last sync: 2023-Sep-26 18:00:52 UTC

All Azure RBAC Role definitions

Id | Name | Description | Actions | NotActions | DataActions | NotDataActions | Used in Policy
8311e382-0749-4cb8-b61a-304f252e45ec AcrPush acr push count: 002
•Microsoft.ContainerRegistry/registries/pull/read
•Microsoft.ContainerRegistry/registries/push/write
312a565d-c81f-4fd8-895a-4e21e48d571c API Management Service Contributor Can manage service and the APIs count: 007
•Microsoft.ApiManagement/service/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 001
Configure API Management services to disable access to API Management public service configuration endpoints
7f951dda-4ed3-4680-a7ca-43fe172d538d AcrPull acr pull count: 001
•Microsoft.ContainerRegistry/registries/pull/read
6cef56e8-d556-48e5-a04f-b8e64114680f AcrImageSigner acr image signer count: 001
•Microsoft.ContainerRegistry/registries/sign/write
count: 001
•Microsoft.ContainerRegistry/registries/trustedCollections/write
c2f4ef07-c644-48eb-af81-4b1b4947fb11 AcrDelete acr delete count: 001
•Microsoft.ContainerRegistry/registries/artifacts/delete
cdda3590-29a3-44f6-95f2-9f980659eb04 AcrQuarantineReader acr quarantine data reader count: 001
•Microsoft.ContainerRegistry/registries/quarantine/read
count: 001
•Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read
c8d4ff99-41c3-41a8-9f60-21dfdad59608 AcrQuarantineWriter acr quarantine data writer count: 002
•Microsoft.ContainerRegistry/registries/quarantine/read
•Microsoft.ContainerRegistry/registries/quarantine/write
count: 002
•Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read
•Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write
e022efe7-f5ba-4159-bbe4-b44f577e9b61 API Management Service Operator Role Can manage service but not the APIs count: 015
•Microsoft.ApiManagement/service/*/read
•Microsoft.ApiManagement/service/backup/action
•Microsoft.ApiManagement/service/delete
•Microsoft.ApiManagement/service/managedeployments/action
•Microsoft.ApiManagement/service/read
•Microsoft.ApiManagement/service/restore/action
•Microsoft.ApiManagement/service/updatecertificate/action
•Microsoft.ApiManagement/service/updatehostname/action
•Microsoft.ApiManagement/service/write
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 001
•Microsoft.ApiManagement/service/users/keys/read
71522526-b88f-4d52-b57f-d31fc3546d0d API Management Service Reader Role Read-only access to service and APIs count: 008
•Microsoft.ApiManagement/service/*/read
•Microsoft.ApiManagement/service/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 001
•Microsoft.ApiManagement/service/users/keys/read
ae349356-3a1b-4a5e-921d-050484c6347e Application Insights Component Contributor Can manage Application Insights components count: 013
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/generateLiveToken/read
•Microsoft.Insights/metricAlerts/*
•Microsoft.Insights/components/*
•Microsoft.Insights/scheduledqueryrules/*
•Microsoft.Insights/topology/read
•Microsoft.Insights/transactions/read
•Microsoft.Insights/webtests/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 001
Configure Azure Application Insights components to disable public network access for log ingestion and querying
08954f03-6346-4c2e-81c0-ec3a5cfae23b Application Insights Snapshot Debugger Gives user permission to use Application Insights Snapshot Debugger features count: 006
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/components/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
fd1bd22b-8476-40bc-a0bc-69b95687b9f3 Attestation Reader Can read the attestation provider properties count: 001
•Microsoft.Attestation/attestationProviders/attestation/read
4fe576fe-1146-4730-92eb-48519fa6bf9f Automation Job Operator Create and Manage Jobs using Automation Runbooks. count: 013
•Microsoft.Authorization/*/read
•Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read
•Microsoft.Automation/automationAccounts/jobs/read
•Microsoft.Automation/automationAccounts/jobs/resume/action
•Microsoft.Automation/automationAccounts/jobs/stop/action
•Microsoft.Automation/automationAccounts/jobs/streams/read
•Microsoft.Automation/automationAccounts/jobs/suspend/action
•Microsoft.Automation/automationAccounts/jobs/write
•Microsoft.Automation/automationAccounts/jobs/output/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 Automation Runbook Operator Read Runbook properties - to be able to create Jobs of the runbook. count: 006
•Microsoft.Authorization/*/read
•Microsoft.Automation/automationAccounts/runbooks/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
d3881f73-407a-4167-8283-e981cbba0404 Automation Operator Automation Operators are able to start, stop, suspend, and resume jobs count: 021
•Microsoft.Authorization/*/read
•Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read
•Microsoft.Automation/automationAccounts/jobs/read
•Microsoft.Automation/automationAccounts/jobs/resume/action
•Microsoft.Automation/automationAccounts/jobs/stop/action
•Microsoft.Automation/automationAccounts/jobs/streams/read
•Microsoft.Automation/automationAccounts/jobs/suspend/action
•Microsoft.Automation/automationAccounts/jobs/write
•Microsoft.Automation/automationAccounts/jobSchedules/read
•Microsoft.Automation/automationAccounts/jobSchedules/write
•Microsoft.Automation/automationAccounts/linkedWorkspace/read
•Microsoft.Automation/automationAccounts/read
•Microsoft.Automation/automationAccounts/runbooks/read
•Microsoft.Automation/automationAccounts/schedules/read
•Microsoft.Automation/automationAccounts/schedules/write
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Automation/automationAccounts/jobs/output/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
4f8fab4f-1852-4a58-a46a-8eaf358af14a Avere Contributor Can create and manage an Avere vFXT cluster. count: 020
•Microsoft.Authorization/*/read
•Microsoft.Compute/*/read
•Microsoft.Compute/availabilitySets/*
•Microsoft.Compute/proximityPlacementGroups/*
•Microsoft.Compute/virtualMachines/*
•Microsoft.Compute/disks/*
•Microsoft.Network/*/read
•Microsoft.Network/networkInterfaces/*
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Resources/deployments/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/*/read
•Microsoft.Storage/storageAccounts/*
•Microsoft.Support/*
•Microsoft.Resources/subscriptions/resourceGroups/resources/read
count: 003
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 Avere Operator Used by the Avere vFXT cluster to manage the cluster count: 011
•Microsoft.Compute/virtualMachines/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/blobServices/containers/delete
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/blobServices/containers/write
count: 003
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 Azure Kubernetes Service Cluster Admin Role List cluster admin credential action. count: 004
•Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
•Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action
•Microsoft.ContainerService/managedClusters/read
•Microsoft.ContainerService/managedClusters/runcommand/action
4abbcc35-e782-43d8-92c5-2d3f1bd2253f Azure Kubernetes Service Cluster User Role List cluster user credential action. count: 002
•Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
•Microsoft.ContainerService/managedClusters/read
423170ca-a8f6-4b0f-8487-9e4eb8f49bfa Azure Maps Data Reader Grants access to read map related data from an Azure maps account. count: 001
•Microsoft.Maps/accounts/*/read
6f12a6df-dd06-4f3e-bcb1-ce8be600526a Azure Stack Registration Owner Lets you manage Azure Stack registrations. count: 004
•Microsoft.AzureStack/edgeSubscriptions/read
•Microsoft.AzureStack/registrations/products/*/action
•Microsoft.AzureStack/registrations/products/read
•Microsoft.AzureStack/registrations/read
5e467623-bb1f-42f4-a55d-6e525e11384b Backup Contributor Lets you manage backup service, but can't create vaults and give access to others count: 077
•Microsoft.Authorization/*/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.RecoveryServices/locations/*
•Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*
•Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action
•Microsoft.RecoveryServices/Vaults/backupJobs/*
•Microsoft.RecoveryServices/Vaults/backupJobsExport/action
•Microsoft.RecoveryServices/Vaults/backupOperationResults/*
•Microsoft.RecoveryServices/Vaults/backupPolicies/*
•Microsoft.RecoveryServices/Vaults/backupProtectableItems/*
•Microsoft.RecoveryServices/Vaults/backupProtectedItems/*
•Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*
•Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*
•Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
•Microsoft.RecoveryServices/Vaults/certificates/*
•Microsoft.RecoveryServices/Vaults/extendedInformation/*
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
•Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
•Microsoft.RecoveryServices/Vaults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/*
•Microsoft.RecoveryServices/Vaults/usages/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
•Microsoft.RecoveryServices/Vaults/backupconfig/*
•Microsoft.RecoveryServices/Vaults/backupValidateOperation/action
•Microsoft.RecoveryServices/Vaults/write
•Microsoft.RecoveryServices/Vaults/backupOperations/read
•Microsoft.RecoveryServices/Vaults/backupEngines/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read
•Microsoft.RecoveryServices/vaults/operationStatus/read
•Microsoft.RecoveryServices/vaults/operationResults/read
•Microsoft.RecoveryServices/locations/backupStatus/action
•Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
•Microsoft.RecoveryServices/locations/backupValidateFeatures/action
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
•Microsoft.RecoveryServices/operations/read
•Microsoft.RecoveryServices/locations/operationStatus/read
•Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
•Microsoft.Support/*
•Microsoft.DataProtection/locations/getBackupStatus/action
•Microsoft.DataProtection/backupVaults/backupInstances/write
•Microsoft.DataProtection/backupVaults/backupInstances/delete
•Microsoft.DataProtection/backupVaults/backupInstances/read
•Microsoft.DataProtection/backupVaults/backupInstances/read
•Microsoft.DataProtection/backupVaults/deletedBackupInstances/read
•Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action
•Microsoft.DataProtection/backupVaults/backupInstances/backup/action
•Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action
•Microsoft.DataProtection/backupVaults/backupInstances/restore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action
•Microsoft.DataProtection/backupVaults/backupPolicies/write
•Microsoft.DataProtection/backupVaults/backupPolicies/delete
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
•Microsoft.DataProtection/backupVaults/write
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/operationResults/read
•Microsoft.DataProtection/backupVaults/operationStatus/read
•Microsoft.DataProtection/locations/checkNameAvailability/action
•Microsoft.DataProtection/locations/checkFeatureSupport/action
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/locations/operationStatus/read
•Microsoft.DataProtection/locations/operationResults/read
•Microsoft.DataProtection/backupVaults/validateForBackup/action
•Microsoft.DataProtection/operations/read
count: 009
[Preview]: Configure Azure Recovery Services vaults to disable public network access
[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region
[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region
[Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults
[Preview]: Disable Cross Subscription Restore for Backup Vaults
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 Billing Reader Allows read access to billing data count: 007
•Microsoft.Authorization/*/read
•Microsoft.Billing/*/read
•Microsoft.Commerce/*/read
•Microsoft.Consumption/*/read
•Microsoft.Management/managementGroups/read
•Microsoft.CostManagement/*/read
•Microsoft.Support/*
a795c7a0-d4a2-40c1-ae25-d81f01202912 Backup Reader Can view backup services, but can't make changes count: 067
•Microsoft.Authorization/*/read
•Microsoft.RecoveryServices/locations/allocatedStamp/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read
•Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupJobs/read
•Microsoft.RecoveryServices/Vaults/backupJobsExport/action
•Microsoft.RecoveryServices/Vaults/backupOperationResults/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/read
•Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
•Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read
•Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
•Microsoft.RecoveryServices/Vaults/extendedInformation/read
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
•Microsoft.RecoveryServices/Vaults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/read
•Microsoft.RecoveryServices/Vaults/backupstorageconfig/read
•Microsoft.RecoveryServices/Vaults/backupconfig/read
•Microsoft.RecoveryServices/Vaults/backupOperations/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read
•Microsoft.RecoveryServices/Vaults/backupEngines/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read
•Microsoft.RecoveryServices/locations/backupStatus/action
•Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
•Microsoft.RecoveryServices/operations/read
•Microsoft.RecoveryServices/locations/operationStatus/read
•Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
•Microsoft.RecoveryServices/Vaults/usages/read
•Microsoft.RecoveryServices/locations/backupValidateFeatures/action
•Microsoft.RecoveryServices/locations/backupCrrJobs/action
•Microsoft.RecoveryServices/locations/backupCrrJob/action
•Microsoft.RecoveryServices/locations/backupCrrOperationResults/read
•Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read
•Microsoft.DataProtection/locations/getBackupStatus/action
•Microsoft.DataProtection/backupVaults/backupInstances/write
•Microsoft.DataProtection/backupVaults/backupInstances/read
•Microsoft.DataProtection/backupVaults/deletedBackupInstances/read
•Microsoft.DataProtection/backupVaults/backupInstances/backup/action
•Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action
•Microsoft.DataProtection/backupVaults/backupInstances/restore/action
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/operationResults/read
•Microsoft.DataProtection/backupVaults/operationStatus/read
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/locations/operationStatus/read
•Microsoft.DataProtection/locations/operationResults/read
•Microsoft.DataProtection/backupVaults/validateForBackup/action
•Microsoft.DataProtection/operations/read
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action
•Microsoft.DataProtection/locations/checkFeatureSupport/action
31a002a1-acaf-453e-8a5b-297c9ca1ea24 Blockchain Member Node Access (Preview) Allows for access to Blockchain Member nodes count: 001
•Microsoft.Blockchain/blockchainMembers/transactionNodes/read
count: 001
•Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action
5e3c6656-6cfa-4708-81fe-0de47ac73342 BizTalk Contributor Lets you manage BizTalk services, but not access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.BizTalkServices/BizTalk/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
426e0c7f-0c7e-4658-b36f-ff54d6c29b45 CDN Endpoint Contributor Can manage CDN endpoints, but can't grant access to other users. count: 008
•Microsoft.Authorization/*/read
•Microsoft.Cdn/edgenodes/read
•Microsoft.Cdn/operationresults/*
•Microsoft.Cdn/profiles/endpoints/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
ec156ff8-a8d1-4d15-830c-5b80698ca432 CDN Profile Contributor Can manage CDN profiles and their endpoints, but can't grant access to other users. count: 008
•Microsoft.Authorization/*/read
•Microsoft.Cdn/edgenodes/read
•Microsoft.Cdn/operationresults/*
•Microsoft.Cdn/profiles/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
8f96442b-4075-438f-813d-ad51ab4019af CDN Profile Reader Can view CDN profiles and their endpoints, but can't make changes. count: 008
•Microsoft.Authorization/*/read
•Microsoft.Cdn/edgenodes/read
•Microsoft.Cdn/operationresults/*
•Microsoft.Cdn/profiles/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
b34d265f-36f7-4a0d-a4d4-e158ca92e90f Classic Network Contributor Lets you manage classic networks, but not access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.ClassicNetwork/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
86e8f5dc-a6e9-4c67-9d15-de283e8eac25 Classic Storage Account Contributor Lets you manage classic storage accounts, but not access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.ClassicStorage/storageAccounts/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
985d6b00-f706-48f5-a6fe-d0ca12fb668d Classic Storage Account Key Operator Service Role Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts count: 002
•Microsoft.ClassicStorage/storageAccounts/listkeys/action
•Microsoft.ClassicStorage/storageAccounts/regeneratekey/action
9106cda0-8a86-4e81-b686-29a22c54effe ClearDB MySQL DB Contributor Lets you manage ClearDB MySQL databases, but not access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•successbricks.cleardb/databases/*
d73bb868-a0df-4d4d-bd69-98a00b01fccb Classic Virtual Machine Contributor Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. count: 017
•Microsoft.Authorization/*/read
•Microsoft.ClassicCompute/domainNames/*
•Microsoft.ClassicCompute/virtualMachines/*
•Microsoft.ClassicNetwork/networkSecurityGroups/join/action
•Microsoft.ClassicNetwork/reservedIps/link/action
•Microsoft.ClassicNetwork/reservedIps/read
•Microsoft.ClassicNetwork/virtualNetworks/join/action
•Microsoft.ClassicNetwork/virtualNetworks/read
•Microsoft.ClassicStorage/storageAccounts/disks/read
•Microsoft.ClassicStorage/storageAccounts/images/read
•Microsoft.ClassicStorage/storageAccounts/listKeys/action
•Microsoft.ClassicStorage/storageAccounts/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
a97b65f3-24c7-4388-baec-2e87135dc908 Cognitive Services User Lets you read and list keys of Cognitive Services. count: 013
•Microsoft.CognitiveServices/*/read
•Microsoft.CognitiveServices/accounts/listkeys/action
•Microsoft.Insights/alertRules/read
•Microsoft.Insights/diagnosticSettings/read
•Microsoft.Insights/logDefinitions/read
•Microsoft.Insights/metricdefinitions/read
•Microsoft.Insights/metrics/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 001
•Microsoft.CognitiveServices/*
b59867f0-fa02-499b-be73-45a86b5b3e1c Cognitive Services Data Reader (Preview) Lets you read Cognitive Services data. count: 001
•Microsoft.CognitiveServices/*/read
25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 Cognitive Services Contributor Lets you create, read, update, delete and manage keys of Cognitive Services. count: 018
•Microsoft.Authorization/*/read
•Microsoft.CognitiveServices/*
•Microsoft.Features/features/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/providers/features/register/action
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/diagnosticSettings/*
•Microsoft.Insights/logDefinitions/read
•Microsoft.Insights/metricdefinitions/read
•Microsoft.Insights/metrics/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 001
Configure Cognitive Services accounts with private endpoints
db7b14f2-5adf-42da-9f96-f2ee17bab5cb CosmosBackupOperator Can submit restore request for a Cosmos DB database or a container for an account count: 002
•Microsoft.DocumentDB/databaseAccounts/backup/action
•Microsoft.DocumentDB/databaseAccounts/restore/action
b24988ac-6180-42a0-ab88-20f7382dd24c Contributor Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. count: 001
•*
count: 008
•Microsoft.Authorization/*/Delete
•Microsoft.Authorization/*/Write
•Microsoft.Authorization/elevateAccess/Action
•Microsoft.Blueprint/blueprintAssignments/write
•Microsoft.Blueprint/blueprintAssignments/delete
•Microsoft.Compute/galleries/share/action
•Microsoft.Purview/consents/write
•Microsoft.Purview/consents/delete
count: 197
[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage
[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords
[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644
[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed
[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords
[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed
[Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'
[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties'
[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members
[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members
[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members
[Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant
[Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected
[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one
[Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running'
[Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled
[Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords
[Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain
[Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone
[Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters
[Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption
[Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days
[Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed
[Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot
[Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols
[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs.
[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs.
[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines
[Preview]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent
[Preview]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
[Preview]: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace
[Preview]: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension
[Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace
[Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace
[Preview]: Configure Azure Defender for SQL agent on virtual machine
[Preview]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent
[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace
[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
[Preview]: Configure the Microsoft Defender for SQL Log Analytics workspace
[Preview]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent
[Preview]: Create and assign a built-in user-assigned managed identity
[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines
[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines
[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines
[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines
Add a tag to resource groups
Add a tag to resources
Add or replace a tag on resource groups
Add or replace a tag on resources
Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities
Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity
Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers
Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers
Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers
Configure App Configuration stores to disable local authentication methods
Configure App Configuration to disable public network access
Configure Azure Automation account to disable local authentication
Configure Azure Automation accounts to disable public network access
Configure Azure Databricks Workspaces with private endpoints
Configure Azure Device Update for IoT Hub accounts to disable public network access
Configure Azure Device Update for IoT Hub accounts to use private DNS zones
Configure Azure Device Update for IoT Hub accounts with private endpoint
Configure Azure File Sync with private endpoints
Configure Azure HDInsight clusters with private endpoints
Configure Azure IoT Hub to disable local authentication
Configure Azure Kubernetes Service clusters to enable Defender profile
Configure Azure Machine Learning Computes to disable local authentication methods
Configure Azure Machine Learning Workspaces to disable public network access
Configure Azure Managed Grafana dashboards with private endpoints
Configure Azure Managed Grafana workspaces to disable public network access
Configure Azure Monitor Private Link Scope to block access to non private link resources
Configure Azure Monitor Private Link Scopes with private endpoints
Configure Azure Synapse Workspace Dedicated SQL minimum TLS version
Configure Azure Synapse workspaces to disable public network access
Configure Azure Synapse workspaces with private endpoints
Configure Azure Virtual Desktop hostpools with private endpoints
Configure Azure Virtual Desktop workspaces with private endpoints
Configure Batch accounts to disable local authentication
Configure Batch accounts to disable public network access
Configure Batch accounts with private endpoints
Configure Cognitive Services accounts to disable local authentication methods
Configure Cognitive Services accounts to disable public network access
Configure container registries to disable anonymous authentication.
Configure container registries to disable ARM audience token authentication.
Configure container registries to disable local admin account.
Configure Container registries to disable public network access
Configure container registries to disable repository scoped access token.
Configure Container registries with private endpoints
Configure CosmosDB accounts to disable public network access
Configure CosmosDB accounts with private endpoints
Configure disk access resources with private endpoints
Configure installation of Flux extension on Kubernetes cluster
Configure IoT Hub device provisioning instances to use private DNS zones
Configure IoT Hub device provisioning service instances to disable public network access
Configure IoT Hub device provisioning service instances with private endpoints
Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault
Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate
Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets
Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets
Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets
Configure Kubernetes clusters with Flux v2 configuration using public Git repository
Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets
Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets
Configure Kubernetes clusters with specified GitOps configuration using no secrets
Configure Kubernetes clusters with specified GitOps configuration using SSH secrets
Configure Log Analytics workspace and automation account to centralize logs and monitoring
Configure managed disks to disable public network access
Configure network security groups to enable traffic analytics
Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics
Configure private endpoint connections on Azure Automation accounts
Configure private endpoints for App Configuration
Configure Private Link for Azure AD with private endpoints
Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows servers
Configure Synapse Workspaces to use only Azure Active Directory identities for authentication
Configure virtual machines to be onboarded to Azure Automanage
Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile
Configure virtual network to enable traffic analytics
Configure virtual networks to use specific workspace, storage account and flowlog retention policy for traffic analytics
Deploy - Configure Azure IoT Hubs to use private DNS zones
Deploy - Configure Azure IoT Hubs with private endpoints
Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM
Deploy - Configure IoT Central to use private DNS zones
Deploy - Configure IoT Central with private endpoints
Deploy a flow log resource with target network security group
Deploy a flow log resource with target virtual network
Deploy associations for a custom provider
Deploy associations for a managed application
Deploy Diagnostic Settings for Azure SQL Database to Event Hub
Deploy Diagnostic Settings for Batch Account to Event Hub
Deploy Diagnostic Settings for Data Lake Analytics to Event Hub
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub
Deploy Diagnostic Settings for Event Hub to Event Hub
Deploy Diagnostic Settings for Key Vault to Event Hub
Deploy Diagnostic Settings for Logic Apps to Event Hub
Deploy Diagnostic Settings for Search Services to Event Hub
Deploy Diagnostic Settings for Service Bus to Event Hub
Deploy Diagnostic Settings for Stream Analytics to Event Hub
Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data
Deploy export to Event Hub for Microsoft Defender for Cloud data
Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data
Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster
Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
Deploy Workflow Automation for Microsoft Defender for Cloud alerts
Deploy Workflow Automation for Microsoft Defender for Cloud recommendations
Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace.
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace.
Inherit a tag from the resource group
Inherit a tag from the resource group if missing
Inherit a tag from the subscription
Inherit a tag from the subscription if missing
Modify - Configure Azure File Sync to disable public network access
Modify - Configure Azure IoT Hubs to disable public network access
Modify - Configure IoT Central to disable public network access
Modify API Management to disable username and password authentication
Protect your data with authentication requirements when exporting or uploading to a disk or snapshot.
Schedule recurring updates using Azure Update Manager
fbdf93bf-df7d-467e-a4d2-9458aa1360c8 Cosmos DB Account Reader Role Can read Azure Cosmos DB Accounts data count: 007
•Microsoft.Authorization/*/read
•Microsoft.DocumentDB/*/read
•Microsoft.DocumentDB/databaseAccounts/readonlykeys/action
•Microsoft.Insights/MetricDefinitions/read
•Microsoft.Insights/Metrics/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
434105ed-43f6-45c7-a02f-909b2ba83430 Cost Management Contributor Can view costs and manage cost configuration (e.g. budgets, exports) count: 010
•Microsoft.Consumption/*
•Microsoft.CostManagement/*
•Microsoft.Billing/billingPeriods/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Advisor/configurations/read
•Microsoft.Advisor/recommendations/read
•Microsoft.Management/managementGroups/read
•Microsoft.Billing/billingProperty/read
72fafb9e-0641-4937-9268-a91bfd8191a3 Cost Management Reader Can view cost data and configuration (e.g. budgets, exports) count: 010
•Microsoft.Consumption/*/read
•Microsoft.CostManagement/*/read
•Microsoft.Billing/billingPeriods/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Advisor/configurations/read
•Microsoft.Advisor/recommendations/read
•Microsoft.Management/managementGroups/read
•Microsoft.Billing/billingProperty/read
add466c9-e687-43fc-8d98-dfcf8d720be5 Data Box Contributor Lets you manage everything under Data Box Service except giving access to others. count: 006
•Microsoft.Authorization/*/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Databox/*
028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 Data Box Reader Lets you manage Data Box Service except creating order or editing order details and giving access to others. count: 010
•Microsoft.Authorization/*/read
•Microsoft.Databox/*/read
•Microsoft.Databox/jobs/listsecrets/action
•Microsoft.Databox/jobs/listcredentials/action
•Microsoft.Databox/locations/availableSkus/action
•Microsoft.Databox/locations/validateInputs/action
•Microsoft.Databox/locations/regionConfiguration/action
•Microsoft.Databox/locations/validateAddress/action
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Support/*
673868aa-7521-48a0-acc6-0f60742d39f5 Data Factory Contributor Create and manage data factories, as well as child resources within them. count: 009
•Microsoft.Authorization/*/read
•Microsoft.DataFactory/dataFactories/*
•Microsoft.DataFactory/factories/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.EventGrid/eventSubscriptions/write
count: 002
Configure Data Factories to disable public network access
Configure private endpoints for Data factories
150f5e0c-0603-4f03-8c7f-cf70034c4e90 Data Purger Can purge analytics data count: 004
•Microsoft.Insights/components/*/read
•Microsoft.Insights/components/purge/action
•Microsoft.OperationalInsights/workspaces/*/read
•Microsoft.OperationalInsights/workspaces/purge/action
47b7735b-770e-4598-a7da-8b91488b4c88 Data Lake Analytics Developer Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. count: 008
•Microsoft.Authorization/*/read
•Microsoft.BigAnalytics/accounts/*
•Microsoft.DataLakeAnalytics/accounts/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 014
•Microsoft.BigAnalytics/accounts/Delete
•Microsoft.BigAnalytics/accounts/TakeOwnership/action
•Microsoft.BigAnalytics/accounts/Write
•Microsoft.DataLakeAnalytics/accounts/Delete
•Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action
•Microsoft.DataLakeAnalytics/accounts/Write
•Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write
•Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete
•Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write
•Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete
•Microsoft.DataLakeAnalytics/accounts/firewallRules/Write
•Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete
•Microsoft.DataLakeAnalytics/accounts/computePolicies/Write
•Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete
76283e04-6283-4c54-8f91-bcf1374a3c64 DevTest Labs User Lets you connect, start, restart, and shut down your virtual machines in your Azure DevTest Labs. count: 032
•Microsoft.Authorization/*/read
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/virtualMachines/*/read
•Microsoft.Compute/virtualMachines/deallocate/action
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/restart/action
•Microsoft.Compute/virtualMachines/start/action
•Microsoft.DevTestLab/*/read
•Microsoft.DevTestLab/labs/claimAnyVm/action
•Microsoft.DevTestLab/labs/createEnvironment/action
•Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action
•Microsoft.DevTestLab/labs/formulas/delete
•Microsoft.DevTestLab/labs/formulas/read
•Microsoft.DevTestLab/labs/formulas/write
•Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action
•Microsoft.DevTestLab/labs/virtualMachines/claim/action
•Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action
•Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action
•Microsoft.Network/loadBalancers/backendAddressPools/join/action
•Microsoft.Network/loadBalancers/inboundNatRules/join/action
•Microsoft.Network/networkInterfaces/*/read
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/publicIPAddresses/*/read
•Microsoft.Network/publicIPAddresses/join/action
•Microsoft.Network/publicIPAddresses/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/listKeys/action
count: 001
•Microsoft.Compute/virtualMachines/vmSizes/read
5bd9cd88-fe45-4216-938b-f97437e15450 DocumentDB Account Contributor Lets you manage DocumentDB accounts, but not access to them. count: 008
•Microsoft.Authorization/*/read
•Microsoft.DocumentDb/databaseAccounts/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
count: 003
Configure Cosmos DB database accounts to disable local authentication
Configure CosmosDB accounts to disable public network access
Configure CosmosDB accounts with private endpoints
befefa01-2a29-4197-83a8-272ff33ce314 DNS Zone Contributor Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Network/dnsZones/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
428e0ff0-5e57-4d9c-a221-2c70d0e0a443 EventGrid EventSubscription Contributor Lets you manage EventGrid event subscription operations. count: 009
•Microsoft.Authorization/*/read
•Microsoft.EventGrid/eventSubscriptions/*
•Microsoft.EventGrid/topicTypes/eventSubscriptions/read
•Microsoft.EventGrid/locations/eventSubscriptions/read
•Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
2414bbcf-6497-4faf-8c65-045460748405 EventGrid EventSubscription Reader Lets you read EventGrid event subscriptions. count: 006
•Microsoft.Authorization/*/read
•Microsoft.EventGrid/eventSubscriptions/read
•Microsoft.EventGrid/topicTypes/eventSubscriptions/read
•Microsoft.EventGrid/locations/eventSubscriptions/read
•Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
b60367af-1334-4454-b71e-769d9a4f83d9 Graph Owner Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions count: 014
•Microsoft.EnterpriseKnowledgeGraph/services/conflation/read
•Microsoft.EnterpriseKnowledgeGraph/services/conflation/write
•Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/read
•Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/write
•Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read
•Microsoft.EnterpriseKnowledgeGraph/services/knowledge/write
•Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/read
•Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/write
•Microsoft.EnterpriseKnowledgeGraph/services/ingestion/read
•Microsoft.EnterpriseKnowledgeGraph/services/ingestion/write
•Microsoft.EnterpriseKnowledgeGraph/services/ontology/read
•Microsoft.EnterpriseKnowledgeGraph/services/ontology/write
•Microsoft.EnterpriseKnowledgeGraph/services/delete
•Microsoft.EnterpriseKnowledgeGraph/operations/read
8d8d5a11-05d3-4bda-a417-a08778121c7c HDInsight Domain Services Contributor Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package count: 003
•Microsoft.AAD/*/read
•Microsoft.AAD/domainServices/*/read
•Microsoft.AAD/domainServices/oucontainer/*
03a6d094-3444-4b3d-88af-7477090a9e5e Intelligent Systems Account Contributor Lets you manage Intelligent Systems accounts, but not access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.IntelligentSystems/accounts/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
f25e0fa2-a7c8-4377-a976-54943a77a395 Key Vault Contributor Lets you manage key vaults, but not access to them. count: 006
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.KeyVault/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 003
•Microsoft.KeyVault/locations/deletedVaults/purge/action
•Microsoft.KeyVault/hsmPools/*
•Microsoft.KeyVault/managedHsms/*
count: 002
Configure Azure Key Vaults with private endpoints
Configure key vaults to enable firewall
ee361c5d-f7b5-4119-b4b6-892157c8f64c Knowledge Consumer Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query count: 001
•Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read
b97fb8bc-a8b2-4522-a38b-dd33c7e65ead Lab Creator Lets you create new labs under your Azure Lab Accounts. count: 018
•Microsoft.Authorization/*/read
•Microsoft.LabServices/labAccounts/*/read
•Microsoft.LabServices/labAccounts/createLab/action
•Microsoft.LabServices/labAccounts/getPricingAndAvailability/action
•Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action
•Microsoft.Insights/alertRules/*
•Microsoft.LabServices/labPlans/images/read
•Microsoft.LabServices/labPlans/read
•Microsoft.LabServices/labPlans/saveImage/action
•Microsoft.LabServices/labs/read
•Microsoft.LabServices/labs/schedules/read
•Microsoft.LabServices/labs/users/read
•Microsoft.LabServices/labs/virtualMachines/read
•Microsoft.LabServices/locations/usages/read
•Microsoft.LabServices/skus/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 001
•Microsoft.LabServices/labPlans/createLab/action
73c42c96-874c-492b-b04d-ab87d138a893 Log Analytics Reader Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. count: 004
•*/read
•Microsoft.OperationalInsights/workspaces/analytics/query/action
•Microsoft.OperationalInsights/workspaces/search/action
•Microsoft.Support/*
count: 001
•Microsoft.OperationalInsights/workspaces/sharedKeys/read
92aaf0da-9dab-42b6-94a3-d43ce8d16293 Log Analytics Contributor Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. count: 013
•*/read
•Microsoft.ClassicCompute/virtualMachines/extensions/*
•Microsoft.ClassicStorage/storageAccounts/listKeys/action
•Microsoft.Compute/virtualMachines/extensions/*
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/diagnosticSettings/*
•Microsoft.OperationalInsights/*
•Microsoft.OperationsManagement/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourcegroups/deployments/*
•Microsoft.Storage/storageAccounts/listKeys/action
•Microsoft.Support/*
count: 174
[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace
[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group
[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group
[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group
[Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs
[Preview]: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL
[Preview]: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR
[Preview]: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR
[Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule
[Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule
[Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule
[Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule
[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension
[Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory
[Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory
[Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory
[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
[Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agent
[Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agent
[Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory
[Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory
[Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory
Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment.
