e21e48d571c | API Management Service Contributor | Can manage service and the APIs | Microsoft.ApiManagement/service/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 7f951dda-4ed3-4680-a7ca-43fe172d538d | AcrPull | acr pull | Microsoft.ContainerRegistry/registries/pull/read | ||||
| 6cef56e8-d556-48e5-a04f-b8e64114680f | AcrImageSigner | acr image signer | Microsoft.ContainerRegistry/registries/sign/write | ||||
| c2f4ef07-c644-48eb-af81-4b1b4947fb11 | AcrDelete | acr delete | Microsoft.ContainerRegistry/registries/artifacts/delete | ||||
| cdda3590-29a3-44f6-95f2-9f980659eb04 | AcrQuarantineReader | acr quarantine data reader | Microsoft.ContainerRegistry/registries/quarantine/read | ||||
| c8d4ff99-41c3-41a8-9f60-21dfdad59608 | AcrQuarantineWriter | acr quarantine data writer | Microsoft.ContainerRegistry/registries/quarantine/read Microsoft.ContainerRegistry/registries/quarantine/write | ||||
| e022efe7-f5ba-4159-bbe4-b44f577e9b61 | API Management Service Operator Role | Can manage service but not the APIs | Microsoft.ApiManagement/service/*/read Microsoft.ApiManagement/service/backup/action Microsoft.ApiManagement/service/delete Microsoft.ApiManagement/service/managedeployments/action Microsoft.ApiManagement/service/read Microsoft.ApiManagement/service/restore/action Microsoft.ApiManagement/service/updatecertificate/action Microsoft.ApiManagement/service/updatehostname/action Microsoft.ApiManagement/service/write Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.ApiManagement/service/users/keys/read | |||
| 71522526-b88f-4d52-b57f-d31fc3546d0d | API Management Service Reader Role | Read-only access to service and APIs | Microsoft.ApiManagement/service/*/read Microsoft.ApiManagement/service/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.ApiManagement/service/users/keys/read | |||
| ae349356-3a1b-4a5e-921d-050484c6347e | Application Insights Component Contributor | Can manage Application Insights components | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Insights/generateLiveToken/read Microsoft.Insights/metricAlerts/* Microsoft.Insights/components/* Microsoft.Insights/scheduledqueryrules/* Microsoft.Insights/topology/read Microsoft.Insights/transactions/read Microsoft.Insights/webtests/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 08954f03-6346-4c2e-81c0-ec3a5cfae23b | Application Insights Snapshot Debugger | Gives user permission to use Application Insights Snapshot Debugger features | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Insights/components/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| fd1bd22b-8476-40bc-a0bc-69b95687b9f3 | Attestation Reader | Can read the attestation provider properties | Microsoft.Attestation/attestationProviders/attestation/read | ||||
| 4fe576fe-1146-4730-92eb-48519fa6bf9f | Automation Job Operator | Create and Manage Jobs using Automation Runbooks. | Microsoft.Authorization/*/read Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read Microsoft.Automation/automationAccounts/jobs/read Microsoft.Automation/automationAccounts/jobs/resume/action Microsoft.Automation/automationAccounts/jobs/stop/action Microsoft.Automation/automationAccounts/jobs/streams/read Microsoft.Automation/automationAccounts/jobs/suspend/action Microsoft.Automation/automationAccounts/jobs/write Microsoft.Automation/automationAccounts/jobs/output/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 | Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. | Microsoft.Authorization/*/read Microsoft.Automation/automationAccounts/runbooks/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| d3881f73-407a-4167-8283-e981cbba0404 | Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs | Microsoft.Authorization/*/read Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read Microsoft.Automation/automationAccounts/jobs/read Microsoft.Automation/automationAccounts/jobs/resume/action Microsoft.Automation/automationAccounts/jobs/stop/action Microsoft.Automation/automationAccounts/jobs/streams/read Microsoft.Automation/automationAccounts/jobs/suspend/action Microsoft.Automation/automationAccounts/jobs/write Microsoft.Automation/automationAccounts/jobSchedules/read Microsoft.Automation/automationAccounts/jobSchedules/write Microsoft.Automation/automationAccounts/linkedWorkspace/read Microsoft.Automation/automationAccounts/read Microsoft.Automation/automationAccounts/runbooks/read Microsoft.Automation/automationAccounts/schedules/read Microsoft.Automation/automationAccounts/schedules/write Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Automation/automationAccounts/jobs/output/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 4f8fab4f-1852-4a58-a46a-8eaf358af14a | Avere Contributor | Can create and manage an Avere vFXT cluster. | Microsoft.Authorization/*/read Microsoft.Compute/*/read Microsoft.Compute/availabilitySets/* Microsoft.Compute/proximityPlacementGroups/* Microsoft.Compute/virtualMachines/* Microsoft.Compute/disks/* Microsoft.Network/*/read Microsoft.Network/networkInterfaces/* Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Microsoft.Network/networkSecurityGroups/join/action Microsoft.Resources/deployments/* Microsoft.Insights/alertRules/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/*/read Microsoft.Storage/storageAccounts/* Microsoft.Support/* Microsoft.Resources/subscriptions/resourceGroups/resources/read | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | Avere Operator | Used by the Avere vFXT cluster to manage the cluster | Microsoft.Compute/virtualMachines/read Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/write Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Network/networkSecurityGroups/join/action Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/blobServices/containers/delete Microsoft.Storage/storageAccounts/blobServices/containers/read Microsoft.Storage/storageAccounts/blobServices/containers/write | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 | Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action Microsoft.ContainerService/managedClusters/read | ||||
| 4abbcc35-e782-43d8-92c5-2d3f1bd2253f | Azure Kubernetes Service Cluster User Role | List cluster user credential action. | Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Microsoft.ContainerService/managedClusters/read | ||||
| 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | Azure Maps Data Reader | Grants access to read map related data from an Azure maps account. | Microsoft.Maps/accounts/*/read | ||||
| 6f12a6df-dd06-4f3e-bcb1-ce8be600526a | Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | Microsoft.AzureStack/edgeSubscriptions/read Microsoft.AzureStack/registrations/products/*/action Microsoft.AzureStack/registrations/products/read Microsoft.AzureStack/registrations/read | ||||
| 5e467623-bb1f-42f4-a55d-6e525e11384b | Backup Contributor | Lets you manage backup service,but can't create vaults and give access to others | Microsoft.Authorization/*/read Microsoft.Network/virtualNetworks/read Microsoft.RecoveryServices/locations/* Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Microsoft.RecoveryServices/Vaults/backupJobs/* Microsoft.RecoveryServices/Vaults/backupJobsExport/action Microsoft.RecoveryServices/Vaults/backupOperationResults/* Microsoft.RecoveryServices/Vaults/backupPolicies/* Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Microsoft.RecoveryServices/Vaults/backupProtectedItems/* Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Microsoft.RecoveryServices/Vaults/certificates/* Microsoft.RecoveryServices/Vaults/extendedInformation/* Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/* Microsoft.RecoveryServices/Vaults/usages/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/read Microsoft.RecoveryServices/Vaults/backupstorageconfig/* Microsoft.RecoveryServices/Vaults/backupconfig/* Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Microsoft.RecoveryServices/Vaults/write Microsoft.RecoveryServices/Vaults/backupOperations/read Microsoft.RecoveryServices/Vaults/backupEngines/read Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Microsoft.RecoveryServices/locations/backupStatus/action Microsoft.RecoveryServices/locations/backupPreValidateProtection/action Microsoft.RecoveryServices/locations/backupValidateFeatures/action Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Microsoft.RecoveryServices/operations/read Microsoft.RecoveryServices/locations/operationStatus/read Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read Microsoft.Support/* | Configure backup on VMs without a given tag to an existing recovery services vault in the same location, [Preview]: Configure backup on VMs with a given tag to an existing recovery services vault in the same location, [Preview]: Configure backup on VMs with a given tag to a new recovery services vault with a default policy, [Preview]: Configure backup on VMs without a given tag to a new recovery services vault with a default policy | |||
| fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 | Billing Reader | Allows read access to billing data | Microsoft.Authorization/*/read Microsoft.Billing/*/read Microsoft.Commerce/*/read Microsoft.Consumption/*/read Microsoft.Management/managementGroups/read Microsoft.CostManagement/*/read Microsoft.Support/* | ||||
| 00c29273-979b-4161-815c-10b084fb9324 | Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others | Microsoft.Authorization/*/read Microsoft.Network/virtualNetworks/read Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Microsoft.RecoveryServices/Vaults/backupJobs/* Microsoft.RecoveryServices/Vaults/backupJobsExport/action Microsoft.RecoveryServices/Vaults/backupOperationResults/* Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Microsoft.RecoveryServices/Vaults/backupPolicies/read Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Microsoft.RecoveryServices/Vaults/certificates/write Microsoft.RecoveryServices/Vaults/extendedInformation/read Microsoft.RecoveryServices/Vaults/extendedInformation/write Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/read Microsoft.RecoveryServices/Vaults/registeredIdentities/write Microsoft.RecoveryServices/Vaults/usages/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/read Microsoft.RecoveryServices/Vaults/backupstorageconfig/* Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Microsoft.RecoveryServices/Vaults/backupOperations/read Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action Microsoft.RecoveryServices/Vaults/backupEngines/read Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Microsoft.RecoveryServices/locations/backupStatus/action Microsoft.RecoveryServices/locations/backupPreValidateProtection/action Microsoft.RecoveryServices/locations/backupValidateFeatures/action Microsoft.RecoveryServices/locations/backupAadProperties/read Microsoft.RecoveryServices/locations/backupCrrJobs/action Microsoft.RecoveryServices/locations/backupCrrJob/action Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action Microsoft.RecoveryServices/locations/backupCrrOperationResults/read Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Microsoft.RecoveryServices/operations/read Microsoft.RecoveryServices/locations/operationStatus/read Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read Microsoft.Support/* | ||||
| a795c7a0-d4a2-40c1-ae25-d81f01202912 | Backup Reader | Can view backup services, but can't make changes | Microsoft.Authorization/*/read Microsoft.RecoveryServices/locations/allocatedStamp/read Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read Microsoft.RecoveryServices/Vaults/backupJobs/read Microsoft.RecoveryServices/Vaults/backupJobsExport/action Microsoft.RecoveryServices/Vaults/backupOperationResults/read Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Microsoft.RecoveryServices/Vaults/backupPolicies/read Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Microsoft.RecoveryServices/Vaults/extendedInformation/read Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/read Microsoft.RecoveryServices/Vaults/backupstorageconfig/read Microsoft.RecoveryServices/Vaults/backupconfig/read Microsoft.RecoveryServices/Vaults/backupOperations/read Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Microsoft.RecoveryServices/Vaults/backupEngines/read Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Microsoft.RecoveryServices/locations/backupStatus/action Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Microsoft.RecoveryServices/operations/read Microsoft.RecoveryServices/locations/operationStatus/read Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/locations/backupValidateFeatures/action | ||||
| 31a002a1-acaf-453e-8a5b-297c9ca1ea24 | Blockchain Member Node Access (Preview) | Allows for access to Blockchain Member nodes | Microsoft.Blockchain/blockchainMembers/transactionNodes/read | Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action | |||
| 5e3c6656-6cfa-4708-81fe-0de47ac73342 | BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | Microsoft.Authorization/*/read Microsoft.BizTalkServices/BizTalk/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 | CDN Endpoint Contributor | Can manage CDN endpoints, but can’t grant access to other users. | Microsoft.Authorization/*/read Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/endpoints/* Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 871e35f6-b5c1-49cc-a043-bde969a0f2cd | CDN Endpoint Reader | Can view CDN endpoints, but can’t make changes. | Microsoft.Authorization/*/read Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/endpoints/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| ec156ff8-a8d1-4d15-830c-5b80698ca432 | CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can’t grant access to other users. | Microsoft.Authorization/*/read Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/* Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 8f96442b-4075-438f-813d-ad51ab4019af | CDN Profile Reader | Can view CDN profiles and their endpoints, but can’t make changes. | Microsoft.Authorization/*/read Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| b34d265f-36f7-4a0d-a4d4-e158ca92e90f | Classic Network Contributor | Lets you manage classic networks, but not access to them. | Microsoft.Authorization/*/read Microsoft.ClassicNetwork/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | Microsoft.Authorization/*/read Microsoft.ClassicStorage/storageAccounts/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 985d6b00-f706-48f5-a6fe-d0ca12fb668d | Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | Microsoft.ClassicStorage/storageAccounts/listkeys/action Microsoft.ClassicStorage/storageAccounts/regeneratekey/action | ||||
