| Id | Name | Description | Condition | Effective operations | Actions (control plane) | NotActions (control plane) | DataActions (data plane) | NotDataActions (data plane) | Used in Policy |
|---|---|---|---|---|---|---|---|---|---|
| 8311e382-0749-4cb8-b61a-304f252e45ec | AcrPush | acr push | False |
00002 effective control plane operations (unique) •read: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.ContainerRegistry/registries/pull/read •Microsoft.ContainerRegistry/registries/push/write | ||||
| 312a565d-c81f-4fd8-895a-4e21e48d571c | API Management Service Contributor | Can manage service and the APIs | False |
00514 effective control plane operations (unique) •: 1 •action: 67 •delete: 119 •read: 200 •write: 127 |
Actions: 007 resolved operations: 514 effective operations: 514 •: 1 •action: 67 •delete: 119 •read: 200 •write: 127 •Microsoft.ApiManagement/service/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 001 •Configure API Management services to disable access to API Management public service configuration endpoints | |||
| 7f951dda-4ed3-4680-a7ca-43fe172d538d | AcrPull | acr pull | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ContainerRegistry/registries/pull/read | ||||
| 6cef56e8-d556-48e5-a04f-b8e64114680f | AcrImageSigner | acr image signer | False |
00002 effective control plane and data plane operations (unique) •write: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •write: 1 •Microsoft.ContainerRegistry/registries/sign/write | DataActions: 001 resolved data operations: 1 effective data operations: 1 •write: 1 •Microsoft.ContainerRegistry/registries/trustedCollections/write | |||
| c2f4ef07-c644-48eb-af81-4b1b4947fb11 | AcrDelete | acr delete | False |
00001 effective control plane operations (unique) •delete: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •delete: 1 •Microsoft.ContainerRegistry/registries/artifacts/delete | ||||
| cdda3590-29a3-44f6-95f2-9f980659eb04 | AcrQuarantineReader | acr quarantine data reader | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ContainerRegistry/registries/quarantine/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | |||
| c8d4ff99-41c3-41a8-9f60-21dfdad59608 | AcrQuarantineWriter | acr quarantine data writer | False |
00004 effective control plane and data plane operations (unique) •read: 2 •write: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.ContainerRegistry/registries/quarantine/read •Microsoft.ContainerRegistry/registries/quarantine/write | DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read •Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | |||
| e022efe7-f5ba-4159-bbe4-b44f577e9b61 | API Management Service Operator Role | Can manage service but not the APIs | False |
00222 effective control plane operations (unique) •: 1 •action: 15 •delete: 3 •read: 199 •write: 4 |
Actions: 015 resolved operations: 223 effective operations: 222 •: 1 •action: 15 •delete: 3 •read: 199 •write: 4 •Microsoft.ApiManagement/service/*/read •Microsoft.ApiManagement/service/backup/action •Microsoft.ApiManagement/service/delete •Microsoft.ApiManagement/service/managedeployments/action •Microsoft.ApiManagement/service/read •Microsoft.ApiManagement/service/restore/action •Microsoft.ApiManagement/service/updatecertificate/action •Microsoft.ApiManagement/service/updatehostname/action •Microsoft.ApiManagement/service/write •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | NotActions: 001 resolved not operations: 1 effective not operations: 15164 •Microsoft.ApiManagement/service/users/keys/read | |||
| 71522526-b88f-4d52-b57f-d31fc3546d0d | API Management Service Reader Role | Read-only access to service and APIs | False |
00215 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 199 •Write: 3 |
Actions: 008 resolved operations: 216 effective operations: 215 •: 1 •Action: 10 •Delete: 2 •read: 199 •Write: 3 •Microsoft.ApiManagement/service/*/read •Microsoft.ApiManagement/service/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | NotActions: 001 resolved not operations: 1 effective not operations: 15171 •Microsoft.ApiManagement/service/users/keys/read | |||
| ae349356-3a1b-4a5e-921d-050484c6347e | Application Insights Component Contributor | Can manage Application Insights components | False |
00137 effective control plane operations (unique) •: 1 •Action: 17 •Delete: 16 •read: 83 •Write: 20 |
Actions: 013 resolved operations: 137 effective operations: 137 •: 1 •Action: 17 •Delete: 16 •read: 83 •Write: 20 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/generateLiveToken/read •Microsoft.Insights/metricAlerts/* •Microsoft.Insights/components/* •Microsoft.Insights/scheduledqueryrules/* •Microsoft.Insights/topology/read •Microsoft.Insights/transactions/read •Microsoft.Insights/webtests/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 001 •Configure Azure Application Insights components to disable public network access for log ingestion and querying | |||
| 08954f03-6346-4c2e-81c0-ec3a5cfae23b | Application Insights Snapshot Debugger | Gives user permission to use Application Insights Snapshot Debugger features | False |
00085 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 69 •Write: 3 |
Actions: 006 resolved operations: 85 effective operations: 85 •: 1 •Action: 10 •Delete: 2 •read: 69 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/components/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| fd1bd22b-8476-40bc-a0bc-69b95687b9f3 | Attestation Reader | Can read the attestation provider properties | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Attestation/attestationProviders/attestation/read | ||||
| 4fe576fe-1146-4730-92eb-48519fa6bf9f | Automation Job Operator | Create and Manage Jobs using Automation Runbooks. | False |
00063 effective control plane operations (unique) •: 1 •action: 13 •Delete: 2 •read: 43 •write: 4 |
Actions: 013 resolved operations: 63 effective operations: 63 •: 1 •action: 13 •Delete: 2 •read: 43 •write: 4 •Microsoft.Authorization/*/read •Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read •Microsoft.Automation/automationAccounts/jobs/read •Microsoft.Automation/automationAccounts/jobs/resume/action •Microsoft.Automation/automationAccounts/jobs/stop/action •Microsoft.Automation/automationAccounts/jobs/streams/read •Microsoft.Automation/automationAccounts/jobs/suspend/action •Microsoft.Automation/automationAccounts/jobs/write •Microsoft.Automation/automationAccounts/jobs/output/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 | Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. | False |
00056 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 |
Actions: 006 resolved operations: 56 effective operations: 56 •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Automation/automationAccounts/runbooks/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| d3881f73-407a-4167-8283-e981cbba0404 | Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs | False |
00071 effective control plane operations (unique) •: 1 •action: 13 •Delete: 2 •read: 49 •write: 6 |
Actions: 021 resolved operations: 71 effective operations: 71 •: 1 •action: 13 •Delete: 2 •read: 49 •write: 6 •Microsoft.Authorization/*/read •Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read •Microsoft.Automation/automationAccounts/jobs/read •Microsoft.Automation/automationAccounts/jobs/resume/action •Microsoft.Automation/automationAccounts/jobs/stop/action •Microsoft.Automation/automationAccounts/jobs/streams/read •Microsoft.Automation/automationAccounts/jobs/suspend/action •Microsoft.Automation/automationAccounts/jobs/write •Microsoft.Automation/automationAccounts/jobSchedules/read •Microsoft.Automation/automationAccounts/jobSchedules/write •Microsoft.Automation/automationAccounts/linkedWorkspace/read •Microsoft.Automation/automationAccounts/read •Microsoft.Automation/automationAccounts/runbooks/read •Microsoft.Automation/automationAccounts/schedules/read •Microsoft.Automation/automationAccounts/schedules/write •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Automation/automationAccounts/jobs/output/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 4f8fab4f-1852-4a58-a46a-8eaf358af14a | Avere Contributor | Can create and manage an Avere vFXT cluster. | False |
00679 effective control plane and data plane operations (unique) •: 1 •action: 70 •delete: 28 •read: 535 •write: 45 |
Actions: 020 resolved operations: 676 effective operations: 676 •: 1 •action: 70 •delete: 27 •read: 534 •write: 44 •Microsoft.Authorization/*/read •Microsoft.Compute/*/read •Microsoft.Compute/availabilitySets/* •Microsoft.Compute/proximityPlacementGroups/* •Microsoft.Compute/virtualMachines/* •Microsoft.Compute/disks/* •Microsoft.Network/*/read •Microsoft.Network/networkInterfaces/* •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Resources/deployments/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/*/read •Microsoft.Storage/storageAccounts/* •Microsoft.Support/* •Microsoft.Resources/subscriptions/resourceGroups/resources/read | DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | Avere Operator | Used by the Avere vFXT cluster to manage the cluster | False |
00014 effective control plane and data plane operations (unique) •action: 2 •delete: 2 •read: 7 •write: 3 |
Actions: 011 resolved operations: 11 effective operations: 11 •action: 2 •delete: 1 •read: 6 •write: 2 •Microsoft.Compute/virtualMachines/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/blobServices/containers/delete •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write | DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 | Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | False |
00004 effective control plane operations (unique) •action: 3 •read: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 3 •read: 1 •Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action •Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action •Microsoft.ContainerService/managedClusters/read •Microsoft.ContainerService/managedClusters/runcommand/action | ||||
| 4abbcc35-e782-43d8-92c5-2d3f1bd2253f | Azure Kubernetes Service Cluster User Role | List cluster user credential action. | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.ContainerService/managedClusters/listClusterUserCredential/action •Microsoft.ContainerService/managedClusters/read | ||||
| 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | Azure Maps Data Reader | Grants access to read map related data from an Azure maps account. | False |
00012 effective data plane operations (unique) •read: 12 |
DataActions: 001 resolved data operations: 12 effective data operations: 12 •read: 12 •Microsoft.Maps/accounts/*/read | ||||
| 6f12a6df-dd06-4f3e-bcb1-ce8be600526a | Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | False |
00007 effective control plane operations (unique) •action: 4 •read: 3 |
Actions: 004 resolved operations: 7 effective operations: 7 •action: 4 •read: 3 •Microsoft.AzureStack/edgeSubscriptions/read •Microsoft.AzureStack/registrations/products/*/action •Microsoft.AzureStack/registrations/products/read •Microsoft.AzureStack/registrations/read | ||||
| 5e467623-bb1f-42f4-a55d-6e525e11384b | Backup Contributor | Lets you manage backups, but can't delete vaults and give access to others | False |
00165 effective control plane operations (unique) •action: 44 •delete: 9 •read: 94 •write: 18 |
Actions: 077 resolved operations: 165 effective operations: 165 •action: 44 •delete: 9 •read: 94 •write: 18 •Microsoft.Authorization/*/read •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/locations/* •Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* •Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action •Microsoft.RecoveryServices/Vaults/backupJobs/* •Microsoft.RecoveryServices/Vaults/backupJobsExport/action •Microsoft.RecoveryServices/Vaults/backupOperationResults/* •Microsoft.RecoveryServices/Vaults/backupPolicies/* •Microsoft.RecoveryServices/Vaults/backupProtectableItems/* •Microsoft.RecoveryServices/Vaults/backupProtectedItems/* •Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* •Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* •Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read •Microsoft.RecoveryServices/Vaults/certificates/* •Microsoft.RecoveryServices/Vaults/extendedInformation/* •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/* •Microsoft.RecoveryServices/Vaults/usages/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.RecoveryServices/Vaults/backupstorageconfig/* •Microsoft.RecoveryServices/Vaults/backupconfig/* •Microsoft.RecoveryServices/Vaults/backupValidateOperation/action •Microsoft.RecoveryServices/Vaults/write •Microsoft.RecoveryServices/Vaults/backupOperations/read •Microsoft.RecoveryServices/Vaults/backupEngines/read •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* •Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read •Microsoft.RecoveryServices/vaults/operationStatus/read •Microsoft.RecoveryServices/vaults/operationResults/read •Microsoft.RecoveryServices/locations/backupStatus/action •Microsoft.RecoveryServices/locations/backupPreValidateProtection/action •Microsoft.RecoveryServices/locations/backupValidateFeatures/action •Microsoft.RecoveryServices/Vaults/monitoringAlerts/write •Microsoft.RecoveryServices/operations/read •Microsoft.RecoveryServices/locations/operationStatus/read •Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read •Microsoft.Support/* •Microsoft.DataProtection/locations/getBackupStatus/action •Microsoft.DataProtection/backupVaults/backupInstances/write •Microsoft.DataProtection/backupVaults/backupInstances/delete •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/deletedBackupInstances/read •Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action •Microsoft.DataProtection/backupVaults/backupInstances/backup/action •Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action •Microsoft.DataProtection/backupVaults/backupInstances/restore/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action •Microsoft.DataProtection/backupVaults/backupPolicies/write •Microsoft.DataProtection/backupVaults/backupPolicies/delete •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action •Microsoft.DataProtection/backupVaults/write •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/operationResults/read •Microsoft.DataProtection/backupVaults/operationStatus/read •Microsoft.DataProtection/locations/checkNameAvailability/action •Microsoft.DataProtection/locations/checkFeatureSupport/action •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/backupVaults/validateForBackup/action •Microsoft.DataProtection/operations/read | count: 009 •[Preview]: Configure Azure Recovery Services vaults to disable public network access •[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region •[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region •[Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults •[Preview]: Disable Cross Subscription Restore for Backup Vaults •Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location •Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | |||
| fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 | Billing Reader | Allows read access to billing data | False |
00174 effective control plane operations (unique) •action: 3 •read: 170 •write: 1 |
Actions: 007 resolved operations: 174 effective operations: 174 •action: 3 •read: 170 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Billing/*/read •Microsoft.Commerce/*/read •Microsoft.Consumption/*/read •Microsoft.Management/managementGroups/read •Microsoft.CostManagement/*/read •Microsoft.Support/* | ||||
| a795c7a0-d4a2-40c1-ae25-d81f01202912 | Backup Reader | Can view backup services, but can't make changes | False |
00091 effective control plane operations (unique) •action: 15 •read: 73 •write: 3 |
Actions: 067 resolved operations: 91 effective operations: 91 •action: 15 •read: 73 •write: 3 •Microsoft.Authorization/*/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read •Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read •Microsoft.RecoveryServices/Vaults/backupJobs/read •Microsoft.RecoveryServices/Vaults/backupJobsExport/action •Microsoft.RecoveryServices/Vaults/backupOperationResults/read •Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read •Microsoft.RecoveryServices/Vaults/backupPolicies/read •Microsoft.RecoveryServices/Vaults/backupProtectedItems/read •Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read •Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/Vaults/backupstorageconfig/read •Microsoft.RecoveryServices/Vaults/backupconfig/read •Microsoft.RecoveryServices/Vaults/backupOperations/read •Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read •Microsoft.RecoveryServices/Vaults/backupEngines/read •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read •Microsoft.RecoveryServices/locations/backupStatus/action •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* •Microsoft.RecoveryServices/Vaults/monitoringAlerts/write •Microsoft.RecoveryServices/operations/read •Microsoft.RecoveryServices/locations/operationStatus/read •Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/locations/backupValidateFeatures/action •Microsoft.RecoveryServices/locations/backupCrrJobs/action •Microsoft.RecoveryServices/locations/backupCrrJob/action •Microsoft.RecoveryServices/locations/backupCrrOperationResults/read •Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read •Microsoft.DataProtection/locations/getBackupStatus/action •Microsoft.DataProtection/backupVaults/backupInstances/write •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/deletedBackupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/backup/action •Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action •Microsoft.DataProtection/backupVaults/backupInstances/restore/action •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/operationResults/read •Microsoft.DataProtection/backupVaults/operationStatus/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/backupVaults/validateForBackup/action •Microsoft.DataProtection/operations/read •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action •Microsoft.DataProtection/locations/checkFeatureSupport/action | ||||
| 31a002a1-acaf-453e-8a5b-297c9ca1ea24 | Blockchain Member Node Access (Preview) | Allows for access to Blockchain Member nodes | False |
00002 effective control plane and data plane operations (unique) •action: 1 •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Blockchain/blockchainMembers/transactionNodes/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action | |||
| 5e3c6656-6cfa-4708-81fe-0de47ac73342 | BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | False |
00056 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 |
Actions: 007 resolved operations: 56 effective operations: 56 •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.BizTalkServices/BizTalk/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 | CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. | False |
00149 effective control plane operations (unique) •: 1 •action: 40 •delete: 22 •read: 62 •write: 24 |
Actions: 008 resolved operations: 149 effective operations: 149 •: 1 •action: 40 •delete: 22 •read: 62 •write: 24 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/endpoints/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| ec156ff8-a8d1-4d15-830c-5b80698ca432 | CDN Profile Contributor | Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users. | False |
00207 effective control plane operations (unique) •: 1 •action: 58 •delete: 32 •read: 81 •write: 35 |
Actions: 008 resolved operations: 207 effective operations: 207 •: 1 •action: 58 •delete: 32 •read: 81 •write: 35 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 8f96442b-4075-438f-813d-ad51ab4019af | CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. | False |
00153 effective control plane operations (unique) •: 1 •action: 35 •delete: 18 •read: 80 •write: 19 |
Actions: 011 resolved operations: 153 effective operations: 153 •: 1 •action: 35 •delete: 18 •read: 80 •write: 19 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Cdn/profiles/CheckResourceUsage/action •Microsoft.Cdn/profiles/endpoints/CheckResourceUsage/action | ||||
| b34d265f-36f7-4a0d-a4d4-e158ca92e90f | Classic Network Contributor | Lets you manage classic networks, but not access to them. | False |
00128 effective control plane operations (unique) •: 1 •action: 32 •delete: 12 •read: 68 •write: 15 |
Actions: 007 resolved operations: 128 effective operations: 128 •: 1 •action: 32 •delete: 12 •read: 68 •write: 15 •Microsoft.Authorization/*/read •Microsoft.ClassicNetwork/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | False |
00100 effective control plane operations (unique) •: 1 •action: 16 •delete: 7 •read: 63 •write: 13 |
Actions: 007 resolved operations: 100 effective operations: 100 •: 1 •action: 16 •delete: 7 •read: 63 •write: 13 •Microsoft.Authorization/*/read •Microsoft.ClassicStorage/storageAccounts/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 985d6b00-f706-48f5-a6fe-d0ca12fb668d | Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | False |
00002 effective control plane operations (unique) •action: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 2 •Microsoft.ClassicStorage/storageAccounts/listkeys/action •Microsoft.ClassicStorage/storageAccounts/regeneratekey/action | ||||
| 9106cda0-8a86-4e81-b686-29a22c54effe | ClearDB MySQL DB Contributor | Lets you manage ClearDB MySQL databases, but not access to them. | False |
00056 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 |
Actions: 007 resolved operations: 56 effective operations: 56 •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •successbricks.cleardb/databases/* | ||||
| d73bb868-a0df-4d4d-bd69-98a00b01fccb | Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | False |
00161 effective control plane operations (unique) •: 1 •action: 35 •delete: 11 •read: 90 •write: 24 |
Actions: 017 resolved operations: 161 effective operations: 161 •: 1 •action: 35 •delete: 11 •read: 90 •write: 24 •Microsoft.Authorization/*/read •Microsoft.ClassicCompute/domainNames/* •Microsoft.ClassicCompute/virtualMachines/* •Microsoft.ClassicNetwork/networkSecurityGroups/join/action •Microsoft.ClassicNetwork/reservedIps/link/action •Microsoft.ClassicNetwork/reservedIps/read •Microsoft.ClassicNetwork/virtualNetworks/join/action •Microsoft.ClassicNetwork/virtualNetworks/read •Microsoft.ClassicStorage/storageAccounts/disks/read •Microsoft.ClassicStorage/storageAccounts/images/read •Microsoft.ClassicStorage/storageAccounts/listKeys/action •Microsoft.ClassicStorage/storageAccounts/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| a97b65f3-24c7-4388-baec-2e87135dc908 | Cognitive Services User | Lets you read and list keys of Cognitive Services. | False |
01355 effective control plane and data plane operations (unique) •action: 394 •delete: 180 •read: 580 •write: 201 |
Actions: 013 resolved operations: 54 effective operations: 54 •action: 4 •read: 49 •write: 1 •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/listkeys/action •Microsoft.Insights/alertRules/read •Microsoft.Insights/diagnosticSettings/read •Microsoft.Insights/logDefinitions/read •Microsoft.Insights/metricdefinitions/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | DataActions: 001 resolved data operations: 1301 effective data operations: 1301 •action: 390 •delete: 180 •read: 531 •write: 200 •Microsoft.CognitiveServices/* | |||
| b59867f0-fa02-499b-be73-45a86b5b3e1c | Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. | False |
00531 effective data plane operations (unique) •read: 531 |
DataActions: 001 resolved data operations: 531 effective data operations: 531 •read: 531 •Microsoft.CognitiveServices/*/read | ||||
| 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. | False |
00147 effective control plane operations (unique) •: 1 •action: 23 •delete: 18 •read: 84 •write: 21 |
Actions: 018 resolved operations: 147 effective operations: 147 •: 1 •action: 23 •delete: 18 •read: 84 •write: 21 •Microsoft.Authorization/*/read •Microsoft.CognitiveServices/* •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Features/providers/features/register/action •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Insights/logDefinitions/read •Microsoft.Insights/metricdefinitions/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 003 •Configure Azure AI Services resources to disable local key access (disable local authentication) •Configure Azure AI Services resources to disable local key access (disable local authentication) •Configure Cognitive Services accounts with private endpoints | |||
| db7b14f2-5adf-42da-9f96-f2ee17bab5cb | CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account | False |
00002 effective control plane operations (unique) •action: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 2 •Microsoft.DocumentDB/databaseAccounts/backup/action •Microsoft.DocumentDB/databaseAccounts/restore/action | ||||
| b24988ac-6180-42a0-ab88-20f7382dd24c | Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | False |
15349 effective control plane operations (unique) •: 1 •action: 3420 •delete: 2309 •read: 6717 •write: 2902 |