Configure Azure Activity logs to stream to specified Log Analytics workspace
Configure Azure Kubernetes Service clusters to enable Defender profile
Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying
Configure Azure SQL database servers diagnostic settings to Log Analytics workspace
Configure Dependency agent on Azure Arc enabled Linux servers
Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings
Configure Dependency agent on Azure Arc enabled Windows servers
Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings
Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace
Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace
Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace
Configure diagnostic settings for Blob Services to Log Analytics workspace
Configure diagnostic settings for container groups to Log Analytics workspace
Configure diagnostic settings for File Services to Log Analytics workspace
Configure diagnostic settings for Queue Services to Log Analytics workspace
Configure diagnostic settings for Storage Accounts to Log Analytics workspace
Configure diagnostic settings for Table Services to Log Analytics workspace
Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below
Configure Log Analytics extension on Azure Arc enabled Windows servers
Configure SQL servers to have auditing enabled to Log Analytics workspace
Configure Synapse workspaces to have auditing enabled to Log Analytics workspace
Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Deploy - Configure Dependency agent to be enabled on Windows virtual machines
Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace
Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace
Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace
Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines
Deploy Dependency agent for Linux virtual machines
Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings
Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings
Deploy Diagnostic Settings for Batch Account to Log Analytics workspace
Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace
Deploy Diagnostic Settings for Event Hub to Log Analytics workspace
Deploy Diagnostic Settings for Key Vault to Log Analytics workspace
Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace
Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories.
Deploy Diagnostic Settings for Search Services to Log Analytics workspace
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace
Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace
Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below
Deploy Log Analytics extension for Linux VMs. See deprecation notice below
Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub
Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics
Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage
Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub
Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics
Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage
Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub
Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics
Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage
Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub
Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics
Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage
Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub
Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics
Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage
Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub
Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics
Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage
Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub
Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics
Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage
Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub
Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics
Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage
Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub
Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics
Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage
Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub
Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics
Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage
Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub
Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics
Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage
Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub
Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics
Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage
Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub
Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics
Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage
Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub
Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics
Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage
Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub
Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics
Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage
Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub
Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics
Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage
Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub
Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics
Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage
Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub
Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics
Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage
Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub
Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics
Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage
Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub
Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics
Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage
Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub
Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics
Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage
Enable logging by category group for microsoft.network/p2svpngateways to Event Hub
Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics
Enable logging by category group for microsoft.network/p2svpngateways to Storage
Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub
Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics
Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage
Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub
Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics
Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage
Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub
Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics
Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage
Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub
Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics
Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage
Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub
Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics
Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage
Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub
Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics
Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage
Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub
Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics
Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage
Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub
Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics
Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage
Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard
515c2055-d9d4-4321-b1b9-bd0c9a0f79fe Logic App Operator Lets you read, enable and disable logic app. count: 017
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*/read
•Microsoft.Insights/metricAlerts/*/read
•Microsoft.Insights/diagnosticSettings/*/read
•Microsoft.Insights/metricDefinitions/*/read
•Microsoft.Logic/*/read
•Microsoft.Logic/workflows/disable/action
•Microsoft.Logic/workflows/enable/action
•Microsoft.Logic/workflows/validate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Web/connectionGateways/*/read
•Microsoft.Web/connections/*/read
•Microsoft.Web/customApis/*/read
•Microsoft.Web/serverFarms/read
87a39d53-fc1b-424a-814c-f7e04687dc9e Logic App Contributor Lets you manage logic app, but not access to them. count: 021
•Microsoft.Authorization/*/read
•Microsoft.ClassicStorage/storageAccounts/listKeys/action
•Microsoft.ClassicStorage/storageAccounts/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metricAlerts/*
•Microsoft.Insights/diagnosticSettings/*
•Microsoft.Insights/logdefinitions/*
•Microsoft.Insights/metricDefinitions/*
•Microsoft.Logic/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/listkeys/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Support/*
•Microsoft.Web/connectionGateways/*
•Microsoft.Web/connections/*
•Microsoft.Web/customApis/*
•Microsoft.Web/serverFarms/join/action
•Microsoft.Web/serverFarms/read
•Microsoft.Web/sites/functions/listSecrets/action
c7393b34-138c-406f-901b-d8cf2b17e6ae Managed Application Operator Role Lets you read and perform actions on Managed Application resources count: 003
•*/read
•Microsoft.Solutions/applications/read
•Microsoft.Solutions/*/action
b9331d33-8a36-4f8c-b097-4f54124fdb44 Managed Applications Reader Lets you read resources in a managed app and request JIT access. count: 003
•*/read
•Microsoft.Resources/deployments/*
•Microsoft.Solutions/jitRequests/*
f1a07417-d97a-45cb-824c-7a7467783830 Managed Identity Operator Read and Assign User Assigned Identity count: 007
•Microsoft.ManagedIdentity/userAssignedIdentities/*/read
•Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
count: 005
[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs
Configure App Service app slots to disable public network access
Configure App Service apps to disable public network access
Configure Function app slots to disable public network access
Configure Function apps to disable public network access
e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 Managed Identity Contributor Create, Read, Update, and Delete User Assigned Identity count: 008
•Microsoft.ManagedIdentity/userAssignedIdentities/read
•Microsoft.ManagedIdentity/userAssignedIdentities/write
•Microsoft.ManagedIdentity/userAssignedIdentities/delete
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
count: 001
[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs
5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c Management Group Contributor Management Group Contributor Role count: 007
•Microsoft.Management/managementGroups/delete
•Microsoft.Management/managementGroups/read
•Microsoft.Management/managementGroups/subscriptions/delete
•Microsoft.Management/managementGroups/subscriptions/write
•Microsoft.Management/managementGroups/write
•Microsoft.Management/managementGroups/subscriptions/read
•Microsoft.Authorization/*/read
ac63b705-f282-497d-ac71-919bf39d939d Management Group Reader Management Group Reader Role count: 003
•Microsoft.Management/managementGroups/read
•Microsoft.Management/managementGroups/subscriptions/read
•Microsoft.Authorization/*/read
43d0d8ad-25c7-4714-9337-8ba259a9fe05 Monitoring Reader Can read all monitoring data. count: 003
•*/read
•Microsoft.OperationalInsights/workspaces/search/action
•Microsoft.Support/*
4d97b98b-1d4f-4787-a291-c67834d212e7 Network Contributor Lets you manage networks, but not access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Network/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 079
[Preview]: Configure Azure Key Vault Managed HSM with private endpoints
[Preview]: Configure Azure Recovery Services vaults to use private DNS zones
[Preview]: Configure private endpoints on Azure Recovery Services vaults
[Preview]: Configure Recovery Services vaults to use private DNS zones for backup
[Preview]: Configure Recovery Services vaults to use private endpoints for backup
Configure a private DNS Zone ID for blob groupID
Configure a private DNS Zone ID for blob_secondary groupID
Configure a private DNS Zone ID for dfs groupID
Configure a private DNS Zone ID for dfs_secondary groupID
Configure a private DNS Zone ID for file groupID
Configure a private DNS Zone ID for queue groupID
Configure a private DNS Zone ID for queue_secondary groupID
Configure a private DNS Zone ID for table groupID
Configure a private DNS Zone ID for table_secondary groupID
Configure a private DNS Zone ID for web groupID
Configure a private DNS Zone ID for web_secondary groupID
Configure App Service app slots to disable public network access
Configure App Service apps to disable public network access
Configure App Service apps to use private DNS zones
Configure Azure Arc Private Link Scopes to use private DNS zones
Configure Azure Arc Private Link Scopes with private endpoints
Configure Azure Automation accounts with private DNS zones
Configure Azure Cache for Redis to use private DNS zones
Configure Azure Cognitive Search services to disable public network access
Configure Azure Cognitive Search services to use private DNS zones
Configure Azure Cognitive Search services with private endpoints
Configure Azure Data Explorer clusters with private endpoints
Configure Azure Databricks workspace to use private DNS zones
Configure Azure Device Update for IoT Hub accounts to use private DNS zones
Configure Azure Device Update for IoT Hub accounts with private endpoint
Configure Azure File Sync to use private DNS zones
Configure Azure HDInsight clusters to use private DNS zones
Configure Azure Key Vaults to use private DNS zones
Configure Azure Key Vaults with private endpoints
Configure Azure Machine Learning workspace to use private DNS zones
Configure Azure Machine Learning workspaces with private endpoints
Configure Azure Managed Grafana workspaces to use private DNS zones
Configure Azure Media Services to use private DNS zones
Configure Azure Media Services with private endpoints
Configure Azure Migrate resources to use private DNS zones
Configure Azure Monitor Private Link Scope to use private DNS zones
Configure Azure SQL Server to enable private endpoint connections
Configure Azure Synapse workspaces to use private DNS zones
Configure Azure Virtual Desktop hostpool resources to use private DNS zones
Configure Azure Virtual Desktop workspace resources to use private DNS zones
Configure Azure Web PubSub Service to use private DNS zones
Configure Azure Web PubSub Service with private endpoints
Configure BotService resources to use private DNS zones
Configure BotService resources with private endpoints
Configure Cognitive Services accounts to use private DNS zones
Configure Cognitive Services accounts with private endpoints
Configure Container registries to use private DNS zones
Configure CosmosDB accounts to use private DNS zones
Configure disk access resources to use private DNS zones
Configure Event Hub namespaces to use private DNS zones
Configure Event Hub namespaces with private endpoints
Configure Function app slots to disable public network access
Configure Function apps to disable public network access
Configure private DNS zones for private endpoints connected to App Configuration
Configure private DNS zones for private endpoints that connect to Azure Data Factory
Configure private endpoint connections on Azure Automation accounts
Configure private endpoints for Data factories
Configure private endpoints to Azure SignalR Service
Configure Private Link for Azure AD to use private DNS zones
Configure Service Bus namespaces to use private DNS zones
Configure Service Bus namespaces with private endpoints
Configure Storage account to use a private link connection
Deploy - Configure Azure Event Grid domains to use private DNS zones
Deploy - Configure Azure Event Grid domains with private endpoints
Deploy - Configure Azure Event Grid topics to use private DNS zones
Deploy - Configure Azure Event Grid topics with private endpoints
Deploy - Configure Azure IoT Hubs to use private DNS zones
Deploy - Configure Azure IoT Hubs with private endpoints
Deploy - Configure IoT Central to use private DNS zones
Deploy - Configure IoT Central with private endpoints
Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service
Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts
Deploy network watcher when virtual networks are created
Virtual networks should be protected by Azure DDoS Protection Standard
5d28c62d-5b37-4476-8438-e587778df237 New Relic APM Account Contributor Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•NewRelic.APM/accounts/*
8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Owner Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. count: 001
•*
count: 006
Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed
Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed
Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery
Configure Microsoft Defender CSPM to be enabled
Configure Microsoft Defender for Storage to be enabled
Configure Synapse workspaces to have auditing enabled to Log Analytics workspace
acdd72a7-3385-48ef-bd42-f606fba81ae7 Reader View all resources, but does not allow you to make any changes. count: 001
•*/read
count: 002
[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension
[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension
e0f68234-74aa-48ed-b826-c38b57376e17 Redis Cache Contributor Lets you manage Redis caches, but not access to them. count: 008
•Microsoft.Authorization/*/read
•Microsoft.Cache/register/action
•Microsoft.Cache/redis/*
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 002
Configure Azure Cache for Redis to disable public network access
Configure Azure Cache for Redis with private endpoints
c12c1c16-33a1-487b-954d-41c89c60f349 Reader and Data Access Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. count: 003
•Microsoft.Storage/storageAccounts/listKeys/action
•Microsoft.Storage/storageAccounts/ListAccountSas/action
•Microsoft.Storage/storageAccounts/read
36243c78-bf99-498c-9df9-86d9f8d28608 Resource Policy Contributor Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. count: 008
•*/read
•Microsoft.Authorization/policyassignments/*
•Microsoft.Authorization/policydefinitions/*
•Microsoft.Authorization/policyexemptions/*
•Microsoft.Authorization/policysetdefinitions/*
•Microsoft.PolicyInsights/*
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
188a0f2f-5c9e-469b-ae67-2aa5ce574b94 Scheduler Job Collections Contributor Lets you manage Scheduler job collections, but not access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Scheduler/jobcollections/*
•Microsoft.Support/*
7ca78c08-252a-4471-8644-bb5ff32d4ba0 Search Service Contributor Lets you manage Search services, but not access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Search/searchServices/*
•Microsoft.Support/*
count: 003
Configure Azure Cognitive Search services to disable local authentication
Configure Azure Cognitive Search services to disable public network access
Configure Azure Cognitive Search services with private endpoints
e3d13bf0-dd5a-482e-ba6b-9b8433878d10 Security Manager (Legacy) This is a legacy role. Please use Security Administrator instead count: 010
•Microsoft.Authorization/*/read
•Microsoft.ClassicCompute/*/read
•Microsoft.ClassicCompute/virtualMachines/*/write
•Microsoft.ClassicNetwork/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Security/*
•Microsoft.Support/*
39bc4728-0917-49c7-9d2c-d95423bc2eb4 Security Reader Security Reader Role count: 014
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.operationalInsights/workspaces/*/read
•Microsoft.Resources/deployments/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Security/*/read
•Microsoft.IoTSecurity/*/read
•Microsoft.Support/*/read
•Microsoft.Security/iotDefenderSettings/packageDownloads/action
•Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action
•Microsoft.Security/iotSensors/downloadResetPassword/action
•Microsoft.IoTSecurity/defenderSettings/packageDownloads/action
•Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action
•Microsoft.Management/managementGroups/read
8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 Spatial Anchors Account Contributor Lets you manage spatial anchors in your account, but not delete them count: 006
•Microsoft.MixedReality/SpatialAnchorsAccounts/create/action
•Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/write
6670b86e-a3f7-4917-ac9b-5d6ab1be4567 Site Recovery Contributor Lets you manage Site Recovery service except vault creation and role assignment count: 029
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Network/virtualNetworks/read
•Microsoft.RecoveryServices/locations/allocatedStamp/read
•Microsoft.RecoveryServices/locations/allocateStamp/action
•Microsoft.RecoveryServices/Vaults/certificates/write
•Microsoft.RecoveryServices/Vaults/extendedInformation/*
•Microsoft.RecoveryServices/Vaults/read
•Microsoft.RecoveryServices/Vaults/refreshContainers/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/*
•Microsoft.RecoveryServices/vaults/replicationAlertSettings/*
•Microsoft.RecoveryServices/vaults/replicationEvents/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/*
•Microsoft.RecoveryServices/vaults/replicationJobs/*
•Microsoft.RecoveryServices/vaults/replicationPolicies/*
•Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*
•Microsoft.RecoveryServices/vaults/replicationVaultSettings/*
•Microsoft.RecoveryServices/Vaults/storageConfig/*
•Microsoft.RecoveryServices/Vaults/tokenInfo/read
•Microsoft.RecoveryServices/Vaults/usages/read
•Microsoft.RecoveryServices/Vaults/vaultTokens/read
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/*
•Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.RecoveryServices/vaults/replicationOperationStatus/read
•Microsoft.Support/*
count: 001
[Preview]: Configure private endpoints on Azure Recovery Services vaults
494ae006-db33-4328-bf46-533a6560a3ca Site Recovery Operator Lets you failover and failback but not perform other Site Recovery management operations count: 059
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Network/virtualNetworks/read
•Microsoft.RecoveryServices/locations/allocatedStamp/read
•Microsoft.RecoveryServices/locations/allocateStamp/action
•Microsoft.RecoveryServices/Vaults/extendedInformation/read
•Microsoft.RecoveryServices/Vaults/read
•Microsoft.RecoveryServices/Vaults/refreshContainers/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/read
•Microsoft.RecoveryServices/vaults/replicationAlertSettings/read
•Microsoft.RecoveryServices/vaults/replicationEvents/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read
•Microsoft.RecoveryServices/vaults/replicationJobs/*
•Microsoft.RecoveryServices/vaults/replicationPolicies/read
•Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action
•Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action
•Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read
•Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action
•Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action
•Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action
•Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action
•Microsoft.RecoveryServices/vaults/replicationVaultSettings/read
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/*
•Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
•Microsoft.RecoveryServices/Vaults/storageConfig/read
•Microsoft.RecoveryServices/Vaults/tokenInfo/read
•Microsoft.RecoveryServices/Vaults/usages/read
•Microsoft.RecoveryServices/Vaults/vaultTokens/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.Support/*
5d51204f-eb77-4b1c-b86a-2ec626c49413 Spatial Anchors Account Reader Lets you locate and read properties of spatial anchors in your account count: 004
•Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
dbaa88c4-0c30-4179-9fb3-46319faa6149 Site Recovery Reader Lets you view Site Recovery status but not perform other management operations count: 032
•Microsoft.Authorization/*/read
•Microsoft.RecoveryServices/locations/allocatedStamp/read
•Microsoft.RecoveryServices/Vaults/extendedInformation/read
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
•Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read
•Microsoft.RecoveryServices/Vaults/read
•Microsoft.RecoveryServices/Vaults/refreshContainers/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/read
•Microsoft.RecoveryServices/vaults/replicationAlertSettings/read
•Microsoft.RecoveryServices/vaults/replicationEvents/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read
•Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read
•Microsoft.RecoveryServices/vaults/replicationJobs/read
•Microsoft.RecoveryServices/vaults/replicationPolicies/read
•Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read
•Microsoft.RecoveryServices/vaults/replicationVaultSettings/read
•Microsoft.RecoveryServices/Vaults/storageConfig/read
•Microsoft.RecoveryServices/Vaults/tokenInfo/read
•Microsoft.RecoveryServices/Vaults/usages/read
•Microsoft.RecoveryServices/Vaults/vaultTokens/read
•Microsoft.Support/*
70bbe301-9835-447d-afdd-19eb3167307c Spatial Anchors Account Owner Lets you manage spatial anchors in your account, including deleting them count: 007
•Microsoft.MixedReality/SpatialAnchorsAccounts/create/action
•Microsoft.MixedReality/SpatialAnchorsAccounts/delete
•Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/query/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read
•Microsoft.MixedReality/SpatialAnchorsAccounts/write
4939a1f6-9ae0-4e48-a1e0-f2cbe897382d SQL Managed Instance Contributor Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. count: 015
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Network/networkSecurityGroups/*
•Microsoft.Network/routeTables/*
•Microsoft.Sql/locations/*/read
•Microsoft.Sql/locations/instanceFailoverGroups/*
•Microsoft.Sql/managedInstances/*
•Microsoft.Support/*
•Microsoft.Network/virtualNetworks/subnets/*
•Microsoft.Network/virtualNetworks/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
count: 002
•Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete
•Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write
9b7fa17d-e63e-47b0-bb0a-15c516ac86ec SQL DB Contributor Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. count: 011
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Sql/locations/*/read
•Microsoft.Sql/servers/databases/*
•Microsoft.Sql/servers/read
•Microsoft.Support/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
count: 024
•Microsoft.Sql/servers/databases/ledgerDigestUploads/write
•Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action
•Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
•Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
•Microsoft.Sql/managedInstances/securityAlertPolicies/*
•Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
•Microsoft.Sql/servers/databases/auditingSettings/*
•Microsoft.Sql/servers/databases/auditRecords/read
•Microsoft.Sql/servers/databases/currentSensitivityLabels/*
•Microsoft.Sql/servers/databases/dataMaskingPolicies/*
•Microsoft.Sql/servers/databases/extendedAuditingSettings/*
•Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
•Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
•Microsoft.Sql/servers/databases/securityAlertPolicies/*
•Microsoft.Sql/servers/databases/securityMetrics/*
•Microsoft.Sql/servers/databases/sensitivityLabels/*
•Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
•Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
•Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
•Microsoft.Sql/servers/vulnerabilityAssessments/*
count: 001
Deploy SQL DB transparent data encryption
056cd41c-7e88-42e1-933e-88ba6a50c9c3 SQL Security Manager Lets you manage the security-related policies of SQL servers and databases, but not access to them. count: 073
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Sql/locations/administratorAzureAsyncOperation/read
•Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read
•Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write
•Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read
•Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write
•Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read
•Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write
•Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read
•Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write
•Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
•Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
•Microsoft.Sql/servers/advancedThreatProtectionSettings/read
•Microsoft.Sql/servers/advancedThreatProtectionSettings/write
•Microsoft.Sql/managedInstances/securityAlertPolicies/*
•Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*
•Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
•Microsoft.Sql/managedInstances/serverConfigurationOptions/read
•Microsoft.Sql/managedInstances/serverConfigurationOptions/write
•Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read
•Microsoft.Sql/servers/advancedThreatProtectionSettings/read
•Microsoft.Sql/servers/advancedThreatProtectionSettings/write
•Microsoft.Sql/servers/auditingSettings/*
•Microsoft.Sql/servers/extendedAuditingSettings/read
•Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read
•Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write
•Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read
•Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write
•Microsoft.Sql/servers/databases/auditingSettings/*
•Microsoft.Sql/servers/databases/auditRecords/read
•Microsoft.Sql/servers/databases/currentSensitivityLabels/*
•Microsoft.Sql/servers/databases/dataMaskingPolicies/*
•Microsoft.Sql/servers/databases/extendedAuditingSettings/read
•Microsoft.Sql/servers/databases/read
•Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
•Microsoft.Sql/servers/databases/schemas/read
•Microsoft.Sql/servers/databases/schemas/tables/columns/read
•Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
•Microsoft.Sql/servers/databases/schemas/tables/read
•Microsoft.Sql/servers/databases/securityAlertPolicies/*
•Microsoft.Sql/servers/databases/securityMetrics/*
•Microsoft.Sql/servers/databases/sensitivityLabels/*
•Microsoft.Sql/servers/databases/transparentDataEncryption/*
•Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*
•Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
•Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
•Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
•Microsoft.Sql/servers/devOpsAuditingSettings/*
•Microsoft.Sql/servers/firewallRules/*
•Microsoft.Sql/servers/read
•Microsoft.Sql/servers/securityAlertPolicies/*
•Microsoft.Sql/servers/sqlvulnerabilityAssessments/*
•Microsoft.Sql/servers/vulnerabilityAssessments/*
•Microsoft.Support/*
•Microsoft.Sql/servers/azureADOnlyAuthentications/*
•Microsoft.Sql/managedInstances/read
•Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*
•Microsoft.Security/sqlVulnerabilityAssessments/*
•Microsoft.Sql/managedInstances/administrators/read
•Microsoft.Sql/servers/administrators/read
•Microsoft.Sql/servers/databases/ledgerDigestUploads/*
•Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read
•Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read
•Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*
count: 008
Configure Azure Defender to be enabled on SQL managed instances
Configure Azure Defender to be enabled on SQL servers
Configure Azure SQL database servers diagnostic settings to Log Analytics workspace
Configure Microsoft Defender for SQL to be enabled on Synapse workspaces
Configure SQL servers to have auditing enabled
Configure SQL servers to have auditing enabled to Log Analytics workspace
Configure Synapse workspaces to have auditing enabled
Deploy Advanced Data Security on SQL servers
17d1049b-9a84-46fb-8f53-869881c3d3ab Storage Account Contributor Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. count: 009
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/diagnosticSettings/*
•Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/*
•Microsoft.Support/*
count: 009
Configure secure transfer of data on a storage account
Configure SQL servers to have auditing enabled
Configure Storage account to use a private link connection
Configure storage accounts to disable public network access
Configure Synapse workspaces to have auditing enabled
Configure your Storage account public access to be disallowed
Deploy Advanced Data Security on SQL servers
Deploy Diagnostic Settings for Network Security Groups
Modify - Configure your Storage account to enable blob versioning
6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 SQL Server Contributor Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. count: 010
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Sql/locations/*/read
•Microsoft.Sql/servers/*
•Microsoft.Support/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
count: 030
•Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*
•Microsoft.Sql/managedInstances/databases/sensitivityLabels/*
•Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*
•Microsoft.Sql/managedInstances/securityAlertPolicies/*
•Microsoft.Sql/managedInstances/vulnerabilityAssessments/*
•Microsoft.Sql/servers/auditingSettings/*
•Microsoft.Sql/servers/databases/auditingSettings/*
•Microsoft.Sql/servers/databases/auditRecords/read
•Microsoft.Sql/servers/databases/currentSensitivityLabels/*
•Microsoft.Sql/servers/databases/dataMaskingPolicies/*
•Microsoft.Sql/servers/databases/extendedAuditingSettings/*
•Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*
•Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*
•Microsoft.Sql/servers/databases/securityAlertPolicies/*
•Microsoft.Sql/servers/databases/securityMetrics/*
•Microsoft.Sql/servers/databases/sensitivityLabels/*
•Microsoft.Sql/servers/databases/vulnerabilityAssessments/*
•Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*
•Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
•Microsoft.Sql/servers/devOpsAuditingSettings/*
•Microsoft.Sql/servers/extendedAuditingSettings/*
•Microsoft.Sql/servers/securityAlertPolicies/*
•Microsoft.Sql/servers/vulnerabilityAssessments/*
•Microsoft.Sql/servers/azureADOnlyAuthentications/delete
•Microsoft.Sql/servers/azureADOnlyAuthentications/write
•Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete
•Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write
count: 004
Configure Azure Data Explorer clusters with private endpoints
Configure Azure Data Explorer to disable public network access
Configure Azure SQL Server to disable public network access
Configure Azure SQL Server to enable private endpoint connections
81a9662b-bebf-436f-a333-f67b29880f12 Storage Account Key Operator Service Role Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts count: 002
•Microsoft.Storage/storageAccounts/listkeys/action
•Microsoft.Storage/storageAccounts/regeneratekey/action
ba92f5b4-2d11-453d-a403-e96b0029c9fe Storage Blob Data Contributor Allows for read, write and delete access to Azure Storage blob containers and data count: 004
•Microsoft.Storage/storageAccounts/blobServices/containers/delete
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/blobServices/containers/write
•Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
count: 005
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
b7e6dc6d-f1e8-4753-8033-0f276bb0955b Storage Blob Data Owner Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control. count: 002
•Microsoft.Storage/storageAccounts/blobServices/containers/*
•Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
count: 001
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*
2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 Storage Blob Data Reader Allows for read access to Azure Storage blob containers and data count: 002
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
count: 001
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
974c5e8b-45b9-4653-ba55-5f855dd0fb88 Storage Queue Data Contributor Allows for read, write, and delete access to Azure Storage queues and queue messages count: 003
•Microsoft.Storage/storageAccounts/queueServices/queues/delete
•Microsoft.Storage/storageAccounts/queueServices/queues/read
•Microsoft.Storage/storageAccounts/queueServices/queues/write
count: 004
•Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete
•Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
•Microsoft.Storage/storageAccounts/queueServices/queues/messages/write
•Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action
8a0f0c08-91a1-4084-bc3d-661d67233fed Storage Queue Data Message Processor Allows for peek, receive, and delete access to Azure Storage queue messages count: 002
•Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
•Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action
c6a89b2d-59bc-44d0-9896-0f6e12d7b80a Storage Queue Data Message Sender Allows for sending of Azure Storage queue messages count: 001
•Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action
19e7f393-937e-4f77-808e-94535e297925 Storage Queue Data Reader Allows for read access to Azure Storage queues and queue messages count: 001
•Microsoft.Storage/storageAccounts/queueServices/queues/read
count: 001
•Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e Support Request Contributor Lets you create and manage Support requests count: 003
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 Traffic Manager Contributor Lets you manage Traffic Manager profiles, but does not let you control who has access to them. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Network/trafficManagerProfiles/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 User Access Administrator Lets you manage user access to Azure resources. count: 003
•*/read
•Microsoft.Authorization/*
•Microsoft.Support/*
count: 009
[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines
[Preview]: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace
[Preview]: Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace
[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
[Preview]: Configure the Microsoft Defender for SQL Log Analytics workspace
[Preview]: Create and assign a built-in user-assigned managed identity
9980e02c-c2be-4d73-94e8-173b1dc7cf3c Virtual Machine Contributor Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. count: 043
•Microsoft.Authorization/*/read
•Microsoft.Compute/availabilitySets/*
•Microsoft.Compute/locations/*
•Microsoft.Compute/virtualMachines/*
•Microsoft.Compute/virtualMachineScaleSets/*
•Microsoft.Compute/cloudServices/*
•Microsoft.Compute/disks/write
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/delete
•Microsoft.DevTestLab/schedules/*
•Microsoft.Insights/alertRules/*
•Microsoft.Network/applicationGateways/backendAddressPools/join/action
•Microsoft.Network/loadBalancers/backendAddressPools/join/action
•Microsoft.Network/loadBalancers/inboundNatPools/join/action
•Microsoft.Network/loadBalancers/inboundNatRules/join/action
•Microsoft.Network/loadBalancers/probes/join/action
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/locations/*
•Microsoft.Network/networkInterfaces/*
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/publicIPAddresses/join/action
•Microsoft.Network/publicIPAddresses/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.RecoveryServices/locations/*
•Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write
•Microsoft.RecoveryServices/Vaults/backupPolicies/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/write
•Microsoft.RecoveryServices/Vaults/read
•Microsoft.RecoveryServices/Vaults/usages/read
•Microsoft.RecoveryServices/Vaults/write
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.SerialConsole/serialPorts/connect/action
•Microsoft.SqlVirtualMachine/*
•Microsoft.Storage/storageAccounts/listKeys/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Support/*
count: 043
[Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets
[Preview]: Configure ChangeTracking Extension for Linux virtual machines
[Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets
[Preview]: Configure ChangeTracking Extension for Windows virtual machines
[Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity
[Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity
[Preview]: Configure SQL Virtual Machines to automatically install Azure Monitor Agent
[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent
[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension
[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot
[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent
[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension
[Preview]: Configure supported virtual machines to automatically enable vTPM
[Preview]: Configure supported Windows machines to automatically install the Azure Security agent
[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent
[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension
[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot
[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension
[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs
[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension
[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension
[Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity
[Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity
Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy
Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location
Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy
Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location
Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication
Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication
Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication
Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
Configure periodic checking for missing system updates on azure virtual machines
Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity
Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication
Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity
Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication
Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets
Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets
Deploy default Microsoft IaaSAntimalware extension for Windows Server
Deploy Dependency agent for Linux virtual machine scale sets
Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings
Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings
Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below
2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b Web Plan Contributor Lets you manage the web plans for websites, but not access to them. count: 009
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Web/serverFarms/*
•Microsoft.Web/hostingEnvironments/Join/Action
•Microsoft.Insights/autoscalesettings/*
de139f84-1756-47ae-9be6-808fbbe84772 Website Contributor Lets you manage websites (not web plans), but not access to them. count: 012
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/components/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Web/certificates/*
•Microsoft.Web/listSitesAssignedToHostName/read
•Microsoft.Web/serverFarms/join/action
•Microsoft.Web/serverFarms/read
•Microsoft.Web/sites/*
count: 021
[Deprecated]: Configure App Services to disable public network access
Configure App Service app slots to disable local authentication for FTP deployments
Configure App Service app slots to disable local authentication for SCM sites
Configure App Service app slots to disable public network access
Configure App Service app slots to only be accessible over HTTPS
Configure App Service app slots to turn off remote debugging
Configure App Service app slots to use the latest TLS version
Configure App Service apps to disable local authentication for FTP deployments
Configure App Service apps to disable local authentication for SCM sites
Configure App Service apps to disable public network access
Configure App Service apps to only be accessible over HTTPS
Configure App Service apps to turn off remote debugging
Configure App Service apps to use the latest TLS version
Configure Function app slots to disable public network access
Configure Function app slots to only be accessible over HTTPS
Configure Function app slots to turn off remote debugging
Configure Function app slots to use the latest TLS version
Configure Function apps to disable public network access
Configure Function apps to only be accessible over HTTPS
Configure Function apps to turn off remote debugging
Configure Function apps to use the latest TLS version
090c5cfd-751d-490a-894a-3ce6f1109419 Azure Service Bus Data Owner Allows for full access to Azure Service Bus resources. count: 001
•Microsoft.ServiceBus/*
count: 001
•Microsoft.ServiceBus/*
count: 002
Configure Azure Service Bus namespaces to disable local authentication
Configure Service Bus namespaces with private endpoints
f526a384-b230-433a-b45c-95f59c4a2dec Azure Event Hubs Data Owner Allows for full access to Azure Event Hubs resources. count: 001
•Microsoft.EventHub/*
count: 001
•Microsoft.EventHub/*
count: 035
Configure Azure Event Hub namespaces to disable local authentication
Configure Event Hub namespaces with private endpoints
Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub
Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub
Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub
Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub
Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub
Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub
Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub
Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub
Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub
Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub
Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub
Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub
Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub
Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub
Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub
Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub
Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub
Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub
Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub
Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub
Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub
Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub
Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub
Enable logging by category group for microsoft.network/p2svpngateways to Event Hub
Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub
Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub
Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub
Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub
Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub
Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub
Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub
Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub
Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub
bbf86eb8-f7b4-4cce-96e4-18cddf81d86e Attestation Contributor Can read write or delete the attestation provider instance count: 003
•Microsoft.Attestation/attestationProviders/attestation/read
•Microsoft.Attestation/attestationProviders/attestation/write
•Microsoft.Attestation/attestationProviders/attestation/delete
61ed4efc-fab3-44fd-b111-e24485cc132a HDInsight Cluster Operator Lets you read and modify HDInsight cluster configurations. count: 009
•Microsoft.HDInsight/*/read
•Microsoft.HDInsight/clusters/getGatewaySettings/action
•Microsoft.HDInsight/clusters/updateGatewaySettings/action
•Microsoft.HDInsight/clusters/configurations/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/operations/read
•Microsoft.Insights/alertRules/*
•Microsoft.Authorization/*/read
•Microsoft.Support/*
230815da-be43-4aae-9cb4-875f7bd000aa Cosmos DB Operator Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. count: 008
•Microsoft.DocumentDb/databaseAccounts/*
•Microsoft.Insights/alertRules/*
•Microsoft.Authorization/*/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action
count: 012
•Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*
•Microsoft.DocumentDB/databaseAccounts/regenerateKey/*
•Microsoft.DocumentDB/databaseAccounts/listKeys/*
•Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*
•Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write
•Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete
•Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write
•Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete
•Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write
•Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete
•Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write
•Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete
48b40c6e-82e0-4eb3-90d5-19e40f49b624 Hybrid Server Resource Administrator Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. count: 002
•Microsoft.HybridCompute/machines/*
•Microsoft.HybridCompute/*/read
5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb Hybrid Server Onboarding Can onboard new Hybrid servers to the Hybrid Resource Provider. count: 002
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
a638d3c7-ab3a-418d-83e6-5f17a39d4fde Azure Event Hubs Data Receiver Allows receive access to Azure Event Hubs resources. count: 001
•Microsoft.EventHub/*/eventhubs/consumergroups/read
count: 001
•Microsoft.EventHub/*/receive/action
2b629674-e913-4c01-ae53-ef4638d8f975 Azure Event Hubs Data Sender Allows send access to Azure Event Hubs resources. count: 001
•Microsoft.EventHub/*/eventhubs/read
count: 001
•Microsoft.EventHub/*/send/action
4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 Azure Service Bus Data Receiver Allows for receive access to Azure Service Bus resources. count: 003
•Microsoft.ServiceBus/*/queues/read
•Microsoft.ServiceBus/*/topics/read
•Microsoft.ServiceBus/*/topics/subscriptions/read
count: 001
•Microsoft.ServiceBus/*/receive/action
69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 Azure Service Bus Data Sender Allows for send access to Azure Service Bus resources. count: 003
•Microsoft.ServiceBus/*/queues/read
•Microsoft.ServiceBus/*/topics/read
•Microsoft.ServiceBus/*/topics/subscriptions/read
count: 001
•Microsoft.ServiceBus/*/send/action
aba4ae5f-2193-4029-9191-0cb91df5e314 Storage File Data SMB Share Reader Allows for read access to Azure File Share over SMB count: 001
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb Storage File Data SMB Share Contributor Allows for read, write, and delete access in Azure Storage file shares over SMB count: 003
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete
b12aa53e-6015-4669-85d0-8515ebb3ae7f Private DNS Zone Contributor Lets you manage private DNS zone resources, but not the virtual networks they are linked to. count: 010
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Network/privateDnsZones/*
•Microsoft.Network/privateDnsOperationResults/*
•Microsoft.Network/privateDnsOperationStatuses/*
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/join/action
•Microsoft.Authorization/*/read
count: 001
Configure Azure File Sync to use private DNS zones
db58b8e5-c6ad-4a2a-8342-4190687cbf4a Storage Blob Delegator Allows for generation of a user delegation key which can be used to sign SAS tokens count: 001
•Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 Desktop Virtualization User Allows user to use the applications in an application group. count: 002
•Microsoft.DesktopVirtualization/applicationGroups/useApplications/action
•Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action
a7264617-510b-434b-a828-9731dc254ea7 Storage File Data SMB Share Elevated Contributor Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB count: 004
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action
41077137-e803-4205-871c-5a86e6a753b4 Blueprint Contributor Can manage blueprint definitions, but not assign them. count: 005
•Microsoft.Authorization/*/read
•Microsoft.Blueprint/blueprints/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
437d2ced-4a38-4302-8479-ed2bcb43d090 Blueprint Operator Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. count: 005
•Microsoft.Authorization/*/read
•Microsoft.Blueprint/blueprintAssignments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
ab8e14d6-4a74-4a29-9ba8-549422addade Microsoft Sentinel Contributor Microsoft Sentinel Contributor count: 016
•Microsoft.SecurityInsights/*
•Microsoft.OperationalInsights/workspaces/analytics/query/action
•Microsoft.OperationalInsights/workspaces/*/read
•Microsoft.OperationalInsights/workspaces/savedSearches/*
•Microsoft.OperationsManagement/solutions/read
•Microsoft.OperationalInsights/workspaces/query/read
•Microsoft.OperationalInsights/workspaces/query/*/read
•Microsoft.OperationalInsights/workspaces/dataSources/read
•Microsoft.OperationalInsights/querypacks/*/read
•Microsoft.Insights/workbooks/*
•Microsoft.Insights/myworkbooks/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 002
•Microsoft.SecurityInsights/ConfidentialWatchlists/*
•Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
3e150937-b8fe-4cfb-8069-0eaf05ecd056 Microsoft Sentinel Responder Microsoft Sentinel Responder count: 027
•Microsoft.SecurityInsights/*/read
•Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action
•Microsoft.SecurityInsights/automationRules/*
•Microsoft.SecurityInsights/cases/*
•Microsoft.SecurityInsights/incidents/*
•Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action
•Microsoft.SecurityInsights/threatIntelligence/indicators/query/action
•Microsoft.SecurityInsights/threatIntelligence/bulkTag/action
•Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action
•Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action
•Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action
•Microsoft.OperationalInsights/workspaces/analytics/query/action
•Microsoft.OperationalInsights/workspaces/*/read
•Microsoft.OperationalInsights/workspaces/dataSources/read
•Microsoft.OperationalInsights/workspaces/savedSearches/read
•Microsoft.OperationsManagement/solutions/read
•Microsoft.OperationalInsights/workspaces/query/read
•Microsoft.OperationalInsights/workspaces/query/*/read
•Microsoft.OperationalInsights/workspaces/dataSources/read
•Microsoft.OperationalInsights/querypacks/*/read
•Microsoft.Insights/workbooks/read
•Microsoft.Insights/myworkbooks/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 004
•Microsoft.SecurityInsights/cases/*/Delete
•Microsoft.SecurityInsights/incidents/*/Delete
•Microsoft.SecurityInsights/ConfidentialWatchlists/*
•Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
8d289c81-5878-46d4-8554-54e1e3d8b5cb Microsoft Sentinel Reader Microsoft Sentinel Reader count: 021
•Microsoft.SecurityInsights/*/read
•Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action
•Microsoft.SecurityInsights/threatIntelligence/indicators/query/action
•Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action
•Microsoft.OperationalInsights/workspaces/analytics/query/action
•Microsoft.OperationalInsights/workspaces/*/read
•Microsoft.OperationalInsights/workspaces/LinkedServices/read
•Microsoft.OperationalInsights/workspaces/savedSearches/read
•Microsoft.OperationsManagement/solutions/read
•Microsoft.OperationalInsights/workspaces/query/read
•Microsoft.OperationalInsights/workspaces/query/*/read
•Microsoft.OperationalInsights/querypacks/*/read
•Microsoft.OperationalInsights/workspaces/dataSources/read
•Microsoft.Insights/workbooks/read
•Microsoft.Insights/myworkbooks/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/templateSpecs/*/read
•Microsoft.Support/*
count: 002
•Microsoft.SecurityInsights/ConfidentialWatchlists/*
•Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*
66bb4e9e-b016-4a94-8249-4c0511c2be84 Policy Insights Data Writer (Preview) Allows read access to resource policies and write access to resource component policy events. count: 004
•Microsoft.Authorization/policyassignments/read
•Microsoft.Authorization/policydefinitions/read
•Microsoft.Authorization/policyexemptions/read
•Microsoft.Authorization/policysetdefinitions/read
count: 002
•Microsoft.PolicyInsights/checkDataPolicyCompliance/action
•Microsoft.PolicyInsights/policyEvents/logDataEvents/action
04165923-9d83-45d5-8227-78b77b0a687e SignalR AccessKey Reader Read SignalR Service Access Keys count: 005
•Microsoft.SignalRService/*/read
•Microsoft.SignalRService/SignalR/listkeys/action
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 SignalR/Web PubSub Contributor Create, Read, Update, and Delete SignalR service resources count: 006
•Microsoft.SignalRService/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
count: 006
Configure Azure SignalR Service to disable local authentication
Configure Azure Web PubSub Service to disable local authentication
Configure Azure Web PubSub Service to disable public network access
Configure Azure Web PubSub Service with private endpoints
Configure private endpoints to Azure SignalR Service
Modify Azure SignalR Service resources to disable public network access
b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 Azure Connected Machine Onboarding Can onboard Azure Connected Machines. count: 004
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/privateLinkScopes/read
•Microsoft.GuestConfiguration/guestConfigurationAssignments/read
91c1777a-f3dc-4fae-b103-61d183457e46 Managed Services Registration assignment Delete Role Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. count: 003
•Microsoft.ManagedServices/registrationAssignments/read
•Microsoft.ManagedServices/registrationAssignments/delete
•Microsoft.ManagedServices/operationStatuses/read
5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b App Configuration Data Owner Allows full access to App Configuration data. count: 004
•Microsoft.AppConfiguration/configurationStores/*/read
•Microsoft.AppConfiguration/configurationStores/*/write
•Microsoft.AppConfiguration/configurationStores/*/delete
•Microsoft.AppConfiguration/configurationStores/*/action
516239f1-63e1-4d78-a4de-a74fb236a071 App Configuration Data Reader Allows read access to App Configuration data. count: 001
•Microsoft.AppConfiguration/configurationStores/*/read
34e09817-6cbe-4d01-b1a2-e0eac5743d41 Kubernetes Cluster - Azure Arc Onboarding Role definition to authorize any user/service to create connectedClusters resource count: 009
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Kubernetes/connectedClusters/Write
•Microsoft.Kubernetes/connectedClusters/read
•Microsoft.Support/*
count: 002
Configure Azure Arc Private Link Scopes with private endpoints
Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope
7f646f1b-fa08-80eb-a22b-edd6ce5c915c Experimentation Contributor Experimentation Contributor count: 002
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Experimentation/experimentWorkspaces/read
count: 008
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action
•Microsoft.Experimentation/experimentWorkspaces/read
•Microsoft.Experimentation/experimentWorkspaces/write
•Microsoft.Experimentation/experimentWorkspaces/delete
466ccd10-b268-4a11-b098-b4849f024126 Cognitive Services QnA Maker Reader Lets you read and test a KB only. count: 003
•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 018
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read
f4cc2bf9-21be-47a1-bdf1-5c5804381025 Cognitive Services QnA Maker Editor Lets you create, edit, import and export a KB. You cannot publish or delete a KB. count: 003
•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 039
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action
•Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read
•Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read
•Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write
•Microsoft.CognitiveServices/accounts/QnAMaker/operations/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write
•Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read
7f646f1b-fa08-80eb-a33b-edd6ce5c915c Experimentation Administrator Experimentation Administrator count: 002
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Experimentation/experimentWorkspaces/read
count: 013
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/action
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action
•Microsoft.Experimentation/experimentWorkspaces/read
•Microsoft.Experimentation/experimentWorkspaces/write
•Microsoft.Experimentation/experimentWorkspaces/delete
•Microsoft.Experimentation/experimentWorkspaces/admin/action
•Microsoft.Experimentation/experimentWorkspaces/metricwrite/action
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action
3df8b902-2a6f-47c7-8cc5-360e9b272a7e Remote Rendering Administrator Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering count: 008
•Microsoft.MixedReality/RemoteRenderingAccounts/convert/action
•Microsoft.MixedReality/RemoteRenderingAccounts/convert/read
•Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete
•Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read
•Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action
•Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete
•Microsoft.MixedReality/RemoteRenderingAccounts/render/read
•Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read
d39065c4-c120-43c9-ab0a-63eed9795f0a Remote Rendering Client Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. count: 005
•Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read
•Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action
•Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete
•Microsoft.MixedReality/RemoteRenderingAccounts/render/read
•Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read
641177b8-a67a-45b9-a033-47bc880bb21e Managed Application Contributor Role Allows for creating managed application resources. count: 005
•*/read
•Microsoft.Solutions/applications/*
•Microsoft.Solutions/register/action
•Microsoft.Resources/subscriptions/resourceGroups/*
•Microsoft.Resources/deployments/*
612c2aa1-cb24-443b-ac28-3ab7272de6f5 Security Assessment Contributor Lets you push assessments to Security Center count: 001
•Microsoft.Security/assessments/write
4a9ae827-6dc8-4573-8ac7-8239d42aa03f Tag Contributor Lets you manage tags on entities, without providing access to the entities themselves. count: 008
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourceGroups/resources/read
•Microsoft.Resources/subscriptions/resources/read
•Microsoft.Resources/deployments/*
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
•Microsoft.Resources/tags/*
count: 002
Add a tag to subscriptions
Add or replace a tag on subscriptions
c7aa55d3-1abb-444a-a5ca-5e51e485d6ec Integration Service Environment Developer Allows developers to create and update workflows, integration accounts and API connections in integration service environments. count: 004
•Microsoft.Authorization/*/read
•Microsoft.Support/*
•Microsoft.Logic/integrationServiceEnvironments/read
•Microsoft.Logic/integrationServiceEnvironments/*/join/action
a41e2c5b-bd99-4a07-88f4-9bf657a760b8 Integration Service Environment Contributor Lets you manage integration service environments, but not access to them. count: 003
•Microsoft.Authorization/*/read
•Microsoft.Support/*
•Microsoft.Logic/integrationServiceEnvironments/*
ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 Azure Kubernetes Service Contributor Role Grants access to read and write Azure Kubernetes Service clusters count: 003
•Microsoft.ContainerService/managedClusters/read
•Microsoft.ContainerService/managedClusters/write
•Microsoft.Resources/deployments/*
count: 006
[Preview]: Deploy Image Integrity on Azure Kubernetes Service
Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access
Configure Node OS Auto upgrade on Azure Kubernetes Cluster
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Deploy Image Cleaner on Azure Kubernetes Service
Disable Command Invoke on Azure Kubernetes Service clusters
d57506d4-4c8d-48b1-8587-93c323f6a5a3 Azure Digital Twins Data Reader Read-only role for Digital Twins data-plane properties count: 006
•Microsoft.DigitalTwins/digitaltwins/read
•Microsoft.DigitalTwins/digitaltwins/relationships/read
•Microsoft.DigitalTwins/eventroutes/read
•Microsoft.DigitalTwins/jobs/import/read
•Microsoft.DigitalTwins/models/read
•Microsoft.DigitalTwins/query/action
bcd981a7-7f74-457b-83e1-cceb9e632ffe Azure Digital Twins Data Owner Full access role for Digital Twins data-plane count: 007
•Microsoft.DigitalTwins/digitaltwins/*
•Microsoft.DigitalTwins/digitaltwins/commands/*
•Microsoft.DigitalTwins/digitaltwins/relationships/*
•Microsoft.DigitalTwins/eventroutes/*
•Microsoft.DigitalTwins/jobs/*
•Microsoft.DigitalTwins/models/*
•Microsoft.DigitalTwins/query/*
350f8d15-c687-4448-8ae1-157740a3936d Hierarchy Settings Administrator Allows users to edit and delete Hierarchy Settings count: 002
•Microsoft.Management/managementGroups/settings/write
•Microsoft.Management/managementGroups/settings/delete
5a1fc7df-4bf1-4951-a576-89034ee01acd FHIR Data Contributor Role allows user or principal full access to FHIR Data count: 002
•Microsoft.HealthcareApis/services/fhir/resources/*
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/*
count: 002
•Microsoft.HealthcareApis/services/fhir/resources/smart/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action
3db33094-8700-4567-8da5-1501d4e7e843 FHIR Data Exporter Role allows user or principal to read and export FHIR Data count: 004
•Microsoft.HealthcareApis/services/fhir/resources/read
•Microsoft.HealthcareApis/services/fhir/resources/export/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action
4c8d0bbc-75d3-4935-991f-5f3c56d81508 FHIR Data Reader Role allows user or principal to read FHIR Data count: 002
•Microsoft.HealthcareApis/services/fhir/resources/read
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
3f88fce4-5892-4214-ae73-ba5294559913 FHIR Data Writer Role allows user or principal to read and write FHIR Data count: 018
•Microsoft.HealthcareApis/services/fhir/resources/read
•Microsoft.HealthcareApis/services/fhir/resources/write
•Microsoft.HealthcareApis/services/fhir/resources/delete
•Microsoft.HealthcareApis/services/fhir/resources/export/action
•Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action
•Microsoft.HealthcareApis/services/fhir/resources/reindex/action
•Microsoft.HealthcareApis/services/fhir/resources/convertData/action
•Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action
•Microsoft.HealthcareApis/services/fhir/resources/import/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/write
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action
49632ef5-d9ac-41f4-b8e7-bbe587fa74a1 Experimentation Reader Experimentation Reader count: 001
•Microsoft.Experimentation/experimentWorkspaces/read
count: 002
•Microsoft.Experimentation/experimentWorkspaces/read
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
4dd61c23-6743-42fe-a388-d8bdd41cb745 Object Understanding Account Owner Provides user with ingestion capabilities for Azure Object Understanding. count: 002
•Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/action
•Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read
8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 Azure Maps Data Contributor Grants access to read, write, and delete access to map related data from an Azure maps account. count: 004
•Microsoft.Maps/accounts/*/read
•Microsoft.Maps/accounts/*/write
•Microsoft.Maps/accounts/*/delete
•Microsoft.Maps/accounts/*/action
c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 Cognitive Services Custom Vision Contributor Full access to the project, including the ability to view, create, edit, or delete projects. count: 001
•Microsoft.CognitiveServices/*/read
count: 001
•Microsoft.CognitiveServices/accounts/CustomVision/*
5c4089e1-6d96-4d2f-b296-c1bc7137275f Cognitive Services Custom Vision Deployment Publish, unpublish or export models. Deployment can view the project but can't update. count: 001
•Microsoft.CognitiveServices/*/read
count: 007
•Microsoft.CognitiveServices/accounts/CustomVision/*/read
•Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*
•Microsoft.CognitiveServices/accounts/CustomVision/classify/*
•Microsoft.CognitiveServices/accounts/CustomVision/detect/*
count: 001
•Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
88424f51-ebe7-446f-bc41-7fa16989e96c Cognitive Services Custom Vision Labeler View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. count: 001
•Microsoft.CognitiveServices/*/read
count: 006
•Microsoft.CognitiveServices/accounts/CustomVision/*/read
•Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action
•Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/*
•Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action
count: 001
•Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
93586559-c37d-4a6b-ba08-b9f0940c2d73 Cognitive Services Custom Vision Reader Read-only actions in the project. Readers can't create or update the project. count: 001
•Microsoft.CognitiveServices/*/read
count: 002
•Microsoft.CognitiveServices/accounts/CustomVision/*/read
•Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action
count: 001
•Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
0a5ae4ab-0d65-4eeb-be61-29fc9b54394b Cognitive Services Custom Vision Trainer View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. count: 001
•Microsoft.CognitiveServices/*/read
count: 001
•Microsoft.CognitiveServices/accounts/CustomVision/*
count: 004
•Microsoft.CognitiveServices/accounts/CustomVision/projects/action
•Microsoft.CognitiveServices/accounts/CustomVision/projects/delete
•Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action
•Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read
00482a5a-887f-4fb3-b363-3b7fe8e74483 Key Vault Administrator Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. count: 010
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.KeyVault/checkNameAvailability/read
•Microsoft.KeyVault/deletedVaults/read
•Microsoft.KeyVault/locations/*/read
•Microsoft.KeyVault/vaults/*/read
•Microsoft.KeyVault/operations/read
count: 001
•Microsoft.KeyVault/vaults/*
12338af0-0e69-4776-bea7-57ae8d297424 Key Vault Crypto User Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. count: 009
•Microsoft.KeyVault/vaults/keys/read
•Microsoft.KeyVault/vaults/keys/update/action
•Microsoft.KeyVault/vaults/keys/backup/action
•Microsoft.KeyVault/vaults/keys/encrypt/action
•Microsoft.KeyVault/vaults/keys/decrypt/action