| 9106cda0-8a86-4e81-b686-29a22c54effe | ClearDB MySQL DB Contributor | Lets you manage ClearDB MySQL databases, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* successbricks.cleardb/databases/* | ||||
| d73bb868-a0df-4d4d-bd69-98a00b01fccb | Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to. | Microsoft.Authorization/*/read Microsoft.ClassicCompute/domainNames/* Microsoft.ClassicCompute/virtualMachines/* Microsoft.ClassicNetwork/networkSecurityGroups/join/action Microsoft.ClassicNetwork/reservedIps/link/action Microsoft.ClassicNetwork/reservedIps/read Microsoft.ClassicNetwork/virtualNetworks/join/action Microsoft.ClassicNetwork/virtualNetworks/read Microsoft.ClassicStorage/storageAccounts/disks/read Microsoft.ClassicStorage/storageAccounts/images/read Microsoft.ClassicStorage/storageAccounts/listKeys/action Microsoft.ClassicStorage/storageAccounts/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| a97b65f3-24c7-4388-baec-2e87135dc908 | Cognitive Services User | Lets you read and list keys of Cognitive Services. | Microsoft.CognitiveServices/*/read Microsoft.CognitiveServices/accounts/listkeys/action Microsoft.Insights/alertRules/read Microsoft.Insights/diagnosticSettings/read Microsoft.Insights/logDefinitions/read Microsoft.Insights/metricdefinitions/read Microsoft.Insights/metrics/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/operations/read Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.CognitiveServices/* | |||
| b59867f0-fa02-499b-be73-45a86b5b3e1c | Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | Microsoft.CognitiveServices/*/read | ||||
| 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. | Microsoft.Authorization/*/read Microsoft.CognitiveServices/* Microsoft.Features/features/read Microsoft.Features/providers/features/read Microsoft.Insights/alertRules/* Microsoft.Insights/diagnosticSettings/* Microsoft.Insights/logDefinitions/read Microsoft.Insights/metricdefinitions/read Microsoft.Insights/metrics/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/deployments/operations/read Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourcegroups/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| db7b14f2-5adf-42da-9f96-f2ee17bab5cb | CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account | Microsoft.DocumentDB/databaseAccounts/backup/action Microsoft.DocumentDB/databaseAccounts/restore/action | ||||
| b24988ac-6180-42a0-ab88-20f7382dd24c | Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | * | Microsoft.Authorization/*/Delete Microsoft.Authorization/*/Write Microsoft.Authorization/elevateAccess/Action Microsoft.Blueprint/blueprintAssignments/write Microsoft.Blueprint/blueprintAssignments/delete Microsoft.Compute/galleries/share/action | [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management', Deploy a flow log resource with target network security group, Modify - Configure Azure File Sync to disable public network access, [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs., Configure Batch accounts with private endpoints, [Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root, Modify - Configure Azure IoT Hubs to disable public network access, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects', [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed, [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members, [Preview]: Deploy - Configure Windows machines to automatically install the Azure Security agent, [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day, Deploy associations for a managed application, Configure Kubernetes clusters with specified GitOps configuration using no secrets, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown', [Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters, Configure Azure Automation accounts to disable public network access, Configure virtual machines to be onboarded to Azure Automanage, [Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain, [Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running', Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs, [Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords, [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon', Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs, Configure Azure Synapse workspaces with private endpoints, Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Deploy Diagnostic Settings for Search Services to Event Hub, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System', Inherit a tag from the subscription if missing, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings', Configure Cognitive Services accounts to disable public network access, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit', [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed, Deploy Diagnostic Settings for Data Lake Analytics to Event Hub, Add a tag to resources, Deploy Workflow Automation for Azure Security Center regulatory compliance, Configure disk access resources with private endpoints, [Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one, [Preview]: Deploy - Configure Linux machines to automatically install the Azure Security agent, Add or replace a tag on resources, Configure time zone on Windows machines., Configure private endpoints for App Configuration, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices', [Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected, [Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled, Deploy Diagnostic Settings for Service Bus to Event Hub, Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace., [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components', [Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords, Add a tag to resource groups, Configure App Configuration to disable public network access, Deploy Workflow Automation for Azure Security Center recommendations, [Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled, [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment', Configure managed disks to disable public network access, Configure IoT Hub device provisioning service instances to disable public network access, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server', [Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access', Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace., [Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties', [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed, [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network', Deploy Diagnostic Settings for Azure SQL Database to Event Hub, Configure IoT Hub device provisioning service instances with private endpoints, Deploy Diagnostic Settings for Logic Apps to Event Hub, Configure Container registries to disable public network access, Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM, Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets, Configure IoT Hub device provisioning instances to use private DNS zones, Inherit a tag from the subscription, [Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols, Configure Azure File Sync with private endpoints, Configure CosmosDB accounts with private endpoints , [Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client', Deploy - Configure Azure IoT Hubs with private endpoints, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff', Configure Kubernetes clusters with specified GitOps configuration using SSH secrets, Configure private endpoint connections on Azure Automation accounts, Deploy associations for a custom provider, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon', [Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone, [Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days, [Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot, Deploy - Configure Azure IoT Hubs to use private DNS zones, Inherit a tag from the resource group, Deploy export to Event Hub for Azure Security Center data, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use', Add or replace a tag on resource groups, [Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant, Configure Container registries with private endpoints, Configure CosmosDB accounts to disable public network access , Deploy Diagnostic Settings for Batch Account to Event Hub, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console', [Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts', Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub, Inherit a tag from the resource group if missing, [Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel', Deploy Diagnostic Settings for Key Vault to Event Hub, Deploy Diagnostic Settings for Stream Analytics to Event Hub, Deploy Diagnostic Settings for Event Hub to Event Hub, [Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed, Deploy Workflow Automation for Azure Security Center alerts, [Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)', [Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days, [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access', [Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System', [Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs., Deploy export to Log Analytics workspace for Azure Security Center data | ||
| fbdf93bf-df7d-467e-a4d2-9458aa1360c8 | Cosmos DB Account Reader Role | Can read Azure Cosmos DB Accounts data | Microsoft.Authorization/*/read Microsoft.DocumentDB/*/read Microsoft.DocumentDB/databaseAccounts/readonlykeys/action Microsoft.Insights/MetricDefinitions/read Microsoft.Insights/Metrics/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 434105ed-43f6-45c7-a02f-909b2ba83430 | Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) | Microsoft.Consumption/* Microsoft.CostManagement/* Microsoft.Billing/billingPeriods/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Advisor/configurations/read Microsoft.Advisor/recommendations/read Microsoft.Management/managementGroups/read Microsoft.Billing/billingProperty/read | ||||
| 72fafb9e-0641-4937-9268-a91bfd8191a3 | Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) | Microsoft.Consumption/*/read Microsoft.CostManagement/*/read Microsoft.Billing/billingPeriods/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Advisor/configurations/read Microsoft.Advisor/recommendations/read Microsoft.Management/managementGroups/read Microsoft.Billing/billingProperty/read | ||||
| add466c9-e687-43fc-8d98-dfcf8d720be5 | Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | Microsoft.Authorization/*/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Databox/* | ||||
| 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. | Microsoft.Authorization/*/read Microsoft.Databox/*/read Microsoft.Databox/jobs/listsecrets/action Microsoft.Databox/jobs/listcredentials/action Microsoft.Databox/locations/availableSkus/action Microsoft.Databox/locations/validateInputs/action Microsoft.Databox/locations/regionConfiguration/action Microsoft.Databox/locations/validateAddress/action Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Support/* | ||||
| 673868aa-7521-48a0-acc6-0f60742d39f5 | Data Factory Contributor | Create and manage data factories, as well as child resources within them. | Microsoft.Authorization/*/read Microsoft.DataFactory/dataFactories/* Microsoft.DataFactory/factories/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.EventGrid/eventSubscriptions/write | Configure Data Factories to disable public network access, Configure private endpoints for Data factories | |||
| 150f5e0c-0603-4f03-8c7f-cf70034c4e90 | Data Purger | Can purge analytics data | Microsoft.Insights/components/*/read Microsoft.Insights/components/purge/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/purge/action | ||||
| 47b7735b-770e-4598-a7da-8b91488b4c88 | Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | Microsoft.Authorization/*/read Microsoft.BigAnalytics/accounts/* Microsoft.DataLakeAnalytics/accounts/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.BigAnalytics/accounts/Delete Microsoft.BigAnalytics/accounts/TakeOwnership/action Microsoft.BigAnalytics/accounts/Write Microsoft.DataLakeAnalytics/accounts/Delete Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action Microsoft.DataLakeAnalytics/accounts/Write Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete Microsoft.DataLakeAnalytics/accounts/firewallRules/Write Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete Microsoft.DataLakeAnalytics/accounts/computePolicies/Write Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete | |||
| 76283e04-6283-4c54-8f91-bcf1374a3c64 | DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | Microsoft.Authorization/*/read Microsoft.Compute/availabilitySets/read Microsoft.Compute/virtualMachines/*/read Microsoft.Compute/virtualMachines/deallocate/action Microsoft.Compute/virtualMachines/read Microsoft.Compute/virtualMachines/restart/action Microsoft.Compute/virtualMachines/start/action Microsoft.DevTestLab/*/read Microsoft.DevTestLab/labs/claimAnyVm/action Microsoft.DevTestLab/labs/createEnvironment/action Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action Microsoft.DevTestLab/labs/formulas/delete Microsoft.DevTestLab/labs/formulas/read Microsoft.DevTestLab/labs/formulas/write Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action Microsoft.DevTestLab/labs/virtualMachines/claim/action Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action Microsoft.Network/loadBalancers/backendAddressPools/join/action Microsoft.Network/loadBalancers/inboundNatRules/join/action Microsoft.Network/networkInterfaces/*/read Microsoft.Network/networkInterfaces/join/action Microsoft.Network/networkInterfaces/read Microsoft.Network/networkInterfaces/write Microsoft.Network/publicIPAddresses/*/read Microsoft.Network/publicIPAddresses/join/action Microsoft.Network/publicIPAddresses/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.Resources/deployments/operations/read Microsoft.Resources/deployments/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/listKeys/action | Microsoft.Compute/virtualMachines/vmSizes/read | |||
| 5bd9cd88-fe45-4216-938b-f97437e15450 | DocumentDB Account Contributor | Lets you manage DocumentDB accounts, but not access to them. | Microsoft.Authorization/*/read Microsoft.DocumentDb/databaseAccounts/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Configure CosmosDB accounts with private endpoints , Configure CosmosDB accounts to disable public network access | |||