Actions: 001 resolved operations: 15386 effective operations: 15349 •: 1 •action: 3420 •delete: 2309 •read: 6717 •write: 2902 •* | NotActions: 008 resolved not operations: 37 effective not operations: 37 •Microsoft.Authorization/*/Delete •Microsoft.Authorization/*/Write •Microsoft.Authorization/elevateAccess/Action •Microsoft.Blueprint/blueprintAssignments/write •Microsoft.Blueprint/blueprintAssignments/delete •Microsoft.Compute/galleries/share/action •Microsoft.Purview/consents/write •Microsoft.Purview/consents/delete | count: 204 •[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent •[Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent •[Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent •[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage •[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent •[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords •[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 •[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords •[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' •[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members •[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members •[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' •[Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled •[Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords •[Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain •[Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone •[Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption •[Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days •[Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot •[Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols •[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. •[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. •[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines •[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension •[Preview]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace •[Preview]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace •[Preview]: Configure Azure Defender for SQL agent on virtual machine •[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines •[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines •[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines •[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines •[Preview]: Enable system-assigned identity to SQL VM •Add a tag to resource groups •Add a tag to resources •Add or replace a tag on resource groups •Add or replace a tag on resources •Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities •Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity •Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers •Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers •Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers •Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers •Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers •Configure App Configuration stores to disable local authentication methods •Configure App Configuration to disable public network access •Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace •Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace •Configure Azure Automation account to disable local authentication •Configure Azure Automation accounts to disable public network access •Configure Azure Databricks Workspaces with private endpoints •Configure Azure Device Update for IoT Hub accounts to disable public network access •Configure Azure Device Update for IoT Hub accounts to use private DNS zones •Configure Azure Device Update for IoT Hub accounts with private endpoint •Configure Azure File Sync with private endpoints •Configure Azure HDInsight clusters with private endpoints •Configure Azure IoT Hub to disable local authentication •Configure Azure Kubernetes Service clusters to enable Defender profile •Configure Azure Machine Learning Computes to disable local authentication methods •Configure Azure Machine Learning Workspaces to disable public network access •Configure Azure Managed Grafana dashboards with private endpoints •Configure Azure Managed Grafana workspaces to disable public network access •Configure Azure Monitor Private Link Scope to block access to non private link resources •Configure Azure Monitor Private Link Scopes with private endpoints •Configure Azure Synapse Workspace Dedicated SQL minimum TLS version •Configure Azure Synapse workspaces to disable public network access •Configure Azure Synapse workspaces with private endpoints •Configure Azure Virtual Desktop hostpools with private endpoints •Configure Azure Virtual Desktop workspaces with private endpoints •Configure Batch accounts to disable local authentication •Configure Batch accounts to disable public network access •Configure Batch accounts with private endpoints •Configure Cognitive Services accounts to disable local authentication methods •Configure Cognitive Services accounts to disable public network access •Configure container registries to disable anonymous authentication. •Configure container registries to disable ARM audience token authentication. •Configure container registries to disable local admin account. •Configure Container registries to disable public network access •Configure container registries to disable repository scoped access token. •Configure Container registries with private endpoints •Configure CosmosDB accounts to disable public network access •Configure CosmosDB accounts with private endpoints •Configure disk access resources with private endpoints •Configure installation of Flux extension on Kubernetes cluster •Configure IoT Hub device provisioning instances to use private DNS zones •Configure IoT Hub device provisioning service instances to disable public network access •Configure IoT Hub device provisioning service instances with private endpoints •Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault •Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate •Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets •Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets •Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets •Configure Kubernetes clusters with Flux v2 configuration using public Git repository •Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets •Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets •Configure Kubernetes clusters with specified GitOps configuration using no secrets •Configure Kubernetes clusters with specified GitOps configuration using SSH secrets •Configure Log Analytics workspace and automation account to centralize logs and monitoring •Configure managed disks to disable public network access •Configure network security groups to enable traffic analytics •Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics •Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID •Configure periodic checking for missing system updates on azure virtual machines •Configure private endpoint connections on Azure Automation accounts •Configure private endpoints for App Configuration •Configure Private Link for Azure AD with private endpoints •Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines •Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace •Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace •Configure subscriptions to set up preview features •Configure Synapse Workspaces to use only Microsoft Entra identities for authentication •Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation •Configure the Microsoft Defender for SQL Log Analytics workspace •Configure virtual machines to be onboarded to Azure Automanage •Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile •Configure virtual network to enable Flow Log and Traffic Analytics •Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics •Create and assign a built-in user-assigned managed identity •Deploy - Configure Azure IoT Hubs to use private DNS zones •Deploy - Configure Azure IoT Hubs with private endpoints •Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM •Deploy - Configure IoT Central to use private DNS zones •Deploy - Configure IoT Central with private endpoints •Deploy a flow log resource with target network security group •Deploy a Flow Log resource with target virtual network •Deploy associations for a custom provider •Deploy associations for a managed application •Deploy Diagnostic Settings for Azure SQL Database to Event Hub •Deploy Diagnostic Settings for Batch Account to Event Hub •Deploy Diagnostic Settings for Data Lake Analytics to Event Hub •Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub •Deploy Diagnostic Settings for Event Hub to Event Hub •Deploy Diagnostic Settings for Key Vault to Event Hub •Deploy Diagnostic Settings for Logic Apps to Event Hub •Deploy Diagnostic Settings for Search Services to Event Hub •Deploy Diagnostic Settings for Service Bus to Event Hub •Deploy Diagnostic Settings for Stream Analytics to Event Hub •Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data •Deploy export to Event Hub for Microsoft Defender for Cloud data •Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data •Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster •Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs •Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs •Deploy Workflow Automation for Microsoft Defender for Cloud alerts •Deploy Workflow Automation for Microsoft Defender for Cloud recommendations •Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance •Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. •Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. •Inherit a tag from the resource group •Inherit a tag from the resource group if missing •Inherit a tag from the subscription •Inherit a tag from the subscription if missing •Modify - Configure Azure File Sync to disable public network access •Modify - Configure Azure IoT Hubs to disable public network access •Modify - Configure IoT Central to disable public network access •Modify API Management to disable username and password authentication •Protect your data with authentication requirements when exporting or uploading to a disk or snapshot. •Schedule recurring updates using Azure Update Manager | ||
| fbdf93bf-df7d-467e-a4d2-9458aa1360c8 | Cosmos DB Account Reader Role | Can read Azure Cosmos DB Accounts data | False |
00198 effective control plane operations (unique) •action: 4 •read: 193 •write: 1 |
Actions: 007 resolved operations: 198 effective operations: 198 •action: 4 •read: 193 •write: 1 •Microsoft.Authorization/*/read •Microsoft.DocumentDB/*/read •Microsoft.DocumentDB/databaseAccounts/readonlykeys/action •Microsoft.Insights/MetricDefinitions/read •Microsoft.Insights/Metrics/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 434105ed-43f6-45c7-a02f-909b2ba83430 | Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) | False |
00091 effective control plane operations (unique) •action: 20 •delete: 4 •read: 60 •write: 7 |
Actions: 010 resolved operations: 91 effective operations: 91 •action: 20 •delete: 4 •read: 60 •write: 7 •Microsoft.Consumption/* •Microsoft.CostManagement/* •Microsoft.Billing/billingPeriods/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Advisor/configurations/read •Microsoft.Advisor/recommendations/read •Microsoft.Management/managementGroups/read •Microsoft.Billing/billingProperty/read | ||||
| 72fafb9e-0641-4937-9268-a91bfd8191a3 | Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) | False |
00064 effective control plane operations (unique) •action: 3 •read: 60 •write: 1 |
Actions: 010 resolved operations: 64 effective operations: 64 •action: 3 •read: 60 •write: 1 •Microsoft.Consumption/*/read •Microsoft.CostManagement/*/read •Microsoft.Billing/billingPeriods/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Advisor/configurations/read •Microsoft.Advisor/recommendations/read •Microsoft.Management/managementGroups/read •Microsoft.Billing/billingProperty/read | ||||
| add466c9-e687-43fc-8d98-dfcf8d720be5 | Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | False |
00071 effective control plane operations (unique) •action: 21 •delete: 3 •read: 43 •write: 4 |
Actions: 006 resolved operations: 71 effective operations: 71 •action: 21 •delete: 3 •read: 43 •write: 4 •Microsoft.Authorization/*/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Databox/* | ||||
| 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. | False |
00049 effective control plane operations (unique) •action: 9 •read: 39 •write: 1 |
Actions: 010 resolved operations: 49 effective operations: 49 •action: 9 •read: 39 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Databox/*/read •Microsoft.Databox/jobs/listsecrets/action •Microsoft.Databox/jobs/listcredentials/action •Microsoft.Databox/locations/availableSkus/action •Microsoft.Databox/locations/validateInputs/action •Microsoft.Databox/locations/regionConfiguration/action •Microsoft.Databox/locations/validateAddress/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Support/* | ||||
| 673868aa-7521-48a0-acc6-0f60742d39f5 | Data Factory Contributor | Create and manage data factories, as well as child resources within them. | False |
00218 effective control plane operations (unique) •: 1 •action: 66 •delete: 24 •read: 96 •write: 31 |
Actions: 009 resolved operations: 218 effective operations: 218 •: 1 •action: 66 •delete: 24 •read: 96 •write: 31 •Microsoft.Authorization/*/read •Microsoft.DataFactory/dataFactories/* •Microsoft.DataFactory/factories/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.EventGrid/eventSubscriptions/write | count: 002 •Configure Data Factories to disable public network access •Configure private endpoints for Data factories | |||
| 150f5e0c-0603-4f03-8c7f-cf70034c4e90 | Data Purger | Can purge analytics data | False |
00758 effective control plane operations (unique) •Action: 2 •Read: 756 |
Actions: 004 resolved operations: 758 effective operations: 758 •Action: 2 •Read: 756 •Microsoft.Insights/components/*/read •Microsoft.Insights/components/purge/action •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/purge/action | ||||
| 47b7735b-770e-4598-a7da-8b91488b4c88 | Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | False |
00075 effective control plane operations (unique) •: 1 •action: 12 •delete: 4 •read: 52 •write: 6 |
Actions: 008 resolved operations: 89 effective operations: 75 •: 1 •action: 12 •delete: 4 •read: 52 •write: 6 •Microsoft.Authorization/*/read •Microsoft.BigAnalytics/accounts/* •Microsoft.DataLakeAnalytics/accounts/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | NotActions: 014 resolved not operations: 14 effective not operations: 15311 •Microsoft.BigAnalytics/accounts/Delete •Microsoft.BigAnalytics/accounts/TakeOwnership/action •Microsoft.BigAnalytics/accounts/Write •Microsoft.DataLakeAnalytics/accounts/Delete •Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action •Microsoft.DataLakeAnalytics/accounts/Write •Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write •Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete •Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write •Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete •Microsoft.DataLakeAnalytics/accounts/firewallRules/Write •Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete •Microsoft.DataLakeAnalytics/accounts/computePolicies/Write •Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete | |||
| 76283e04-6283-4c54-8f91-bcf1374a3c64 | DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | False |
00102 effective control plane operations (unique) •action: 16 •delete: 1 •read: 83 •write: 2 |