•Microsoft.KeyVault/vaults/keys/wrap/action
•Microsoft.KeyVault/vaults/keys/unwrap/action
•Microsoft.KeyVault/vaults/keys/sign/action
•Microsoft.KeyVault/vaults/keys/verify/action
b86a8fe4-44ce-4948-aee5-eccb2c155cd7 Key Vault Secrets Officer Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. count: 010
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.KeyVault/checkNameAvailability/read
•Microsoft.KeyVault/deletedVaults/read
•Microsoft.KeyVault/locations/*/read
•Microsoft.KeyVault/vaults/*/read
•Microsoft.KeyVault/operations/read
count: 001
•Microsoft.KeyVault/vaults/secrets/*
4633458b-17de-408a-b874-0445c86b69e6 Key Vault Secrets User Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. count: 002
•Microsoft.KeyVault/vaults/secrets/getSecret/action
•Microsoft.KeyVault/vaults/secrets/readMetadata/action
a4417e6f-fecd-4de8-b567-7b0420556985 Key Vault Certificates Officer Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. count: 010
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.KeyVault/checkNameAvailability/read
•Microsoft.KeyVault/deletedVaults/read
•Microsoft.KeyVault/locations/*/read
•Microsoft.KeyVault/vaults/*/read
•Microsoft.KeyVault/operations/read
count: 003
•Microsoft.KeyVault/vaults/certificatecas/*
•Microsoft.KeyVault/vaults/certificates/*
•Microsoft.KeyVault/vaults/certificatecontacts/write
21090545-7ca7-4776-b22c-e363652d74d2 Key Vault Reader Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. count: 010
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.KeyVault/checkNameAvailability/read
•Microsoft.KeyVault/deletedVaults/read
•Microsoft.KeyVault/locations/*/read
•Microsoft.KeyVault/vaults/*/read
•Microsoft.KeyVault/operations/read
count: 002
•Microsoft.KeyVault/vaults/*/read
•Microsoft.KeyVault/vaults/secrets/readMetadata/action
e147488a-f6f5-4113-8e2d-b22465e65bf6 Key Vault Crypto Service Encryption User Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. count: 003
•Microsoft.EventGrid/eventSubscriptions/write
•Microsoft.EventGrid/eventSubscriptions/read
•Microsoft.EventGrid/eventSubscriptions/delete
count: 003
•Microsoft.KeyVault/vaults/keys/read
•Microsoft.KeyVault/vaults/keys/wrap/action
•Microsoft.KeyVault/vaults/keys/unwrap/action
63f0a09d-1495-4db4-a681-037d84835eb4 Azure Arc Kubernetes Viewer Lets you view all resources in cluster/namespace, except secrets. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 029
•Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
•Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read
•Microsoft.Kubernetes/connectedClusters/apps/deployments/read
•Microsoft.Kubernetes/connectedClusters/apps/replicasets/read
•Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read
•Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read
•Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read
•Microsoft.Kubernetes/connectedClusters/batch/jobs/read
•Microsoft.Kubernetes/connectedClusters/configmaps/read
•Microsoft.Kubernetes/connectedClusters/endpoints/read
•Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
•Microsoft.Kubernetes/connectedClusters/events/read
•Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read
•Microsoft.Kubernetes/connectedClusters/extensions/deployments/read
•Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read
•Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read
•Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read
•Microsoft.Kubernetes/connectedClusters/limitranges/read
•Microsoft.Kubernetes/connectedClusters/namespaces/read
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read
•Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read
•Microsoft.Kubernetes/connectedClusters/pods/read
•Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read
•Microsoft.Kubernetes/connectedClusters/resourcequotas/read
•Microsoft.Kubernetes/connectedClusters/serviceaccounts/read
•Microsoft.Kubernetes/connectedClusters/services/read
5b999177-9696-4545-85c7-50de3797e5a1 Azure Arc Kubernetes Writer Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 030
•Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
•Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
•Microsoft.Kubernetes/connectedClusters/apps/deployments/*
•Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
•Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
•Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
•Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
•Microsoft.Kubernetes/connectedClusters/batch/jobs/*
•Microsoft.Kubernetes/connectedClusters/configmaps/*
•Microsoft.Kubernetes/connectedClusters/endpoints/*
•Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
•Microsoft.Kubernetes/connectedClusters/events/read
•Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
•Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
•Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
•Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
•Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
•Microsoft.Kubernetes/connectedClusters/limitranges/read
•Microsoft.Kubernetes/connectedClusters/namespaces/read
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
•Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
•Microsoft.Kubernetes/connectedClusters/pods/*
•Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
•Microsoft.Kubernetes/connectedClusters/resourcequotas/read
•Microsoft.Kubernetes/connectedClusters/secrets/*
•Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
•Microsoft.Kubernetes/connectedClusters/services/*
8393591c-06b9-48a2-a542-1bd6b377f6a2 Azure Arc Kubernetes Cluster Admin Lets you manage all resources in the cluster. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 001
•Microsoft.Kubernetes/connectedClusters/*
dffb1e0c-446f-4dde-a09f-99eb5cc68b96 Azure Arc Kubernetes Admin Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. count: 007
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 033
•Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read
•Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*
•Microsoft.Kubernetes/connectedClusters/apps/deployments/*
•Microsoft.Kubernetes/connectedClusters/apps/replicasets/*
•Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*
•Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write
•Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/*
•Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*
•Microsoft.Kubernetes/connectedClusters/batch/jobs/*
•Microsoft.Kubernetes/connectedClusters/configmaps/*
•Microsoft.Kubernetes/connectedClusters/endpoints/*
•Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read
•Microsoft.Kubernetes/connectedClusters/events/read
•Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*
•Microsoft.Kubernetes/connectedClusters/extensions/deployments/*
•Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*
•Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*
•Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*
•Microsoft.Kubernetes/connectedClusters/limitranges/read
•Microsoft.Kubernetes/connectedClusters/namespaces/read
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*
•Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*
•Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*
•Microsoft.Kubernetes/connectedClusters/pods/*
•Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*
•Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/*
•Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
•Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*
•Microsoft.Kubernetes/connectedClusters/resourcequotas/read
•Microsoft.Kubernetes/connectedClusters/secrets/*
•Microsoft.Kubernetes/connectedClusters/serviceaccounts/*
•Microsoft.Kubernetes/connectedClusters/services/*
b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b Azure Kubernetes Service RBAC Cluster Admin Lets you manage all resources in the cluster. count: 005
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
count: 001
•Microsoft.ContainerService/managedClusters/*
3498e952-d568-435e-9b2c-8d77e338d7f7 Azure Kubernetes Service RBAC Admin Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. count: 005
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
count: 001
•Microsoft.ContainerService/managedClusters/*
count: 004
•Microsoft.ContainerService/managedClusters/resourcequotas/write
•Microsoft.ContainerService/managedClusters/resourcequotas/delete
•Microsoft.ContainerService/managedClusters/namespaces/write
•Microsoft.ContainerService/managedClusters/namespaces/delete
7f6c6a51-bcf8-42ba-9220-52d62157d7db Azure Kubernetes Service RBAC Reader Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. count: 004
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 031
•Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read
•Microsoft.ContainerService/managedClusters/apps/daemonsets/read
•Microsoft.ContainerService/managedClusters/apps/deployments/read
•Microsoft.ContainerService/managedClusters/apps/replicasets/read
•Microsoft.ContainerService/managedClusters/apps/statefulsets/read
•Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read
•Microsoft.ContainerService/managedClusters/batch/cronjobs/read
•Microsoft.ContainerService/managedClusters/batch/jobs/read
•Microsoft.ContainerService/managedClusters/configmaps/read
•Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read
•Microsoft.ContainerService/managedClusters/endpoints/read
•Microsoft.ContainerService/managedClusters/events.k8s.io/events/read
•Microsoft.ContainerService/managedClusters/events/read
•Microsoft.ContainerService/managedClusters/extensions/daemonsets/read
•Microsoft.ContainerService/managedClusters/extensions/deployments/read
•Microsoft.ContainerService/managedClusters/extensions/ingresses/read
•Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read
•Microsoft.ContainerService/managedClusters/extensions/replicasets/read
•Microsoft.ContainerService/managedClusters/limitranges/read
•Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read
•Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read
•Microsoft.ContainerService/managedClusters/namespaces/read
•Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read
•Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read
•Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read
•Microsoft.ContainerService/managedClusters/pods/read
•Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read
•Microsoft.ContainerService/managedClusters/replicationcontrollers/read
•Microsoft.ContainerService/managedClusters/resourcequotas/read
•Microsoft.ContainerService/managedClusters/serviceaccounts/read
•Microsoft.ContainerService/managedClusters/services/read
a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb Azure Kubernetes Service RBAC Writer Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. count: 004
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 035
•Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read
•Microsoft.ContainerService/managedClusters/apps/daemonsets/*
•Microsoft.ContainerService/managedClusters/apps/deployments/*
•Microsoft.ContainerService/managedClusters/apps/replicasets/*
•Microsoft.ContainerService/managedClusters/apps/statefulsets/*
•Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/*
•Microsoft.ContainerService/managedClusters/batch/cronjobs/*
•Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read
•Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write
•Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete
•Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read
•Microsoft.ContainerService/managedClusters/batch/jobs/*
•Microsoft.ContainerService/managedClusters/configmaps/*
•Microsoft.ContainerService/managedClusters/endpoints/*
•Microsoft.ContainerService/managedClusters/events.k8s.io/events/read
•Microsoft.ContainerService/managedClusters/events/*
•Microsoft.ContainerService/managedClusters/extensions/daemonsets/*
•Microsoft.ContainerService/managedClusters/extensions/deployments/*
•Microsoft.ContainerService/managedClusters/extensions/ingresses/*
•Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*
•Microsoft.ContainerService/managedClusters/extensions/replicasets/*
•Microsoft.ContainerService/managedClusters/limitranges/read
•Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read
•Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read
•Microsoft.ContainerService/managedClusters/namespaces/read
•Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*
•Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/*
•Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*
•Microsoft.ContainerService/managedClusters/pods/*
•Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*
•Microsoft.ContainerService/managedClusters/replicationcontrollers/*
•Microsoft.ContainerService/managedClusters/resourcequotas/read
•Microsoft.ContainerService/managedClusters/secrets/*
•Microsoft.ContainerService/managedClusters/serviceaccounts/*
•Microsoft.ContainerService/managedClusters/services/*
82200a5b-e217-47a5-b665-6d8765ee745b Services Hub Operator Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. count: 009
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.ServicesHub/connectors/write
•Microsoft.ServicesHub/connectors/read
•Microsoft.ServicesHub/connectors/delete
•Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action
•Microsoft.ServicesHub/supportOfferingEntitlement/read
•Microsoft.ServicesHub/workspaces/read
d18777c0-1514-4662-8490-608db7d334b6 Object Understanding Account Reader Lets you read ingestion jobs for an object understanding account. count: 001
•Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read
fd53cd77-2268-407a-8f46-7e7863d0f521 SignalR REST API Owner Full access to Azure SignalR Service REST APIs count: 005
•Microsoft.SignalRService/SignalR/auth/clientToken/action
•Microsoft.SignalRService/SignalR/hub/*
•Microsoft.SignalRService/SignalR/group/*
•Microsoft.SignalRService/SignalR/clientConnection/*
•Microsoft.SignalRService/SignalR/user/*
daa9e50b-21df-454c-94a6-a8050adab352 Collaborative Data Contributor Can manage data packages of a collaborative. count: 013
•Microsoft.IndustryDataLifecycle/custodianCollaboratives/*/read
•Microsoft.IndustryDataLifecycle/memberCollaboratives/*/read
•Microsoft.IndustryDataLifecycle/locations/dataPackages/*
•Microsoft.IndustryDataLifecycle/custodianCollaboratives/receivedDataPackages/*
•Microsoft.IndustryDataLifecycle/custodianCollaboratives/rejectDataPackage/action
•Microsoft.IndustryDataLifecycle/memberCollaboratives/sharedDataPackages/*
•Microsoft.IndustryDataLifecycle/custodianCollaboratives/dataModels/*
•Microsoft.IndustryDataLifecycle/custodianCollaboratives/auditLogs/action
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f Device Update Reader Gives you read access to management and content operations, but does not allow making changes count: 005
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
count: 002
•Microsoft.DeviceUpdate/accounts/instances/updates/read
•Microsoft.DeviceUpdate/accounts/instances/management/read
02ca0879-e8e4-47a5-a61e-5c618b76e64a Device Update Administrator Gives you full access to management and content operations count: 005
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
count: 006
•Microsoft.DeviceUpdate/accounts/instances/updates/read
•Microsoft.DeviceUpdate/accounts/instances/updates/write
•Microsoft.DeviceUpdate/accounts/instances/updates/delete
•Microsoft.DeviceUpdate/accounts/instances/management/read
•Microsoft.DeviceUpdate/accounts/instances/management/write
•Microsoft.DeviceUpdate/accounts/instances/management/delete
0378884a-3af5-44ab-8323-f5b22f9f3c98 Device Update Content Administrator Gives you full access to content operations count: 005
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
count: 003
•Microsoft.DeviceUpdate/accounts/instances/updates/read
•Microsoft.DeviceUpdate/accounts/instances/updates/write
•Microsoft.DeviceUpdate/accounts/instances/updates/delete
d1ee9a80-8b14-47f0-bdc2-f4a351625a7b Device Update Content Reader Gives you read access to content operations, but does not allow making changes count: 005
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
count: 001
•Microsoft.DeviceUpdate/accounts/instances/updates/read
cb43c632-a144-4ec5-977c-e80c4affc34a Cognitive Services Metrics Advisor Administrator Full access to the project, including the system level configuration. count: 001
•Microsoft.CognitiveServices/*/read
count: 001
•Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
3b20f47b-3825-43cb-8114-4bd2201156a8 Cognitive Services Metrics Advisor User Access to the project. count: 001
•Microsoft.CognitiveServices/*/read
count: 001
•Microsoft.CognitiveServices/accounts/MetricsAdvisor/*
count: 001
•Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/*
2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 Schema Registry Reader (Preview) Read and list Schema Registry groups and schemas. count: 001
•Microsoft.EventHub/namespaces/schemagroups/read
count: 001
•Microsoft.EventHub/namespaces/schemas/read
5dffeca3-4936-4216-b2bc-10343a5abb25 Schema Registry Contributor (Preview) Read, write, and delete Schema Registry groups and schemas. count: 001
•Microsoft.EventHub/namespaces/schemagroups/*
count: 001
•Microsoft.EventHub/namespaces/schemas/*
7ec7ccdc-f61e-41fe-9aaf-980df0a44eba AgFood Platform Service Reader Provides read access to AgFood Platform Service count: 006
•Microsoft.AgFoodPlatform/*/list/action
•Microsoft.AgFoodPlatform/*/read
•Microsoft.AgFoodPlatform/*/search/action
•Microsoft.AgFoodPlatform/*/download/action
•Microsoft.AgFoodPlatform/*/overlap/action
•Microsoft.AgFoodPlatform/*/checkConsent/action
8508508a-4469-4e45-963b-2518ee0bb728 AgFood Platform Service Contributor Provides contribute access to AgFood Platform Service count: 003
•Microsoft.AgFoodPlatform/*/action
•Microsoft.AgFoodPlatform/*/read
•Microsoft.AgFoodPlatform/*/write
count: 003
•Microsoft.AgFoodPlatform/farmBeats/farmers/write
•Microsoft.AgFoodPlatform/farmBeats/deletionJobs/*/write
•Microsoft.AgFoodPlatform/farmBeats/parties/write
f8da80de-1ff9-4747-ad80-a19b7f6079e3 AgFood Platform Service Admin Provides admin access to AgFood Platform Service count: 001
•Microsoft.AgFoodPlatform/*
18500a29-7fe2-46b2-a342-b16a415e101d Managed HSM contributor Lets you manage managed HSM pools, but not access to them. count: 005
•Microsoft.KeyVault/managedHSMs/*
•Microsoft.KeyVault/deletedManagedHsms/read
•Microsoft.KeyVault/locations/deletedManagedHsms/read
•Microsoft.KeyVault/locations/deletedManagedHsms/purge/action
•Microsoft.KeyVault/locations/managedHsmOperationResults/read
count: 002
[Preview]: Configure Azure Key Vault Managed HSM to disable public network access
[Preview]: Configure Azure Key Vault Managed HSM with private endpoints
0b555d9b-b4a7-4f43-b330-627f0e5be8f0 Security Detonation Chamber Submitter Allowed to create submissions to Security Detonation Chamber count: 008
•Microsoft.SecurityDetonation/chambers/submissions/delete
•Microsoft.SecurityDetonation/chambers/submissions/write
•Microsoft.SecurityDetonation/chambers/submissions/read
•Microsoft.SecurityDetonation/chambers/submissions/files/read
•Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read
•Microsoft.SecurityDetonation/chambers/platforms/metadata/read
•Microsoft.SecurityDetonation/chambers/workflows/metadata/read
•Microsoft.SecurityDetonation/chambers/toolsets/metadata/read
ddde6b66-c0df-4114-a159-3618637b3035 SignalR REST API Reader Read-only access to Azure SignalR Service REST APIs count: 003
•Microsoft.SignalRService/SignalR/group/read
•Microsoft.SignalRService/SignalR/clientConnection/read
•Microsoft.SignalRService/SignalR/user/read
7e4f1700-ea5a-4f59-8f37-079cfe29dce3 SignalR Service Owner Full access to Azure SignalR Service REST APIs count: 001
•Microsoft.SignalRService/SignalR/*
f7b75c60-3036-4b75-91c3-6b41c27c1689 Reservation Purchaser Lets you purchase reservations count: 011
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Capacity/catalogs/read
•Microsoft.Capacity/register/action
•Microsoft.Compute/register/action
•Microsoft.Consumption/register/action
•Microsoft.Consumption/reservationRecommendationDetails/read
•Microsoft.Consumption/reservationRecommendations/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.SQL/register/action
•Microsoft.Support/supporttickets/write
635dd51f-9968-44d3-b7fb-6d9a6bd613ae AzureML Metrics Writer (preview) Lets you write metrics to AzureML workspace count: 001
•Microsoft.MachineLearningServices/workspaces/metrics/*/write
e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 Storage Account Backup Contributor Lets you perform backup and restore operations using Azure Backup on the storage account. count: 018
•Microsoft.Authorization/*/read
•Microsoft.Authorization/locks/read
•Microsoft.Authorization/locks/write
•Microsoft.Authorization/locks/delete
•Microsoft.Features/features/read
•Microsoft.Features/providers/features/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/operations/read
•Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete
•Microsoft.Storage/storageAccounts/objectReplicationPolicies/read
•Microsoft.Storage/storageAccounts/objectReplicationPolicies/write
•Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/blobServices/containers/write
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Storage/storageAccounts/blobServices/write
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/restoreBlobRanges/action
6188b7c9-7d01-4f99-a59f-c88b630326c0 Experimentation Metric Contributor Allows for creation, writes and reads to the metric set via the metrics service APIs. count: 001
•Microsoft.Experimentation/experimentWorkspaces/read
count: 004
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read
•Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action
•Microsoft.Experimentation/experimentWorkspaces/metricwrite/action
•Microsoft.Experimentation/experimentWorkspaces/read
9ef4ef9c-a049-46b0-82ab-dd8ac094c889 Project Babylon Data Curator The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. count: 001
•Microsoft.ProjectBabylon/accounts/read
count: 002
•Microsoft.ProjectBabylon/accounts/data/read
•Microsoft.ProjectBabylon/accounts/data/write
c8d896ba-346d-4f50-bc1d-7d1c84130446 Project Babylon Data Reader The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change. count: 001
•Microsoft.ProjectBabylon/accounts/read
count: 001
•Microsoft.ProjectBabylon/accounts/data/read
05b7651b-dc44-475e-b74d-df3db49fae0f Project Babylon Data Source Administrator The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change. count: 001
•Microsoft.ProjectBabylon/accounts/read
count: 002
•Microsoft.ProjectBabylon/accounts/scan/read
•Microsoft.ProjectBabylon/accounts/scan/write
ca6382a4-1721-4bcf-a114-ff0c70227b6b Application Group Contributor Contributor of the Application Group. count: 009
•Microsoft.DesktopVirtualization/applicationgroups/*
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.DesktopVirtualization/workspaces/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
49a72310-ab8d-41df-bbb0-79b649203868 Desktop Virtualization Reader Reader of Desktop Virtualization. count: 006
•Microsoft.DesktopVirtualization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Support/*
082f0a83-3be5-4ba1-904c-961cca79b387 Desktop Virtualization Contributor Contributor of Desktop Virtualization. count: 006
•Microsoft.DesktopVirtualization/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
21efdde3-836f-432b-bf3d-3e8e734d4b2b Desktop Virtualization Workspace Contributor Contributor of the Desktop Virtualization Workspace. count: 007
•Microsoft.DesktopVirtualization/workspaces/*
•Microsoft.DesktopVirtualization/applicationgroups/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
count: 001
Configure Azure Virtual Desktop workspaces to disable public network access
ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 Desktop Virtualization User Session Operator Operator of the Desktop Virtualization User Session. count: 008
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
2ad6aaab-ead9-4eaa-8ac5-da422f562408 Desktop Virtualization Session Host Operator Operator of the Desktop Virtualization Session Host. count: 007
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
ceadfde2-b300-400a-ab7b-6143895aa822 Desktop Virtualization Host Pool Reader Reader of the Desktop Virtualization Host Pool. count: 007
•Microsoft.DesktopVirtualization/hostpools/*/read
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Support/*
e307426c-f9b6-4e81-87de-d99efb3c32bc Desktop Virtualization Host Pool Contributor Contributor of the Desktop Virtualization Host Pool. count: 006
•Microsoft.DesktopVirtualization/hostpools/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
count: 002
Configure Azure Virtual Desktop hostpools to disable public network access
Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts
aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 Desktop Virtualization Application Group Reader Reader of the Desktop Virtualization Application Group. count: 009
•Microsoft.DesktopVirtualization/applicationgroups/*/read
•Microsoft.DesktopVirtualization/applicationgroups/read
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Support/*
86240b0e-9422-4c43-887b-b61143f32ba8 Desktop Virtualization Application Group Contributor Contributor of the Desktop Virtualization Application Group. count: 008
•Microsoft.DesktopVirtualization/applicationgroups/*
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
0fa44ee9-7a7d-466b-9bb2-2bf446b1204d Desktop Virtualization Workspace Reader Reader of the Desktop Virtualization Workspace. count: 007
•Microsoft.DesktopVirtualization/workspaces/read
•Microsoft.DesktopVirtualization/applicationgroups/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/read
•Microsoft.Support/*
3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 Disk Backup Reader Provides permission to backup vault to perform disk backup. count: 003
•Microsoft.Authorization/*/read
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/beginGetAccess/action
b50d9833-a0cb-478e-945f-707fcc997c13 Disk Restore Operator Provides permission to backup vault to perform disk restore. count: 004
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Compute/disks/write
•Microsoft.Compute/disks/read
7efff54f-a5b4-42b5-a1c5-5411624893ce Disk Snapshot Contributor Provides permission to backup vault to manage disk snapshots. count: 012
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Compute/snapshots/delete
•Microsoft.Compute/snapshots/write
•Microsoft.Compute/snapshots/read
•Microsoft.Compute/snapshots/beginGetAccess/action
•Microsoft.Compute/snapshots/endGetAccess/action
•Microsoft.Compute/disks/beginGetAccess/action
•Microsoft.Storage/storageAccounts/listkeys/action
•Microsoft.Storage/storageAccounts/write
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/delete
5548b2cf-c94c-4228-90ba-30851930a12f Microsoft.Kubernetes connected cluster role Microsoft.Kubernetes connected cluster role. count: 004
•Microsoft.Kubernetes/connectedClusters/read
•Microsoft.Kubernetes/connectedClusters/write
•Microsoft.Kubernetes/connectedClusters/delete
•Microsoft.Kubernetes/registeredSubscriptions/read
a37b566d-3efa-4beb-a2f2-698963fa42ce Security Detonation Chamber Submission Manager Allowed to create and manage submissions to Security Detonation Chamber count: 011
•Microsoft.SecurityDetonation/chambers/submissions/delete
•Microsoft.SecurityDetonation/chambers/submissions/write
•Microsoft.SecurityDetonation/chambers/submissions/read
•Microsoft.SecurityDetonation/chambers/submissions/files/read
•Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read
•Microsoft.SecurityDetonation/chambers/submissions/adminview/read
•Microsoft.SecurityDetonation/chambers/submissions/analystview/read
•Microsoft.SecurityDetonation/chambers/submissions/publicview/read
•Microsoft.SecurityDetonation/chambers/platforms/metadata/read
•Microsoft.SecurityDetonation/chambers/workflows/metadata/read
•Microsoft.SecurityDetonation/chambers/toolsets/metadata/read
352470b3-6a9c-4686-b503-35deb827e500 Security Detonation Chamber Publisher Allowed to publish and modify platforms, workflows and toolsets to Security Detonation Chamber count: 014
•Microsoft.SecurityDetonation/chambers/platforms/read
•Microsoft.SecurityDetonation/chambers/platforms/write
•Microsoft.SecurityDetonation/chambers/platforms/delete
•Microsoft.SecurityDetonation/chambers/platforms/metadata/read
•Microsoft.SecurityDetonation/chambers/workflows/read
•Microsoft.SecurityDetonation/chambers/workflows/write
•Microsoft.SecurityDetonation/chambers/workflows/delete
•Microsoft.SecurityDetonation/chambers/workflows/metadata/read
•Microsoft.SecurityDetonation/chambers/toolsets/read
•Microsoft.SecurityDetonation/chambers/toolsets/write
•Microsoft.SecurityDetonation/chambers/toolsets/delete
•Microsoft.SecurityDetonation/chambers/toolsets/metadata/read
•Microsoft.SecurityDetonation/chambers/publishRequests/read
•Microsoft.SecurityDetonation/chambers/publishRequests/cancel/action
7a6f0e70-c033-4fb1-828c-08514e5f4102 Collaborative Runtime Operator Can manage resources created by AICS at runtime count: 008
•Microsoft.IndustryDataLifecycle/derivedModels/*
•Microsoft.IndustryDataLifecycle/pipelineSets/*
•Microsoft.IndustryDataLifecycle/modelMappings/*
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
5432c526-bc82-444a-b7ba-57c5b0b5b34f CosmosRestoreOperator Can perform restore action for Cosmos DB database account with continuous backup mode count: 003
•Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action
•Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read
•Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read
a1705bd2-3a8f-45a5-8683-466fcfd5cc24 FHIR Data Converter Role allows user or principal to convert data from legacy format to FHIR count: 002
•Microsoft.HealthcareApis/services/fhir/resources/convertData/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action
0e5f05e5-9ab9-446b-b98d-1e2157c94125 Quota Request Operator Read and create quota requests, get quota request status, and create support tickets. count: 014
•Microsoft.Capacity/resourceProviders/locations/serviceLimits/read
•Microsoft.Capacity/resourceProviders/locations/serviceLimits/write
•Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read
•Microsoft.Capacity/register/action
•Microsoft.Quota/usages/read
•Microsoft.Quota/quotas/read
•Microsoft.Quota/quotas/write
•Microsoft.Quota/quotaRequests/read
•Microsoft.Quota/register/action
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
1e241071-0855-49ea-94dc-649edcd759de EventGrid Contributor Lets you manage EventGrid operations. count: 006
•Microsoft.Authorization/*/read
•Microsoft.EventGrid/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
count: 007
Configure Azure Event Grid domains to disable local authentication
Configure Azure Event Grid partner namespaces to disable local authentication
Configure Azure Event Grid topics to disable local authentication
Deploy - Configure Azure Event Grid domains with private endpoints
Deploy - Configure Azure Event Grid topics with private endpoints
Modify - Configure Azure Event Grid domains to disable public network access
Modify - Configure Azure Event Grid topics to disable public network access
28241645-39f8-410b-ad48-87863e2951d5 Security Detonation Chamber Reader Allowed to query submission info and files from Security Detonation Chamber count: 002
•Microsoft.SecurityDetonation/chambers/submissions/read
•Microsoft.SecurityDetonation/chambers/submissions/files/read
4a167cdf-cb95-4554-9203-2347fe489bd9 Object Anchors Account Reader Lets you read ingestion jobs for an object anchors account. count: 001
•Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read
ca0835dd-bacc-42dd-8ed2-ed5e7230d15b Object Anchors Account Owner Provides user with ingestion capabilities for an object anchors account. count: 002
•Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/action
•Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read
d17ce0a2-0697-43bc-aac5-9113337ab61c WorkloadBuilder Migration Agent Role WorkloadBuilder Migration Agent Role. count: 002
•Microsoft.WorkloadBuilder/migrationAgents/Read
•Microsoft.WorkloadBuilder/migrationAgents/Write
b5537268-8956-4941-a8f0-646150406f0c Azure Spring Cloud Data Reader Allow read access to Azure Spring Cloud Data count: 001
•Microsoft.AppPlatform/Spring/*/read
0e75ca1e-0464-4b4d-8b93-68208a576181 Cognitive Services Speech Contributor Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. count: 003
•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 004
•Microsoft.CognitiveServices/accounts/SpeechServices/*
•Microsoft.CognitiveServices/accounts/CustomVoice/*
•Microsoft.CognitiveServices/accounts/AudioContentCreation/*
•Microsoft.CognitiveServices/accounts/VideoTranslation/*
9894cab4-e18a-44aa-828b-cb588cd6f2d7 Cognitive Services Face Recognizer Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. count: 008
•Microsoft.CognitiveServices/accounts/Face/detect/action
•Microsoft.CognitiveServices/accounts/Face/verify/action
•Microsoft.CognitiveServices/accounts/Face/identify/action
•Microsoft.CognitiveServices/accounts/Face/group/action
•Microsoft.CognitiveServices/accounts/Face/findsimilars/action
•Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action
•Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action
•Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action
054126f8-9a2b-4f1c-a9ad-eca461f08466 Media Services Account Administrator Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. count: 014
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Media/mediaservices/*/read
•Microsoft.Media/mediaservices/assets/listStreamingLocators/action
•Microsoft.Media/mediaservices/streamingLocators/listPaths/action
•Microsoft.Media/mediaservices/write
•Microsoft.Media/mediaservices/delete
•Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action
•Microsoft.Media/mediaservices/privateEndpointConnections/*
count: 001
Configure Azure Media Services with private endpoints
532bc159-b25e-42c0-969e-a1d439f60d77 Media Services Live Events Administrator Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. count: 012
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Media/mediaservices/*/read
•Microsoft.Media/mediaservices/assets/*
•Microsoft.Media/mediaservices/assets/assetfilters/*
•Microsoft.Media/mediaservices/streamingLocators/*
•Microsoft.Media/mediaservices/liveEvents/*
count: 002
•Microsoft.Media/mediaservices/assets/getEncryptionKey/action
•Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action
e4395492-1534-4db2-bedf-88c14621589c Media Services Media Operator Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. count: 012
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Media/mediaservices/*/read
•Microsoft.Media/mediaservices/assets/*
•Microsoft.Media/mediaservices/assets/assetfilters/*
•Microsoft.Media/mediaservices/streamingLocators/*
•Microsoft.Media/mediaservices/transforms/jobs/*
count: 002
•Microsoft.Media/mediaservices/assets/getEncryptionKey/action
•Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action
c4bba371-dacd-4a26-b320-7250bca963ae Media Services Policy Administrator Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. count: 014
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Media/mediaservices/*/read
•Microsoft.Media/mediaservices/assets/listStreamingLocators/action
•Microsoft.Media/mediaservices/streamingLocators/listPaths/action
•Microsoft.Media/mediaservices/accountFilters/*