| befefa01-2a29-4197-83a8-272ff33ce314 | DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/dnsZones/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 | EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | Microsoft.Authorization/*/read Microsoft.EventGrid/eventSubscriptions/* Microsoft.EventGrid/topicTypes/eventSubscriptions/read Microsoft.EventGrid/locations/eventSubscriptions/read Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 2414bbcf-6497-4faf-8c65-045460748405 | EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | Microsoft.Authorization/*/read Microsoft.EventGrid/eventSubscriptions/read Microsoft.EventGrid/topicTypes/eventSubscriptions/read Microsoft.EventGrid/locations/eventSubscriptions/read Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b60367af-1334-4454-b71e-769d9a4f83d9 | Graph Owner | Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions | Microsoft.EnterpriseKnowledgeGraph/services/conflation/read Microsoft.EnterpriseKnowledgeGraph/services/conflation/write Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/read Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/write Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read Microsoft.EnterpriseKnowledgeGraph/services/knowledge/write Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/read Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/write Microsoft.EnterpriseKnowledgeGraph/services/ingestion/read Microsoft.EnterpriseKnowledgeGraph/services/ingestion/write Microsoft.EnterpriseKnowledgeGraph/services/ontology/read Microsoft.EnterpriseKnowledgeGraph/services/ontology/write Microsoft.EnterpriseKnowledgeGraph/services/delete Microsoft.EnterpriseKnowledgeGraph/operations/read | ||||
| 8d8d5a11-05d3-4bda-a417-a08778121c7c | HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | Microsoft.AAD/*/read Microsoft.AAD/domainServices/*/read Microsoft.AAD/domainServices/oucontainer/* | ||||
| 03a6d094-3444-4b3d-88af-7477090a9e5e | Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.IntelligentSystems/accounts/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| f25e0fa2-a7c8-4377-a976-54943a77a395 | Key Vault Contributor | Lets you manage key vaults, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.KeyVault/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.KeyVault/locations/deletedVaults/purge/action Microsoft.KeyVault/hsmPools/* Microsoft.KeyVault/managedHsms/* | |||
| ee361c5d-f7b5-4119-b4b6-892157c8f64c | Knowledge Consumer | Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query | Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read | ||||
| b97fb8bc-a8b2-4522-a38b-dd33c7e65ead | Lab Creator | Lets you create new labs under your Azure Lab Accounts. | Microsoft.Authorization/*/read Microsoft.LabServices/labAccounts/*/read Microsoft.LabServices/labAccounts/createLab/action Microsoft.LabServices/labAccounts/getPricingAndAvailability/action Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 73c42c96-874c-492b-b04d-ab87d138a893 | Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | */read Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/search/action Microsoft.Support/* | Microsoft.OperationalInsights/workspaces/sharedKeys/read | |||
| 92aaf0da-9dab-42b6-94a3-d43ce8d16293 | Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. | */read Microsoft.Automation/automationAccounts/* Microsoft.ClassicCompute/virtualMachines/extensions/* Microsoft.ClassicStorage/storageAccounts/listKeys/action Microsoft.Compute/virtualMachines/extensions/* Microsoft.HybridCompute/machines/extensions/write Microsoft.Insights/alertRules/* Microsoft.Insights/diagnosticSettings/* Microsoft.OperationalInsights/* Microsoft.OperationsManagement/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourcegroups/deployments/* Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Support/* | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace, Deploy Log Analytics agent for Linux VMs, Deploy - Configure Log Analytics agent to be enabled on Windows virtual machines, Deploy Diagnostic Settings for Search Services to Log Analytics workspace, [Preview]: Deploy - Configure Windows machines to automatically install the Azure Security agent, Deploy - Configure Dependency agent to be enabled on Windows virtual machines, Deploy Diagnostic Settings for Event Hub to Log Analytics workspace, Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace, Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace, Deploy - Configure Log Analytics agent to be enabled on Windows virtual machine scale sets, [Deprecated]: Deploy default Log Analytics Agent for Ubuntu VMs, Deploy Dependency agent for Linux virtual machines, Deploy Log Analytics agent for Linux virtual machine scale sets, [Preview]: Deploy - Configure Linux machines to automatically install the Azure Security agent, [Preview]: Deploy Log Analytics agent to Windows Azure Arc machines, Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace, Configure diagnostic settings for storage accounts to Log Analytics workspace, Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard, Deploy - Configure diagnostic settings for Azure SQL Database server to Log Analytics workspace, Configure Dependency agent to be enabled on Windows Azure Arc machines, Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace, [Preview]: Deploy Log Analytics agent to Linux Azure Arc machines, Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM, Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace, Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace, Deploy Diagnostic Settings for Key Vault to Log Analytics workspace, Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories., Deploy Diagnostic Settings for Batch Account to Log Analytics workspace, Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace, [Preview]: Deploy Dependency agent to hybrid Linux Azure Arc machines | |||
| 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe | Logic App Operator | Lets you read, enable and disable logic app. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/*/read Microsoft.Insights/metricAlerts/*/read Microsoft.Insights/diagnosticSettings/*/read Microsoft.Insights/metricDefinitions/*/read Microsoft.Logic/*/read Microsoft.Logic/workflows/disable/action Microsoft.Logic/workflows/enable/action Microsoft.Logic/workflows/validate/action Microsoft.Resources/deployments/operations/read Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Web/connectionGateways/*/read Microsoft.Web/connections/*/read Microsoft.Web/customApis/*/read Microsoft.Web/serverFarms/read | ||||
| 87a39d53-fc1b-424a-814c-f7e04687dc9e | Logic App Contributor | Lets you manage logic app, but not access to them. | Microsoft.Authorization/*/read Microsoft.ClassicStorage/storageAccounts/listKeys/action Microsoft.ClassicStorage/storageAccounts/read Microsoft.Insights/alertRules/* Microsoft.Insights/metricAlerts/* Microsoft.Insights/diagnosticSettings/* Microsoft.Insights/logdefinitions/* Microsoft.Insights/metricDefinitions/* Microsoft.Logic/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/listkeys/action Microsoft.Storage/storageAccounts/read Microsoft.Support/* Microsoft.Web/connectionGateways/* Microsoft.Web/connections/* Microsoft.Web/customApis/* Microsoft.Web/serverFarms/join/action Microsoft.Web/serverFarms/read Microsoft.Web/sites/functions/listSecrets/action | ||||
| c7393b34-138c-406f-901b-d8cf2b17e6ae | Managed Application Operator Role | Lets you read and perform actions on Managed Application resources | */read Microsoft.Solutions/applications/read Microsoft.Solutions/*/action | ||||
| b9331d33-8a36-4f8c-b097-4f54124fdb44 | Managed Applications Reader | Lets you read resources in a managed app and request JIT access. | */read Microsoft.Resources/deployments/* Microsoft.Solutions/jitRequests/* | ||||
| f1a07417-d97a-45cb-824c-7a7467783830 | Managed Identity Operator | Read and Assign User Assigned Identity | Microsoft.ManagedIdentity/userAssignedIdentities/*/read Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Support/* | ||||
| e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 | Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity | Microsoft.ManagedIdentity/userAssignedIdentities/read Microsoft.ManagedIdentity/userAssignedIdentities/write Microsoft.ManagedIdentity/userAssignedIdentities/delete Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Support/* | ||||
| 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c | Management Group Contributor | Management Group Contributor Role | Microsoft.Management/managementGroups/delete Microsoft.Management/managementGroups/read Microsoft.Management/managementGroups/subscriptions/delete Microsoft.Management/managementGroups/subscriptions/write Microsoft.Management/managementGroups/write Microsoft.Management/managementGroups/subscriptions/read | ||||
| ac63b705-f282-497d-ac71-919bf39d939d | Management Group Reader | Management Group Reader Role | Microsoft.Management/managementGroups/read Microsoft.Management/managementGroups/subscriptions/read | ||||
| 3913510d-42f4-4e42-8a64-420c390055eb | Monitoring Metrics Publisher | Enables publishing metrics against Azure resources | Microsoft.Insights/Register/Action Microsoft.Support/* Microsoft.Resources/subscriptions/resourceGroups/read | Microsoft.Insights/Metrics/Write | |||
| 43d0d8ad-25c7-4714-9337-8ba259a9fe05 | Monitoring Reader | Can read all monitoring data. | */read Microsoft.OperationalInsights/workspaces/search/action Microsoft.Support/* | ||||
| 4d97b98b-1d4f-4787-a291-c67834d212e7 | Network Contributor | Lets you manage networks, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Configure Azure File Sync to use private DNS zones, Configure Azure Synapse workspaces to use private DNS zones, Deploy - Configure Azure Event Grid domains with private endpoints, Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts, Configure Azure Automation accounts with private DNS zones, Deploy - Configure Azure Event Grid topics with private endpoints, Configure Azure Migrate resources to use private DNS zones, Configure Azure Machine Learning workspaces with private endpoints, Configure private DNS zones for private endpoints connected to App Configuration, Configure Service Bus namespaces with private endpoints, Configure private DNS zones for private endpoints that connect to Azure Data Factory, Configure Azure SQL Server to enable private endpoint connections, Configure Event Hub namespaces with private endpoints, Virtual networks should be protected by Azure DDoS Protection Standard, Configure Azure Cognitive Search services to disable public network access, Configure Storage account to use a private link connection, Configure CosmosDB accounts to use private DNS zones, Deploy network watcher when virtual networks are created, Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service, Configure Azure Cognitive Search services with private endpoints, Deploy - Configure Azure Event Grid topics to use private DNS zones, Deploy - Configure Azure IoT Hubs with private endpoints, Configure private endpoint connections on Azure Automation accounts, Deploy - Configure Azure IoT Hubs to use private DNS zones, Deploy - Configure Azure Event Grid domains to use private DNS zones, Configure Azure Cache for Redis to use private DNS zones, Configure Container registries to use private DNS zones, Configure Event Hub namespaces to use private DNS zones, Configure Azure Machine Learning workspace to use private DNS zones, Configure private endpoints to Azure SignalR Service, Configure Service Bus namespaces to use private DNS zones, Configure Azure Cognitive Search services to use private DNS zones | |||
| 749f88d5-cbae-40b8-bcfc-e573ddc772fa | Monitoring Contributor | Can read all monitoring data and update monitoring settings. | */read Microsoft.AlertsManagement/alerts/* Microsoft.AlertsManagement/alertsSummary/* Microsoft.Insights/actiongroups/* Microsoft.Insights/activityLogAlerts/* Microsoft.Insights/AlertRules/* Microsoft.Insights/components/* Microsoft.Insights/dataCollectionRules/* Microsoft.Insights/dataCollectionRuleAssociations/* Microsoft.Insights/DiagnosticSettings/* Microsoft.Insights/eventtypes/* Microsoft.Insights/LogDefinitions/* Microsoft.Insights/metricalerts/* Microsoft.Insights/MetricDefinitions/* Microsoft.Insights/Metrics/* Microsoft.Insights/Register/Action Microsoft.Insights/scheduledqueryrules/* Microsoft.Insights/webtests/* Microsoft.Insights/workbooks/* Microsoft.Insights/privateLinkScopes/* Microsoft.Insights/privateLinkScopeOperationStatuses/* Microsoft.OperationalInsights/workspaces/write Microsoft.OperationalInsights/workspaces/intelligencepacks/* Microsoft.OperationalInsights/workspaces/savedSearches/* Microsoft.OperationalInsights/workspaces/search/action Microsoft.OperationalInsights/workspaces/sharedKeys/action Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* Microsoft.Support/* Microsoft.WorkloadMonitor/monitors/* Microsoft.AlertsManagement/smartDetectorAlertRules/* Microsoft.AlertsManagement/actionRules/* Microsoft.AlertsManagement/smartGroups/* | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace, Deploy Diagnostic Settings for Search Services to Log Analytics workspace, Deploy Diagnostic Settings for Event Hub to Log Analytics workspace, Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace, Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace, Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace, Configure diagnostic settings for storage accounts to Log Analytics workspace, Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace, Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM, Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace, Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace, Deploy Diagnostic Settings for Key Vault to Log Analytics workspace, Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories., Deploy Diagnostic Settings for Batch Account to Log Analytics workspace, Deploy Diagnostic Settings for Network Security Groups, Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | |||
| 5d28c62d-5b37-4476-8438-e587778df237 | New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* NewRelic.APM/accounts/* | ||||
| 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | * | Configure disaster recovery on virtual machines by enabling replication | |||
| acdd72a7-3385-48ef-bd42-f606fba81ae7 | Reader | View all resources, but does not allow you to make any changes. | */read | ||||