Actions: 032 resolved operations: 103 effective operations: 102 •action: 16 •delete: 1 •read: 83 •write: 2 •Microsoft.Authorization/*/read •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/virtualMachines/*/read •Microsoft.Compute/virtualMachines/deallocate/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/restart/action •Microsoft.Compute/virtualMachines/start/action •Microsoft.DevTestLab/*/read •Microsoft.DevTestLab/labs/claimAnyVm/action •Microsoft.DevTestLab/labs/createEnvironment/action •Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action •Microsoft.DevTestLab/labs/formulas/delete •Microsoft.DevTestLab/labs/formulas/read •Microsoft.DevTestLab/labs/formulas/write •Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action •Microsoft.DevTestLab/labs/virtualMachines/claim/action •Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action •Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/inboundNatRules/join/action •Microsoft.Network/networkInterfaces/*/read •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/publicIPAddresses/*/read •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/listKeys/action | NotActions: 001 resolved not operations: 1 effective not operations: 15284 •Microsoft.Compute/virtualMachines/vmSizes/read | |||
| 5bd9cd88-fe45-4216-938b-f97437e15450 | DocumentDB Account Contributor | Lets you manage DocumentDB accounts, but not access to them. | False |
00328 effective control plane operations (unique) •: 1 •action: 61 •delete: 32 •read: 181 •write: 53 |
Actions: 008 resolved operations: 328 effective operations: 328 •: 1 •action: 61 •delete: 32 •read: 181 •write: 53 •Microsoft.Authorization/*/read •Microsoft.DocumentDb/databaseAccounts/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | count: 003 •Configure Cosmos DB database accounts to disable local authentication •Configure CosmosDB accounts to disable public network access •Configure CosmosDB accounts with private endpoints | |||
| befefa01-2a29-4197-83a8-272ff33ce314 | DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | False |
00102 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 15 •read: 58 •Write: 18 |
Actions: 007 resolved operations: 102 effective operations: 102 •: 1 •Action: 10 •Delete: 15 •read: 58 •Write: 18 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/dnsZones/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 | EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | False |
00066 effective control plane operations (unique) •: 1 •action: 12 •delete: 3 •read: 45 •write: 5 |
Actions: 009 resolved operations: 66 effective operations: 66 •: 1 •action: 12 •delete: 3 •read: 45 •write: 5 •Microsoft.Authorization/*/read •Microsoft.EventGrid/eventSubscriptions/* •Microsoft.EventGrid/topicTypes/eventSubscriptions/read •Microsoft.EventGrid/locations/eventSubscriptions/read •Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 2414bbcf-6497-4faf-8c65-045460748405 | EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | False |
00032 effective control plane operations (unique) •read: 32 |
Actions: 006 resolved operations: 32 effective operations: 32 •read: 32 •Microsoft.Authorization/*/read •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/topicTypes/eventSubscriptions/read •Microsoft.EventGrid/locations/eventSubscriptions/read •Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b60367af-1334-4454-b71e-769d9a4f83d9 | Graph Owner | Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions | False |
00014 effective control plane operations (unique) •delete: 1 •read: 7 •write: 6 |
Actions: 014 resolved operations: 14 effective operations: 14 •delete: 1 •read: 7 •write: 6 •Microsoft.EnterpriseKnowledgeGraph/services/conflation/read •Microsoft.EnterpriseKnowledgeGraph/services/conflation/write •Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/read •Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/write •Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read •Microsoft.EnterpriseKnowledgeGraph/services/knowledge/write •Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/read •Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/write •Microsoft.EnterpriseKnowledgeGraph/services/ingestion/read •Microsoft.EnterpriseKnowledgeGraph/services/ingestion/write •Microsoft.EnterpriseKnowledgeGraph/services/ontology/read •Microsoft.EnterpriseKnowledgeGraph/services/ontology/write •Microsoft.EnterpriseKnowledgeGraph/services/delete •Microsoft.EnterpriseKnowledgeGraph/operations/read | ||||
| 8d8d5a11-05d3-4bda-a417-a08778121c7c | HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | False |
00010 effective control plane operations (unique) •delete: 1 •read: 8 •write: 1 |
Actions: 003 resolved operations: 10 effective operations: 10 •delete: 1 •read: 8 •write: 1 •Microsoft.AAD/*/read •Microsoft.AAD/domainServices/*/read •Microsoft.AAD/domainServices/oucontainer/* | ||||
| 03a6d094-3444-4b3d-88af-7477090a9e5e | Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | False |
00056 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 |
Actions: 007 resolved operations: 56 effective operations: 56 •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.IntelligentSystems/accounts/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| f25e0fa2-a7c8-4377-a976-54943a77a395 | Key Vault Contributor | Lets you manage key vaults, but not access to them. | False |
00101 effective control plane operations (unique) •: 1 •Action: 20 •Delete: 8 •read: 60 •Write: 12 |
Actions: 006 resolved operations: 125 effective operations: 101 •: 1 •Action: 20 •Delete: 8 •read: 60 •Write: 12 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KeyVault/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | NotActions: 003 resolved not operations: 24 effective not operations: 15285 •Microsoft.KeyVault/locations/deletedVaults/purge/action •Microsoft.KeyVault/hsmPools/* •Microsoft.KeyVault/managedHsms/* | count: 002 •Configure Azure Key Vaults with private endpoints •Configure key vaults to enable firewall | ||
| ee361c5d-f7b5-4119-b4b6-892157c8f64c | Knowledge Consumer | Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read | ||||
| b97fb8bc-a8b2-4522-a38b-dd33c7e65ead | Lab Creator | Lets you create new labs under your Azure Lab Accounts. | False |
00076 effective control plane and data plane operations (unique) •: 1 •Action: 15 •Delete: 2 •read: 55 •Write: 3 |
Actions: 018 resolved operations: 75 effective operations: 75 •: 1 •Action: 14 •Delete: 2 •read: 55 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.LabServices/labAccounts/*/read •Microsoft.LabServices/labAccounts/createLab/action •Microsoft.LabServices/labAccounts/getPricingAndAvailability/action •Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labPlans/saveImage/action •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.LabServices/labPlans/createLab/action | |||
| 73c42c96-874c-492b-b04d-ab87d138a893 | Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | False |
06722 effective control plane operations (unique) •action: 5 •read: 6716 •write: 1 |
Actions: 004 resolved operations: 6723 effective operations: 6722 •action: 5 •read: 6716 •write: 1 •*/read •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/search/action •Microsoft.Support/* | NotActions: 001 resolved not operations: 1 effective not operations: 8664 •Microsoft.OperationalInsights/workspaces/sharedKeys/read | |||
| 92aaf0da-9dab-42b6-94a3-d43ce8d16293 | Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. | False |
06802 effective control plane operations (unique) •: 1 •action: 30 •delete: 24 •read: 6717 •write: 30 |
Actions: 013 resolved operations: 6802 effective operations: 6802 •: 1 •action: 30 •delete: 24 •read: 6717 •write: 30 •*/read •Microsoft.ClassicCompute/virtualMachines/extensions/* •Microsoft.ClassicStorage/storageAccounts/listKeys/action •Microsoft.Compute/virtualMachines/extensions/* •Microsoft.HybridCompute/machines/extensions/write •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.OperationalInsights/* •Microsoft.OperationsManagement/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Support/* | count: 183 •[Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group •[Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs •[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension •[Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •[Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •[Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory •[Preview]: Configure supported Linux Arc machines to automatically install the Azure Security agent •[Preview]: Configure supported Windows Arc machines to automatically install the Azure Security agent •[Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •[Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •[Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. •Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL •Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR •Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR •Configure Azure Activity logs to stream to specified Log Analytics workspace •Configure Azure Kubernetes Service clusters to enable Defender profile •Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying •Configure Azure SQL database servers diagnostic settings to Log Analytics workspace •Configure Dependency agent on Azure Arc enabled Linux servers •Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings •Configure Dependency agent on Azure Arc enabled Windows servers •Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings •Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace •Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace •Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace •Configure diagnostic settings for Blob Services to Log Analytics workspace •Configure diagnostic settings for container groups to Log Analytics workspace •Configure diagnostic settings for File Services to Log Analytics workspace •Configure diagnostic settings for Queue Services to Log Analytics workspace •Configure diagnostic settings for Storage Accounts to Log Analytics workspace •Configure diagnostic settings for Table Services to Log Analytics workspace •Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below •Configure Log Analytics extension on Azure Arc enabled Windows servers •Configure SQL servers to have auditing enabled to Log Analytics workspace •Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL •Configure Synapse workspaces to have auditing enabled to Log Analytics workspace •Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Deploy - Configure Dependency agent to be enabled on Windows virtual machines •Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace •Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace •Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace •Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM •Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets •Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines •Deploy Dependency agent for Linux virtual machines •Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings •Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings •Deploy Diagnostic Settings for Batch Account to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace •Deploy Diagnostic Settings for Event Hub to Log Analytics workspace •Deploy Diagnostic Settings for Key Vault to Log Analytics workspace •Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace •Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. •Deploy Diagnostic Settings for Search Services to Log Analytics workspace •Deploy Diagnostic Settings for Service Bus to Log Analytics workspace •Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace •Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below •Deploy Log Analytics extension for Linux VMs. See deprecation notice below •Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub •Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics •Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage •Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub •Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics •Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage •Enable logging by category group for App Service (microsoft.web/sites) to Log Analytics •Enable logging by category group for Application group (microsoft.desktopvirtualization/applicationgroups) to Log Analytics •Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics •Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub •Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics •Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage •Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub •Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics •Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage •Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub •Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics •Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage •Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub •Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics •Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage •Enable logging by category group for Azure Cosmos DB (microsoft.documentdb/databaseaccounts) to Log Analytics •Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub •Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics •Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage •Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub •Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics •Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage •Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub •Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics •Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage •Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub •Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics •Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage •Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub •Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics •Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage •Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub •Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics •Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage •Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub •Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics •Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage •Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub •Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics •Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage •Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub •Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics •Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage •Enable logging by category group for Firewall (microsoft.network/azurefirewalls) to Log Analytics •Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub •Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics •Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage •Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub •Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics •Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage •Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics •Enable logging by category group for Host pool (microsoft.desktopvirtualization/hostpools) to Log Analytics •Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub •Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics •Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage •Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub •Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics •Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage •Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub •Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics •Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage •Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub •Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics •Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage •Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub •Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics •Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage •Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub •Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics •Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage •Enable logging by category group for microsoft.network/p2svpngateways to Event Hub •Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics •Enable logging by category group for microsoft.network/p2svpngateways to Storage •Enable logging by category group for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers) to Log Analytics •Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub •Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics •Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage •Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub •Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics •Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage •Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub •Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics •Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage •Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub •Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics •Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage •Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub •Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics •Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage •Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub •Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics •Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage •Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub •Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics •Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage •Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub •Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics •Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage •Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub •Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics •Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage •Enable logging by category group for Workspace (microsoft.desktopvirtualization/workspaces) to Log Analytics •Public IP addresses should have resource logs enabled for Azure DDoS Protection | |||
| 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe | Logic App Operator | Lets you read, enable and disable logic app. | False |
00089 effective control plane operations (unique) •action: 6 •read: 82 •write: 1 |
Actions: 017 resolved operations: 89 effective operations: 89 •action: 6 •read: 82 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/*/read •Microsoft.Insights/metricAlerts/*/read •Microsoft.Insights/diagnosticSettings/*/read •Microsoft.Insights/metricDefinitions/*/read •Microsoft.Logic/*/read •Microsoft.Logic/workflows/disable/action •Microsoft.Logic/workflows/enable/action •Microsoft.Logic/workflows/validate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/connectionGateways/*/read •Microsoft.Web/connections/*/read •Microsoft.Web/customApis/*/read •Microsoft.Web/serverFarms/read | ||||
| 87a39d53-fc1b-424a-814c-f7e04687dc9e | Logic App Contributor | Lets you manage logic app, but not access to them. | False |
00213 effective control plane operations (unique) •: 1 •action: 66 •Delete: 25 •read: 94 •Write: 27 |
Actions: 021 resolved operations: 213 effective operations: 213 •: 1 •action: 66 •Delete: 25 •read: 94 •Write: 27 •Microsoft.Authorization/*/read •Microsoft.ClassicStorage/storageAccounts/listKeys/action •Microsoft.ClassicStorage/storageAccounts/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metricAlerts/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Insights/logdefinitions/* •Microsoft.Insights/metricDefinitions/* •Microsoft.Logic/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* •Microsoft.Web/connectionGateways/* •Microsoft.Web/connections/* •Microsoft.Web/customApis/* •Microsoft.Web/serverFarms/join/action •Microsoft.Web/serverFarms/read •Microsoft.Web/sites/functions/listSecrets/action | ||||
| c7393b34-138c-406f-901b-d8cf2b17e6ae | Managed Application Operator Role | Lets you read and perform actions on Managed Application resources | False |
06723 effective control plane operations (unique) •action: 6 •read: 6717 |
Actions: 003 resolved operations: 6723 effective operations: 6723 •action: 6 •read: 6717 •*/read •Microsoft.Solutions/applications/read •Microsoft.Solutions/*/action | ||||
| b9331d33-8a36-4f8c-b097-4f54124fdb44 | Managed Applications Reader | Lets you read resources in a managed app and request JIT access. | False |
06725 effective control plane operations (unique) •action: 4 •delete: 2 •read: 6717 •write: 2 |
Actions: 003 resolved operations: 6725 effective operations: 6725 •action: 4 •delete: 2 •read: 6717 •write: 2 •*/read •Microsoft.Resources/deployments/* •Microsoft.Solutions/jitRequests/* | ||||
| f1a07417-d97a-45cb-824c-7a7467783830 | Managed Identity Operator | Read and Assign User Assigned Identity | False |
00056 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 |
Actions: 007 resolved operations: 56 effective operations: 56 •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 •Microsoft.ManagedIdentity/userAssignedIdentities/*/read •Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | count: 005 •[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs •Configure App Service app slots to disable public network access •Configure App Service apps to disable public network access •Configure Function app slots to disable public network access •Configure Function apps to disable public network access | |||
| e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 | Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity | False |
00062 effective control plane operations (unique) •: 1 •Action: 11 •Delete: 4 •read: 41 •Write: 5 |
Actions: 012 resolved operations: 62 effective operations: 62 •: 1 •Action: 11 •Delete: 4 •read: 41 •Write: 5 •Microsoft.ManagedIdentity/userAssignedIdentities/read •Microsoft.ManagedIdentity/userAssignedIdentities/write •Microsoft.ManagedIdentity/userAssignedIdentities/delete •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete •Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | count: 001 •[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | |||
| 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c | Management Group Contributor | Management Group Contributor Role | False |
00033 effective control plane operations (unique) •delete: 2 •read: 29 •write: 2 |
Actions: 007 resolved operations: 33 effective operations: 33 •delete: 2 •read: 29 •write: 2 •Microsoft.Management/managementGroups/delete •Microsoft.Management/managementGroups/read •Microsoft.Management/managementGroups/subscriptions/delete •Microsoft.Management/managementGroups/subscriptions/write •Microsoft.Management/managementGroups/write •Microsoft.Management/managementGroups/subscriptions/read •Microsoft.Authorization/*/read | ||||
| ac63b705-f282-497d-ac71-919bf39d939d | Management Group Reader | Management Group Reader Role | False |
00029 effective control plane operations (unique) •read: 29 |
Actions: 003 resolved operations: 29 effective operations: 29 •read: 29 •Microsoft.Management/managementGroups/read •Microsoft.Management/managementGroups/subscriptions/read •Microsoft.Authorization/*/read | ||||
| 43d0d8ad-25c7-4714-9337-8ba259a9fe05 | Monitoring Reader | Can read all monitoring data. | False |
06722 effective control plane operations (unique) •action: 4 •read: 6717 •write: 1 |
Actions: 003 resolved operations: 6722 effective operations: 6722 •action: 4 •read: 6717 •write: 1 •*/read •Microsoft.OperationalInsights/workspaces/search/action •Microsoft.Support/* | ||||
| 4d97b98b-1d4f-4787-a291-c67834d212e7 | Network Contributor | Lets you manage networks, but not access to them. | False |
01009 effective control plane operations (unique) •: 1 •Action: 257 •Delete: 177 •read: 374 •Write: 200 |
Actions: 007 resolved operations: 1009 effective operations: 1009 •: 1 •Action: 257 •Delete: 177 •read: 374 •Write: 200 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 081 •[Preview]: Configure Azure Key Vault Managed HSM with private endpoints •[Preview]: Configure Azure Recovery Services vaults to use private DNS zones •[Preview]: Configure private endpoints on Azure Recovery Services vaults •[Preview]: Configure Recovery Services vaults to use private DNS zones for backup •[Preview]: Configure Recovery Services vaults to use private endpoints for backup •Configure a private DNS Zone ID for blob groupID •Configure a private DNS Zone ID for blob_secondary groupID •Configure a private DNS Zone ID for dfs groupID •Configure a private DNS Zone ID for dfs_secondary groupID •Configure a private DNS Zone ID for file groupID •Configure a private DNS Zone ID for queue groupID •Configure a private DNS Zone ID for queue_secondary groupID •Configure a private DNS Zone ID for table groupID •Configure a private DNS Zone ID for table_secondary groupID •Configure a private DNS Zone ID for web groupID •Configure a private DNS Zone ID for web_secondary groupID •Configure App Service app slots to disable public network access •Configure App Service apps to disable public network access •Configure App Service apps to use private DNS zones •Configure Azure Arc Private Link Scopes to use private DNS zones •Configure Azure Arc Private Link Scopes with private endpoints •Configure Azure Automation accounts with private DNS zones •Configure Azure Cache for Redis to use private DNS zones •Configure Azure Cognitive Search services to disable public network access •Configure Azure Cognitive Search services to use private DNS zones •Configure Azure Cognitive Search services with private endpoints •Configure Azure Data Explorer clusters with private endpoints •Configure Azure Databricks workspace to use private DNS zones •Configure Azure Device Update for IoT Hub accounts to use private DNS zones •Configure Azure Device Update for IoT Hub accounts with private endpoint •Configure Azure Event Grid namespace MQTT broker with private endpoints •Configure Azure Event Grid namespaces with private endpoints •Configure Azure File Sync to use private DNS zones •Configure Azure HDInsight clusters to use private DNS zones •Configure Azure Key Vaults to use private DNS zones •Configure Azure Key Vaults with private endpoints •Configure Azure Machine Learning workspace to use private DNS zones •Configure Azure Machine Learning workspaces with private endpoints •Configure Azure Managed Grafana workspaces to use private DNS zones •Configure Azure Media Services to use private DNS zones •Configure Azure Media Services with private endpoints •Configure Azure Migrate resources to use private DNS zones •Configure Azure Monitor Private Link Scope to use private DNS zones •Configure Azure SQL Server to enable private endpoint connections •Configure Azure Synapse workspaces to use private DNS zones •Configure Azure Virtual Desktop hostpool