•Microsoft.Media/mediaservices/streamingPolicies/*
•Microsoft.Media/mediaservices/contentKeyPolicies/*
•Microsoft.Media/mediaservices/transforms/*
count: 001
•Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action
99dba123-b5fe-44d5-874c-ced7199a5804 Media Services Streaming Endpoints Administrator Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. count: 011
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Media/mediaservices/*/read
•Microsoft.Media/mediaservices/assets/listStreamingLocators/action
•Microsoft.Media/mediaservices/streamingLocators/listPaths/action
•Microsoft.Media/mediaservices/streamingEndpoints/*
1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf Stream Analytics Query Tester Lets you perform query testing without creating a stream analytics job first count: 004
•Microsoft.StreamAnalytics/locations/TestQuery/action
•Microsoft.StreamAnalytics/locations/OperationResults/read
•Microsoft.StreamAnalytics/locations/SampleInput/action
•Microsoft.StreamAnalytics/locations/CompileQuery/action
a2138dac-4907-4679-a376-736901ed8ad8 AnyBuild Builder Basic user role for AnyBuild. This role allows listing of agent information and execution of remote build capabilities. count: 002
•Microsoft.AnyBuild/clusters/build/write
•Microsoft.AnyBuild/clusters/build/read
b447c946-2db7-41ec-983d-d8bf3b1c77e3 IoT Hub Data Reader Allows for full read access to IoT Hub data-plane properties count: 002
•Microsoft.Devices/IotHubs/*/read
•Microsoft.Devices/IotHubs/fileUpload/notifications/action
494bdba2-168f-4f31-a0a1-191d2f7c028c IoT Hub Twin Contributor Allows for read and write access to all IoT Hub device and module twins. count: 001
•Microsoft.Devices/IotHubs/twins/*
4ea46cd5-c1b2-4a8e-910b-273211f9ce47 IoT Hub Registry Contributor Allows for full access to IoT Hub device registry. count: 001
•Microsoft.Devices/IotHubs/devices/*
4fc6c259-987e-4a07-842e-c321cc9d413f IoT Hub Data Contributor Allows for full access to IoT Hub data plane operations. count: 001
•Microsoft.Devices/IotHubs/*
15e0f5a1-3450-4248-8e25-e2afe88a9e85 Test Base Reader Lets you view and download packages and test results. count: 006
•Microsoft.TestBase/testBaseAccounts/packages/testResults/getDownloadUrl/action
•Microsoft.TestBase/testBaseAccounts/packages/testResults/getVideoDownloadUrl/action
•Microsoft.TestBase/testBaseAccounts/packages/getDownloadUrl/action
•Microsoft.TestBase/*/read
•Microsoft.TestBase/testBaseAccounts/customerEvents/write
•Microsoft.TestBase/testBaseAccounts/customerEvents/delete
1407120a-92aa-4202-b7e9-c0e197c71c8f Search Index Data Reader Grants read access to Azure Cognitive Search index data. count: 001
•Microsoft.Search/searchServices/indexes/documents/read
8ebe5a00-799e-43f5-93ac-243d3dce84a7 Search Index Data Contributor Grants full access to Azure Cognitive Search index data. count: 001
•Microsoft.Search/searchServices/indexes/documents/*
76199698-9eea-4c19-bc75-cec21354c6b6 Storage Table Data Reader Allows for read access to Azure Storage tables and entities count: 001
•Microsoft.Storage/storageAccounts/tableServices/tables/read
count: 001
•Microsoft.Storage/storageAccounts/tableServices/tables/entities/read
0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 Storage Table Data Contributor Allows for read, write and delete access to Azure Storage tables and entities count: 003
•Microsoft.Storage/storageAccounts/tableServices/tables/read
•Microsoft.Storage/storageAccounts/tableServices/tables/write
•Microsoft.Storage/storageAccounts/tableServices/tables/delete
count: 005
•Microsoft.Storage/storageAccounts/tableServices/tables/entities/read
•Microsoft.Storage/storageAccounts/tableServices/tables/entities/write
•Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete
•Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action
•Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action
e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a DICOM Data Reader Read and search DICOM data. count: 001
•Microsoft.HealthcareApis/workspaces/dicomservices/resources/read
58a3b984-7adf-4c20-983a-32417c86fbc8 DICOM Data Owner Full access to DICOM data. count: 001
•Microsoft.HealthcareApis/workspaces/dicomservices/resources/*
d5a91429-5739-47e2-a06b-3470a27159e7 EventGrid Data Sender Allows send access to event grid events. count: 005
•Microsoft.Authorization/*/read
•Microsoft.EventGrid/topics/read
•Microsoft.EventGrid/domains/read
•Microsoft.EventGrid/partnerNamespaces/read
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 001
•Microsoft.EventGrid/events/send/action
60fc6e62-5479-42d4-8bf4-67625fcc2840 Disk Pool Operator Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool. count: 006
•Microsoft.Compute/disks/write
•Microsoft.Compute/disks/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
f6c7c914-8db3-469d-8ca1-694a8f32e121 AzureML Data Scientist Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. count: 004
•Microsoft.MachineLearningServices/workspaces/*/read
•Microsoft.MachineLearningServices/workspaces/*/action
•Microsoft.MachineLearningServices/workspaces/*/delete
•Microsoft.MachineLearningServices/workspaces/*/write
count: 010
•Microsoft.MachineLearningServices/workspaces/delete
•Microsoft.MachineLearningServices/workspaces/write
•Microsoft.MachineLearningServices/workspaces/computes/*/write
•Microsoft.MachineLearningServices/workspaces/computes/*/delete
•Microsoft.MachineLearningServices/workspaces/computes/listKeys/action
•Microsoft.MachineLearningServices/workspaces/listKeys/action
•Microsoft.MachineLearningServices/workspaces/hubs/write
•Microsoft.MachineLearningServices/workspaces/hubs/delete
•Microsoft.MachineLearningServices/workspaces/featurestores/write
•Microsoft.MachineLearningServices/workspaces/featurestores/delete
22926164-76b3-42b3-bc55-97df8dab3e41 Grafana Admin Built-in Grafana admin role count: 001
•Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action
e8113dce-c529-4d33-91fa-e9b972617508 Azure Connected SQL Server Onboarding Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS. count: 002
•Microsoft.AzureArcData/sqlServerInstances/read
•Microsoft.AzureArcData/sqlServerInstances/write
26baccc8-eea7-41f1-98f4-1762cc7f685d Azure Relay Sender Allows for send access to Azure Relay resources. count: 002
•Microsoft.Relay/*/wcfRelays/read
•Microsoft.Relay/*/hybridConnections/read
count: 001
•Microsoft.Relay/*/send/action
2787bf04-f1f5-4bfe-8383-c8a24483ee38 Azure Relay Owner Allows for full access to Azure Relay resources. count: 001
•Microsoft.Relay/*
count: 001
•Microsoft.Relay/*
26e0b698-aa6d-4085-9386-aadae190014d Azure Relay Listener Allows for listen access to Azure Relay resources. count: 002
•Microsoft.Relay/*/wcfRelays/read
•Microsoft.Relay/*/hybridConnections/read
count: 001
•Microsoft.Relay/*/listen/action
60921a7e-fef1-4a43-9b16-a26c52ad4769 Grafana Viewer Built-in Grafana Viewer role count: 001
•Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action
a79a5197-3a5c-4973-a920-486035ffd60f Grafana Editor Built-in Grafana Editor role count: 001
•Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action
f353d9bd-d4a6-484e-a77a-8050b599b867 Automation Contributor Manage Azure Automation resources and other resources using Azure Automation. count: 011
•Microsoft.Automation/automationAccounts/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/ActionGroups/*
•Microsoft.Insights/ActivityLogAlerts/*
•Microsoft.Insights/MetricAlerts/*
•Microsoft.Insights/ScheduledQueryRules/*
•Microsoft.Insights/diagnosticSettings/*
•Microsoft.OperationalInsights/workspaces/sharedKeys/action
85cb6faf-e071-4c9b-8136-154b5a04f717 Kubernetes Extension Contributor Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations count: 008
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.KubernetesConfiguration/extensions/write
•Microsoft.KubernetesConfiguration/extensions/read
•Microsoft.KubernetesConfiguration/extensions/delete
•Microsoft.KubernetesConfiguration/extensions/operations/read
count: 001
Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension
10745317-c249-44a1-a5ce-3a4353c0bbd8 Device Provisioning Service Data Reader Allows for full read access to Device Provisioning Service data-plane properties. count: 001
•Microsoft.Devices/provisioningServices/*/read
dfce44e4-17b7-4bd1-a6d1-04996ec95633 Device Provisioning Service Data Contributor Allows for full access to Device Provisioning Service data-plane operations. count: 001
•Microsoft.Devices/provisioningServices/*
2837e146-70d7-4cfd-ad55-7efa6464f958 Code Signing Certificate Profile Signer Sign files with a certificate profile. This role is in preview and subject to change. count: 004
•Microsoft.CodeSigning/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 001
•Microsoft.CodeSigning/certificateProfiles/Sign/action
cff1b556-2399-4e7e-856d-a8f754be7b65 Azure Spring Cloud Service Registry Reader Allow read access to Azure Spring Cloud Service Registry count: 001
•Microsoft.AppPlatform/Spring/eurekaService/read
f5880b48-c26d-48be-b172-7927bfa1c8f1 Azure Spring Cloud Service Registry Contributor Allow read, write and delete access to Azure Spring Cloud Service Registry count: 003
•Microsoft.AppPlatform/Spring/eurekaService/read
•Microsoft.AppPlatform/Spring/eurekaService/write
•Microsoft.AppPlatform/Spring/eurekaService/delete
d04c6db6-4947-4782-9e91-30a88feb7be7 Azure Spring Cloud Config Server Reader Allow read access to Azure Spring Cloud Config Server count: 001
•Microsoft.AppPlatform/Spring/configService/read
a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b Azure Spring Cloud Config Server Contributor Allow read, write and delete access to Azure Spring Cloud Config Server count: 003
•Microsoft.AppPlatform/Spring/configService/read
•Microsoft.AppPlatform/Spring/configService/write
•Microsoft.AppPlatform/Spring/configService/delete
6ae96244-5829-4925-a7d3-5975537d91dd Azure VM Managed identities restore Contributor Azure VM Managed identities restore Contributors are allowed to perform Azure VM Restores with managed identities, both user and system. count: 001
•Microsoft.Authorization/*/read
6be48352-4f82-47c9-ad5e-0acacefdb005 Azure Maps Search and Render Data Reader Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. count: 002
•Microsoft.Maps/accounts/services/render/read
•Microsoft.Maps/accounts/services/search/read
dba33070-676a-4fb0-87fa-064dc56ff7fb Azure Maps Contributor Grants access to all Azure Maps resource management. count: 004
•Microsoft.Maps/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
b748a06d-6150-4f8a-aaa9-ce3940cd96cb Azure Arc VMware VM Contributor Arc VMware VM Contributor has permissions to perform all VM actions. count: 056
•Microsoft.ConnectedVMwarevSphere/virtualmachines/*
•Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/*
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/machines/assessPatches/action
•Microsoft.HybridCompute/machines/installPatches/action
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/operations/read
•Microsoft.HybridCompute/locations/operationresults/read
•Microsoft.HybridCompute/locations/operationstatus/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read
•Microsoft.HybridCompute/machines/patchInstallationResults/read
•Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read
•Microsoft.HybridCompute/locations/updateCenterOperationResults/read
•Microsoft.HybridCompute/machines/hybridIdentityMetadata/read
•Microsoft.HybridCompute/osType/agentVersions/read
•Microsoft.HybridCompute/osType/agentVersions/latest/read
•Microsoft.HybridCompute/machines/runcommands/read
•Microsoft.HybridCompute/machines/runcommands/write
•Microsoft.HybridCompute/machines/runcommands/delete
•Microsoft.HybridCompute/machines/licenseProfiles/read
•Microsoft.HybridCompute/machines/licenseProfiles/write
•Microsoft.HybridCompute/machines/licenseProfiles/delete
•Microsoft.HybridCompute/licenses/read
•Microsoft.HybridCompute/licenses/write
•Microsoft.HybridCompute/licenses/delete
ce551c02-7c42-47e0-9deb-e3b6fc3a9a83 Azure Arc VMware Private Cloud User Azure Arc VMware Private Cloud User has permissions to use the VMware cloud resources to deploy VMs. count: 039
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ConnectedVMwarevSphere/virtualnetworks/join/action
•Microsoft.ConnectedVMwarevSphere/virtualnetworks/Read
•Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/clone/action
•Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/Read
•Microsoft.ConnectedVMwarevSphere/resourcepools/deploy/action
•Microsoft.ConnectedVMwarevSphere/resourcepools/Read
•Microsoft.ConnectedVMwarevSphere/hosts/deploy/action
•Microsoft.ConnectedVMwarevSphere/hosts/Read
•Microsoft.ConnectedVMwarevSphere/clusters/deploy/action
•Microsoft.ConnectedVMwarevSphere/clusters/Read
•Microsoft.ConnectedVMwarevSphere/datastores/allocateSpace/action
•Microsoft.ConnectedVMwarevSphere/datastores/Read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
ddc140ed-e463-4246-9145-7c664192013f Azure Arc VMware Administrator role Arc VMware VM Contributor has permissions to perform all connected VMwarevSphere actions. count: 055
•Microsoft.ConnectedVMwarevSphere/*
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/machines/assessPatches/action
•Microsoft.HybridCompute/machines/installPatches/action
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/operations/read
•Microsoft.HybridCompute/locations/operationresults/read
•Microsoft.HybridCompute/locations/operationstatus/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/read
•Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read
•Microsoft.HybridCompute/machines/patchInstallationResults/read
•Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read
•Microsoft.HybridCompute/locations/updateCenterOperationResults/read
•Microsoft.HybridCompute/machines/hybridIdentityMetadata/read
•Microsoft.HybridCompute/osType/agentVersions/read
•Microsoft.HybridCompute/osType/agentVersions/latest/read
•Microsoft.HybridCompute/machines/runcommands/read
•Microsoft.HybridCompute/machines/runcommands/write
•Microsoft.HybridCompute/machines/runcommands/delete
•Microsoft.HybridCompute/machines/licenseProfiles/read
•Microsoft.HybridCompute/machines/licenseProfiles/write
•Microsoft.HybridCompute/machines/licenseProfiles/delete
•Microsoft.HybridCompute/licenses/read
•Microsoft.HybridCompute/licenses/write
•Microsoft.HybridCompute/licenses/delete
f72c8140-2111-481c-87ff-72b910f6e3f8 Cognitive Services LUIS Owner Has access to all Read, Test, Write, Deploy and Delete functions under LUIS count: 004
•Microsoft.CognitiveServices/*/read
•Microsoft.CognitiveServices/accounts/listkeys/action
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 001
•Microsoft.CognitiveServices/accounts/LUIS/*
7628b7b8-a8b2-4cdc-b46f-e9b35248918e Cognitive Services Language Reader Has access to Read and Test functions under Language portal count: 003
•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 016
•Microsoft.CognitiveServices/accounts/LanguageAuthoring/*/read
•Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*/read
•Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/action
•Microsoft.CognitiveServices/accounts/Language/*/read
•Microsoft.CognitiveServices/accounts/Language/*/projects/export/action
•Microsoft.CognitiveServices/accounts/Language/query-text/action
•Microsoft.CognitiveServices/accounts/Language/query-dataverse/action
•Microsoft.CognitiveServices/accounts/Language/analyze-text/jobs/action
•Microsoft.CognitiveServices/accounts/Language/analyze-text/action
•Microsoft.CognitiveServices/accounts/Language/analyze-text/jobscancel/action
•Microsoft.CognitiveServices/accounts/Language/analyze-conversations/action
•Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobscancel/action
•Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobs/action
•Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/action
•Microsoft.CognitiveServices/accounts/Language/generate/action
•Microsoft.CognitiveServices/accounts/TextAnalytics/*
count: 001
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*
f2310ca1-dc64-4889-bb49-c8e0fa3d47a8 Cognitive Services Language Writer Has access to all Read, Test, and Write functions under Language Portal count: 003
•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 004
•Microsoft.CognitiveServices/accounts/LanguageAuthoring/*
•Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*
•Microsoft.CognitiveServices/accounts/Language/*
•Microsoft.CognitiveServices/accounts/TextAnalytics/*
count: 007
•Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/action
•Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/write
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*
•Microsoft.CognitiveServices/accounts/Language/*/projects/delete
•Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/write
•Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/delete
•Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/swap/action
f07febfe-79bc-46b1-8b37-790e26e6e498 Cognitive Services Language Owner Has access to all Read, Test, Write, Deploy and Delete functions under Language portal count: 004
•Microsoft.CognitiveServices/*/read
•Microsoft.CognitiveServices/accounts/listkeys/action
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 004
•Microsoft.CognitiveServices/accounts/LanguageAuthoring/*
•Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*
•Microsoft.CognitiveServices/accounts/Language/*
•Microsoft.CognitiveServices/accounts/TextAnalytics/*
count: 001
•Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*
18e81cdc-4e98-4e29-a639-e7d10c5a6226 Cognitive Services LUIS Reader Has access to Read and Test functions under LUIS. count: 003
•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 002
•Microsoft.CognitiveServices/accounts/LUIS/*/read
•Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write
6322a993-d5c9-4bed-b113-e49bbea25b27 Cognitive Services LUIS Writer Has access to all Read, Test, and Write functions under LUIS count: 003
•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 001
•Microsoft.CognitiveServices/accounts/LUIS/*
count: 006
•Microsoft.CognitiveServices/accounts/LUIS/apps/delete
•Microsoft.CognitiveServices/accounts/LUIS/apps/move/action
•Microsoft.CognitiveServices/accounts/LUIS/apps/publish/action
•Microsoft.CognitiveServices/accounts/LUIS/apps/settings/write
•Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/action
•Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete
a9a19cc5-31f4-447c-901f-56c0bb18fcaf PlayFab Reader Provides read access to PlayFab resources count: 003
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Authorization/*/read
•Microsoft.PlayFab/*/read
749a398d-560b-491b-bb21-08924219302e Load Test Contributor View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. count: 005
•Microsoft.LoadTestService/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/alertRules/*
count: 001
•Microsoft.LoadTestService/loadtests/*
45bb0b16-2f0c-4e78-afaa-a07599b003f6 Load Test Owner Execute all operations on load test resources and load tests count: 005
•Microsoft.LoadTestService/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/alertRules/*
count: 001
•Microsoft.LoadTestService/*
0c8b84dc-067c-4039-9615-fa1a4b77c726 PlayFab Contributor Provides contributor access to PlayFab resources count: 006
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.PlayFab/*/read
•Microsoft.PlayFab/*/write
•Microsoft.PlayFab/*/delete
3ae3fb29-0000-4ccd-bf80-542e7b26e081 Load Test Reader View and list all load tests and load test resources but can not make any changes count: 005
•Microsoft.LoadTestService/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/alertRules/*
count: 001
•Microsoft.LoadTestService/loadtests/readTest/action
b2de6794-95db-4659-8781-7e080d3f2b9d Cognitive Services Immersive Reader User Provides access to create Immersive Reader sessions and call APIs count: 001
•Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforreader/action
f69b8690-cc87-41d6-b77a-a4bc3c0a966f Lab Services Contributor The lab services contributor role count: 005
•Microsoft.LabServices/*
•Microsoft.Insights/alertRules/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 001
•Microsoft.LabServices/labPlans/createLab/action
2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc Lab Services Reader The lab services reader role count: 004
•Microsoft.LabServices/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
ce40b423-cede-4313-a93f-9b28290b72e1 Lab Assistant The lab assistant role count: 017
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.LabServices/labPlans/images/read
•Microsoft.LabServices/labPlans/read
•Microsoft.LabServices/labs/read
•Microsoft.LabServices/labs/schedules/read
•Microsoft.LabServices/labs/users/read
•Microsoft.LabServices/labs/users/invite/action
•Microsoft.LabServices/labs/virtualMachines/read
•Microsoft.LabServices/labs/virtualMachines/start/action
•Microsoft.LabServices/labs/virtualMachines/stop/action
•Microsoft.LabServices/labs/virtualMachines/reimage/action
•Microsoft.LabServices/labs/virtualMachines/redeploy/action
•Microsoft.LabServices/locations/usages/read
•Microsoft.LabServices/skus/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
a36e6959-b6be-4b12-8e9f-ef4b474d304d Lab Operator The lab operator role count: 024
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.LabServices/labPlans/images/read
•Microsoft.LabServices/labPlans/read
•Microsoft.LabServices/labPlans/saveImage/action
•Microsoft.LabServices/labs/publish/action
•Microsoft.LabServices/labs/read
•Microsoft.LabServices/labs/schedules/read
•Microsoft.LabServices/labs/schedules/write
•Microsoft.LabServices/labs/schedules/delete
•Microsoft.LabServices/labs/users/read
•Microsoft.LabServices/labs/users/write
•Microsoft.LabServices/labs/users/delete
•Microsoft.LabServices/labs/users/invite/action
•Microsoft.LabServices/labs/virtualMachines/read
•Microsoft.LabServices/labs/virtualMachines/start/action
•Microsoft.LabServices/labs/virtualMachines/stop/action
•Microsoft.LabServices/labs/virtualMachines/reimage/action
•Microsoft.LabServices/labs/virtualMachines/redeploy/action
•Microsoft.LabServices/labs/virtualMachines/resetPassword/action
•Microsoft.LabServices/locations/usages/read
•Microsoft.LabServices/skus/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
5daaa2af-1fe8-407c-9122-bba179798270 Lab Contributor The lab contributor role count: 027
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.LabServices/labPlans/images/read
•Microsoft.LabServices/labPlans/read
•Microsoft.LabServices/labPlans/saveImage/action
•Microsoft.LabServices/labs/read
•Microsoft.LabServices/labs/write
•Microsoft.LabServices/labs/delete
•Microsoft.LabServices/labs/publish/action
•Microsoft.LabServices/labs/syncGroup/action
•Microsoft.LabServices/labs/schedules/read
•Microsoft.LabServices/labs/schedules/write
•Microsoft.LabServices/labs/schedules/delete
•Microsoft.LabServices/labs/users/read
•Microsoft.LabServices/labs/users/write
•Microsoft.LabServices/labs/users/delete
•Microsoft.LabServices/labs/users/invite/action
•Microsoft.LabServices/labs/virtualMachines/read
•Microsoft.LabServices/labs/virtualMachines/start/action
•Microsoft.LabServices/labs/virtualMachines/stop/action
•Microsoft.LabServices/labs/virtualMachines/reimage/action
•Microsoft.LabServices/labs/virtualMachines/redeploy/action
•Microsoft.LabServices/labs/virtualMachines/resetPassword/action
•Microsoft.LabServices/locations/usages/read
•Microsoft.LabServices/skus/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 001
•Microsoft.LabServices/labPlans/createLab/action
fb1c8493-542b-48eb-b624-b4c8fea62acd Security Admin Security Admin Role count: 014
•Microsoft.Authorization/*/read
•Microsoft.Authorization/policyAssignments/*
•Microsoft.Authorization/policyDefinitions/*
•Microsoft.Authorization/policyExemptions/*
•Microsoft.Authorization/policySetDefinitions/*
•Microsoft.Insights/alertRules/*
•Microsoft.Management/managementGroups/read
•Microsoft.operationalInsights/workspaces/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Security/*
•Microsoft.IoTSecurity/*
•Microsoft.IoTFirmwareDefense/*
•Microsoft.Support/*
count: 021
[Deprecated]: Configure Azure Defender for container registries to be enabled
[Deprecated]: Configure Azure Defender for Kubernetes to be enabled
[Preview]: Configure Microsoft Defender for APIs should be enabled
Configure Azure Defender for App Service to be enabled
Configure Azure Defender for Azure SQL database to be enabled
Configure Azure Defender for DNS to be enabled
Configure Azure Defender for Key Vaults to be enabled
Configure Azure Defender for open-source relational databases to be enabled
Configure Azure Defender for Resource Manager to be enabled
Configure Azure Defender for servers to be enabled
Configure Azure Defender for SQL servers on machines to be enabled
Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only)
Configure machines to receive a vulnerability assessment provider
Configure Microsoft Defender for Azure Cosmos DB to be enabled
Configure Microsoft Defender for Containers to be enabled
Configure Microsoft Defender for Storage (Classic) to be enabled
Deploy - Configure suppression rules for Azure Security Center alerts
Deploy Advanced Threat Protection for Cosmos DB Accounts
Deploy Defender for Storage (Classic) on storage accounts
Enable Microsoft Defender for Cloud on your subscription
Setup subscriptions to transition to an alternative vulnerability assessment solution
12cf5a90-567b-43ae-8102-96cf46c7d9b4 Web PubSub Service Owner Full access to Azure Web PubSub Service REST APIs count: 001
•Microsoft.SignalRService/WebPubSub/*
bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf Web PubSub Service Reader Read-only access to Azure Web PubSub Service REST APIs count: 001
•Microsoft.SignalRService/WebPubSub/*/read
420fcaa2-552c-430f-98ca-3264be4806c7 SignalR App Server Lets your app server access SignalR Service with AAD auth options. count: 003
•Microsoft.SignalRService/SignalR/auth/accessKey/action
•Microsoft.SignalRService/SignalR/serverConnection/write
•Microsoft.SignalRService/SignalR/clientConnection/write
fb879df8-f326-4884-b1cf-06f3ad86be52 Virtual Machine User Login View Virtual Machines in the portal and login as a regular user. count: 007
•Microsoft.Network/publicIPAddresses/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Compute/virtualMachines/*/read
•Microsoft.HybridCompute/machines/*/read
•Microsoft.HybridConnectivity/endpoints/listCredentials/action
count: 002
•Microsoft.Compute/virtualMachines/login/action
•Microsoft.HybridCompute/machines/login/action
1c0163c0-47e6-4577-8991-ea5c82e286e4 Virtual Machine Administrator Login View Virtual Machines in the portal and login as administrator count: 007
•Microsoft.Network/publicIPAddresses/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Compute/virtualMachines/*/read
•Microsoft.HybridCompute/machines/*/read
•Microsoft.HybridConnectivity/endpoints/listCredentials/action
count: 004
•Microsoft.Compute/virtualMachines/login/action
•Microsoft.Compute/virtualMachines/loginAsAdmin/action
•Microsoft.HybridCompute/machines/login/action
•Microsoft.HybridCompute/machines/loginAsAdmin/action
cd570a14-e51a-42ad-bac8-bafd67325302 Azure Connected Machine Resource Administrator Can read, write, delete and re-onboard Azure Connected Machines. count: 010
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/privateLinkScopes/*
•Microsoft.HybridCompute/*/read
•Microsoft.Resources/deployments/*
count: 011
[Preview]: Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent
[Preview]: Configure ChangeTracking Extension for Linux Arc machines
[Preview]: Configure ChangeTracking Extension for Windows Arc machines
[Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory
[Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory
Configure Azure Arc Private Link Scopes to disable public network access
Configure Azure Arc Private Link Scopes with private endpoints
Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope
Configure Linux Arc-enabled machines to run Azure Monitor Agent
Configure periodic checking for missing system updates on azure Arc-enabled servers
Configure Windows Arc-enabled machines to run Azure Monitor Agent
00c29273-979b-4161-815c-10b084fb9324 Backup Operator Lets you manage backup services, except removal of backup, vault creation and giving access to others count: 092
•Microsoft.Authorization/*/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action
•Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action
•Microsoft.RecoveryServices/Vaults/backupJobs/*
•Microsoft.RecoveryServices/Vaults/backupJobsExport/action
•Microsoft.RecoveryServices/Vaults/backupOperationResults/*
•Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/read
•Microsoft.RecoveryServices/Vaults/backupProtectableItems/*
•Microsoft.RecoveryServices/Vaults/backupProtectedItems/read
•Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read
•Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read
•Microsoft.RecoveryServices/Vaults/certificates/write
•Microsoft.RecoveryServices/Vaults/extendedInformation/read
•Microsoft.RecoveryServices/Vaults/extendedInformation/write
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/read
•Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*
•Microsoft.RecoveryServices/Vaults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/read
•Microsoft.RecoveryServices/Vaults/registeredIdentities/write
•Microsoft.RecoveryServices/Vaults/usages/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.RecoveryServices/Vaults/backupstorageconfig/*
•Microsoft.RecoveryServices/Vaults/backupValidateOperation/action
•Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action
•Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read
•Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read
•Microsoft.RecoveryServices/Vaults/backupOperations/read
•Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action
•Microsoft.RecoveryServices/Vaults/backupEngines/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write
•Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read
•Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read
•Microsoft.RecoveryServices/locations/backupStatus/action
•Microsoft.RecoveryServices/locations/backupPreValidateProtection/action
•Microsoft.RecoveryServices/locations/backupValidateFeatures/action
•Microsoft.RecoveryServices/locations/backupAadProperties/read
•Microsoft.RecoveryServices/locations/backupCrrJobs/action
•Microsoft.RecoveryServices/locations/backupCrrJob/action
•Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action
•Microsoft.RecoveryServices/locations/backupCrrOperationResults/read
•Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read
•Microsoft.RecoveryServices/Vaults/monitoringAlerts/write
•Microsoft.RecoveryServices/operations/read
•Microsoft.RecoveryServices/locations/operationStatus/read
•Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read
•Microsoft.Support/*
•Microsoft.DataProtection/backupVaults/backupInstances/read
•Microsoft.DataProtection/backupVaults/backupInstances/read
•Microsoft.DataProtection/backupVaults/deletedBackupInstances/read
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupPolicies/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read
•Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/operationResults/read
•Microsoft.DataProtection/backupVaults/operationStatus/read
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/backupVaults/read
•Microsoft.DataProtection/locations/operationStatus/read
•Microsoft.DataProtection/locations/operationResults/read
•Microsoft.DataProtection/operations/read
•Microsoft.DataProtection/backupVaults/validateForBackup/action
•Microsoft.DataProtection/backupVaults/backupInstances/backup/action
•Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action
•Microsoft.DataProtection/backupVaults/backupInstances/restore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action
•Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action
•Microsoft.DataProtection/locations/checkFeatureSupport/action
e8ddcd69-c73f-4f9f-9844-4100522f16ad Workbook Contributor Can save shared workbooks. count: 007
•Microsoft.Insights/workbooks/write
•Microsoft.Insights/workbooks/delete
•Microsoft.Insights/workbooks/read
•Microsoft.Insights/workbooks/revisions/read
•Microsoft.Insights/workbooktemplates/write
•Microsoft.Insights/workbooktemplates/delete
•Microsoft.Insights/workbooktemplates/read
b279062a-9be3-42a0-92ae-8b3cf002ec4d Workbook Reader Can read workbooks. count: 003
•microsoft.insights/workbooks/read
•microsoft.insights/workbooks/revisions/read
•microsoft.insights/workbooktemplates/read
749f88d5-cbae-40b8-bcfc-e573ddc772fa Monitoring Contributor Can read all monitoring data and update monitoring settings. count: 037
•*/read
•Microsoft.AlertsManagement/alerts/*
•Microsoft.AlertsManagement/alertsSummary/*
•Microsoft.Insights/actiongroups/*
•Microsoft.Insights/activityLogAlerts/*
•Microsoft.Insights/AlertRules/*
•Microsoft.Insights/components/*
•Microsoft.Insights/createNotifications/*
•Microsoft.Insights/dataCollectionEndpoints/*
•Microsoft.Insights/dataCollectionRules/*
•Microsoft.Insights/dataCollectionRuleAssociations/*
•Microsoft.Insights/DiagnosticSettings/*
•Microsoft.Insights/eventtypes/*
•Microsoft.Insights/LogDefinitions/*
•Microsoft.Insights/metricalerts/*
•Microsoft.Insights/MetricDefinitions/*
•Microsoft.Insights/Metrics/*
•Microsoft.Insights/notificationStatus/*
•Microsoft.Insights/Register/Action
•Microsoft.Insights/scheduledqueryrules/*
•Microsoft.Insights/webtests/*
•Microsoft.Insights/workbooks/*
•Microsoft.Insights/workbooktemplates/*
•Microsoft.Insights/privateLinkScopes/*
•Microsoft.Insights/privateLinkScopeOperationStatuses/*
•Microsoft.OperationalInsights/workspaces/write
•Microsoft.OperationalInsights/workspaces/intelligencepacks/*
•Microsoft.OperationalInsights/workspaces/savedSearches/*
•Microsoft.OperationalInsights/workspaces/search/action
•Microsoft.OperationalInsights/workspaces/sharedKeys/action
•Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*
•Microsoft.Support/*
•Microsoft.WorkloadMonitor/monitors/*
•Microsoft.AlertsManagement/smartDetectorAlertRules/*
•Microsoft.AlertsManagement/actionRules/*
•Microsoft.AlertsManagement/smartGroups/*
•Microsoft.AlertsManagement/migrateFromSmartDetection/*
count: 051
[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace
[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group
[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group
[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group
[Preview]: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR
[Preview]: Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR
[Preview]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule
[Preview]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule
[Preview]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule
[Preview]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule
[Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory
[Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory
[Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory
[Preview]: Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
[Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory
[Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory
[Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory
Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment.