| e0f68234-74aa-48ed-b826-c38b57376e17 | Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | Microsoft.Authorization/*/read Microsoft.Cache/register/action Microsoft.Cache/redis/* Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Configure Azure Cache for Redis to disable public network access | |||
| c12c1c16-33a1-487b-954d-41c89c60f349 | Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/ListAccountSas/action Microsoft.Storage/storageAccounts/read | ||||
| 36243c78-bf99-498c-9df9-86d9f8d28608 | Resource Policy Contributor | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | */read Microsoft.Authorization/policyassignments/* Microsoft.Authorization/policydefinitions/* Microsoft.Authorization/policyexemptions/* Microsoft.Authorization/policysetdefinitions/* Microsoft.PolicyInsights/* Microsoft.Support/* | ||||
| 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 | Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Scheduler/jobcollections/* Microsoft.Support/* | ||||
| 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | Search Service Contributor | Lets you manage Search services, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Search/searchServices/* Microsoft.Support/* | Configure Azure Cognitive Search services to disable public network access, Configure Azure Cognitive Search services with private endpoints | |||
| fb1c8493-542b-48eb-b624-b4c8fea62acd | Security Admin | Security Admin Role | Microsoft.Authorization/*/read Microsoft.Authorization/policyAssignments/* Microsoft.Authorization/policyDefinitions/* Microsoft.Authorization/policyExemptions/* Microsoft.Authorization/policySetDefinitions/* Microsoft.Insights/alertRules/* Microsoft.Management/managementGroups/read Microsoft.operationalInsights/workspaces/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Security/* Microsoft.Support/* | [Preview]: Configure machines to receive the Qualys vulnerability assessment agent, Deploy Advanced Threat Protection on Storage Accounts, Deploy - Configure suppression rules for Azure Security Center alerts, Enable Azure Security Center on your subscription, Deploy Advanced Threat Protection for Cosmos DB Accounts | |||
| e3d13bf0-dd5a-482e-ba6b-9b8433878d10 | Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead | Microsoft.Authorization/*/read Microsoft.ClassicCompute/*/read Microsoft.ClassicCompute/virtualMachines/*/write Microsoft.ClassicNetwork/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Security/* Microsoft.Support/* | ||||
| 39bc4728-0917-49c7-9d2c-d95423bc2eb4 | Security Reader | Security Reader Role | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/read Microsoft.operationalInsights/workspaces/*/read Microsoft.Resources/deployments/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Security/*/read Microsoft.Support/*/read Microsoft.Security/iotDefenderSettings/packageDownloads/action Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action Microsoft.Security/iotSensors/downloadResetPassword/action Microsoft.Management/managementGroups/read | ||||
| 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 | Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them | Microsoft.MixedReality/SpatialAnchorsAccounts/create/action Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read Microsoft.MixedReality/SpatialAnchorsAccounts/query/read Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read Microsoft.MixedReality/SpatialAnchorsAccounts/write | ||||
| 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/virtualNetworks/read Microsoft.RecoveryServices/locations/allocatedStamp/read Microsoft.RecoveryServices/locations/allocateStamp/action Microsoft.RecoveryServices/Vaults/certificates/write Microsoft.RecoveryServices/Vaults/extendedInformation/* Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/refreshContainers/read Microsoft.RecoveryServices/Vaults/registeredIdentities/* Microsoft.RecoveryServices/vaults/replicationAlertSettings/* Microsoft.RecoveryServices/vaults/replicationEvents/read Microsoft.RecoveryServices/vaults/replicationFabrics/* Microsoft.RecoveryServices/vaults/replicationJobs/* Microsoft.RecoveryServices/vaults/replicationPolicies/* Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/* Microsoft.RecoveryServices/Vaults/storageConfig/* Microsoft.RecoveryServices/Vaults/tokenInfo/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/Vaults/vaultTokens/read Microsoft.RecoveryServices/Vaults/monitoringAlerts/* Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/read Microsoft.RecoveryServices/vaults/replicationOperationStatus/read Microsoft.Support/* | ||||
| 494ae006-db33-4328-bf46-533a6560a3ca | Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/virtualNetworks/read Microsoft.RecoveryServices/locations/allocatedStamp/read Microsoft.RecoveryServices/locations/allocateStamp/action Microsoft.RecoveryServices/Vaults/extendedInformation/read Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/refreshContainers/read Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/read Microsoft.RecoveryServices/vaults/replicationAlertSettings/read Microsoft.RecoveryServices/vaults/replicationEvents/read Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action Microsoft.RecoveryServices/vaults/replicationFabrics/read Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read Microsoft.RecoveryServices/vaults/replicationJobs/* Microsoft.RecoveryServices/vaults/replicationPolicies/read Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action Microsoft.RecoveryServices/Vaults/monitoringAlerts/* Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read Microsoft.RecoveryServices/Vaults/storageConfig/read Microsoft.RecoveryServices/Vaults/tokenInfo/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/Vaults/vaultTokens/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/read Microsoft.Support/* | ||||
| 5d51204f-eb77-4b1c-b86a-2ec626c49413 | Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account | Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read Microsoft.MixedReality/SpatialAnchorsAccounts/query/read Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | ||||
| dbaa88c4-0c30-4179-9fb3-46319faa6149 | Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations | Microsoft.Authorization/*/read Microsoft.RecoveryServices/locations/allocatedStamp/read Microsoft.RecoveryServices/Vaults/extendedInformation/read Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/refreshContainers/read Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read Microsoft.RecoveryServices/Vaults/registeredIdentities/read Microsoft.RecoveryServices/vaults/replicationAlertSettings/read Microsoft.RecoveryServices/vaults/replicationEvents/read Microsoft.RecoveryServices/vaults/replicationFabrics/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read Microsoft.RecoveryServices/vaults/replicationJobs/read Microsoft.RecoveryServices/vaults/replicationPolicies/read Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read Microsoft.RecoveryServices/Vaults/storageConfig/read Microsoft.RecoveryServices/Vaults/tokenInfo/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/Vaults/vaultTokens/read Microsoft.Support/* | ||||
| 70bbe301-9835-447d-afdd-19eb3167307c | Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them | Microsoft.MixedReality/SpatialAnchorsAccounts/create/action Microsoft.MixedReality/SpatialAnchorsAccounts/delete Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read Microsoft.MixedReality/SpatialAnchorsAccounts/query/read Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read Microsoft.MixedReality/SpatialAnchorsAccounts/write | ||||
| 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d | SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can’t give access to others. | Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Network/networkSecurityGroups/* Microsoft.Network/routeTables/* Microsoft.Sql/locations/*/read Microsoft.Sql/locations/instanceFailoverGroups/* Microsoft.Sql/managedInstances/* Microsoft.Support/* Microsoft.Network/virtualNetworks/subnets/* Microsoft.Network/virtualNetworks/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Insights/metrics/read Microsoft.Insights/metricDefinitions/read | Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | |||
| 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec | SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Sql/locations/*/read Microsoft.Sql/servers/databases/* Microsoft.Sql/servers/read Microsoft.Support/* Microsoft.Insights/metrics/read Microsoft.Insights/metricDefinitions/read | Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/managedInstances/securityAlertPolicies/* Microsoft.Sql/managedInstances/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/auditingSettings/* Microsoft.Sql/servers/databases/auditRecords/read Microsoft.Sql/servers/databases/currentSensitivityLabels/* Microsoft.Sql/servers/databases/dataMaskingPolicies/* Microsoft.Sql/servers/databases/extendedAuditingSettings/* Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/securityAlertPolicies/* Microsoft.Sql/servers/databases/securityMetrics/* Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/vulnerabilityAssessments/* | Deploy SQL DB transparent data encryption | ||
| 056cd41c-7e88-42e1-933e-88ba6a50c9c3 | SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Sql/locations/administratorAzureAsyncOperation/read Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/managedInstances/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* Microsoft.Sql/managedInstances/vulnerabilityAssessments/* Microsoft.Sql/servers/auditingSettings/* Microsoft.Sql/servers/extendedAuditingSettings/read Microsoft.Sql/servers/databases/auditingSettings/* Microsoft.Sql/servers/databases/auditRecords/read Microsoft.Sql/servers/databases/currentSensitivityLabels/* Microsoft.Sql/servers/databases/dataMaskingPolicies/* Microsoft.Sql/servers/databases/extendedAuditingSettings/read Microsoft.Sql/servers/databases/read Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* Microsoft.Sql/servers/databases/schemas/read Microsoft.Sql/servers/databases/schemas/tables/columns/read Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/schemas/tables/read Microsoft.Sql/servers/databases/securityAlertPolicies/* Microsoft.Sql/servers/databases/securityMetrics/* Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/transparentDataEncryption/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/devOpsAuditingSettings/* Microsoft.Sql/servers/firewallRules/* Microsoft.Sql/servers/read Microsoft.Sql/servers/securityAlertPolicies/* Microsoft.Sql/servers/vulnerabilityAssessments/* Microsoft.Support/* Microsoft.Sql/servers/azureADOnlyAuthentications/* Microsoft.Sql/managedInstances/read Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* Microsoft.Security/sqlVulnerabilityAssessments/* Microsoft.Sql/managedInstances/administrators/read Microsoft.Sql/servers/administrators/read | Deploy Threat Detection on SQL servers, Deploy Advanced Data Security on SQL servers, Deploy - Configure diagnostic settings for Azure SQL Database server to Log Analytics workspace, Configure Synapse workspaces to have auditing enabled, Configure SQL servers to have auditing enabled | |||
| 17d1049b-9a84-46fb-8f53-869881c3d3ab | Storage Account Contributor | Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Insights/diagnosticSettings/* Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/storageAccounts/* Microsoft.Support/* | Deploy Advanced Data Security on SQL servers, Configure Storage account to use a private link connection, Configure Synapse workspaces to have auditing enabled, Deploy Diagnostic Settings for Network Security Groups, Configure SQL servers to have auditing enabled | |||
| 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 | SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security -related policies. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Sql/locations/*/read Microsoft.Sql/servers/* Microsoft.Support/* Microsoft.Insights/metrics/read Microsoft.Insights/metricDefinitions/read | Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/managedInstances/securityAlertPolicies/* Microsoft.Sql/managedInstances/vulnerabilityAssessments/* Microsoft.Sql/servers/auditingSettings/* Microsoft.Sql/servers/databases/auditingSettings/* Microsoft.Sql/servers/databases/auditRecords/read Microsoft.Sql/servers/databases/currentSensitivityLabels/* Microsoft.Sql/servers/databases/dataMaskingPolicies/* Microsoft.Sql/servers/databases/extendedAuditingSettings/* Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/securityAlertPolicies/* Microsoft.Sql/servers/databases/securityMetrics/* Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/devOpsAuditingSettings/* Microsoft.Sql/servers/extendedAuditingSettings/* Microsoft.Sql/servers/securityAlertPolicies/* Microsoft.Sql/servers/vulnerabilityAssessments/* Microsoft.Sql/servers/azureADOnlyAuthentications/delete Microsoft.Sql/servers/azureADOnlyAuthentications/write | Configure Azure SQL Server to disable public network access, Configure Azure SQL Server to enable private endpoint connections | ||
| 81a9662b-bebf-436f-a333-f67b29880f12 | Storage Account Key Operator Service Role | Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts | Microsoft.Storage/storageAccounts/listkeys/action Microsoft.Storage/storageAccounts/regeneratekey/action | ||||
| ba92f5b4-2d11-453d-a403-e96b0029c9fe | Storage Blob Data Contributor | Allows for read, write and delete access to Azure Storage blob containers and data | Microsoft.Storage/storageAccounts/blobServices/containers/delete Microsoft.Storage/storageAccounts/blobServices/containers/read Microsoft.Storage/storageAccounts/blobServices/containers/write Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | |||
| b7e6dc6d-f1e8-4753-8033-0f276bb0955b | Storage Blob Data Owner | Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control. | Microsoft.Storage/storageAccounts/blobServices/containers/* Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* | |||
| 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | Storage Blob Data Reader | Allows for read access to Azure Storage blob containers and data | Microsoft.Storage/storageAccounts/blobServices/containers/read Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | |||