resources to use private DNS zones •Configure Azure Virtual Desktop workspace resources to use private DNS zones •Configure Azure Web PubSub Service to use private DNS zones •Configure Azure Web PubSub Service with private endpoints •Configure BotService resources to use private DNS zones •Configure BotService resources with private endpoints •Configure Cognitive Services accounts to use private DNS zones •Configure Cognitive Services accounts with private endpoints •Configure Container registries to use private DNS zones •Configure CosmosDB accounts to use private DNS zones •Configure disk access resources to use private DNS zones •Configure Event Hub namespaces to use private DNS zones •Configure Event Hub namespaces with private endpoints •Configure Function app slots to disable public network access •Configure Function apps to disable public network access •Configure private DNS zones for private endpoints connected to App Configuration •Configure private DNS zones for private endpoints that connect to Azure Data Factory •Configure private endpoint connections on Azure Automation accounts •Configure private endpoints for Data factories •Configure private endpoints to Azure SignalR Service •Configure Private Link for Azure AD to use private DNS zones •Configure Service Bus namespaces to use private DNS zones •Configure Service Bus namespaces with private endpoints •Configure Storage account to use a private link connection •Deploy - Configure Azure Event Grid domains to use private DNS zones •Deploy - Configure Azure Event Grid domains with private endpoints •Deploy - Configure Azure Event Grid topics to use private DNS zones •Deploy - Configure Azure Event Grid topics with private endpoints •Deploy - Configure Azure IoT Hubs to use private DNS zones •Deploy - Configure Azure IoT Hubs with private endpoints •Deploy - Configure IoT Central to use private DNS zones •Deploy - Configure IoT Central with private endpoints •Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service •Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts •Deploy network watcher when virtual networks are created •Virtual networks should be protected by Azure DDoS Protection | |||
| 5d28c62d-5b37-4476-8438-e587778df237 | New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | False |
00056 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 |
Actions: 007 resolved operations: 56 effective operations: 56 •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •NewRelic.APM/accounts/* | ||||
| 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | False |
15386 effective control plane operations (unique) •: 1 •action: 3422 •delete: 2325 •read: 6717 •write: 2921 |
Actions: 001 resolved operations: 15386 effective operations: 15386 •: 1 •action: 3422 •delete: 2325 •read: 6717 •write: 2921 •* | count: 009 •Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed •Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed •Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery •Configure Microsoft Defender CSPM plan •Configure Microsoft Defender CSPM to be enabled •Configure Microsoft Defender for Containers plan •Configure Microsoft Defender for Servers plan •Configure Microsoft Defender for Storage to be enabled •Configure Synapse workspaces to have auditing enabled to Log Analytics workspace | |||
| acdd72a7-3385-48ef-bd42-f606fba81ae7 | Reader | View all resources, but does not allow you to make any changes. | False |
06717 effective control plane operations (unique) •read: 6717 |
Actions: 001 resolved operations: 6717 effective operations: 6717 •read: 6717 •*/read | count: 003 •[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension •[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension •Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates. | |||
| e0f68234-74aa-48ed-b826-c38b57376e17 | Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | False |
00097 effective control plane operations (unique) •: 1 •action: 21 •delete: 11 •read: 52 •write: 12 |
Actions: 008 resolved operations: 97 effective operations: 97 •: 1 •action: 21 •delete: 11 •read: 52 •write: 12 •Microsoft.Authorization/*/read •Microsoft.Cache/register/action •Microsoft.Cache/redis/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 003 •Configure Azure Cache for Redis to disable non SSL ports •Configure Azure Cache for Redis to disable public network access •Configure Azure Cache for Redis with private endpoints | |||
| c12c1c16-33a1-487b-954d-41c89c60f349 | Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | False |
00003 effective control plane operations (unique) •action: 2 •read: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 2 •read: 1 •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/ListAccountSas/action •Microsoft.Storage/storageAccounts/read | ||||
| 36243c78-bf99-498c-9df9-86d9f8d28608 | Resource Policy Contributor | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | False |
06758 effective control plane operations (unique) •action: 16 •delete: 12 •read: 6717 •write: 13 |
Actions: 008 resolved operations: 6758 effective operations: 6758 •action: 16 •delete: 12 •read: 6717 •write: 13 •*/read •Microsoft.Authorization/policyassignments/* •Microsoft.Authorization/policydefinitions/* •Microsoft.Authorization/policyexemptions/* •Microsoft.Authorization/policysetdefinitions/* •Microsoft.PolicyInsights/* •Microsoft.Resources/deployments/* •Microsoft.Support/* | ||||
| 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 | Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | False |
00056 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 |
Actions: 007 resolved operations: 56 effective operations: 56 •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Scheduler/jobcollections/* •Microsoft.Support/* | ||||
| 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | Search Service Contributor | Lets you manage Search services, but not access to them. | False |
00106 effective control plane operations (unique) •: 1 •Action: 20 •Delete: 14 •read: 56 •Write: 15 |
Actions: 007 resolved operations: 106 effective operations: 106 •: 1 •Action: 20 •Delete: 14 •read: 56 •Write: 15 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Search/searchServices/* •Microsoft.Support/* | count: 004 •Configure Azure AI Services resources to disable local key access (disable local authentication) •Configure Azure Cognitive Search services to disable local authentication •Configure Azure Cognitive Search services to disable public network access •Configure Azure Cognitive Search services with private endpoints | |||
| e3d13bf0-dd5a-482e-ba6b-9b8433878d10 | Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead | False |
00323 effective control plane operations (unique) •: 1 •Action: 41 •Delete: 37 •read: 190 •write: 54 |
Actions: 010 resolved operations: 323 effective operations: 323 •: 1 •Action: 41 •Delete: 37 •read: 190 •write: 54 •Microsoft.Authorization/*/read •Microsoft.ClassicCompute/*/read •Microsoft.ClassicCompute/virtualMachines/*/write •Microsoft.ClassicNetwork/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/* •Microsoft.Support/* | ||||
| 39bc4728-0917-49c7-9d2c-d95423bc2eb4 | Security Reader | Security Reader Role | False |
00853 effective control plane operations (unique) •action: 5 •read: 848 |
Actions: 014 resolved operations: 853 effective operations: 853 •action: 5 •read: 848 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.operationalInsights/workspaces/*/read •Microsoft.Resources/deployments/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/*/read •Microsoft.IoTSecurity/*/read •Microsoft.Support/*/read •Microsoft.Security/iotDefenderSettings/packageDownloads/action •Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action •Microsoft.Security/iotSensors/downloadResetPassword/action •Microsoft.IoTSecurity/defenderSettings/packageDownloads/action •Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action •Microsoft.Management/managementGroups/read | ||||
| 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 | Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them | False |
00006 effective data plane operations (unique) •action: 1 •read: 4 •write: 1 |
DataActions: 006 resolved data operations: 6 effective data operations: 6 •action: 1 •read: 4 •write: 1 •Microsoft.MixedReality/SpatialAnchorsAccounts/create/action •Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read •Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read •Microsoft.MixedReality/SpatialAnchorsAccounts/query/read •Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read •Microsoft.MixedReality/SpatialAnchorsAccounts/write | ||||
| 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment | False |
00180 effective control plane operations (unique) •: 1 •Action: 57 •Delete: 14 •read: 88 •Write: 20 |
Actions: 029 resolved operations: 180 effective operations: 180 •: 1 •Action: 57 •Delete: 14 •read: 88 •Write: 20 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/locations/allocateStamp/action •Microsoft.RecoveryServices/Vaults/certificates/write •Microsoft.RecoveryServices/Vaults/extendedInformation/* •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/refreshContainers/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/* •Microsoft.RecoveryServices/vaults/replicationAlertSettings/* •Microsoft.RecoveryServices/vaults/replicationEvents/read •Microsoft.RecoveryServices/vaults/replicationFabrics/* •Microsoft.RecoveryServices/vaults/replicationJobs/* •Microsoft.RecoveryServices/vaults/replicationPolicies/* •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/* •Microsoft.RecoveryServices/vaults/replicationVaultSettings/* •Microsoft.RecoveryServices/Vaults/storageConfig/* •Microsoft.RecoveryServices/Vaults/tokenInfo/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/vaultTokens/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/* •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.RecoveryServices/vaults/replicationOperationStatus/read •Microsoft.Support/* | count: 001 •[Preview]: Configure private endpoints on Azure Recovery Services vaults | |||
| 494ae006-db33-4328-bf46-533a6560a3ca | Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations | False |
00114 effective control plane operations (unique) •: 1 •Action: 34 •Delete: 2 •read: 73 •Write: 4 |
Actions: 059 resolved operations: 114 effective operations: 114 •: 1 •Action: 34 •Delete: 2 •read: 73 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/locations/allocateStamp/action •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/refreshContainers/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/vaults/replicationAlertSettings/read •Microsoft.RecoveryServices/vaults/replicationEvents/read •Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action •Microsoft.RecoveryServices/vaults/replicationFabrics/read •Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action •Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read •Microsoft.RecoveryServices/vaults/replicationJobs/* •Microsoft.RecoveryServices/vaults/replicationPolicies/read •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action •Microsoft.RecoveryServices/vaults/replicationVaultSettings/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/* •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read •Microsoft.RecoveryServices/Vaults/storageConfig/read •Microsoft.RecoveryServices/Vaults/tokenInfo/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/vaultTokens/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* | ||||
| 5d51204f-eb77-4b1c-b86a-2ec626c49413 | Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account | False |
00004 effective data plane operations (unique) •read: 4 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •read: 4 •Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read •Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read •Microsoft.MixedReality/SpatialAnchorsAccounts/query/read •Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | ||||
| dbaa88c4-0c30-4179-9fb3-46319faa6149 | Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations | False |
00067 effective control plane operations (unique) •action: 3 •read: 63 •write: 1 |
Actions: 032 resolved operations: 67 effective operations: 67 •action: 3 •read: 63 •write: 1 •Microsoft.Authorization/*/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/refreshContainers/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/vaults/replicationAlertSettings/read •Microsoft.RecoveryServices/vaults/replicationEvents/read •Microsoft.RecoveryServices/vaults/replicationFabrics/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read •Microsoft.RecoveryServices/vaults/replicationJobs/read •Microsoft.RecoveryServices/vaults/replicationPolicies/read •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read •Microsoft.RecoveryServices/vaults/replicationVaultSettings/read •Microsoft.RecoveryServices/Vaults/storageConfig/read •Microsoft.RecoveryServices/Vaults/tokenInfo/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/vaultTokens/read •Microsoft.Support/* | ||||
| 70bbe301-9835-447d-afdd-19eb3167307c | Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them | False |
00007 effective data plane operations (unique) •action: 1 •delete: 1 •read: 4 •write: 1 |
DataActions: 007 resolved data operations: 7 effective data operations: 7 •action: 1 •delete: 1 •read: 4 •write: 1 •Microsoft.MixedReality/SpatialAnchorsAccounts/create/action •Microsoft.MixedReality/SpatialAnchorsAccounts/delete •Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read •Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read •Microsoft.MixedReality/SpatialAnchorsAccounts/query/read •Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read •Microsoft.MixedReality/SpatialAnchorsAccounts/write | ||||