Configure Azure Activity logs to stream to specified Log Analytics workspace
Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace
Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace
Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace
Configure diagnostic settings for Blob Services to Log Analytics workspace
Configure diagnostic settings for container groups to Log Analytics workspace
Configure diagnostic settings for File Services to Log Analytics workspace
Configure diagnostic settings for Queue Services to Log Analytics workspace
Configure diagnostic settings for Storage Accounts to Log Analytics workspace
Configure diagnostic settings for Table Services to Log Analytics workspace
Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint
Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint
Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace
Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace
Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace
Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM
Deploy Diagnostic Settings for Batch Account to Log Analytics workspace
Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace
Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace
Deploy Diagnostic Settings for Event Hub to Log Analytics workspace
Deploy Diagnostic Settings for Key Vault to Log Analytics workspace
Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace
Deploy Diagnostic Settings for Network Security Groups
Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories.
Deploy Diagnostic Settings for Search Services to Log Analytics workspace
Deploy Diagnostic Settings for Service Bus to Log Analytics workspace
Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace
3913510d-42f4-4e42-8a64-420c390055eb Monitoring Metrics Publisher Enables publishing metrics against Azure resources count: 003
•Microsoft.Insights/Register/Action
•Microsoft.Support/*
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 002
•Microsoft.Insights/Metrics/Write
•Microsoft.Insights/Telemetry/Write
8a3c2885-9b38-4fd2-9d99-91af537c1347 Purview role 1 (Deprecated) Deprecated role. count: 001
•Microsoft.Purview/accounts/read
count: 002
•Microsoft.Purview/accounts/data/read
•Microsoft.Purview/accounts/data/write
200bba9e-f0c8-430f-892b-6f0794863803 Purview role 2 (Deprecated) Deprecated role. count: 001
•Microsoft.Purview/accounts/read
count: 002
•Microsoft.Purview/accounts/scan/read
•Microsoft.Purview/accounts/scan/write
ff100721-1b9d-43d8-af52-42b69c1272db Purview role 3 (Deprecated) Deprecated role. count: 001
•Microsoft.Purview/accounts/read
count: 001
•Microsoft.Purview/accounts/data/read
b8b15564-4fa6-4a59-ab12-03e1d9594795 Autonomous Development Platform Data Contributor (Preview) Grants permissions to upload and manage new Autonomous Development Platform measurements. count: 003
•Microsoft.AutonomousDevelopmentPlatform/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 012
•Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/discoveries/*
•Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/uploads/*
•Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/*
•Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurementCollections/*
•Microsoft.AutonomousDevelopmentPlatform/accounts/measurementCollections/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/read
•Microsoft.AutonomousDevelopmentPlatform/workspaces/discoveries/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/uploads/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/classifications/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/dataStreams/classifications/*
•Microsoft.AutonomousDevelopmentPlatform/workspaces/measurementCollections/*
count: 002
•Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/changeState/action
•Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/changeState/action
27f8b550-c507-4db9-86f2-f4b8e816d59d Autonomous Development Platform Data Owner (Preview) Grants full access to Autonomous Development Platform data. count: 003
•Microsoft.AutonomousDevelopmentPlatform/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 001
•Microsoft.AutonomousDevelopmentPlatform/*
d63b75f7-47ea-4f27-92ac-e0d173aaf093 Autonomous Development Platform Data Reader (Preview) Grants read access to Autonomous Development Platform data. count: 003
•Microsoft.AutonomousDevelopmentPlatform/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 001
•Microsoft.AutonomousDevelopmentPlatform/*/read
14b46e9e-c2b7-41b4-b07b-48a6ebf60603 Key Vault Crypto Officer Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. count: 010
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.KeyVault/checkNameAvailability/read
•Microsoft.KeyVault/deletedVaults/read
•Microsoft.KeyVault/locations/*/read
•Microsoft.KeyVault/vaults/*/read
•Microsoft.KeyVault/operations/read
count: 002
•Microsoft.KeyVault/vaults/keys/*
•Microsoft.KeyVault/vaults/keyrotationpolicies/*
49e2f5d2-7741-4835-8efa-19e1fe35e47f Device Update Deployments Reader Gives you read access to management operations, but does not allow making changes count: 005
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
count: 002
•Microsoft.DeviceUpdate/accounts/instances/management/read
•Microsoft.DeviceUpdate/accounts/instances/updates/read
e4237640-0e3d-4a46-8fda-70bc94856432 Device Update Deployments Administrator Gives you full access to management operations count: 005
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Insights/alertRules/*
count: 004
•Microsoft.DeviceUpdate/accounts/instances/management/read
•Microsoft.DeviceUpdate/accounts/instances/management/write
•Microsoft.DeviceUpdate/accounts/instances/management/delete
•Microsoft.DeviceUpdate/accounts/instances/updates/read
67d33e57-3129-45e6-bb0b-7cc522f762fa Azure Arc VMware Private Clouds Onboarding Azure Arc VMware Private Clouds Onboarding role has permissions to provision all the required resources for onboarding and deboarding vCenter instances to Azure. count: 044
•Microsoft.ConnectedVMwarevSphere/vcenters/Write
•Microsoft.ConnectedVMwarevSphere/vcenters/Read
•Microsoft.ConnectedVMwarevSphere/vcenters/Delete
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.KubernetesConfiguration/extensions/Write
•Microsoft.KubernetesConfiguration/extensions/Read
•Microsoft.KubernetesConfiguration/extensions/Delete
•Microsoft.KubernetesConfiguration/operations/read
•Microsoft.KubernetesConfiguration/extensions/operations/read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/Write
•Microsoft.ExtendedLocation/customLocations/Delete
•Microsoft.ExtendedLocation/customLocations/deploy/action
•Microsoft.ResourceConnector/appliances/Read
•Microsoft.ResourceConnector/appliances/Write
•Microsoft.ResourceConnector/appliances/Delete
•Microsoft.ResourceConnector/appliances/listClusterUserCredential/action
•Microsoft.BackupSolutions/vmwareapplications/write
•Microsoft.BackupSolutions/vmwareapplications/delete
•Microsoft.BackupSolutions/vmwareapplications/read
4e9b8407-af2e-495b-ae54-bb60a55b1b5a Chamber Admin Lets you manage everything under your Modeling and Simulation Workbench chamber. count: 005
•Microsoft.ModSimWorkbench/*/read
•Microsoft.ModSimWorkbench/workbenches/chambers/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 001
•Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/manage/action
count: 002
•Microsoft.ModSimWorkbench/workbenches/chambers/upload/action
•Microsoft.ModSimWorkbench/workbenches/chambers/files/*
f4c81013-99ee-4d62-a7ee-b3f1f648599a Microsoft Sentinel Automation Contributor Microsoft Sentinel Automation Contributor count: 007
•Microsoft.Authorization/*/read
•Microsoft.Logic/workflows/triggers/read
•Microsoft.Logic/workflows/triggers/listCallbackUrl/action
•Microsoft.Logic/workflows/runs/read
•Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read
•Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action
•Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read
871e35f6-b5c1-49cc-a043-bde969a0f2cd CDN Endpoint Reader Can view CDN endpoints, but can't make changes. count: 009
•Microsoft.Authorization/*/read
•Microsoft.Cdn/edgenodes/read
•Microsoft.Cdn/operationresults/*
•Microsoft.Cdn/profiles/endpoints/*/read
•Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
4447db05-44ed-4da3-ae60-6cbece780e32 Chamber User Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes. count: 007
•Microsoft.ModSimWorkbench/workbenches/chambers/*/read
•Microsoft.ModSimWorkbench/workbenches/chambers/workloads/*
•Microsoft.ModSimWorkbench/workbenches/chambers/getUploadUri/action
•Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/getDownloadUri/action
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 001
•Microsoft.ModSimWorkbench/workbenches/chambers/upload/action
f2dc8367-1007-4938-bd23-fe263f013447 Cognitive Services Speech User Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. count: 003
•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 012
•Microsoft.CognitiveServices/accounts/SpeechServices/*/read
•Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read
•Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write
•Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete
•Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action
•Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/*/action
•Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/*/action
•Microsoft.CognitiveServices/accounts/CustomVoice/*/read
•Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/*
•Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/*
•Microsoft.CognitiveServices/accounts/AudioContentCreation/*
•Microsoft.CognitiveServices/accounts/VideoTranslation/*
count: 002
•Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read
•Microsoft.CognitiveServices/accounts/CustomVoice/datasets/utterances/read
a6333a3e-0164-44c3-b281-7a577aff287f Windows Admin Center Administrator Login Lets you manage the OS of your resource via Windows Admin Center as an administrator. count: 039
•Microsoft.HybridCompute/machines/*/read
•Microsoft.HybridCompute/machines/extensions/*
•Microsoft.HybridCompute/machines/upgradeExtensions/action
•Microsoft.HybridCompute/operations/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/publicIPAddresses/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read
•Microsoft.Network/networkWatchers/securityGroupView/action
•Microsoft.Network/networkSecurityGroups/securityRules/read
•Microsoft.Network/networkSecurityGroups/securityRules/write
•Microsoft.HybridConnectivity/endpoints/write
•Microsoft.HybridConnectivity/endpoints/read
•Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read
•Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read
•Microsoft.Compute/virtualMachines/patchInstallationResults/read
•Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read
•Microsoft.Compute/virtualMachines/extensions/read
•Microsoft.Compute/virtualMachines/instanceView/read
•Microsoft.Compute/virtualMachines/runCommands/read
•Microsoft.Compute/virtualMachines/vmSizes/read
•Microsoft.Compute/locations/publishers/artifacttypes/types/read
•Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read
•Microsoft.Compute/diskAccesses/read
•Microsoft.Compute/galleries/images/read
•Microsoft.Compute/images/read
•Microsoft.AzureStackHCI/Clusters/Read
•Microsoft.AzureStackHCI/Clusters/ArcSettings/Read
•Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read
•Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write
•Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete
•Microsoft.AzureStackHCI/Operations/Read
•Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read
•Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write
•Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read
count: 004
•Microsoft.HybridCompute/machines/WACLoginAsAdmin/action
•Microsoft.Compute/virtualMachines/WACloginAsAdmin/action
•Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action
•Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action
18ed5180-3e48-46fd-8541-4ea054d57064 Azure Kubernetes Service Policy Add-on Deployment Deploy the Azure Policy add-on on Azure Kubernetes Service clusters count: 006
•Microsoft.Resources/deployments/*
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/publicIPPrefixes/join/action
•Microsoft.Network/publicIPAddresses/join/action
•Microsoft.Compute/diskEncryptionSets/read
•Microsoft.Compute/proximityPlacementGroups/write
count: 006
[Preview]: Deploy Image Integrity on Azure Kubernetes Service
Configure AAD integrated Azure Kubernetes Service Clusters with required Admin Group Access
Configure Node OS Auto upgrade on Azure Kubernetes Cluster
Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Deploy Image Cleaner on Azure Kubernetes Service
Disable Command Invoke on Azure Kubernetes Service clusters
088ab73d-1256-47ae-bea9-9de8e7131f31 Guest Configuration Resource Contributor Lets you read, write Guest Configuration Resource. count: 004
•Microsoft.GuestConfiguration/guestConfigurationAssignments/write
•Microsoft.GuestConfiguration/guestConfigurationAssignments/read
•Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read
•Microsoft.Resources/deployments/*
count: 004
[Preview]: Configure Windows Server to disable local users.
Configure Linux Server to disable local users.
Configure time zone on Windows machines.
Local authentication methods should be disabled on Linux machines
361898ef-9ed1-48c2-849c-a832951106bb Domain Services Reader Can view Azure AD Domain Services and related network configurations count: 028
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Insights/Logs/Read
•Microsoft.Insights/Metrics/read
•Microsoft.Insights/DiagnosticSettings/read
•Microsoft.Insights/DiagnosticSettingsCategories/Read
•Microsoft.AAD/domainServices/*/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/azureFirewalls/read
•Microsoft.Network/ddosProtectionPlans/read
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/*/read
•Microsoft.Network/natGateways/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkSecurityGroups/securityRules/read
•Microsoft.Network/routeTables/read
•Microsoft.Network/routeTables/routes/read
eeaeda52-9324-47f6-8069-5d5bade478b2 Domain Services Contributor Can manage Azure AD Domain Services and related network configurations count: 069
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Insights/Logs/Read
•Microsoft.Insights/Metrics/Read
•Microsoft.Insights/DiagnosticSettings/*
•Microsoft.Insights/DiagnosticSettingsCategories/Read
•Microsoft.AAD/register/action
•Microsoft.AAD/unregister/action
•Microsoft.AAD/domainServices/*
•Microsoft.Network/register/action
•Microsoft.Network/unregister/action
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/write
•Microsoft.Network/virtualNetworks/delete
•Microsoft.Network/virtualNetworks/peer/action
•Microsoft.Network/virtualNetworks/join/action
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/write
•Microsoft.Network/virtualNetworks/subnets/delete
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
•Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/azureFirewalls/read
•Microsoft.Network/ddosProtectionPlans/read
•Microsoft.Network/ddosProtectionPlans/join/action
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/delete
•Microsoft.Network/loadBalancers/*/read
•Microsoft.Network/loadBalancers/backendAddressPools/join/action
•Microsoft.Network/loadBalancers/inboundNatRules/join/action
•Microsoft.Network/natGateways/join/action
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/networkInterfaces/delete
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkSecurityGroups/write
•Microsoft.Network/networkSecurityGroups/delete
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Network/networkSecurityGroups/securityRules/read
•Microsoft.Network/networkSecurityGroups/securityRules/write
•Microsoft.Network/networkSecurityGroups/securityRules/delete
•Microsoft.Network/routeTables/read
•Microsoft.Network/routeTables/write
•Microsoft.Network/routeTables/delete
•Microsoft.Network/routeTables/join/action
•Microsoft.Network/routeTables/routes/read
•Microsoft.Network/routeTables/routes/write
•Microsoft.Network/routeTables/routes/delete
0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d DNS Resolver Contributor Lets you manage DNS resolver resources. count: 041
•Microsoft.Network/dnsResolvers/read
•Microsoft.Network/dnsResolvers/write
•Microsoft.Network/dnsResolvers/delete
•Microsoft.Network/dnsResolvers/join/action
•Microsoft.Network/dnsResolvers/inboundEndpoints/read
•Microsoft.Network/dnsResolvers/inboundEndpoints/write
•Microsoft.Network/dnsResolvers/inboundEndpoints/delete
•Microsoft.Network/dnsResolvers/inboundEndpoints/join/action
•Microsoft.Network/dnsResolvers/outboundEndpoints/read
•Microsoft.Network/dnsResolvers/outboundEndpoints/write
•Microsoft.Network/dnsResolvers/outboundEndpoints/delete
•Microsoft.Network/dnsResolvers/outboundEndpoints/join/action
•Microsoft.Network/dnsForwardingRulesets/read
•Microsoft.Network/dnsForwardingRulesets/write
•Microsoft.Network/dnsForwardingRulesets/delete
•Microsoft.Network/dnsForwardingRulesets/join/action
•Microsoft.Network/dnsForwardingRulesets/forwardingRules/read
•Microsoft.Network/dnsForwardingRulesets/forwardingRules/write
•Microsoft.Network/dnsForwardingRulesets/forwardingRules/delete
•Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/read
•Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/write
•Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/delete
•Microsoft.Network/locations/dnsResolverOperationResults/read
•Microsoft.Network/locations/dnsResolverOperationStatuses/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/join/action
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/write
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/join/action
•Microsoft.Network/virtualNetworks/joinLoadBalancer/action
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action
•Microsoft.Network/natGateways/join/action
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Network/routeTables/join/action
•Microsoft.Network/serviceEndpointPolicies/join/action
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/subscriptions/resourceGroups/read
00493d72-78f6-4148-b6c5-d3ce8e4799dd Azure Arc Enabled Kubernetes Cluster User Role List cluster user credentials action. count: 009
•Microsoft.Resources/deployments/write
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
•Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action
959f8984-c045-4866-89c7-12bf9737be2e Data Operator for Managed Disks Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. count: 004
•Microsoft.Compute/disks/download/action
•Microsoft.Compute/disks/upload/action
•Microsoft.Compute/snapshots/download/action
•Microsoft.Compute/snapshots/upload/action
6b77f0a0-0d89-41cc-acd1-579c22c17a67 AgFood Platform Sensor Partner Contributor Provides contribute access to manage sensor related entities in AgFood Platform Service count: 001
•Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/*
count: 001
•Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/delete
1ef6a3be-d0ac-425d-8c01-acb62866290b Compute Gallery Sharing Admin This role allows user to share gallery to another subscription/tenant or share it to the public. count: 001
•Microsoft.Compute/galleries/share/action
cd08ab90-6b14-449c-ad9a-8f8e549482c6 Scheduled Patching Contributor Provides access to manage maintenance configurations with maintenance scope InGuestPatch and corresponding configuration assignments count: 012
•Microsoft.Maintenance/maintenanceConfigurations/read
•Microsoft.Maintenance/maintenanceConfigurations/write
•Microsoft.Maintenance/maintenanceConfigurations/delete
•Microsoft.Maintenance/configurationAssignments/read
•Microsoft.Maintenance/configurationAssignments/write
•Microsoft.Maintenance/configurationAssignments/delete
•Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/read
•Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/write
•Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/delete
•Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/read
•Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/write
•Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/delete
45d50f46-0b78-4001-a660-4198cbe8cd05 DevCenter Dev Box User Provides access to create and manage dev boxes. count: 004
•Microsoft.DevCenter/projects/read
•Microsoft.DevCenter/projects/*/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 010
•Microsoft.DevCenter/projects/users/devboxes/userStop/action
•Microsoft.DevCenter/projects/users/devboxes/userStart/action
•Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action
•Microsoft.DevCenter/projects/users/devboxes/userRead/action
•Microsoft.DevCenter/projects/users/devboxes/userWrite/action
•Microsoft.DevCenter/projects/users/devboxes/userDelete/action
•Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionRead/action
•Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionManage/action
•Microsoft.DevCenter/projects/users/devboxes/userActionRead/action
•Microsoft.DevCenter/projects/users/devboxes/userActionManage/action
331c37c6-af14-46d9-b9f4-e1909e1b95a0 DevCenter Project Admin Provides access to manage project resources. count: 004
•Microsoft.DevCenter/projects/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
count: 002
•Microsoft.DevCenter/projects/write
•Microsoft.DevCenter/projects/delete
count: 019
•Microsoft.DevCenter/projects/users/devboxes/adminStart/action
•Microsoft.DevCenter/projects/users/devboxes/adminStop/action
•Microsoft.DevCenter/projects/users/devboxes/adminRead/action
•Microsoft.DevCenter/projects/users/devboxes/adminWrite/action
•Microsoft.DevCenter/projects/users/devboxes/adminDelete/action
•Microsoft.DevCenter/projects/users/devboxes/userStop/action
•Microsoft.DevCenter/projects/users/devboxes/userStart/action
•Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action
•Microsoft.DevCenter/projects/users/devboxes/userRead/action
•Microsoft.DevCenter/projects/users/devboxes/userWrite/action
•Microsoft.DevCenter/projects/users/devboxes/userDelete/action
•Microsoft.DevCenter/projects/users/devboxes/userActionRead/action
•Microsoft.DevCenter/projects/users/devboxes/userActionManage/action
•Microsoft.DevCenter/projects/users/environments/adminRead/action
•Microsoft.DevCenter/projects/users/environments/userWrite/action
•Microsoft.DevCenter/projects/users/environments/adminWrite/action
•Microsoft.DevCenter/projects/users/environments/userDelete/action
•Microsoft.DevCenter/projects/users/environments/adminDelete/action
•Microsoft.DevCenter/projects/users/environments/adminAction/action
602da2ba-a5c2-41da-b01d-5360126ab525 Virtual Machine Local User Login View Virtual Machines in the portal and login as a local user configured on the arc server count: 002
•Microsoft.HybridCompute/machines/*/read
•Microsoft.HybridConnectivity/endpoints/listCredentials/action
c0781e91-8102-4553-8951-97c6d4243cda Azure Arc ScVmm Private Cloud User Azure Arc ScVmm Private Cloud User has permissions to use the ScVmm resources to deploy VMs. count: 033
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•microsoft.scvmm/virtualnetworks/join/action
•microsoft.scvmm/virtualnetworks/Read
•microsoft.scvmm/virtualmachinetemplates/clone/action
•microsoft.scvmm/virtualmachinetemplates/Read
•microsoft.scvmm/clouds/deploy/action
•microsoft.scvmm/clouds/Read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
e582369a-e17b-42a5-b10c-874c387c530b Azure Arc ScVmm VM Contributor Arc ScVmm VM Contributor has permissions to perform all VM actions. count: 028
•microsoft.scvmm/virtualmachines/*
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9 Azure Arc ScVmm Private Clouds Onboarding Azure Arc ScVmm Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vmm server instances to Azure. count: 030
•microsoft.scvmm/vmmservers/Read
•microsoft.scvmm/vmmservers/Write
•microsoft.scvmm/vmmservers/Delete
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
a92dfd61-77f9-4aec-a531-19858b406c87 Azure Arc ScVmm Administrator role Arc ScVmm VM Administrator has permissions to perform all ScVmm actions. count: 028
•Microsoft.ScVmm/*
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/cancel/action
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/whatIf/action
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.ExtendedLocation/customLocations/Read
•Microsoft.ExtendedLocation/customLocations/deploy/action
fd036e6b-1266-47a0-b0bb-a05d04831731 HDInsight on AKS Cluster Admin Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters. count: 027
•Microsoft.HDInsight/clusterPools/clusters/read
•Microsoft.HDInsight/clusterPools/clusters/write
•Microsoft.HDInsight/clusterPools/clusters/delete
•Microsoft.HDInsight/clusterPools/clusters/resize/action
•Microsoft.HDInsight/clusterpools/clusters/instanceviews/read
•Microsoft.HDInsight/clusterPools/clusters/jobs/read
•Microsoft.HDInsight/clusterPools/clusters/runjob/action
•Microsoft.HDInsight/clusterpools/clusters/serviceconfigs/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/*/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Insights/metrics/read
•Microsoft.Insights/logs/read
7656b436-37d4-490a-a4ab-d39f838f0042 HDInsight on AKS Cluster Pool Admin Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters count: 024
•Microsoft.HDInsight/clusterPools/clusters/read
•Microsoft.HDInsight/clusterPools/clusters/write
•Microsoft.HDInsight/clusterPools/delete
•Microsoft.HDInsight/clusterPools/read
•Microsoft.HDInsight/clusterPools/write
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/validate/action
•Microsoft.Resources/deployments/*/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/exportTemplate/action
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/AlertRules/Write
•Microsoft.Insights/AlertRules/Delete
•Microsoft.Insights/AlertRules/Read
•Microsoft.Insights/AlertRules/Activated/Action
•Microsoft.Insights/AlertRules/Resolved/Action
•Microsoft.Insights/AlertRules/Throttled/Action
•Microsoft.Insights/AlertRules/Incidents/Read
•Microsoft.Insights/metrics/read
•Microsoft.Insights/logs/read
4465e953-8ced-4406-a58e-0f6e3f3b530b FHIR Data Importer Role allows user or principal to read and import FHIR Data count: 002
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action
c031e6a8-4391-4de0-8d69-4706a7ed3729 API Management Developer Portal Content Editor Can customize the developer portal, edit its content, and publish it. count: 008
•Microsoft.ApiManagement/service/portalRevisions/read
•Microsoft.ApiManagement/service/portalRevisions/write
•Microsoft.ApiManagement/service/contentTypes/read
•Microsoft.ApiManagement/service/contentTypes/delete
•Microsoft.ApiManagement/service/contentTypes/write
•Microsoft.ApiManagement/service/contentTypes/contentItems/read
•Microsoft.ApiManagement/service/contentTypes/contentItems/write
•Microsoft.ApiManagement/service/contentTypes/contentItems/delete
d24ecba3-c1f4-40fa-a7bb-4588a071e8fd VM Scanner Operator Role that provides access to disk snapshot for security analysis. count: 008
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/beginGetAccess/action
•Microsoft.Compute/virtualMachines/instanceView/read
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachineScaleSets/instanceView/read
•Microsoft.Compute/virtualMachineScaleSets/read
•Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
•Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read