| 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | Storage Queue Data Contributor | Allows for read, write, and delete access to Azure Storage queues and queue messages | Microsoft.Storage/storageAccounts/queueServices/queues/delete Microsoft.Storage/storageAccounts/queueServices/queues/read Microsoft.Storage/storageAccounts/queueServices/queues/write | Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Microsoft.Storage/storageAccounts/queueServices/queues/messages/write Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | |||
| 8a0f0c08-91a1-4084-bc3d-661d67233fed | Storage Queue Data Message Processor | Allows for peek, receive, and delete access to Azure Storage queue messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | ||||
| c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | Storage Queue Data Message Sender | Allows for sending of Azure Storage queue messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | ||||
| 19e7f393-937e-4f77-808e-94535e297925 | Storage Queue Data Reader | Allows for read access to Azure Storage queues and queue messages | Microsoft.Storage/storageAccounts/queueServices/queues/read | Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | |||
| cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e | Support Request Contributor | Lets you create and manage Support requests | Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 | Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Network/trafficManagerProfiles/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 1c0163c0-47e6-4577-8991-ea5c82e286e4 | Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator | Microsoft.Network/publicIPAddresses/read Microsoft.Network/virtualNetworks/read Microsoft.Network/loadBalancers/read Microsoft.Network/networkInterfaces/read Microsoft.Compute/virtualMachines/*/read | Microsoft.Compute/virtualMachines/login/action Microsoft.Compute/virtualMachines/loginAsAdmin/action | |||
| 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 | User Access Administrator | Lets you manage user access to Azure resources. | */read Microsoft.Authorization/* Microsoft.Support/* | ||||
| fb879df8-f326-4884-b1cf-06f3ad86be52 | Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. | Microsoft.Network/publicIPAddresses/read Microsoft.Network/virtualNetworks/read Microsoft.Network/loadBalancers/read Microsoft.Network/networkInterfaces/read Microsoft.Compute/virtualMachines/*/read | Microsoft.Compute/virtualMachines/login/action | |||
| 9980e02c-c2be-4d73-94e8-173b1dc7cf3c | Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | Microsoft.Authorization/*/read Microsoft.Compute/availabilitySets/* Microsoft.Compute/locations/* Microsoft.Compute/virtualMachines/* Microsoft.Compute/virtualMachineScaleSets/* Microsoft.Compute/disks/write Microsoft.Compute/disks/read Microsoft.Compute/disks/delete Microsoft.DevTestLab/schedules/* Microsoft.Insights/alertRules/* Microsoft.Network/applicationGateways/backendAddressPools/join/action Microsoft.Network/loadBalancers/backendAddressPools/join/action Microsoft.Network/loadBalancers/inboundNatPools/join/action Microsoft.Network/loadBalancers/inboundNatRules/join/action Microsoft.Network/loadBalancers/probes/join/action Microsoft.Network/loadBalancers/read Microsoft.Network/locations/* Microsoft.Network/networkInterfaces/* Microsoft.Network/networkSecurityGroups/join/action Microsoft.Network/networkSecurityGroups/read Microsoft.Network/publicIPAddresses/join/action Microsoft.Network/publicIPAddresses/read Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/subnets/join/action Microsoft.RecoveryServices/locations/* Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Microsoft.RecoveryServices/Vaults/backupPolicies/read Microsoft.RecoveryServices/Vaults/backupPolicies/write Microsoft.RecoveryServices/Vaults/read Microsoft.RecoveryServices/Vaults/usages/read Microsoft.RecoveryServices/Vaults/write Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.SqlVirtualMachine/* Microsoft.Storage/storageAccounts/listKeys/action Microsoft.Storage/storageAccounts/read Microsoft.Support/* | Configure backup on VMs without a given tag to an existing recovery services vault in the same location, [Preview]: Configure machines to receive the Qualys vulnerability assessment agent, [ASC Private Preview] Deploy - Configure system-assigned managed identity to enable Azure Monitor assignments on VMs, Deploy default Microsoft IaaSAntimalware extension for Windows Server, [Preview]: Configure backup on VMs with a given tag to an existing recovery services vault in the same location, Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets, Deploy - Configure Log Analytics agent to be enabled on Windows virtual machine scale sets, Deploy Log Analytics agent for Linux virtual machine scale sets, Deploy Dependency agent for Linux virtual machine scale sets, [Preview]: Configure backup on VMs with a given tag to a new recovery services vault with a default policy, [Preview]: Configure backup on VMs without a given tag to a new recovery services vault with a default policy, [Preview]: Deploy - Configure Linux Azure Monitor agent to enable Azure Monitor assignments on Linux virtual machines, [Preview]: Deploy - Configure Windows Azure Monitor agent to enable Azure Monitor assignments on Windows virtual machines | |||
| 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b | Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Web/serverFarms/* Microsoft.Web/hostingEnvironments/Join/Action | ||||
| de139f84-1756-47ae-9be6-808fbbe84772 | Website Contributor | Lets you manage websites (not web plans), but not access to them. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Insights/components/* Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Web/certificates/* Microsoft.Web/listSitesAssignedToHostName/read Microsoft.Web/serverFarms/join/action Microsoft.Web/serverFarms/read Microsoft.Web/sites/* | ||||
| 090c5cfd-751d-490a-894a-3ce6f1109419 | Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | Microsoft.ServiceBus/* | Microsoft.ServiceBus/* | Configure Service Bus namespaces with private endpoints | ||
| f526a384-b230-433a-b45c-95f59c4a2dec | Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | Microsoft.EventHub/* | Microsoft.EventHub/* | Configure Event Hub namespaces with private endpoints | ||
| bbf86eb8-f7b4-4cce-96e4-18cddf81d86e | Attestation Contributor | Can read write or delete the attestation provider instance | Microsoft.Attestation/attestationProviders/attestation/read Microsoft.Attestation/attestationProviders/attestation/write Microsoft.Attestation/attestationProviders/attestation/delete | ||||
| 61ed4efc-fab3-44fd-b111-e24485cc132a | HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | Microsoft.HDInsight/*/read Microsoft.HDInsight/clusters/getGatewaySettings/action Microsoft.HDInsight/clusters/updateGatewaySettings/action Microsoft.HDInsight/clusters/configurations/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/operations/read Microsoft.Insights/alertRules/* Microsoft.Authorization/*/read Microsoft.Support/* | ||||
| 230815da-be43-4aae-9cb4-875f7bd000aa | Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | Microsoft.DocumentDb/databaseAccounts/* Microsoft.Insights/alertRules/* Microsoft.Authorization/*/read Microsoft.ResourceHealth/availabilityStatuses/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* Microsoft.DocumentDB/databaseAccounts/regenerateKey/* Microsoft.DocumentDB/databaseAccounts/listKeys/* Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete | |||
| 48b40c6e-82e0-4eb3-90d5-19e40f49b624 | Hybrid Server Resource Administrator | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. | Microsoft.HybridCompute/machines/* Microsoft.HybridCompute/*/read | ||||
| 5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb | Hybrid Server Onboarding | Can onboard new Hybrid servers to the Hybrid Resource Provider. | Microsoft.HybridCompute/machines/read Microsoft.HybridCompute/machines/write | ||||
| a638d3c7-ab3a-418d-83e6-5f17a39d4fde | Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | Microsoft.EventHub/*/eventhubs/consumergroups/read | Microsoft.EventHub/*/receive/action | |||
| 2b629674-e913-4c01-ae53-ef4638d8f975 | Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | Microsoft.EventHub/*/eventhubs/read | Microsoft.EventHub/*/send/action | |||
| 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | Microsoft.ServiceBus/*/queues/read Microsoft.ServiceBus/*/topics/read Microsoft.ServiceBus/*/topics/subscriptions/read | Microsoft.ServiceBus/*/receive/action | |||
| 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | Microsoft.ServiceBus/*/queues/read Microsoft.ServiceBus/*/topics/read Microsoft.ServiceBus/*/topics/subscriptions/read | Microsoft.ServiceBus/*/send/action | |||
| aba4ae5f-2193-4029-9191-0cb91df5e314 | Storage File Data SMB Share Reader | Allows for read access to Azure File Share over SMB | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | ||||
| 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | Storage File Data SMB Share Contributor | Allows for read, write, and delete access in Azure Storage file shares over SMB | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | ||||
| b12aa53e-6015-4669-85d0-8515ebb3ae7f | Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Network/privateDnsZones/* Microsoft.Network/privateDnsOperationResults/* Microsoft.Network/privateDnsOperationStatuses/* Microsoft.Network/virtualNetworks/read Microsoft.Network/virtualNetworks/join/action Microsoft.Authorization/*/read | Configure Azure File Sync to use private DNS zones | |||
| db58b8e5-c6ad-4a2a-8342-4190687cbf4a | Storage Blob Delegator | Allows for generation of a user delegation key which can be used to sign SAS tokens | Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | ||||
| 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | Desktop Virtualization User | Allows user to use the applications in an application group. | Microsoft.DesktopVirtualization/applicationGroups/useApplications/action | ||||
| a7264617-510b-434b-a828-9731dc254ea7 | Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB | Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | ||||
| 41077137-e803-4205-871c-5a86e6a753b4 | Blueprint Contributor | Can manage blueprint definitions, but not assign them. | Microsoft.Authorization/*/read Microsoft.Blueprint/blueprints/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Support/* | ||||
| 437d2ced-4a38-4302-8479-ed2bcb43d090 | Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. | Microsoft.Authorization/*/read Microsoft.Blueprint/blueprintAssignments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Support/* | ||||
| ab8e14d6-4a74-4a29-9ba8-549422addade | Azure Sentinel Contributor | Azure Sentinel Contributor | Microsoft.SecurityInsights/* Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/savedSearches/* Microsoft.OperationsManagement/solutions/read Microsoft.OperationalInsights/workspaces/query/read Microsoft.OperationalInsights/workspaces/query/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.Insights/workbooks/* Microsoft.Insights/myworkbooks/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 3e150937-b8fe-4cfb-8069-0eaf05ecd056 | Azure Sentinel Responder | Azure Sentinel Responder | Microsoft.SecurityInsights/*/read Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Microsoft.SecurityInsights/automationRules/* Microsoft.SecurityInsights/cases/* Microsoft.SecurityInsights/incidents/* Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action Microsoft.SecurityInsights/threatIntelligence/indicators/query/action Microsoft.SecurityInsights/threatIntelligence/bulkTag/action Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.OperationalInsights/workspaces/savedSearches/read Microsoft.OperationsManagement/solutions/read Microsoft.OperationalInsights/workspaces/query/read Microsoft.OperationalInsights/workspaces/query/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.Insights/workbooks/read Microsoft.Insights/myworkbooks/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.SecurityInsights/cases/*/Delete Microsoft.SecurityInsights/incidents/*/Delete | |||
| 8d289c81-5878-46d4-8554-54e1e3d8b5cb | Azure Sentinel Reader | Azure Sentinel Reader | Microsoft.SecurityInsights/*/read Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action Microsoft.SecurityInsights/threatIntelligence/indicators/query/action Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action Microsoft.OperationalInsights/workspaces/analytics/query/action Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/LinkedServices/read Microsoft.OperationalInsights/workspaces/savedSearches/read Microsoft.OperationsManagement/solutions/read Microsoft.OperationalInsights/workspaces/query/read Microsoft.OperationalInsights/workspaces/query/*/read Microsoft.OperationalInsights/workspaces/dataSources/read Microsoft.Insights/workbooks/read Microsoft.Insights/myworkbooks/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| b279062a-9be3-42a0-92ae-8b3cf002ec4d | Workbook Reader | Can read workbooks. | microsoft.insights/workbooks/read | ||||
| e8ddcd69-c73f-4f9f-9844-4100522f16ad | Workbook Contributor | Can save shared workbooks. | Microsoft.Insights/workbooks/write Microsoft.Insights/workbooks/delete Microsoft.Insights/workbooks/read | ||||
| 66bb4e9e-b016-4a94-8249-4c0511c2be84 | Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | Microsoft.Authorization/policyassignments/read Microsoft.Authorization/policydefinitions/read Microsoft.Authorization/policyexemptions/read Microsoft.Authorization/policysetdefinitions/read | Microsoft.PolicyInsights/checkDataPolicyCompliance/action Microsoft.PolicyInsights/policyEvents/logDataEvents/action | |||
| 04165923-9d83-45d5-8227-78b77b0a687e | SignalR AccessKey Reader | Read SignalR Service Access Keys | Microsoft.SignalRService/*/read Microsoft.SignalRService/SignalR/listkeys/action Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | SignalR Contributor | Create, Read, Update, and Delete SignalR service resources | Microsoft.SignalRService/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Support/* | Modify Azure SignalR Service resources to disable public network access, Configure private endpoints to Azure SignalR Service | |||
| b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 | Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | Microsoft.HybridCompute/machines/read Microsoft.HybridCompute/machines/write Microsoft.HybridCompute/privateLinkScopes/read Microsoft.GuestConfiguration/guestConfigurationAssignments/read | ||||