| 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d | SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | False |
00389 effective control plane operations (unique) •: 1 •Action: 59 •Delete: 31 •read: 249 •Write: 49 |
Actions: 015 resolved operations: 391 effective operations: 389 •: 1 •Action: 59 •Delete: 31 •read: 249 •Write: 49 •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Network/networkSecurityGroups/* •Microsoft.Network/routeTables/* •Microsoft.Sql/locations/*/read •Microsoft.Sql/locations/instanceFailoverGroups/* •Microsoft.Sql/managedInstances/* •Microsoft.Support/* •Microsoft.Network/virtualNetworks/subnets/* •Microsoft.Network/virtualNetworks/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read | NotActions: 002 resolved not operations: 2 effective not operations: 14997 •Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete •Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | |||
| 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec | SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | False |
00290 effective control plane operations (unique) •: 1 •Action: 31 •Delete: 10 •read: 224 •Write: 24 |
Actions: 011 resolved operations: 327 effective operations: 290 •: 1 •Action: 31 •Delete: 10 •read: 224 •Write: 24 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Sql/locations/*/read •Microsoft.Sql/servers/databases/* •Microsoft.Sql/servers/read •Microsoft.Support/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read | NotActions: 024 resolved not operations: 66 effective not operations: 15096 •Microsoft.Sql/servers/databases/ledgerDigestUploads/write •Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action •Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* •Microsoft.Sql/managedInstances/securityAlertPolicies/* •Microsoft.Sql/managedInstances/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/auditingSettings/* •Microsoft.Sql/servers/databases/auditRecords/read •Microsoft.Sql/servers/databases/currentSensitivityLabels/* •Microsoft.Sql/servers/databases/dataMaskingPolicies/* •Microsoft.Sql/servers/databases/extendedAuditingSettings/* •Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/servers/databases/securityAlertPolicies/* •Microsoft.Sql/servers/databases/securityMetrics/* •Microsoft.Sql/servers/databases/sensitivityLabels/* •Microsoft.Sql/servers/databases/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* •Microsoft.Sql/servers/vulnerabilityAssessments/* | count: 001 •Deploy SQL DB transparent data encryption | ||
| 056cd41c-7e88-42e1-933e-88ba6a50c9c3 | SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | False |
00197 effective control plane operations (unique) •: 1 •Action: 24 •Delete: 18 •read: 111 •Write: 43 |
Actions: 073 resolved operations: 197 effective operations: 197 •: 1 •Action: 24 •Delete: 18 •read: 111 •Write: 43 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Sql/locations/administratorAzureAsyncOperation/read •Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read •Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write •Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read •Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write •Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read •Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write •Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read •Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write •Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* •Microsoft.Sql/servers/advancedThreatProtectionSettings/read •Microsoft.Sql/servers/advancedThreatProtectionSettings/write •Microsoft.Sql/managedInstances/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* •Microsoft.Sql/managedInstances/vulnerabilityAssessments/* •Microsoft.Sql/managedInstances/serverConfigurationOptions/read •Microsoft.Sql/managedInstances/serverConfigurationOptions/write •Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read •Microsoft.Sql/servers/advancedThreatProtectionSettings/read •Microsoft.Sql/servers/advancedThreatProtectionSettings/write •Microsoft.Sql/servers/auditingSettings/* •Microsoft.Sql/servers/extendedAuditingSettings/read •Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read •Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write •Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read •Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write •Microsoft.Sql/servers/databases/auditingSettings/* •Microsoft.Sql/servers/databases/auditRecords/read •Microsoft.Sql/servers/databases/currentSensitivityLabels/* •Microsoft.Sql/servers/databases/dataMaskingPolicies/* •Microsoft.Sql/servers/databases/extendedAuditingSettings/read •Microsoft.Sql/servers/databases/read •Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/read •Microsoft.Sql/servers/databases/schemas/tables/columns/read •Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/tables/read •Microsoft.Sql/servers/databases/securityAlertPolicies/* •Microsoft.Sql/servers/databases/securityMetrics/* •Microsoft.Sql/servers/databases/sensitivityLabels/* •Microsoft.Sql/servers/databases/transparentDataEncryption/* •Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* •Microsoft.Sql/servers/devOpsAuditingSettings/* •Microsoft.Sql/servers/firewallRules/* •Microsoft.Sql/servers/read •Microsoft.Sql/servers/securityAlertPolicies/* •Microsoft.Sql/servers/sqlvulnerabilityAssessments/* •Microsoft.Sql/servers/vulnerabilityAssessments/* •Microsoft.Support/* •Microsoft.Sql/servers/azureADOnlyAuthentications/* •Microsoft.Sql/managedInstances/read •Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* •Microsoft.Security/sqlVulnerabilityAssessments/* •Microsoft.Sql/managedInstances/administrators/read •Microsoft.Sql/servers/administrators/read •Microsoft.Sql/servers/databases/ledgerDigestUploads/* •Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read •Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read •Microsoft.Sql/servers/externalPolicyBasedAuthorizations/* | count: 008 •Configure Azure Defender to be enabled on SQL managed instances •Configure Azure Defender to be enabled on SQL servers •Configure Azure SQL database servers diagnostic settings to Log Analytics workspace •Configure Microsoft Defender for SQL to be enabled on Synapse workspaces •Configure SQL servers to have auditing enabled •Configure SQL servers to have auditing enabled to Log Analytics workspace •Configure Synapse workspaces to have auditing enabled •Deploy Advanced Data Security on SQL servers | |||
| 17d1049b-9a84-46fb-8f53-869881c3d3ab | Storage Account Contributor | Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. | False |
00182 effective control plane operations (unique) •: 1 •Action: 40 •Delete: 20 •read: 85 •Write: 36 |
Actions: 009 resolved operations: 182 effective operations: 182 •: 1 •Action: 40 •Delete: 20 •read: 85 •Write: 36 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/* •Microsoft.Support/* | count: 010 •Configure secure transfer of data on a storage account •Configure SQL servers to have auditing enabled •Configure Storage account to use a private link connection •Configure storage accounts to disable public network access •Configure Storage Accounts to restrict network access through network ACL bypass configuration only. •Configure Synapse workspaces to have auditing enabled •Configure your Storage account public access to be disallowed •Deploy Advanced Data Security on SQL servers •Deploy Diagnostic Settings for Network Security Groups •Modify - Configure your Storage account to enable blob versioning | |||
| 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 | SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security -related policies. | False |
00440 effective control plane operations (unique) •: 1 •Action: 51 •Delete: 34 •read: 293 •Write: 61 |
Actions: 010 resolved operations: 492 effective operations: 440 •: 1 •Action: 51 •Delete: 34 •read: 293 •Write: 61 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Sql/locations/*/read •Microsoft.Sql/servers/* •Microsoft.Support/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read | NotActions: 030 resolved not operations: 78 effective not operations: 14946 •Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* •Microsoft.Sql/managedInstances/securityAlertPolicies/* •Microsoft.Sql/managedInstances/vulnerabilityAssessments/* •Microsoft.Sql/servers/auditingSettings/* •Microsoft.Sql/servers/databases/auditingSettings/* •Microsoft.Sql/servers/databases/auditRecords/read •Microsoft.Sql/servers/databases/currentSensitivityLabels/* •Microsoft.Sql/servers/databases/dataMaskingPolicies/* •Microsoft.Sql/servers/databases/extendedAuditingSettings/* •Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/servers/databases/securityAlertPolicies/* •Microsoft.Sql/servers/databases/securityMetrics/* •Microsoft.Sql/servers/databases/sensitivityLabels/* •Microsoft.Sql/servers/databases/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* •Microsoft.Sql/servers/devOpsAuditingSettings/* •Microsoft.Sql/servers/extendedAuditingSettings/* •Microsoft.Sql/servers/securityAlertPolicies/* •Microsoft.Sql/servers/vulnerabilityAssessments/* •Microsoft.Sql/servers/azureADOnlyAuthentications/delete •Microsoft.Sql/servers/azureADOnlyAuthentications/write •Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete •Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write | count: 004 •Configure Azure Data Explorer clusters with private endpoints •Configure Azure Data Explorer to disable public network access •Configure Azure SQL Server to disable public network access •Configure Azure SQL Server to enable private endpoint connections | ||
| 81a9662b-bebf-436f-a333-f67b29880f12 | Storage Account Key Operator Service Role | Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts | False |
00002 effective control plane operations (unique) •action: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 2 •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/regeneratekey/action | ||||
| ba92f5b4-2d11-453d-a403-e96b0029c9fe | Storage Blob Data Contributor | Allows for read, write and delete access to Azure Storage blob containers and data | False |
00009 effective control plane and data plane operations (unique) •action: 3 •delete: 2 •read: 2 •write: 2 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 1 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/delete •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | DataActions: 005 resolved data operations: 5 effective data operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | |||
| b7e6dc6d-f1e8-4753-8033-0f276bb0955b | Storage Blob Data Owner | Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control. | False |
00027 effective control plane and data plane operations (unique) •action: 16 •delete: 3 •read: 4 •write: 4 |
Actions: 002 resolved operations: 13 effective operations: 13 •action: 7 •delete: 2 •read: 2 •write: 2 •Microsoft.Storage/storageAccounts/blobServices/containers/* •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | DataActions: 001 resolved data operations: 14 effective data operations: 14 •action: 9 •delete: 1 •read: 2 •write: 2 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* | |||
| 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | Storage Blob Data Reader | Allows for read access to Azure Storage blob containers and data | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | |||
| 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | Storage Queue Data Contributor | Allows for read, write, and delete access to Azure Storage queues and queue messages | False |
00007 effective control plane and data plane operations (unique) •action: 1 •delete: 2 •read: 2 •write: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/delete •Microsoft.Storage/storageAccounts/queueServices/queues/read •Microsoft.Storage/storageAccounts/queueServices/queues/write | DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 1 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete •Microsoft.Storage/storageAccounts/queueServices/queues/messages/read •Microsoft.Storage/storageAccounts/queueServices/queues/messages/write •Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | |||
| 8a0f0c08-91a1-4084-bc3d-661d67233fed | Storage Queue Data Message Processor | Allows for peek, receive, and delete access to Azure Storage queue messages | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/read •Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action | ||||
| c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | Storage Queue Data Message Sender | Allows for sending of Azure Storage queue messages | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | ||||
| 19e7f393-937e-4f77-808e-94535e297925 | Storage Queue Data Reader | Allows for read access to Azure Storage queues and queue messages | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | |||
| cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e | Support Request Contributor | Lets you create and manage Support requests | False |
00038 effective control plane operations (unique) •action: 3 •read: 34 •write: 1 |
Actions: 003 resolved operations: 38 effective operations: 38 •action: 3 •read: 34 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 | Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | False |
00073 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 6 •read: 48 •Write: 8 |