80dcbedb-47ef-405d-95bd-188a1b4ac406 Elastic SAN Owner Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access count: 006
•Microsoft.Authorization/*/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ElasticSan/elasticSans/*
•Microsoft.ElasticSan/locations/*
af6a70f8-3c9f-4105-acf1-d719e9fca4ca Elastic SAN Reader Allows for control path read access to Azure Elastic SAN count: 005
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ElasticSan/elasticSans/*/read
489581de-a3bd-480d-9518-53dea7416b33 Desktop Virtualization Power On Contributor This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines. count: 007
•Microsoft.Compute/virtualMachines/start/action
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/instanceView/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
a959dbd1-f747-45e3-8ba6-dd80f235f97c Desktop Virtualization Virtual Machine Contributor This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines. count: 056
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/write
•Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/write
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action
•Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read
•Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/availabilitySets/write
•Microsoft.Compute/availabilitySets/vmSizes/read
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/write
•Microsoft.Compute/disks/delete
•Microsoft.Compute/galleries/read
•Microsoft.Compute/galleries/images/read
•Microsoft.Compute/galleries/images/versions/read
•Microsoft.Compute/images/read
•Microsoft.Compute/locations/usages/read
•Microsoft.Compute/locations/vmSizes/read
•Microsoft.Compute/operations/read
•Microsoft.Compute/skus/read
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/write
•Microsoft.Compute/virtualMachines/delete
•Microsoft.Compute/virtualMachines/start/action
•Microsoft.Compute/virtualMachines/powerOff/action
•Microsoft.Compute/virtualMachines/restart/action
•Microsoft.Compute/virtualMachines/deallocate/action
•Microsoft.Compute/virtualMachines/runCommand/action
•Microsoft.Compute/virtualMachines/extensions/read
•Microsoft.Compute/virtualMachines/extensions/write
•Microsoft.Compute/virtualMachines/extensions/delete
•Microsoft.Compute/virtualMachines/runCommands/read
•Microsoft.Compute/virtualMachines/runCommands/write
•Microsoft.Compute/virtualMachines/vmSizes/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/networkInterfaces/delete
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/usages/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read
•Microsoft.KeyVault/vaults/deploy/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
40c5ff49-9181-41f8-ae61-143b0e78555e Desktop Virtualization Power On Off Contributor This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines. count: 018
•Microsoft.Compute/virtualMachines/start/action
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/instanceView/read
•Microsoft.Compute/virtualMachines/deallocate/action
•Microsoft.Compute/virtualMachines/restart/action
•Microsoft.Compute/virtualMachines/powerOff/action
•Microsoft.Insights/eventtypes/values/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.DesktopVirtualization/hostpools/read
•Microsoft.DesktopVirtualization/hostpools/write
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/write
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read
•Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action
76cc9ee4-d5d3-4a45-a930-26add3d73475 Access Review Operator Service Role Lets you grant Access Review System app permissions to discover and revoke access as needed by the access review process. count: 003
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleAssignments/delete
•Microsoft.Management/getEntities/action
a8281131-f312-4f34-8d98-ae12be9f0d23 Elastic SAN Volume Group Owner Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access count: 004
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
•Microsoft.ElasticSan/elasticSans/volumeGroups/*
•Microsoft.ElasticSan/locations/asyncoperations/read
4339b7cf-9826-4e41-b4ed-c7f4505dac08 Code Signing Identity Verifier Manage identity or business verification requests. This role is in preview and subject to change. count: 001
•Microsoft.CodeSigning/*/read
count: 002
•Microsoft.CodeSigning/IdentityVerification/Read
•Microsoft.CodeSigning/IdentityVerification/Write
a2c4a527-7dc0-4ee3-897b-403ade70fafb Video Indexer Restricted Viewer Has access to view and search through all video's insights and transcription in the Video Indexer portal. No access to model customization, embedding of widget, downloading videos, or sharing the account. count: 002
•Microsoft.VideoIndexer/*/read
•Microsoft.VideoIndexer/accounts/*/action
count: 003
•Microsoft.VideoIndexer/*/write
•Microsoft.VideoIndexer/*/delete
•Microsoft.VideoIndexer/accounts/generateAccessToken/action
b0d8363b-8ddd-447d-831f-62ca05bff136 Monitoring Data Reader Can access the data in an Azure Monitor Workspace. count: 001
•Microsoft.Monitor/accounts/data/metrics/read
30b27cfc-9c84-438e-b0ce-70e35255df80 Azure Kubernetes Fleet Manager RBAC Reader Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. count: 006
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/fleets/read
•Microsoft.ContainerService/fleets/listCredentials/action
count: 026
•Microsoft.ContainerService/fleets/apps/controllerrevisions/read
•Microsoft.ContainerService/fleets/apps/daemonsets/read
•Microsoft.ContainerService/fleets/apps/deployments/read
•Microsoft.ContainerService/fleets/apps/statefulsets/read
•Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read
•Microsoft.ContainerService/fleets/batch/cronjobs/read
•Microsoft.ContainerService/fleets/batch/jobs/read
•Microsoft.ContainerService/fleets/configmaps/read
•Microsoft.ContainerService/fleets/endpoints/read
•Microsoft.ContainerService/fleets/events.k8s.io/events/read
•Microsoft.ContainerService/fleets/events/read
•Microsoft.ContainerService/fleets/extensions/daemonsets/read
•Microsoft.ContainerService/fleets/extensions/deployments/read
•Microsoft.ContainerService/fleets/extensions/ingresses/read
•Microsoft.ContainerService/fleets/extensions/networkpolicies/read
•Microsoft.ContainerService/fleets/limitranges/read
•Microsoft.ContainerService/fleets/namespaces/read
•Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read
•Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read
•Microsoft.ContainerService/fleets/persistentvolumeclaims/read
•Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read
•Microsoft.ContainerService/fleets/replicationcontrollers/read
•Microsoft.ContainerService/fleets/replicationcontrollers/read
•Microsoft.ContainerService/fleets/resourcequotas/read
•Microsoft.ContainerService/fleets/serviceaccounts/read
•Microsoft.ContainerService/fleets/services/read
18ab4d3d-a1bf-4477-8ad9-8359bc988f69 Azure Kubernetes Fleet Manager RBAC Cluster Admin Lets you manage all resources in the fleet manager cluster. count: 006
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/fleets/read
•Microsoft.ContainerService/fleets/listCredentials/action
count: 001
•Microsoft.ContainerService/fleets/*
434fb43a-c01c-447e-9f67-c3ad923cfaba Azure Kubernetes Fleet Manager RBAC Admin This role grants admin access - provides write permissions on most objects within a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. count: 006
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/fleets/read
•Microsoft.ContainerService/fleets/listCredentials/action
count: 030
•Microsoft.ContainerService/fleets/apps/controllerrevisions/read
•Microsoft.ContainerService/fleets/apps/daemonsets/*
•Microsoft.ContainerService/fleets/apps/deployments/*
•Microsoft.ContainerService/fleets/apps/statefulsets/*
•Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write
•Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
•Microsoft.ContainerService/fleets/batch/cronjobs/*
•Microsoft.ContainerService/fleets/batch/jobs/*
•Microsoft.ContainerService/fleets/configmaps/*
•Microsoft.ContainerService/fleets/endpoints/*
•Microsoft.ContainerService/fleets/events.k8s.io/events/read
•Microsoft.ContainerService/fleets/events/read
•Microsoft.ContainerService/fleets/extensions/daemonsets/*
•Microsoft.ContainerService/fleets/extensions/deployments/*
•Microsoft.ContainerService/fleets/extensions/ingresses/*
•Microsoft.ContainerService/fleets/extensions/networkpolicies/*
•Microsoft.ContainerService/fleets/limitranges/read
•Microsoft.ContainerService/fleets/namespaces/read
•Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
•Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
•Microsoft.ContainerService/fleets/persistentvolumeclaims/*
•Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
•Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*
•Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*
•Microsoft.ContainerService/fleets/replicationcontrollers/*
•Microsoft.ContainerService/fleets/replicationcontrollers/*
•Microsoft.ContainerService/fleets/resourcequotas/read
•Microsoft.ContainerService/fleets/secrets/*
•Microsoft.ContainerService/fleets/serviceaccounts/*
•Microsoft.ContainerService/fleets/services/*
5af6afb3-c06c-4fa4-8848-71a8aee05683 Azure Kubernetes Fleet Manager RBAC Writer Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. count: 006
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ContainerService/fleets/read
•Microsoft.ContainerService/fleets/listCredentials/action
count: 027
•Microsoft.ContainerService/fleets/apps/controllerrevisions/read
•Microsoft.ContainerService/fleets/apps/daemonsets/*
•Microsoft.ContainerService/fleets/apps/deployments/*
•Microsoft.ContainerService/fleets/apps/statefulsets/*
•Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*
•Microsoft.ContainerService/fleets/batch/cronjobs/*
•Microsoft.ContainerService/fleets/batch/jobs/*
•Microsoft.ContainerService/fleets/configmaps/*
•Microsoft.ContainerService/fleets/endpoints/*
•Microsoft.ContainerService/fleets/events.k8s.io/events/read
•Microsoft.ContainerService/fleets/events/read
•Microsoft.ContainerService/fleets/extensions/daemonsets/*
•Microsoft.ContainerService/fleets/extensions/deployments/*
•Microsoft.ContainerService/fleets/extensions/ingresses/*
•Microsoft.ContainerService/fleets/extensions/networkpolicies/*
•Microsoft.ContainerService/fleets/limitranges/read
•Microsoft.ContainerService/fleets/namespaces/read
•Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*
•Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*
•Microsoft.ContainerService/fleets/persistentvolumeclaims/*
•Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*
•Microsoft.ContainerService/fleets/replicationcontrollers/*
•Microsoft.ContainerService/fleets/replicationcontrollers/*
•Microsoft.ContainerService/fleets/resourcequotas/read
•Microsoft.ContainerService/fleets/secrets/*
•Microsoft.ContainerService/fleets/serviceaccounts/*
•Microsoft.ContainerService/fleets/services/*
63bb64ad-9799-4770-b5c3-24ed299a07bf Azure Kubernetes Fleet Manager Contributor Role Grants access to read and write Azure Kubernetes Fleet Manager clusters count: 002
•Microsoft.ContainerService/fleets/*
•Microsoft.Resources/deployments/*
ba79058c-0414-4a34-9e42-c3399d80cd5a Kubernetes Namespace User Allows a user to read namespace resources and retrieve kubeconfig for the cluster count: 002
•Microsoft.KubernetesConfiguration/namespaces/read
•Microsoft.KubernetesConfiguration/namespaces/listUserCredential/action
c6decf44-fd0a-444c-a844-d653c394e7ab Data Labeling - Labeler Can label data in Labeling. count: 006
•Microsoft.MachineLearningServices/workspaces/read
•Microsoft.MachineLearningServices/workspaces/experiments/runs/read
•Microsoft.MachineLearningServices/workspaces/labeling/projects/read
•Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read
•Microsoft.MachineLearningServices/workspaces/labeling/labels/read
•Microsoft.MachineLearningServices/workspaces/labeling/labels/write
f58310d9-a9f6-439a-9e8d-f62e7b41a168 Role Based Access Control Administrator (Preview) Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. count: 004
•Microsoft.Authorization/roleAssignments/write
•Microsoft.Authorization/roleAssignments/delete
•*/read
•Microsoft.Support/*
392ae280-861d-42bd-9ea5-08ee6d83b80e Template Spec Reader Allows read access to Template Specs at the assigned scope. count: 001
•Microsoft.Resources/templateSpecs/*/read
1c9b6475-caf0-4164-b5a1-2142a7116f4b Template Spec Contributor Allows full access to Template Spec operations at the assigned scope. count: 004
•Microsoft.Resources/templateSpecs/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
51d6186e-6489-4900-b93f-92e23144cca5 Microsoft Sentinel Playbook Operator Microsoft Sentinel Playbook Operator count: 004
•Microsoft.Logic/workflows/read
•Microsoft.Logic/workflows/triggers/listCallbackUrl/action
•Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action
•Microsoft.Web/sites/read
18e40d4e-8d2e-438d-97e1-9528336e149c Deployment Environments User Provides access to manage environment resources. count: 006
•Microsoft.DevCenter/projects/read
•Microsoft.DevCenter/projects/*/read
•Microsoft.Fidalgo/projects/read
•Microsoft.Fidalgo/projects/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Authorization/*/read
count: 003
•Microsoft.DevCenter/projects/pools/read
•Microsoft.Fidalgo/projects/pools/read
•Microsoft.DevCenter/projects/pools/schedules/read
count: 004
•Microsoft.DevCenter/projects/users/environments/adminRead/action
•Microsoft.DevCenter/projects/users/environments/userWrite/action
•Microsoft.DevCenter/projects/users/environments/userDelete/action
•Microsoft.DevCenter/projects/users/environments/adminAction/action
80558df3-64f9-4c0f-b32d-e5094b036b0b Azure Spring Apps Connect Role Azure Spring Apps Connect Role count: 001
•Microsoft.AppPlatform/Spring/apps/deployments/connect/action
a99b0159-1064-4c22-a57b-c9b3caa1c054 Azure Spring Apps Remote Debugging Role Azure Spring Apps Remote Debugging Role count: 001
•Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action
1823dd4f-9b8c-4ab6-ab4e-7397a3684615 AzureML Registry User Can perform all actions on Machine Learning Services Registry assets as well as get Registry resources. count: 002
•Microsoft.MachineLearningServices/registries/read
•Microsoft.MachineLearningServices/registries/assets/*
e503ece1-11d0-4e8e-8e2c-7a6c3bf38815 AzureML Compute Operator Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). count: 002
•Microsoft.MachineLearningServices/workspaces/computes/*
•Microsoft.MachineLearningServices/workspaces/notebooks/vm/*
05352d14-a920-4328-a0de-4cbe7430e26b Azure Center for SAP solutions reader This role provides read access to all capabilities of Azure Center for SAP solutions. count: 043
•Microsoft.Advisor/configurations/read
•Microsoft.Advisor/recommendations/read
•Microsoft.Workloads/sapvirtualInstances/*/read
•Microsoft.Workloads/Locations/*/action
•Microsoft.Workloads/Operations/read
•Microsoft.Workloads/Locations/OperationStatuses/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/virtualMachines/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/ipconfigurations/read
•Microsoft.Network/networkInterfaces/loadBalancers/read
•Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/backendAddressPools/read
•Microsoft.Network/loadBalancers/frontendIPConfigurations/read
•Microsoft.Network/loadBalancers/loadBalancingRules/read
•Microsoft.Network/loadBalancers/inboundNatRules/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read
•Microsoft.Network/loadBalancers/networkInterfaces/read
•Microsoft.Network/loadBalancers/outboundRules/read
•Microsoft.Network/loadBalancers/virtualMachines/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/privateEndpoints/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/fileServices/read
•Microsoft.Storage/storageAccounts/fileServices/shares/read
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/virtualMachines/extensions/read
•Microsoft.Compute/disks/read
aabbc5dd-1af0-458b-a942-81af88f9c138 Azure Center for SAP solutions service role Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems. count: 055
•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/*
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/write
•Microsoft.Network/loadBalancers/backendAddressPools/read
•Microsoft.Network/loadBalancers/backendAddressPools/write
•Microsoft.Network/loadBalancers/frontendIPConfigurations/read
•Microsoft.Network/loadBalancers/loadBalancingRules/read
•Microsoft.Network/loadBalancers/inboundNatRules/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read
•Microsoft.Network/loadBalancers/networkInterfaces/read
•Microsoft.Network/loadBalancers/outboundRules/read
•Microsoft.Network/loadBalancers/virtualMachines/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/networkInterfaces/ipconfigurations/read
•Microsoft.Network/networkInterfaces/loadBalancers/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/virtualMachines/read
•Microsoft.Network/virtualNetworks/virtualMachines/read
•Microsoft.Network/networkInterfaces/ipconfigurations/join/action
•Microsoft.Network/privateEndpoints/read
•Microsoft.Network/privateEndpoints/write
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/loadBalancers/backendAddressPools/join/action
•Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/write
•Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/fileServices/read
•Microsoft.Storage/storageAccounts/fileServices/write
•Microsoft.Storage/storageAccounts/fileServices/shares/read
•Microsoft.Storage/storageAccounts/fileServices/shares/write
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/virtualMachines/write
•Microsoft.Compute/virtualMachines/instanceView/read
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/availabilitySets/write
•Microsoft.Compute/skus/read
•Microsoft.Compute/sshPublicKeys/read
•Microsoft.Compute/virtualMachines/extensions/read
•Microsoft.Compute/virtualMachines/extensions/write
•Microsoft.Compute/virtualMachines/extensions/delete
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/write
7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7 Azure Center for SAP solutions administrator This role provides read and write access to all capabilities of Azure Center for SAP solutions. count: 057
•Microsoft.Advisor/configurations/read
•Microsoft.Advisor/recommendations/read
•Microsoft.Workloads/sapvirtualInstances/*/read
•Microsoft.Workloads/sapVirtualInstances/*/write
•Microsoft.Workloads/sapVirtualInstances/*/delete
•Microsoft.Workloads/Locations/*/action
•Microsoft.Workloads/Locations/*/read
•Microsoft.Workloads/sapVirtualInstances/*/start/action
•Microsoft.Workloads/sapVirtualInstances/*/stop/action
•Microsoft.Workloads/connectors/*/read
•Microsoft.Workloads/connectors/*/write
•Microsoft.Workloads/connectors/*/delete
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/*
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/subnets/write
•Microsoft.Network/virtualNetworks/subnets/virtualMachines/read
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/ipconfigurations/read
•Microsoft.Network/networkInterfaces/loadBalancers/read
•Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/loadBalancers/read
•Microsoft.Network/loadBalancers/backendAddressPools/read
•Microsoft.Network/loadBalancers/frontendIPConfigurations/read
•Microsoft.Network/loadBalancers/loadBalancingRules/read
•Microsoft.Network/loadBalancers/inboundNatRules/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read
•Microsoft.Network/loadBalancers/networkInterfaces/read
•Microsoft.Network/loadBalancers/outboundRules/read
•Microsoft.Network/loadBalancers/virtualMachines/read
•Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read
•Microsoft.Network/privateEndpoints/read
•Microsoft.Network/networkSecurityGroups/join/action
•Microsoft.Network/routeTables/join/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/fileServices/read
•Microsoft.Storage/storageAccounts/fileServices/shares/read
•Microsoft.Compute/virtualMachines/read
•Microsoft.Compute/availabilitySets/read
•Microsoft.Compute/sshPublicKeys/read
•Microsoft.Compute/sshPublicKeys/write
•Microsoft.Compute/sshPublicKeys/*/generateKeyPair/action
•Microsoft.Compute/virtualMachines/extensions/read
•Microsoft.Compute/virtualMachines/extensions/delete
•Microsoft.Compute/disks/read
count: 001
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
fbc52c3f-28ad-4303-a892-8a056630b8f1 AppGw for Containers Configuration Manager Allows access and configuration updates to Application Gateway for Containers resource. count: 013
•Microsoft.ServiceNetworking/trafficControllers/read
•Microsoft.ServiceNetworking/trafficControllers/write
•Microsoft.ServiceNetworking/trafficControllers/delete
•Microsoft.ServiceNetworking/trafficControllers/frontends/read
•Microsoft.ServiceNetworking/trafficControllers/frontends/write
•Microsoft.ServiceNetworking/trafficControllers/frontends/delete
•Microsoft.ServiceNetworking/trafficControllers/associations/read
•Microsoft.ServiceNetworking/trafficControllers/associations/write
•Microsoft.ServiceNetworking/trafficControllers/associations/delete
•Microsoft.Resources/subscriptions/resourcegroups/deployments/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/write
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read
•Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read
count: 003
•Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/read
•Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/write
•Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/delete
4ba50f17-9666-485c-a643-ff00808643f0 FHIR SMART User Role allows user to access FHIR Service according to SMART on FHIR specification count: 004
•Microsoft.HealthcareApis/services/fhir/resources/read
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
•Microsoft.HealthcareApis/services/fhir/resources/smart/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action
a001fd3d-188f-4b5d-821b-7da978bf7442 Cognitive Services OpenAI Contributor Full access including the ability to fine-tune, deploy and generate text count: 011
•Microsoft.CognitiveServices/*/read
•Microsoft.CognitiveServices/accounts/deployments/write
•Microsoft.CognitiveServices/accounts/deployments/delete
•Microsoft.CognitiveServices/accounts/raiPolicies/read
•Microsoft.CognitiveServices/accounts/raiPolicies/write
•Microsoft.CognitiveServices/accounts/raiPolicies/delete
•Microsoft.CognitiveServices/accounts/commitmentplans/read
•Microsoft.CognitiveServices/accounts/commitmentplans/write
•Microsoft.CognitiveServices/accounts/commitmentplans/delete
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 001
•Microsoft.CognitiveServices/accounts/OpenAI/*
5e0bd9bd-7b93-4f28-af87-19fc36ad61bd Cognitive Services OpenAI User Ability to view files, models, deployments. Readers are able to call inference operations such as chat completions and image generation. count: 003
•Microsoft.CognitiveServices/*/read
•Microsoft.Authorization/roleAssignments/read
•Microsoft.Authorization/roleDefinitions/read
count: 012
•Microsoft.CognitiveServices/accounts/OpenAI/*/read
•Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action
•Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action
•Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action
•Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/write
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action
•Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/write
•Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action
36e80216-a7e8-4f42-a7e1-f12c98cbaf8a Impact Reporter Allows access to create/report, read and delete impacts count: 002
•Microsoft.Impact/WorkloadImpacts/*
•Microsoft.Impact/ImpactCategories/read
68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e Impact Reader Allows read-only access to reported impacts and impact categories count: 002
•Microsoft.Impact/WorkloadImpacts/read
•Microsoft.Impact/ImpactCategories/read
ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b ContainerApp Reader View all containerapp resources, but does not allow you to make any changes. count: 006
•Microsoft.App/containerApps/*/read
•Microsoft.App/containerApps/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
1afdec4b-e479-420e-99e7-f82237c7c5e6 Azure Kubernetes Service Cluster Monitoring User List cluster monitoring user credential action. count: 002
•Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action
•Microsoft.ContainerService/managedClusters/read
f5819b54-e033-4d82-ac66-4fec3cbf3f4c Azure Connected Machine Resource Manager Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group count: 012
•Microsoft.HybridConnectivity/endpoints/read
•Microsoft.HybridConnectivity/endpoints/write
•Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read
•Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write
•Microsoft.HybridCompute/machines/read
•Microsoft.HybridCompute/machines/write
•Microsoft.HybridCompute/machines/delete
•Microsoft.HybridCompute/machines/extensions/read
•Microsoft.HybridCompute/machines/extensions/write
•Microsoft.HybridCompute/machines/extensions/delete
•Microsoft.HybridCompute/*/read
•Microsoft.HybridCompute/machines/UpgradeExtensions/action
189207d4-bb67-4208-a635-b06afe8b2c57 SqlDb Migration Role Role for SqlDb migration count: 024
•Microsoft.Sql/servers/read
•Microsoft.Sql/servers/write
•Microsoft.Sql/servers/databases/read
•Microsoft.Sql/servers/databases/write
•Microsoft.Sql/servers/databases/delete
•Microsoft.DataMigration/locations/operationResults/read
•Microsoft.DataMigration/locations/operationStatuses/read
•Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read
•Microsoft.DataMigration/databaseMigrations/write
•Microsoft.DataMigration/databaseMigrations/read
•Microsoft.DataMigration/databaseMigrations/delete
•Microsoft.DataMigration/databaseMigrations/cancel/action
•Microsoft.DataMigration/databaseMigrations/cutover/action
•Microsoft.DataMigration/sqlMigrationServices/write
•Microsoft.DataMigration/sqlMigrationServices/delete
•Microsoft.DataMigration/sqlMigrationServices/read
•Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action
•Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action
•Microsoft.DataMigration/sqlMigrationServices/deleteNode/action
•Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action
•Microsoft.DataMigration/sqlMigrationServices/listMigrations/read
•Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read
•Microsoft.DataMigration/register/action
•Microsoft.DataMigration/operations/read
c4bc862a-3b64-4a35-a021-a380c159b042 Bayer Ag Powered Services GDU Solution Provide access to GDU Solution by Bayer Ag Powered Services count: 003
•Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/*
ef29765d-0d37-4119-a4f8-f9f9902c9588 Bayer Ag Powered Services Imagery Solution Provide access to Imagery Solution by Bayer Ag Powered Services count: 006
•Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read
•Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/write
•Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/*
•Microsoft.AgFoodPlatform/farmBeats/scenes/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/*
0105a6b0-4bb9-43d2-982a-12806f9faddb Azure Center for SAP solutions Service role for management This role has permissions that the user assigned managed identity must have to enable registration for the existing systems.