| cd570a14-e51a-42ad-bac8-bafd67325302 | Azure Connected Machine Resource Administrator | Can read, write, delete and re-onboard Azure Connected Machines. | Microsoft.HybridCompute/machines/read Microsoft.HybridCompute/machines/write Microsoft.HybridCompute/machines/delete Microsoft.HybridCompute/machines/extensions/write Microsoft.HybridCompute/privateLinkScopes/* Microsoft.HybridCompute/*/read | ||||
| 91c1777a-f3dc-4fae-b103-61d183457e46 | Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | Microsoft.ManagedServices/registrationAssignments/read Microsoft.ManagedServices/registrationAssignments/delete Microsoft.ManagedServices/operationStatuses/read | ||||
| 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | App Configuration Data Owner | Allows full access to App Configuration data. | Microsoft.AppConfiguration/configurationStores/*/read Microsoft.AppConfiguration/configurationStores/*/write Microsoft.AppConfiguration/configurationStores/*/delete | ||||
| 516239f1-63e1-4d78-a4de-a74fb236a071 | App Configuration Data Reader | Allows read access to App Configuration data. | Microsoft.AppConfiguration/configurationStores/*/read | ||||
| 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resource | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Kubernetes/connectedClusters/Write Microsoft.Kubernetes/connectedClusters/read Microsoft.Support/* | ||||
| 7f646f1b-fa08-80eb-a22b-edd6ce5c915c | Experimentation Contributor | Experimentation Contributor | Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Experimentation/experimentWorkspaces/read | Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action Microsoft.Experimentation/experimentWorkspaces/read Microsoft.Experimentation/experimentWorkspaces/write Microsoft.Experimentation/experimentWorkspaces/delete | |||
| 466ccd10-b268-4a11-b098-b4849f024126 | Cognitive Services QnA Maker Reader | Let’s you read and test a KB only. | Microsoft.CognitiveServices/*/read Microsoft.Authorization/roleAssignments/read Microsoft.Authorization/roleDefinitions/read | Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read | |||
| f4cc2bf9-21be-47a1-bdf1-5c5804381025 | Cognitive Services QnA Maker Editor | Let’s you create, edit, import and export a KB. You cannot publish or delete a KB. | Microsoft.CognitiveServices/*/read Microsoft.Authorization/roleAssignments/read Microsoft.Authorization/roleDefinitions/read | Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write Microsoft.CognitiveServices/accounts/QnAMaker/operations/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read | |||
| 7f646f1b-fa08-80eb-a33b-edd6ce5c915c | Experimentation Administrator | Experimentation Administrator | Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Experimentation/experimentWorkspaces/read | Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/action Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action Microsoft.Experimentation/experimentWorkspaces/read Microsoft.Experimentation/experimentWorkspaces/write Microsoft.Experimentation/experimentWorkspaces/delete Microsoft.Experimentation/experimentWorkspaces/admin/action Microsoft.Experimentation/experimentWorkspaces/metricwrite/action Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action | |||
| 3df8b902-2a6f-47c7-8cc5-360e9b272a7e | Remote Rendering Administrator | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | Microsoft.MixedReality/RemoteRenderingAccounts/convert/action Microsoft.MixedReality/RemoteRenderingAccounts/convert/read Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete Microsoft.MixedReality/RemoteRenderingAccounts/render/read Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | ||||
| d39065c4-c120-43c9-ab0a-63eed9795f0a | Remote Rendering Client | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. | Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete Microsoft.MixedReality/RemoteRenderingAccounts/render/read Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | ||||
| 641177b8-a67a-45b9-a033-47bc880bb21e | Managed Application Contributor Role | Allows for creating managed application resources. | */read Microsoft.Solutions/applications/* Microsoft.Solutions/register/action Microsoft.Resources/subscriptions/resourceGroups/* Microsoft.Resources/deployments/* | ||||
| 612c2aa1-cb24-443b-ac28-3ab7272de6f5 | Security Assessment Contributor | Lets you push assessments to Security Center | Microsoft.Security/assessments/write | ||||
| 4a9ae827-6dc8-4573-8ac7-8239d42aa03f | Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/subscriptions/resourceGroups/resources/read Microsoft.Resources/subscriptions/resources/read Microsoft.Resources/deployments/* Microsoft.Insights/alertRules/* Microsoft.Support/* Microsoft.Resources/tags/* | Add or replace a tag on subscriptions, Add a tag to subscriptions | |||
| c7aa55d3-1abb-444a-a5ca-5e51e485d6ec | Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | Microsoft.Authorization/*/read Microsoft.Support/* Microsoft.Logic/integrationServiceEnvironments/read Microsoft.Logic/integrationServiceEnvironments/*/join/action | ||||
| a41e2c5b-bd99-4a07-88f4-9bf657a760b8 | Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | Microsoft.Authorization/*/read Microsoft.Support/* Microsoft.Logic/integrationServiceEnvironments/* | ||||
| ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 | Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters | Microsoft.ContainerService/managedClusters/read Microsoft.ContainerService/managedClusters/write Microsoft.Resources/deployments/* | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | |||
| d57506d4-4c8d-48b1-8587-93c323f6a5a3 | Azure Digital Twins Data Reader | Read-only role for Digital Twins data-plane properties | Microsoft.DigitalTwins/digitaltwins/read Microsoft.DigitalTwins/digitaltwins/relationships/read Microsoft.DigitalTwins/eventroutes/read Microsoft.DigitalTwins/models/read Microsoft.DigitalTwins/query/action | ||||
| bcd981a7-7f74-457b-83e1-cceb9e632ffe | Azure Digital Twins Data Owner | Full access role for Digital Twins data-plane | Microsoft.DigitalTwins/eventroutes/* Microsoft.DigitalTwins/digitaltwins/* Microsoft.DigitalTwins/digitaltwins/commands/* Microsoft.DigitalTwins/digitaltwins/relationships/* Microsoft.DigitalTwins/models/* Microsoft.DigitalTwins/query/* | ||||
| 350f8d15-c687-4448-8ae1-157740a3936d | Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings | Microsoft.Management/managementGroups/settings/write Microsoft.Management/managementGroups/settings/delete | ||||
| 5a1fc7df-4bf1-4951-a576-89034ee01acd | FHIR Data Contributor | Role allows user or principal full access to FHIR Data | Microsoft.HealthcareApis/services/fhir/resources/* | ||||
| 3db33094-8700-4567-8da5-1501d4e7e843 | FHIR Data Exporter | Role allows user or principal to read and export FHIR Data | Microsoft.HealthcareApis/services/fhir/resources/read Microsoft.HealthcareApis/services/fhir/resources/export/action | ||||
| 4c8d0bbc-75d3-4935-991f-5f3c56d81508 | FHIR Data Reader | Role allows user or principal to read FHIR Data | Microsoft.HealthcareApis/services/fhir/resources/read | ||||
| 3f88fce4-5892-4214-ae73-ba5294559913 | FHIR Data Writer | Role allows user or principal to read and write FHIR Data | Microsoft.HealthcareApis/services/fhir/resources/* | Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action | |||
| 49632ef5-d9ac-41f4-b8e7-bbe587fa74a1 | Experimentation Reader | Experimentation Reader | Microsoft.Experimentation/experimentWorkspaces/read | Microsoft.Experimentation/experimentWorkspaces/read Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read | |||
| 4dd61c23-6743-42fe-a388-d8bdd41cb745 | Object Understanding Account Owner | Provides user with ingestion capabilities for Azure Object Understanding. | Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/action Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read | ||||
| 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 | Azure Maps Data Contributor | Grants access to read, write, and delete access to map related data from an Azure maps account. | Microsoft.Maps/accounts/*/read Microsoft.Maps/accounts/*/write Microsoft.Maps/accounts/*/delete | ||||
| c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 | Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | Microsoft.CognitiveServices/*/read | Microsoft.CognitiveServices/accounts/CustomVision/* | |||
| 5c4089e1-6d96-4d2f-b296-c1bc7137275f | Cognitive Services Custom Vision Deployment | Publish, unpublish or export models. Deployment can view the project but can’t update. | Microsoft.CognitiveServices/*/read | Microsoft.CognitiveServices/accounts/CustomVision/*/read Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/* Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/* Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/* Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/* Microsoft.CognitiveServices/accounts/CustomVision/classify/* Microsoft.CognitiveServices/accounts/CustomVision/detect/* | Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 88424f51-ebe7-446f-bc41-7fa16989e96c | Cognitive Services Custom Vision Labeler | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can’t update anything other than training images and tags. | Microsoft.CognitiveServices/*/read | Microsoft.CognitiveServices/accounts/CustomVision/*/read Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action Microsoft.CognitiveServices/accounts/CustomVision/projects/images/* Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/* Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/* Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action | Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 93586559-c37d-4a6b-ba08-b9f0940c2d73 | Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can’t create or update the project. | Microsoft.CognitiveServices/*/read | Microsoft.CognitiveServices/accounts/CustomVision/*/read Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b | Cognitive Services Custom Vision Trainer | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can’t create or delete the project. | Microsoft.CognitiveServices/*/read | Microsoft.CognitiveServices/accounts/CustomVision/* | Microsoft.CognitiveServices/accounts/CustomVision/projects/action Microsoft.CognitiveServices/accounts/CustomVision/projects/delete Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 00482a5a-887f-4fb3-b363-3b7fe8e74483 | Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read | Microsoft.KeyVault/vaults/* | |||
| 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 | Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read | Microsoft.KeyVault/vaults/keys/* | |||
| 12338af0-0e69-4776-bea7-57ae8d297424 | Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/keys/update/action Microsoft.KeyVault/vaults/keys/backup/action Microsoft.KeyVault/vaults/keys/encrypt/action Microsoft.KeyVault/vaults/keys/decrypt/action Microsoft.KeyVault/vaults/keys/wrap/action Microsoft.KeyVault/vaults/keys/unwrap/action Microsoft.KeyVault/vaults/keys/sign/action Microsoft.KeyVault/vaults/keys/verify/action | ||||
| b86a8fe4-44ce-4948-aee5-eccb2c155cd7 | Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read | Microsoft.KeyVault/vaults/secrets/* | |||
| 4633458b-17de-408a-b874-0445c86b69e6 | Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | Microsoft.KeyVault/vaults/secrets/getSecret/action Microsoft.KeyVault/vaults/secrets/readMetadata/action | ||||
| a4417e6f-fecd-4de8-b567-7b0420556985 | Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read | Microsoft.KeyVault/vaults/certificatecas/* Microsoft.KeyVault/vaults/certificates/* | |||
| 21090545-7ca7-4776-b22c-e363652d74d2 | Key Vault Reader | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.KeyVault/checkNameAvailability/read Microsoft.KeyVault/deletedVaults/read Microsoft.KeyVault/locations/*/read Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/operations/read | Microsoft.KeyVault/vaults/*/read Microsoft.KeyVault/vaults/secrets/readMetadata/action | |||
| e147488a-f6f5-4113-8e2d-b22465e65bf6 | Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | Microsoft.EventGrid/eventSubscriptions/write Microsoft.EventGrid/eventSubscriptions/read Microsoft.EventGrid/eventSubscriptions/delete | Microsoft.KeyVault/vaults/keys/read Microsoft.KeyVault/vaults/keys/wrap/action Microsoft.KeyVault/vaults/keys/unwrap/action | |||
| 63f0a09d-1495-4db4-a681-037d84835eb4 | Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read Microsoft.Kubernetes/connectedClusters/apps/deployments/read Microsoft.Kubernetes/connectedClusters/apps/replicasets/read Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read Microsoft.Kubernetes/connectedClusters/batch/jobs/read Microsoft.Kubernetes/connectedClusters/configmaps/read Microsoft.Kubernetes/connectedClusters/endpoints/read Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Microsoft.Kubernetes/connectedClusters/events/read Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read Microsoft.Kubernetes/connectedClusters/extensions/deployments/read Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read Microsoft.Kubernetes/connectedClusters/limitranges/read Microsoft.Kubernetes/connectedClusters/namespaces/read Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read Microsoft.Kubernetes/connectedClusters/pods/read Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read Microsoft.Kubernetes/connectedClusters/resourcequotas/read Microsoft.Kubernetes/connectedClusters/serviceaccounts/read Microsoft.Kubernetes/connectedClusters/services/read | |||
| 5b999177-9696-4545-85c7-50de3797e5a1 | Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* Microsoft.Kubernetes/connectedClusters/apps/deployments/* Microsoft.Kubernetes/connectedClusters/apps/replicasets/* Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* Microsoft.Kubernetes/connectedClusters/batch/jobs/* Microsoft.Kubernetes/connectedClusters/configmaps/* Microsoft.Kubernetes/connectedClusters/endpoints/* Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Microsoft.Kubernetes/connectedClusters/events/read Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* Microsoft.Kubernetes/connectedClusters/extensions/deployments/* Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* Microsoft.Kubernetes/connectedClusters/limitranges/read Microsoft.Kubernetes/connectedClusters/namespaces/read Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* Microsoft.Kubernetes/connectedClusters/pods/* Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* Microsoft.Kubernetes/connectedClusters/resourcequotas/read Microsoft.Kubernetes/connectedClusters/secrets/* Microsoft.Kubernetes/connectedClusters/serviceaccounts/* Microsoft.Kubernetes/connectedClusters/services/* | |||
| 8393591c-06b9-48a2-a542-1bd6b377f6a2 | Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.Kubernetes/connectedClusters/* | |||
| dffb1e0c-446f-4dde-a09f-99eb5cc68b96 | Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* Microsoft.Kubernetes/connectedClusters/apps/deployments/* Microsoft.Kubernetes/connectedClusters/apps/replicasets/* Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* Microsoft.Kubernetes/connectedClusters/batch/jobs/* Microsoft.Kubernetes/connectedClusters/configmaps/* Microsoft.Kubernetes/connectedClusters/endpoints/* Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read Microsoft.Kubernetes/connectedClusters/events/read Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* Microsoft.Kubernetes/connectedClusters/extensions/deployments/* Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* Microsoft.Kubernetes/connectedClusters/limitranges/read Microsoft.Kubernetes/connectedClusters/namespaces/read Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* Microsoft.Kubernetes/connectedClusters/pods/* Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* Microsoft.Kubernetes/connectedClusters/resourcequotas/read Microsoft.Kubernetes/connectedClusters/secrets/* Microsoft.Kubernetes/connectedClusters/serviceaccounts/* Microsoft.Kubernetes/connectedClusters/services/* | |||
| b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b | Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Microsoft.ContainerService/managedClusters/* | |||
| 3498e952-d568-435e-9b2c-8d77e338d7f7 | Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | Microsoft.ContainerService/managedClusters/* | Microsoft.ContainerService/managedClusters/resourcequotas/write Microsoft.ContainerService/managedClusters/resourcequotas/delete Microsoft.ContainerService/managedClusters/namespaces/write Microsoft.ContainerService/managedClusters/namespaces/delete | ||
| 7f6c6a51-bcf8-42ba-9220-52d62157d7db | Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Microsoft.ContainerService/managedClusters/apps/daemonsets/read Microsoft.ContainerService/managedClusters/apps/deployments/read Microsoft.ContainerService/managedClusters/apps/replicasets/read Microsoft.ContainerService/managedClusters/apps/statefulsets/read Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read Microsoft.ContainerService/managedClusters/batch/cronjobs/read Microsoft.ContainerService/managedClusters/batch/jobs/read Microsoft.ContainerService/managedClusters/configmaps/read Microsoft.ContainerService/managedClusters/endpoints/read Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Microsoft.ContainerService/managedClusters/events/read Microsoft.ContainerService/managedClusters/extensions/daemonsets/read Microsoft.ContainerService/managedClusters/extensions/deployments/read Microsoft.ContainerService/managedClusters/extensions/ingresses/read Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read Microsoft.ContainerService/managedClusters/extensions/replicasets/read Microsoft.ContainerService/managedClusters/limitranges/read Microsoft.ContainerService/managedClusters/namespaces/read Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read Microsoft.ContainerService/managedClusters/pods/read Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read Microsoft.ContainerService/managedClusters/replicationcontrollers/read Microsoft.ContainerService/managedClusters/replicationcontrollers/read Microsoft.ContainerService/managedClusters/resourcequotas/read Microsoft.ContainerService/managedClusters/serviceaccounts/read Microsoft.ContainerService/managedClusters/services/read | |||
| a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb | Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Microsoft.ContainerService/managedClusters/apps/daemonsets/* Microsoft.ContainerService/managedClusters/apps/deployments/* Microsoft.ContainerService/managedClusters/apps/replicasets/* Microsoft.ContainerService/managedClusters/apps/statefulsets/* Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* Microsoft.ContainerService/managedClusters/batch/cronjobs/* Microsoft.ContainerService/managedClusters/batch/jobs/* Microsoft.ContainerService/managedClusters/configmaps/* Microsoft.ContainerService/managedClusters/endpoints/* Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Microsoft.ContainerService/managedClusters/events/read Microsoft.ContainerService/managedClusters/extensions/daemonsets/* Microsoft.ContainerService/managedClusters/extensions/deployments/* Microsoft.ContainerService/managedClusters/extensions/ingresses/* Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* Microsoft.ContainerService/managedClusters/extensions/replicasets/* Microsoft.ContainerService/managedClusters/limitranges/read Microsoft.ContainerService/managedClusters/namespaces/read Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* Microsoft.ContainerService/managedClusters/pods/* Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* Microsoft.ContainerService/managedClusters/replicationcontrollers/* Microsoft.ContainerService/managedClusters/replicationcontrollers/* Microsoft.ContainerService/managedClusters/resourcequotas/read Microsoft.ContainerService/managedClusters/secrets/* Microsoft.ContainerService/managedClusters/serviceaccounts/* Microsoft.ContainerService/managedClusters/services/* | |||
| 82200a5b-e217-47a5-b665-6d8765ee745b | Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.ServicesHub/connectors/write Microsoft.ServicesHub/connectors/read Microsoft.ServicesHub/connectors/delete Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action Microsoft.ServicesHub/supportOfferingEntitlement/read Microsoft.ServicesHub/workspaces/read | ||||
| d18777c0-1514-4662-8490-608db7d334b6 | Object Understanding Account Reader | Lets you read ingestion jobs for an object understanding account. | Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read | ||||
| 00493d72-78f6-4148-b6c5-d3ce8e4799dd | Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. | Microsoft.Resources/deployments/write Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Support/* | ||||
| 420fcaa2-552c-430f-98ca-3264be4806c7 | SignalR App Server (Preview) | Lets your app server access SignalR Service with AAD auth options. | Microsoft.SignalRService/SignalR/auth/accessKey/action Microsoft.SignalRService/SignalR/serverConnection/write | ||||
| fd53cd77-2268-407a-8f46-7e7863d0f521 | SignalR Serverless Contributor (Preview) | Lets your app access service in serverless mode with AAD auth options. | Microsoft.SignalRService/SignalR/auth/clientToken/action | ||||
| daa9e50b-21df-454c-94a6-a8050adab352 | Collaborative Data Contributor | Can manage data packages of a collaborative. | Microsoft.IndustryDataLifecycle/custodianCollaboratives/*/read Microsoft.IndustryDataLifecycle/memberCollaboratives/*/read Microsoft.IndustryDataLifecycle/locations/dataPackages/* Microsoft.IndustryDataLifecycle/custodianCollaboratives/receivedDataPackages/* Microsoft.IndustryDataLifecycle/custodianCollaboratives/rejectDataPackage/action Microsoft.IndustryDataLifecycle/memberCollaboratives/sharedDataPackages/* Microsoft.IndustryDataLifecycle/custodianCollaboratives/dataModels/* Microsoft.IndustryDataLifecycle/custodianCollaboratives/auditLogs/action Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f | Device Update Reader | Gives you read access to management and content operations, but does not allow making changes | Microsoft.Authorization/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Insights/alertRules/* | Microsoft.DeviceUpdate/accounts/instances/updates/read Microsoft.DeviceUpdate/accounts/instances/management/read | |||
| 02ca0879-e8e4-47a5-a61e-5c618b76e64a | Device Update Administrator | Gives you full access to management and content operations | Microsoft.Authorization/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Insights/alertRules/* | Microsoft.DeviceUpdate/accounts/instances/updates/read Microsoft.DeviceUpdate/accounts/instances/updates/write Microsoft.DeviceUpdate/accounts/instances/updates/delete Microsoft.DeviceUpdate/accounts/instances/management/read Microsoft.DeviceUpdate/accounts/instances/management/write Microsoft.DeviceUpdate/accounts/instances/management/delete | |||
| 0378884a-3af5-44ab-8323-f5b22f9f3c98 | Device Update Content Administrator | Gives you full access to content operations | Microsoft.Authorization/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Insights/alertRules/* | Microsoft.DeviceUpdate/accounts/instances/updates/read Microsoft.DeviceUpdate/accounts/instances/updates/write Microsoft.DeviceUpdate/accounts/instances/updates/delete | |||
| e4237640-0e3d-4a46-8fda-70bc94856432 | Device Update Deployments Administrator | Gives you full access to management operations | Microsoft.Authorization/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Insights/alertRules/* | Microsoft.DeviceUpdate/accounts/instances/management/read Microsoft.DeviceUpdate/accounts/instances/management/write Microsoft.DeviceUpdate/accounts/instances/management/delete | |||
| 49e2f5d2-7741-4835-8efa-19e1fe35e47f | Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes | Microsoft.Authorization/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Insights/alertRules/* | Microsoft.DeviceUpdate/accounts/instances/management/read | |||
| d1ee9a80-8b14-47f0-bdc2-f4a351625a7b | Device Update Content Reader | Gives you read access to content operations, but does not allow making changes | Microsoft.Authorization/*/read Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* Microsoft.Insights/alertRules/* | Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| cb43c632-a144-4ec5-977c-e80c4affc34a | Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system level configuration. | Microsoft.CognitiveServices/*/read | Microsoft.CognitiveServices/accounts/MetricsAdvisor/* | |||
| 3b20f47b-3825-43cb-8114-4bd2201156a8 | Cognitive Services Metrics Advisor User | Access to the project. | Microsoft.CognitiveServices/*/read | Microsoft.CognitiveServices/accounts/MetricsAdvisor/* | Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/* | ||
| 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 | Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. | Microsoft.EventHub/namespaces/schemagroups/read | Microsoft.EventHub/namespaces/schemas/read | |||
| 5dffeca3-4936-4216-b2bc-10343a5abb25 | Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. | Microsoft.EventHub/namespaces/schemagroups/* | Microsoft.EventHub/namespaces/schemas/* | |||
| 7ec7ccdc-f61e-41fe-9aaf-980df0a44eba | AgFood Platform Service Reader | Provides read access to AgFood Platform Service | Microsoft.AgFoodPlatform/*/read | ||||
| 8508508a-4469-4e45-963b-2518ee0bb728 | AgFood Platform Service Contributor | Provides contribute access to AgFood Platform Service | Microsoft.AgFoodPlatform/*/action Microsoft.AgFoodPlatform/*/read Microsoft.AgFoodPlatform/*/write | Microsoft.AgFoodPlatform/farmers/write | |||
| f8da80de-1ff9-4747-ad80-a19b7f6079e3 | AgFood Platform Service Admin | Provides admin access to AgFood Platform Service | Microsoft.AgFoodPlatform/* | ||||
| 18500a29-7fe2-46b2-a342-b16a415e101d | Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. | Microsoft.KeyVault/managedHSMs/* | ||||
| 0b555d9b-b4a7-4f43-b330-627f0e5be8f0 | Security Detonation Chamber Submitter | Allowed to create submissions to Security Detonation Chamber | Microsoft.SecurityDetonation/chambers/submissions/delete Microsoft.SecurityDetonation/chambers/submissions/write Microsoft.SecurityDetonation/chambers/submissions/read Microsoft.SecurityDetonation/chambers/submissions/files/read Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read | ||||
| ddde6b66-c0df-4114-a159-3618637b3035 | SignalR Service Reader (Preview) | Read-only access to Azure SignalR Service REST APIs | Microsoft.SignalRService/SignalR/group/read Microsoft.SignalRService/SignalR/clientConnection/read Microsoft.SignalRService/SignalR/user/read | ||||
| 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 | SignalR Service Owner (Preview) | Full access to Azure SignalR Service REST APIs | Microsoft.SignalRService/SignalR/auth/accessKey/action Microsoft.SignalRService/SignalR/auth/clientToken/action Microsoft.SignalRService/SignalR/hub/send/action Microsoft.SignalRService/SignalR/group/send/action Microsoft.SignalRService/SignalR/group/read Microsoft.SignalRService/SignalR/group/write Microsoft.SignalRService/SignalR/clientConnection/send/action Microsoft.SignalRService/SignalR/clientConnection/read Microsoft.SignalRService/SignalR/clientConnection/write Microsoft.SignalRService/SignalR/user/send/action Microsoft.SignalRService/SignalR/user/read Microsoft.SignalRService/SignalR/user/write | ||||
| f7b75c60-3036-4b75-91c3-6b41c27c1689 | Reservation Purchaser | Lets you purchase reservations | Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Capacity/register/action Microsoft.Compute/register/action Microsoft.SQL/register/action Microsoft.Consumption/register/action Microsoft.Capacity/catalogs/read Microsoft.Authorization/roleAssignments/read Microsoft.Consumption/reservationRecommendations/read Microsoft.Support/supporttickets/write | ||||
| 635dd51f-9968-44d3-b7fb-6d9a6bd613ae | AzureML Metrics Writer (preview) | Lets you write metrics to AzureML workspace | Microsoft.MachineLearningServices/workspaces/metrics/*/write | ||||
| e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 | Storage Account Backup Contributor Role | Storage Account Backup Contributors are allowed to perform backup and restore of Storage Account. | Microsoft.Authorization/*/read Microsoft.Authorization/locks/read Microsoft.Authorization/locks/write Microsoft.Authorization/locks/delete Microsoft.Features/features/read Microsoft.Features/providers/features/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Storage/operations/read Microsoft.Storage/storageAccounts/blobServices/containers/read Microsoft.Storage/storageAccounts/blobServices/read Microsoft.Storage/storageAccounts/blobServices/write Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/restoreBlobRanges/action | ||||
| 6188b7c9-7d01-4f99-a59f-c88b630326c0 | Experimentation Metric Contributor | Allows for creation, writes and reads to the metric set via the metrics service APIs. | Microsoft.Experimentation/experimentWorkspaces/read | Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action Microsoft.Experimentation/experimentWorkspaces/metricwrite/action Microsoft.Experimentation/experimentWorkspaces/read | |||