6d949e1d-41e2-46e3-8920-c6e4f31a8310 Azure Center for SAP solutions Management role This role has permissions which allow users to register existing systems, view and manage systems.
d5a2ae44-610b-4500-93be-660a0c5f5ca6 Kubernetes Agentless Operator Grants Microsoft Defender for Cloud access to Azure Kubernetes Services count: 008
•Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write
•Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read
•Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete
•Microsoft.ContainerService/managedClusters/read
•Microsoft.Features/features/read
•Microsoft.Features/providers/features/read
•Microsoft.Features/providers/features/register/action
•Microsoft.Security/pricings/securityoperators/read
f0310ce6-e953-4cf8-b892-fb1c87eaf7f6 Azure Usage Billing Data Sender Azure Usage Billing shared BuiltIn role to be used for all Customer Account Authentication count: 001
•Microsoft.UsageBilling/accounts/inputs/send/action
1d335eef-eee1-47fe-a9e0-53214eba8872 SqlMI Migration Role Role for SqlMI migration count: 030
•Microsoft.Sql/managedInstances/read
•Microsoft.Sql/managedInstances/write
•Microsoft.Sql/managedInstances/databases/read
•Microsoft.Sql/managedInstances/databases/write
•Microsoft.Sql/managedInstances/databases/delete
•Microsoft.Sql/managedInstances/metrics/read
•Microsoft.DataMigration/locations/operationResults/read
•Microsoft.DataMigration/locations/operationStatuses/read
•Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read
•Microsoft.DataMigration/databaseMigrations/write
•Microsoft.DataMigration/databaseMigrations/read
•Microsoft.DataMigration/databaseMigrations/delete
•Microsoft.DataMigration/databaseMigrations/cancel/action
•Microsoft.DataMigration/databaseMigrations/cutover/action
•Microsoft.DataMigration/sqlMigrationServices/write
•Microsoft.DataMigration/sqlMigrationServices/delete
•Microsoft.DataMigration/sqlMigrationServices/read
•Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action
•Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action
•Microsoft.DataMigration/sqlMigrationServices/deleteNode/action
•Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action
•Microsoft.DataMigration/sqlMigrationServices/listMigrations/read
•Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read
•Microsoft.DataMigration/register/action
•Microsoft.DataMigration/operations/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/listkeys/action
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Storage/storageAccounts/blobServices/write
•Microsoft.Storage/storageAccounts/blobServices/containers/read
ae8036db-e102-405b-a1b9-bae082ea436d SqlVM Migration Role Role for SqlVM migration count: 026
•Microsoft.DataMigration/locations/operationResults/read
•Microsoft.DataMigration/locations/operationStatuses/read
•Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read
•Microsoft.DataMigration/databaseMigrations/write
•Microsoft.DataMigration/databaseMigrations/read
•Microsoft.DataMigration/databaseMigrations/delete
•Microsoft.DataMigration/databaseMigrations/cancel/action
•Microsoft.DataMigration/databaseMigrations/cutover/action
•Microsoft.DataMigration/sqlMigrationServices/write
•Microsoft.DataMigration/sqlMigrationServices/delete
•Microsoft.DataMigration/sqlMigrationServices/read
•Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action
•Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action
•Microsoft.DataMigration/sqlMigrationServices/deleteNode/action
•Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action
•Microsoft.DataMigration/sqlMigrationServices/listMigrations/read
•Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read
•Microsoft.DataMigration/register/action
•Microsoft.DataMigration/operations/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/listkeys/action
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Storage/storageAccounts/blobServices/write
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.SqlVirtualMachine/sqlVirtualMachines/read
•Microsoft.SqlVirtualMachine/sqlVirtualMachines/write
a9b99099-ead7-47db-8fcf-072597a61dfa Bayer Ag Powered Services CWUM Solution User Role Provide access to CWUM Solution by Bayer Ag Powered Services count: 005
•Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read
•Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/write
•Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/*
•Microsoft.AgFoodPlatform/farmBeats/scenes/*
•Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/*
0ab34830-df19-4f8c-b84e-aa85b8afa6e8 Azure Front Door Domain Contributor Can manage Azure Front Door domains, but can't grant access to other users. count: 005
•Microsoft.Cdn/operationresults/profileresults/customdomainresults/read
•Microsoft.Cdn/profiles/customdomains/read
•Microsoft.Cdn/profiles/customdomains/write
•Microsoft.Cdn/profiles/customdomains/delete
•Microsoft.Resources/subscriptions/resourceGroups/read
3f2eb865-5811-4578-b90a-6fc6fa0df8e5 Azure Front Door Secret Contributor Can manage Azure Front Door secrets, but can't grant access to other users. count: 005
•Microsoft.Cdn/operationresults/profileresults/secretresults/read
•Microsoft.Cdn/profiles/secrets/read
•Microsoft.Cdn/profiles/secrets/write
•Microsoft.Cdn/profiles/secrets/delete
•Microsoft.Resources/subscriptions/resourceGroups/read
0f99d363-226e-4dca-9920-b807cf8e1a5f Azure Front Door Domain Reader Can view Azure Front Door domains, but can't make changes. count: 003
•Microsoft.Cdn/operationresults/profileresults/customdomainresults/read
•Microsoft.Cdn/profiles/customdomains/read
•Microsoft.Resources/subscriptions/resourceGroups/read
0db238c4-885e-4c4f-a933-aa2cef684fca Azure Front Door Secret Reader Can view Azure Front Door secrets, but can't make changes. count: 003
•Microsoft.Cdn/operationresults/profileresults/secretresults/read
•Microsoft.Cdn/profiles/secrets/read
•Microsoft.Resources/subscriptions/resourceGroups/read
d18ad5f3-1baf-4119-b49b-d944edb1f9d0 MySQL Backup And Export Operator Grants full access to manage backup and export resources count: 006
•Microsoft.DBforMySQL/flexibleServers/validateBackup/action
•Microsoft.DBforMySQL/flexibleServers/backupAndExport/action
•Microsoft.DBforMySQL/locations/operationResults/read
•Microsoft.DBforMySQL/locations/azureAsyncOperation/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2 LocalNGFirewallAdministrator role Allows user to create, modify, describe, or delete NGFirewalls. count: 028
•PaloAltoNetworks.Cloudngfw/firewalls/*
•PaloAltoNetworks.Cloudngfw/localRulestacks/read
•PaloAltoNetworks.Cloudngfw/globalRulestacks/read
•PaloAltoNetworks.Cloudngfw/Locations/operationStatuses/read
•Microsoft.OperationalInsights/workspaces/write
•Microsoft.OperationalInsights/workspaces/sharedKeys/read
•Microsoft.OperationalInsights/workspaces/read
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/metrics/read
•Microsoft.Insights/metricDefinitions/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Support/*
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/join/action
•Microsoft.Network/publicIPAddresses/write
•Microsoft.Network/publicIPAddresses/read
•Microsoft.Network/publicIPAddresses/join/action
•Microsoft.Network/networkVirtualAppliances/read
•Microsoft.Network/networkVirtualAppliances/write
•Microsoft.Network/networkVirtualAppliances/delete
•Microsoft.Network/virtualHubs/read
•Microsoft.Network/virtualWans/read
•Microsoft.Network/virtualWans/virtualHubs/read
•Microsoft.Network/networkSecurityGroups/read
•Microsoft.Network/networkSecurityGroups/join/action
bda0d508-adf1-4af0-9c28-88919fc3ae06 Azure Stack HCI registration role Custom Azure role to allow subscription-level access to register Azure Stack HCI count: 009
•Microsoft.AzureStackHCI/register/action
•Microsoft.AzureStackHCI/Unregister/Action
•Microsoft.AzureStackHCI/clusters/*
•Microsoft.HybridCompute/register/action
•Microsoft.GuestConfiguration/register/action
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Resources/subscriptions/resourceGroups/delete
•Microsoft.HybridConnectivity/register/action
bfc3b73d-c6ff-45eb-9a5f-40298295bf20 LocalRulestacksAdministrator role Allows users to create, modify, describe, or delete Rulestacks. count: 007
•PaloAltoNetworks.Cloudngfw/localRulestacks/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Authorization/*/read
•Microsoft.ResourceHealth/availabilityStatuses/read
•Microsoft.Resources/deployments/*
•Microsoft.Insights/alertRules/*
•Microsoft.Support/*
7392c568-9289-4bde-aaaa-b7131215889d Azure Extension for SQL Server Deployment Microsoft.AzureArcData service role to enable deployment of Azure Extension for SQL Server count: 002
•Microsoft.Resources/deployments/write
•Microsoft.HybridCompute/machines/extensions/write
count: 001
Configure Arc-enabled machines running SQL Server to have SQL Server extension installed.
d6470a16-71bd-43ab-86b3-6f3a73f4e787 Azure Maps Data Read and Batch Role This role can be used to assign read and batch actions on Azure Maps. count: 002
•Microsoft.Maps/accounts/services/*/read
•Microsoft.Maps/accounts/services/batch/action
ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 API Management Workspace Reader Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. count: 002
•Microsoft.ApiManagement/service/workspaces/*/read
•Microsoft.Authorization/*/read
73c2c328-d004-4c5e-938c-35c6f5679a1f API Management Workspace API Product Manager Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. count: 007
•Microsoft.ApiManagement/service/workspaces/*/read
•Microsoft.ApiManagement/service/workspaces/products/*
•Microsoft.ApiManagement/service/workspaces/subscriptions/*
•Microsoft.ApiManagement/service/workspaces/groups/*
•Microsoft.ApiManagement/service/workspaces/tags/*
•Microsoft.ApiManagement/service/workspaces/notifications/*
•Microsoft.Authorization/*/read
56328988-075d-4c6a-8766-d93edd6725b6 API Management Workspace API Developer Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. count: 010
•Microsoft.ApiManagement/service/workspaces/*/read
•Microsoft.ApiManagement/service/workspaces/apis/*
•Microsoft.ApiManagement/service/workspaces/apiVersionSets/*
•Microsoft.ApiManagement/service/workspaces/policies/*
•Microsoft.ApiManagement/service/workspaces/schemas/*
•Microsoft.ApiManagement/service/workspaces/products/*
•Microsoft.ApiManagement/service/workspaces/policyFragments/*
•Microsoft.ApiManagement/service/workspaces/namedValues/*
•Microsoft.ApiManagement/service/workspaces/tags/*
•Microsoft.Authorization/*/read
d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da API Management Service Workspace API Product Manager Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. count: 011
•Microsoft.ApiManagement/service/users/read
•Microsoft.ApiManagement/service/tags/read
•Microsoft.ApiManagement/service/tags/apiLinks/*
•Microsoft.ApiManagement/service/tags/operationLinks/*
•Microsoft.ApiManagement/service/tags/productLinks/*
•Microsoft.ApiManagement/service/products/read
•Microsoft.ApiManagement/service/products/apiLinks/*
•Microsoft.ApiManagement/service/groups/read
•Microsoft.ApiManagement/service/groups/users/*
•Microsoft.ApiManagement/service/read
•Microsoft.Authorization/*/read
9565a273-41b9-4368-97d2-aeb0c976a9b3 API Management Service Workspace API Developer Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. count: 008
•Microsoft.ApiManagement/service/tags/read
•Microsoft.ApiManagement/service/tags/apiLinks/*
•Microsoft.ApiManagement/service/tags/operationLinks/*
•Microsoft.ApiManagement/service/tags/productLinks/*
•Microsoft.ApiManagement/service/products/read
•Microsoft.ApiManagement/service/products/apiLinks/*
•Microsoft.ApiManagement/service/read
•Microsoft.Authorization/*/read
0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 API Management Workspace Contributor Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. count: 002
•Microsoft.ApiManagement/service/workspaces/*
•Microsoft.Authorization/*/read
b8eda974-7b85-4f76-af95-65846b26df6d Storage File Data Privileged Reader Customer has read access on Azure Storage file shares. count: 002
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
•Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
69566ab7-960f-475b-8e7c-b3118f30c6bd Storage File Data Privileged Contributor Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares. count: 006
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete
•Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action
•Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action
•Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
7eabc9a4-85f7-4f71-b8ab-75daaccc1033 Windows 365 Network User This role is used by Windows 365 to read virtual networks and join the designated virtual networks. count: 004
•Microsoft.Network/virtualNetworks/read
•Microsoft.Network/virtualNetworks/subnets/read
•Microsoft.Network/virtualNetworks/usages/read
•Microsoft.Network/virtualNetworks/subnets/join/action
1f135831-5bbe-4924-9016-264044c00788 Windows 365 Network Interface Contributor This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces. count: 015
•Microsoft.Resources/subscriptions/resourcegroups/read
•Microsoft.Resources/deployments/read
•Microsoft.Resources/deployments/write
•Microsoft.Resources/deployments/delete
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/deployments/operationstatuses/read
•Microsoft.Network/locations/operations/read
•Microsoft.Network/locations/operationResults/read
•Microsoft.Network/locations/usages/read
•Microsoft.Network/networkInterfaces/write
•Microsoft.Network/networkInterfaces/read
•Microsoft.Network/networkInterfaces/delete
•Microsoft.Network/networkInterfaces/join/action
•Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action
•Microsoft.Network/networkInterfaces/effectiveRouteTable/action
3d55a8f6-4133-418d-8051-facdb1735758 Windows365SubscriptionReader Read subscriptions, images, azure firewalls. This role is used in Windows365 scenarios. count: 003
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Authorization/*/read
0f37683f-2463-46b6-9ce7-9b788b988ba2 App Compliance Automation Administrator Create, read, download, modify and delete reports objects and related other resource objects. count: 028
•Microsoft.AppComplianceAutomation/*
•Microsoft.Storage/storageAccounts/blobServices/write
•Microsoft.Storage/storageAccounts/fileservices/write
•Microsoft.Storage/storageAccounts/listKeys/action
•Microsoft.Storage/storageAccounts/write
•Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/blobServices/containers/write
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.PolicyInsights/policyStates/queryResults/action
•Microsoft.PolicyInsights/policyStates/triggerEvaluation/action
•Microsoft.Resources/resources/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourceGroups/resources/read
•Microsoft.Resources/subscriptions/resources/read
•Microsoft.Resources/subscriptions/resourceGroups/delete
•Microsoft.Resources/subscriptions/resourceGroups/write
•Microsoft.Resources/tags/read
•Microsoft.Resources/deployments/validate/action
•Microsoft.Security/automations/read
•Microsoft.Resources/deployments/write
•Microsoft.Security/automations/delete
•Microsoft.Security/automations/write
•Microsoft.Security/register/action
•Microsoft.Security/unregister/action
•*/read
ffc6bbe0-e443-4c3b-bf54-26581bb2f78e App Compliance Automation Reader Read, download the reports objects and related other resource objects. count: 010
•Microsoft.AppComplianceAutomation/*/read
•Microsoft.Storage/storageAccounts/read
•Microsoft.Storage/storageAccounts/blobServices/containers/read
•Microsoft.Storage/storageAccounts/blobServices/read
•Microsoft.Resources/resources/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resources/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/resourceGroups/resources/read
•Microsoft.Resources/tags/read
8b9dfcab-4b77-4632-a6df-94bd07820648 Azure Sphere Contributor Allows user read and write access to Azure Sphere resources. count: 007
•Microsoft.AzureSphere/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/alertRules/*
•Microsoft.Insights/DiagnosticSettings/*
•Microsoft.Insights/DiagnosticSettingsCategories/Read
e9b8712a-cbcf-4ea7-b0f7-e71b803401e6 SaaS Hub Contributor SaaS Hub contributor can manage SaaS Hub resource count: 004
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.SaaSHub/cloudservices/read
•Microsoft.SaaSHub/cloudservices/write
•Microsoft.SaaSHub/cloudservices/delete
c8ae6279-5a0b-4cb2-b3f0-d4d62845742c Azure Sphere Reader Allows user to read Azure Sphere resources. count: 012
•Microsoft.AzureSphere/*/read
•Microsoft.AzureSphere/catalogs/countDevices/action
•Microsoft.AzureSphere/catalogs/listDeviceGroups/action
•Microsoft.AzureSphere/catalogs/listDeviceInsights/action
•Microsoft.AzureSphere/catalogs/listDevices/action
•Microsoft.AzureSphere/catalogs/listDeployments/action
•Microsoft.AzureSphere/catalogs/products/countDevices/action
•Microsoft.AzureSphere/catalogs/products/deviceGroups/countDevices/action
•Microsoft.AzureSphere/catalogs/certificates/retrieveCertChain/action
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/DiagnosticSettings/Read
6d994134-994b-4a59-9974-f479f0b227fb Azure Sphere Publisher Allows user to read and download Azure Sphere resources and upload images. count: 013
•Microsoft.AzureSphere/*/read
•Microsoft.AzureSphere/catalogs/countDevices/action
•Microsoft.AzureSphere/catalogs/listDeviceGroups/action
•Microsoft.AzureSphere/catalogs/listDeviceInsights/action
•Microsoft.AzureSphere/catalogs/listDevices/action
•Microsoft.AzureSphere/catalogs/products/countDevices/action
•Microsoft.AzureSphere/catalogs/products/deviceGroups/countDevices/action
•Microsoft.AzureSphere/catalogs/certificates/retrieveProofOfPossessionNonce/action
•Microsoft.AzureSphere/catalogs/certificates/retrieveCertChain/action
•Microsoft.AzureSphere/catalogs/images/write
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Insights/DiagnosticSettings/Read
be1a1ac2-09d3-4261-9e57-a73a6e227f53 Procurement Contributor Lets you manage the procurement of products and services. count: 005
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.SaaSHub/cloudservices/read
•Microsoft.SaaSHub/cloudservices/write
•Microsoft.SaaSHub/cloudservices/delete
•Microsoft.SaaSHub/register/action
79b01272-bf9f-4f4c-9517-5506269cf524 Cognitive Search Serverless Data Reader Read Cognitive Search serverless index schema and documents. This role is in preview and subject to change. count: 002
•Microsoft.CognitiveSearch/indexes/schema/read
•Microsoft.CognitiveSearch/indexes/documents/read
7ac06ca7-21ca-47e3-a67b-cbd6e6223baf Cognitive Search Serverless Data Contributor Create, read, modify and delete Cognitive Search serverless index schema and documents. This role is in preview and subject to change. count: 002
•Microsoft.CognitiveSearch/indexes/schema/*
•Microsoft.CognitiveSearch/indexes/documents/*
5e28a61e-8040-49db-b175-bb5b88af6239 Community Owner Role Community Owner Role to access the resources of Microsoft.Mission stored with RPSAAS. count: 020
•Microsoft.Mission/register/action
•Microsoft.Mission/unregister/action
•Microsoft.Mission/Locations/OperationStatuses/read
•Microsoft.Mission/Locations/OperationStatuses/write
•Microsoft.Mission/Operations/read
•Microsoft.Mission/catalogs/read
•Microsoft.Mission/catalogs/write
•Microsoft.Mission/catalogs/delete
•Microsoft.Mission/communities/read
•Microsoft.Mission/communities/write
•Microsoft.Mission/communities/delete
•Microsoft.Mission/internalConnections/read
•Microsoft.Mission/internalConnections/write
•Microsoft.Mission/internalConnections/delete
•Microsoft.Mission/virtualEnclaves/read
•Microsoft.Mission/virtualEnclaves/write
•Microsoft.Mission/virtualEnclaves/delete
•Microsoft.Mission/virtualEnclaves/workloads/read
•Microsoft.Mission/virtualEnclaves/workloads/write
•Microsoft.Mission/virtualEnclaves/workloads/delete
9c1607d1-791d-4c68-885d-c7b7aaff7c8a Firmware Analysis Admin Upload and analyze firmware images in Defender for IoT count: 004
•Microsoft.IoTFirmwareDefense/*
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/deployments/*
8b54135c-b56d-4d72-a534-26097cfdc8d8 Key Vault Data Access Administrator (preview) Add or remove key vault data plane role assignments and read resources of all types, except secrets. Includes an ABAC condition to constrain role assignments. count: 009
•Microsoft.Authorization/roleAssignments/write
•Microsoft.Authorization/roleAssignments/delete
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Management/managementGroups/read
•Microsoft.Resources/deployments/*
•Microsoft.Support/*
1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 Defender for Storage Data Scanner Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. count: 001
•Microsoft.Storage/storageAccounts/blobServices/containers/read
count: 003
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write
•Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read
df2711a6-406d-41cf-b366-b0250bff9ad1 Compute Diagnostics Role Grants permissions to execute diagnostics provided by Compute Diagnostic Service for Compute Resources. count: 003
•Microsoft.Authorization/*/read
•Microsoft.Compute/disks/beginGetAccess/action
•Microsoft.Compute/virtualmachinescalesets/disks/beginGetAccess/action
fa6cecf6-5db3-4c43-8470-c540bcb4eafa Elastic SAN Network Admin Allows access to create Private Endpoints on SAN resources, and to read SAN resources count: 005
•Microsoft.ElasticSan/elasticSans/*/read
•Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action
•Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write
•Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete
•Microsoft.ElasticSan/locations/asyncoperations/read
bba48692-92b0-4667-a9ad-c31c7b334ac2 Cognitive Services Usages Reader Minimal permission to view Cognitive Services usages. count: 001
•Microsoft.CognitiveServices/locations/usages/read
c088a766-074b-43ba-90d4-1fb21feae531 PostgreSQL Flexible Server Long Term Retention Backup Role Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup. count: 007
•Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read
•Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action
•Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action
•Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read
•Microsoft.DBforPostgreSQL/locations/operationResults/read
•Microsoft.Resources/subscriptions/read
•Microsoft.Resources/subscriptions/resourceGroups/read
a02f7c31-354d-4106-865a-deedf37fa038 Search Parameter Manager Role allows user or principal access to $status and $reindex to update search parameters count: 004
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/read
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/write
•Microsoft.HealthcareApis/workspaces/fhirservices/resources/searchparameter/action
4accf36b-2c05-432f-91c8-5c532dff4c73 Logic Apps Standard Reader (Preview) You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history. count: 016
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Web/connectionGateways/*/read
•Microsoft.Web/connections/*/read
•Microsoft.Web/customApis/*/read
•Microsoft.Web/serverFarms/read
•microsoft.web/sites/hostruntime/webhooks/api/workflows/triggers/read
•microsoft.web/sites/hostruntime/webhooks/api/workflows/runs/read
•microsoft.web/sites/workflows/read
•microsoft.web/sites/workflowsconfiguration/read
•microsoft.web/sites/slots/workflows/read
•microsoft.web/sites/slots/workflowsconfiguration/read
523776ba-4eb2-4600-a3c8-f2dc93da4bdb Logic Apps Standard Developer (Preview) You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope. count: 034
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Web/connectionGateways/*/read
•Microsoft.Web/connections/*
•Microsoft.Web/customApis/*
•Microsoft.Web/serverFarms/read
•microsoft.web/sites/config/appsettings/read
•Microsoft.Web/sites/config/list/Action
•Microsoft.Web/sites/config/Read
•microsoft.web/sites/config/Write
•microsoft.web/sites/config/web/appsettings/delete
•microsoft.web/sites/config/web/appsettings/read
•microsoft.web/sites/config/web/appsettings/write
•microsoft.web/sites/deployWorkflowArtifacts/action
•microsoft.web/sites/hostruntime/*
•microsoft.web/sites/listworkflowsconnections/action
•Microsoft.Web/sites/publish/Action
•Microsoft.Web/sites/Read
•microsoft.web/sites/slots/config/appsettings/read
•microsoft.web/sites/slots/config/appsettings/write
•Microsoft.Web/sites/slots/config/list/Action
•Microsoft.Web/sites/slots/config/Read
•microsoft.web/sites/slots/config/web/appsettings/delete
•microsoft.web/sites/slots/deployWorkflowArtifacts/action
•microsoft.web/sites/slots/listworkflowsconnections/action
•Microsoft.Web/sites/slots/publish/Action
•microsoft.web/sites/slots/workflows/read
•microsoft.web/sites/slots/workflowsconfiguration/read
•microsoft.web/sites/workflows/*
•microsoft.web/sites/workflowsconfiguration/*
ad710c24-b039-4e85-a019-deb4a06e8570 Logic Apps Standard Contributor (Preview) You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership. count: 013
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Web/certificates/*
•Microsoft.Web/connectionGateways/*
•Microsoft.Web/connections/*
•Microsoft.Web/customApis/*
•Microsoft.Web/listSitesAssignedToHostName/read
•Microsoft.Web/serverFarms/*
•Microsoft.Web/sites/*
b70c96e9-66fe-4c09-b6e7-c98e69c98555 Logic Apps Standard Operator (Preview) You can enable, resubmit, and disable workflows as well as create connections. You can't edit workflows or settings. count: 029
•Microsoft.Authorization/*/read
•Microsoft.Insights/alertRules/*
•Microsoft.Resources/deployments/operations/read
•Microsoft.Resources/subscriptions/operationresults/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.Support/*
•Microsoft.Web/connectionGateways/*/read
•Microsoft.Web/connections/*/read
•Microsoft.Web/customApis/*/read
•Microsoft.Web/serverFarms/read
•Microsoft.Web/sites/applySlotConfig/Action
•Microsoft.Web/sites/config/Read
•microsoft.web/sites/hostruntime/*
•Microsoft.Web/sites/Read
•Microsoft.Web/sites/restart/Action
•Microsoft.Web/sites/slots/config/Read
•Microsoft.Web/sites/slots/restart/Action
•Microsoft.Web/sites/slots/slotsswap/Action
•Microsoft.Web/sites/slots/start/Action
•Microsoft.Web/sites/slots/stop/Action
•microsoft.web/sites/slots/workflows/read
•microsoft.web/sites/slots/workflowsconfiguration/read
•Microsoft.Web/sites/slotsdiffs/Action
•Microsoft.Web/sites/slotsswap/Action
•Microsoft.Web/sites/start/Action
•Microsoft.Web/sites/stop/Action
•microsoft.web/sites/workflows/read
•microsoft.web/sites/workflowsconfiguration/read
•Microsoft.Web/sites/write
7b3e853f-ad5d-4fb5-a7b8-56a3581c7037 IPAM Pool Contributor Read IPAM Pools and child resources. Create and remove associations. This role is in preview and subject to change.
e9c9ed2b-2a99-4071-b2ff-5b113ebf73a1 SpatialMapsAccounts Account Owner Lets you manage data in your account, including deleting them count: 003
•Microsoft.MixedReality/spatialMapsAccounts/read
•Microsoft.MixedReality/spatialMapsAccounts/delete
•Microsoft.MixedReality/spatialMapsAccounts/write
0b962ed2-6d56-471c-bd5f-3477d83a7ba4 Azure Resource Notifications System Topics Subscriber Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications count: 005
•Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action
•Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action
•Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action
•Microsoft.EventGrid/eventSubscriptions/write
•Microsoft.EventGrid/systemTopics/eventSubscriptions/write
1c4770c0-34f7-4110-a1ea-a5855cc7a939 Elastic SAN Snapshot Exporter Allows for creating and exporting Snapshot of Elastic San Volume count: 014
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ElasticSan/elasticSans/*/read
•Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/write
•Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/delete
•Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/beginGetAccess/action
•Microsoft.ElasticSan/locations/*
•Microsoft.Compute/locations/*
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/write
•Microsoft.Compute/disks/delete
•Microsoft.Compute/snapshots/read
•Microsoft.Compute/snapshots/write
•Microsoft.Compute/snapshots/delete
90e8b822-3e73-47b5-868a-787dc80c008f Elastic SAN Volume Importer Allows for Importing Elastic San Volume count: 012
•Microsoft.Authorization/*/read
•Microsoft.Resources/subscriptions/resourceGroups/read
•Microsoft.ElasticSan/elasticSans/volumeGroups/*/read
•Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/write
•Microsoft.ElasticSan/locations/*
•Microsoft.Compute/locations/*
•Microsoft.Compute/disks/read
•Microsoft.Compute/disks/beginGetAccess/action
•Microsoft.Compute/disks/endGetAccess/action
•Microsoft.Compute/snapshots/read
•Microsoft.Compute/snapshots/beginGetAccess/action
•Microsoft.Compute/snapshots/endGetAccess/action
49435da6-99fe-48a5-a235-fc668b9dc04a Community Contributor Role Community Contributor Role to access the resources of Microsoft.Mission stored with RPSAAS. count: 019
•Microsoft.Mission/register/action
•Microsoft.Mission/unregister/action
•Microsoft.Mission/Locations/OperationStatuses/read
•Microsoft.Mission/Locations/OperationStatuses/write
•Microsoft.Mission/Operations/read
•Microsoft.Mission/catalogs/read
•Microsoft.Mission/catalogs/write
•Microsoft.Mission/communities/read
•Microsoft.Mission/communities/write
•Microsoft.Mission/internalConnections/read
•Microsoft.Mission/internalConnections/write
•Microsoft.Mission/externalConnections/read
•Microsoft.Mission/externalConnections/write
•Microsoft.Mission/virtualEnclaves/read
•Microsoft.Mission/virtualEnclaves/write
•Microsoft.Mission/virtualEnclaves/endpoints/read
•Microsoft.Mission/virtualEnclaves/endpoints/write
•Microsoft.Mission/virtualEnclaves/workloads/read
•Microsoft.Mission/virtualEnclaves/workloads/write
4b0f2fd7-60b4-4eca-896f-4435034f8bf5 EventGrid TopicSpaces Subscriber Lets you subscribe messages on topicspaces. count: 001
•Microsoft.EventGrid/topicSpaces/subscribe/action
a12b0b94-b317-4dcd-84a8-502ce99884c6 EventGrid TopicSpaces Publisher Lets you publish messages on topicspaces. count: 001
•Microsoft.EventGrid/topicSpaces/publish/action
d1a38570-4b05-4d70-b8e4-1100bcf76d12 Data Boundary Tenant Administrator Allows tenant level administration for data boundaries. count: 004
•Microsoft.Resources/dataBoundaries/write
•Microsoft.Authorization/*/read
•Microsoft.Resources/deployments/*
•Microsoft.Resources/subscriptions/resourceGroups/read