| 9ef4ef9c-a049-46b0-82ab-dd8ac094c889 | Project Babylon Data Curator | The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. | Microsoft.ProjectBabylon/accounts/read | Microsoft.ProjectBabylon/accounts/data/read Microsoft.ProjectBabylon/accounts/data/write | |||
| c8d896ba-346d-4f50-bc1d-7d1c84130446 | Project Babylon Data Reader | The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change. | Microsoft.ProjectBabylon/accounts/read | Microsoft.ProjectBabylon/accounts/data/read | |||
| 05b7651b-dc44-475e-b74d-df3db49fae0f | Project Babylon Data Source Administrator | The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change. | Microsoft.ProjectBabylon/accounts/read | Microsoft.ProjectBabylon/accounts/scan/read Microsoft.ProjectBabylon/accounts/scan/write | |||
| 8a3c2885-9b38-4fd2-9d99-91af537c1347 | Purview Data Curator | The Microsoft.Purview data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. | Microsoft.Purview/accounts/read | Microsoft.Purview/accounts/data/read Microsoft.Purview/accounts/data/write | |||
| ff100721-1b9d-43d8-af52-42b69c1272db | Purview Data Reader | The Microsoft.Purview data reader can read catalog data objects. This role is in preview and subject to change. | Microsoft.Purview/accounts/read | Microsoft.Purview/accounts/data/read | |||
| 200bba9e-f0c8-430f-892b-6f0794863803 | Purview Data Source Administrator | The Microsoft.Purview data source administrator can manage data sources and data scans. This role is in preview and subject to change. | Microsoft.Purview/accounts/read | Microsoft.Purview/accounts/scan/read Microsoft.Purview/accounts/scan/write | |||
| ca6382a4-1721-4bcf-a114-ff0c70227b6b | Application Group Contributor | Contributor of the Application Group. | Microsoft.DesktopVirtualization/applicationgroups/* Microsoft.DesktopVirtualization/hostpools/read Microsoft.DesktopVirtualization/hostpools/sessionhosts/read Microsoft.DesktopVirtualization/workspaces/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Support/* | ||||
| 49a72310-ab8d-41df-bbb0-79b649203868 | Desktop Virtualization Reader | Reader of Desktop Virtualization. | Microsoft.DesktopVirtualization/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/read Microsoft.Support/* | ||||
| 082f0a83-3be5-4ba1-904c-961cca79b387 | Desktop Virtualization Contributor | Contributor of Desktop Virtualization. | Microsoft.DesktopVirtualization/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Support/* | ||||
| 21efdde3-836f-432b-bf3d-3e8e734d4b2b | Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization Workspace. | Microsoft.DesktopVirtualization/workspaces/* Microsoft.DesktopVirtualization/applicationgroups/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Support/* | ||||
| ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 | Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization Uesr Session. | Microsoft.DesktopVirtualization/hostpools/read Microsoft.DesktopVirtualization/hostpools/sessionhosts/read Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Support/* | ||||
| 2ad6aaab-ead9-4eaa-8ac5-da422f562408 | Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization Session Host. | Microsoft.DesktopVirtualization/hostpools/read Microsoft.DesktopVirtualization/hostpools/sessionhosts/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Support/* | ||||
| ceadfde2-b300-400a-ab7b-6143895aa822 | Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization Host Pool. | Microsoft.DesktopVirtualization/hostpools/*/read Microsoft.DesktopVirtualization/hostpools/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/read Microsoft.Support/* | ||||
| e307426c-f9b6-4e81-87de-d99efb3c32bc | Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization Host Pool. | Microsoft.DesktopVirtualization/hostpools/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Support/* | ||||
| aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 | Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization Application Group. | Microsoft.DesktopVirtualization/applicationgroups/*/read Microsoft.DesktopVirtualization/applicationgroups/read Microsoft.DesktopVirtualization/hostpools/read Microsoft.DesktopVirtualization/hostpools/sessionhosts/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/read Microsoft.Support/* | ||||
| 86240b0e-9422-4c43-887b-b61143f32ba8 | Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization Application Group. | Microsoft.DesktopVirtualization/applicationgroups/* Microsoft.DesktopVirtualization/hostpools/read Microsoft.DesktopVirtualization/hostpools/sessionhosts/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Support/* | ||||
| 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d | Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization Workspace. | Microsoft.DesktopVirtualization/workspaces/read Microsoft.DesktopVirtualization/applicationgroups/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Resources/deployments/read Microsoft.Authorization/*/read Microsoft.Insights/alertRules/read Microsoft.Support/* | ||||
| 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | Disk Backup Reader | Provides permission to backup vault to perform disk backup. | Microsoft.Authorization/*/read Microsoft.Compute/disks/read Microsoft.Compute/disks/beginGetAccess/action | ||||
| b8b15564-4fa6-4a59-ab12-03e1d9594795 | Autonomous Development Platform Data Contributor (Preview) | Grants permissions to upload and manage new Autonomous Development Platform measurements. | Microsoft.AutonomousDevelopmentPlatform/accounts/*/read Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read | Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/discoveries/* Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/uploads/* Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/* Microsoft.AutonomousDevelopmentPlatform/accounts/measurementCollections/* | Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/changeState/action | ||
| d63b75f7-47ea-4f27-92ac-e0d173aaf093 | Autonomous Development Platform Data Reader (Preview) | Grants read access to Autonomous Development Platform data. | Microsoft.AutonomousDevelopmentPlatform/accounts/*/read Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read | Microsoft.AutonomousDevelopmentPlatform/accounts/*/read | |||
| 27f8b550-c507-4db9-86f2-f4b8e816d59d | Autonomous Development Platform Data Owner (Preview) | Grants full access to Autonomous Development Platform data. | Microsoft.AutonomousDevelopmentPlatform/accounts/*/read Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read | Microsoft.AutonomousDevelopmentPlatform/accounts/* | |||
| b50d9833-a0cb-478e-945f-707fcc997c13 | Disk Restore Operator | Provides permission to backup vault to perform disk restore. | Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Compute/disks/write Microsoft.Compute/disks/read | ||||
| 7efff54f-a5b4-42b5-a1c5-5411624893ce | Disk Snapshot Contributor | Provides permission to backup vault to manage disk snapshots. | Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Compute/snapshots/delete Microsoft.Compute/snapshots/write Microsoft.Compute/snapshots/read Microsoft.Compute/snapshots/beginGetAccess/action Microsoft.Compute/snapshots/endGetAccess/action Microsoft.Compute/disks/beginGetAccess/action Microsoft.Storage/storageAccounts/listkeys/action Microsoft.Storage/storageAccounts/write Microsoft.Storage/storageAccounts/read Microsoft.Storage/storageAccounts/delete | ||||
| 5548b2cf-c94c-4228-90ba-30851930a12f | Microsoft.Kubernetes connected cluster role | Microsoft.Kubernetes connected cluster role. | Microsoft.Kubernetes/connectedClusters/read Microsoft.Kubernetes/connectedClusters/write Microsoft.Kubernetes/connectedClusters/delete Microsoft.Kubernetes/registeredSubscriptions/read | ||||
| a37b566d-3efa-4beb-a2f2-698963fa42ce | Security Detonation Chamber Submission Manager | Allowed to create and manage submissions to Security Detonation Chamber | Microsoft.SecurityDetonation/chambers/submissions/delete Microsoft.SecurityDetonation/chambers/submissions/write Microsoft.SecurityDetonation/chambers/submissions/read Microsoft.SecurityDetonation/chambers/submissions/files/read Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read Microsoft.SecurityDetonation/chambers/submissions/adminview/read Microsoft.SecurityDetonation/chambers/submissions/analystview/read Microsoft.SecurityDetonation/chambers/submissions/publicview/read | ||||
| 352470b3-6a9c-4686-b503-35deb827e500 | Security Detonation Chamber Publisher | Allowed to publish and modify platforms, workflows and toolsets to Security Detonation Chamber | Microsoft.SecurityDetonation/chambers/platforms/read Microsoft.SecurityDetonation/chambers/platforms/write Microsoft.SecurityDetonation/chambers/platforms/delete Microsoft.SecurityDetonation/chambers/platforms/metadata/read Microsoft.SecurityDetonation/chambers/workflows/read Microsoft.SecurityDetonation/chambers/workflows/write Microsoft.SecurityDetonation/chambers/workflows/delete Microsoft.SecurityDetonation/chambers/workflows/metadata/read Microsoft.SecurityDetonation/chambers/toolsets/read Microsoft.SecurityDetonation/chambers/toolsets/write Microsoft.SecurityDetonation/chambers/toolsets/delete Microsoft.SecurityDetonation/chambers/toolsets/metadata/read Microsoft.SecurityDetonation/chambers/publishRequests/read Microsoft.SecurityDetonation/chambers/publishRequests/cancel/action | ||||
| 7a6f0e70-c033-4fb1-828c-08514e5f4102 | Collaborative Runtime Operator | Can manage resources created by AICS at runtime | Microsoft.IndustryDataLifecycle/derivedModels/* Microsoft.IndustryDataLifecycle/pipelineSets/* Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 5432c526-bc82-444a-b7ba-57c5b0b5b34f | CosmosRestoreOperator | Can perform restore action for Cosmos DB database account with continuous backup mode | Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read | ||||
| a1705bd2-3a8f-45a5-8683-466fcfd5cc24 | FHIR Data Converter | Role allows user or principal to convert data from legacy format to FHIR | Microsoft.HealthcareApis/services/fhir/resources/convertData/action | ||||
| f4c81013-99ee-4d62-a7ee-b3f1f648599a | Azure Sentinel Automation Contributor | Azure Sentinel Automation Contributor | Microsoft.Authorization/*/read Microsoft.Logic/workflows/triggers/read Microsoft.Logic/workflows/triggers/listCallbackUrl/action Microsoft.Logic/workflows/runs/read | ||||
| 0e5f05e5-9ab9-446b-b98d-1e2157c94125 | Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. | Microsoft.Capacity/resourceProviders/locations/serviceLimits/read Microsoft.Capacity/resourceProviders/locations/serviceLimits/write Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read Microsoft.Capacity/register/action Microsoft.Authorization/*/read Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | ||||
| 1e241071-0855-49ea-94dc-649edcd759de | EventGrid Contributor | Lets you manage EventGrid operations. | Microsoft.Authorization/*/read Microsoft.EventGrid/* Microsoft.Insights/alertRules/* Microsoft.Resources/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.Support/* | Modify - Configure Azure Event Grid topics to disable public network access, Deploy - Configure Azure Event Grid domains with private endpoints, Deploy - Configure Azure Event Grid topics with private endpoints, Modify - Configure Azure Event Grid domains to disable public network access | |||
| 28241645-39f8-410b-ad48-87863e2951d5 | Security Detonation Chamber Reader | Allowed to query submission info and files from Security Detonation Chamber | Microsoft.SecurityDetonation/chambers/submissions/read Microsoft.SecurityDetonation/chambers/submissions/files/read | ||||
| 4a167cdf-cb95-4554-9203-2347fe489bd9 | Object Anchors Account Reader | Lets you read ingestion jobs for an object anchors account. | Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read | ||||
| ca0835dd-bacc-42dd-8ed2-ed5e7230d15b | Object Anchors Account Owner | Provides user with ingestion capabilities for an object anchors account. | Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/action Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read | ||||
| d17ce0a2-0697-43bc-aac5-9113337ab61c | WorkloadBuilder Migration Agent Role | WorkloadBuilder Migration Agent Role. | Microsoft.WorkloadBuilder/migrationAgents/Read Microsoft.WorkloadBuilder/migrationAgents/Write | ||||
| 12cf5a90-567b-43ae-8102-96cf46c7d9b4 | Web PubSub Service Owner (Preview) | Full access to Azure Web PubSub Service REST APIs | Microsoft.SignalRService/WebPubSub/clientConnection/read Microsoft.SignalRService/WebPubSub/clientConnection/send/action Microsoft.SignalRService/WebPubSub/clientConnection/write Microsoft.SignalRService/WebPubSub/group/read Microsoft.SignalRService/WebPubSub/group/send/action Microsoft.SignalRService/WebPubSub/group/write Microsoft.SignalRService/WebPubSub/hub/send/action Microsoft.SignalRService/WebPubSub/user/read Microsoft.SignalRService/WebPubSub/user/send/action | ||||
| bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf | Web PubSub Service Reader (Preview) | Read-only access to Azure Web PubSub Service REST APIs | Microsoft.SignalRService/WebPubSub/clientConnection/read Microsoft.SignalRService/WebPubSub/group/read Microsoft.SignalRService/WebPubSub/user/read | ||||
| b5537268-8956-4941-a8f0-646150406f0c | Azure Spring Cloud Data Reader | Allow read access to Azure Spring Cloud Data | Microsoft.AppPlatform/Spring/*/read | ||||
| f2dc8367-1007-4938-bd23-fe263f013447 | Cognitive Services Speech User | This is a role that can create, read, change and delete batch transcriptions, do real time transcriptions and list or get other speech resources. | Microsoft.CognitiveServices/accounts/SpeechServices/*/read Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action | ||||
| 0e75ca1e-0464-4b4d-8b93-68208a576181 | Cognitive Services Speech Contributor | This is a role that can read, write and delete all speech resources. | Microsoft.CognitiveServices/accounts/SpeechServices/* | ||||
| 9894cab4-e18a-44aa-828b-cb588cd6f2d7 | Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. | Microsoft.CognitiveServices/accounts/Face/detect/action Microsoft.CognitiveServices/accounts/Face/verify/action Microsoft.CognitiveServices/accounts/Face/identify/action Microsoft.CognitiveServices/accounts/Face/group/action Microsoft.CognitiveServices/accounts/Face/findsimilars/action |