Actions: 007 resolved operations: 73 effective operations: 73 •: 1 •Action: 10 •Delete: 6 •read: 48 •Write: 8 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/trafficManagerProfiles/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 | User Access Administrator | Lets you manage user access to Azure resources. | False |
06761 effective control plane operations (unique) •action: 12 •delete: 14 •read: 6717 •write: 18 |
Actions: 003 resolved operations: 6761 effective operations: 6761 •action: 12 •delete: 14 •read: 6717 •write: 18 •*/read •Microsoft.Authorization/* •Microsoft.Support/* | count: 004 •[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines •[Preview]: Enable system-assigned identity to SQL VM | |||
| 9980e02c-c2be-4d73-94e8-173b1dc7cf3c | Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | False |
00350 effective control plane operations (unique) •: 1 •action: 127 •delete: 21 •read: 169 •write: 32 |
Actions: 043 resolved operations: 350 effective operations: 350 •: 1 •action: 127 •delete: 21 •read: 169 •write: 32 •Microsoft.Authorization/*/read •Microsoft.Compute/availabilitySets/* •Microsoft.Compute/locations/* •Microsoft.Compute/virtualMachines/* •Microsoft.Compute/virtualMachineScaleSets/* •Microsoft.Compute/cloudServices/* •Microsoft.Compute/disks/write •Microsoft.Compute/disks/read •Microsoft.Compute/disks/delete •Microsoft.DevTestLab/schedules/* •Microsoft.Insights/alertRules/* •Microsoft.Network/applicationGateways/backendAddressPools/join/action •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/inboundNatPools/join/action •Microsoft.Network/loadBalancers/inboundNatRules/join/action •Microsoft.Network/loadBalancers/probes/join/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/locations/* •Microsoft.Network/networkInterfaces/* •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.RecoveryServices/locations/* •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write •Microsoft.RecoveryServices/Vaults/backupPolicies/read •Microsoft.RecoveryServices/Vaults/backupPolicies/write •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SerialConsole/serialPorts/connect/action •Microsoft.SqlVirtualMachine/* •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* | count: 042 •[Preview]: Configure ChangeTracking Extension for Linux virtual machine scale sets •[Preview]: Configure ChangeTracking Extension for Linux virtual machines •[Preview]: Configure ChangeTracking Extension for Windows virtual machine scale sets •[Preview]: Configure ChangeTracking Extension for Windows virtual machines •[Preview]: Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity •[Preview]: Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity •[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent •[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension •[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot •[Preview]: Configure supported Linux virtual machines to automatically install the Azure Security agent •[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension •[Preview]: Configure supported virtual machines to automatically enable vTPM •[Preview]: Configure supported Windows machines to automatically install the Azure Security agent •[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent •[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension •[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot •[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension •[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs •[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension •[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension •[Preview]: Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity •[Preview]: Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity •Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location •Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location •Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication •Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication •Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication •Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication •Configure SQL Virtual Machines to automatically install Azure Monitor Agent •Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity •Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication •Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity •Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication •Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets •Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets •Deploy default Microsoft IaaSAntimalware extension for Windows Server •Deploy Dependency agent for Linux virtual machine scale sets •Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings •Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings •Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below | |||
| 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b | Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. | False |
00105 effective control plane operations (unique) •: 1 •Action: 20 •Delete: 8 •read: 64 •Write: 12 |
Actions: 009 resolved operations: 105 effective operations: 105 •: 1 •Action: 20 •Delete: 8 •read: 64 •Write: 12 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/serverFarms/* •Microsoft.Web/hostingEnvironments/Join/Action •Microsoft.Insights/autoscalesettings/* | ||||
| de139f84-1756-47ae-9be6-808fbbe84772 | Website Contributor | Lets you manage websites (not web plans), but not access to them. | False |
00495 effective control plane operations (unique) •: 1 •Action: 111 •Delete: 62 •read: 248 •Write: 73 |
Actions: 012 resolved operations: 495 effective operations: 495 •: 1 •Action: 111 •Delete: 62 •read: 248 •Write: 73 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/components/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/certificates/* •Microsoft.Web/listSitesAssignedToHostName/read •Microsoft.Web/serverFarms/join/action •Microsoft.Web/serverFarms/read •Microsoft.Web/sites/* | count: 021 •[Deprecated]: Configure App Services to disable public network access •Configure App Service app slots to disable local authentication for FTP deployments •Configure App Service app slots to disable local authentication for SCM sites •Configure App Service app slots to disable public network access •Configure App Service app slots to only be accessible over HTTPS •Configure App Service app slots to turn off remote debugging •Configure App Service app slots to use the latest TLS version •Configure App Service apps to disable local authentication for FTP deployments •Configure App Service apps to disable local authentication for SCM sites •Configure App Service apps to disable public network access •Configure App Service apps to only be accessible over HTTPS •Configure App Service apps to turn off remote debugging •Configure App Service apps to use the latest TLS version •Configure Function app slots to disable public network access •Configure Function app slots to only be accessible over HTTPS •Configure Function app slots to turn off remote debugging •Configure Function app slots to use the latest TLS version •Configure Function apps to disable public network access •Configure Function apps to only be accessible over HTTPS •Configure Function apps to turn off remote debugging •Configure Function apps to use the latest TLS version | |||
| 090c5cfd-751d-490a-894a-3ce6f1109419 | Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | False |
00093 effective control plane and data plane operations (unique) •action: 26 •delete: 17 •read: 31 •write: 19 |
Actions: 001 resolved operations: 91 effective operations: 91 •action: 24 •delete: 17 •read: 31 •write: 19 •Microsoft.ServiceBus/* | DataActions: 001 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.ServiceBus/* | count: 002 •Configure Azure Service Bus namespaces to disable local authentication •Configure Service Bus namespaces with private endpoints | ||
| f526a384-b230-433a-b45c-95f59c4a2dec | Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | False |
00091 effective control plane and data plane operations (unique) •action: 24 •delete: 16 •read: 33 •write: 18 |
Actions: 001 resolved operations: 86 effective operations: 86 •action: 22 •delete: 15 •read: 32 •write: 17 •Microsoft.EventHub/* | DataActions: 001 resolved data operations: 5 effective data operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.EventHub/* | count: 035 •Configure Azure Event Hub namespaces to disable local authentication •Configure Event Hub namespaces with private endpoints •Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub •Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub •Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub •Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub •Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub •Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub •Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub •Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub •Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub •Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub •Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub •Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub •Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub •Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub •Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub •Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub •Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub •Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub •Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub •Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub •Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub •Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub •Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub •Enable logging by category group for microsoft.network/p2svpngateways to Event Hub •Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub •Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub •Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub •Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub •Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub •Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub •Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub •Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub •Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub | ||
| bbf86eb8-f7b4-4cce-96e4-18cddf81d86e | Attestation Contributor | Can read write or delete the attestation provider instance | False |
00003 effective control plane operations (unique) •delete: 1 •read: 1 •write: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Attestation/attestationProviders/attestation/read •Microsoft.Attestation/attestationProviders/attestation/write •Microsoft.Attestation/attestationProviders/attestation/delete | ||||
| 61ed4efc-fab3-44fd-b111-e24485cc132a | HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | False |
00072 effective control plane operations (unique) •: 1 •action: 9 •Delete: 1 •read: 59 •Write: 2 |
Actions: 009 resolved operations: 72 effective operations: 72 •: 1 •action: 9 •Delete: 1 •read: 59 •Write: 2 •Microsoft.HDInsight/*/read •Microsoft.HDInsight/clusters/getGatewaySettings/action •Microsoft.HDInsight/clusters/updateGatewaySettings/action •Microsoft.HDInsight/clusters/configurations/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/operations/read •Microsoft.Insights/alertRules/* •Microsoft.Authorization/*/read •Microsoft.Support/* | ||||
| 230815da-be43-4aae-9cb4-875f7bd000aa | Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | False |
00309 effective control plane operations (unique) •: 1 •action: 53 •delete: 28 •read: 179 •write: 48 |
Actions: 008 resolved operations: 328 effective operations: 309 •: 1 •action: 53 •delete: 28 •read: 179 •write: 48 •Microsoft.DocumentDb/databaseAccounts/* •Microsoft.Insights/alertRules/* •Microsoft.Authorization/*/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | NotActions: 013 resolved not operations: 19 effective not operations: 15077 •Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/* •Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* •Microsoft.DocumentDB/databaseAccounts/regenerateKey/* •Microsoft.DocumentDB/databaseAccounts/listKeys/* •Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* •Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write •Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete •Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write •Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete •Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write •Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete •Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write •Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete | |||
| 48b40c6e-82e0-4eb3-90d5-19e40f49b624 | Hybrid Server Resource Administrator | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. | False |
00034 effective control plane operations (unique) •action: 3 •delete: 4 •read: 23 •write: 4 |
Actions: 002 resolved operations: 34 effective operations: 34 •action: 3 •delete: 4 •read: 23 •write: 4 •Microsoft.HybridCompute/machines/* •Microsoft.HybridCompute/*/read | count: 001 •[Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended. | |||
| 5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb | Hybrid Server Onboarding | Can onboard new Hybrid servers to the Hybrid Resource Provider. | False |
00002 effective control plane operations (unique) •read: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write | ||||
| a638d3c7-ab3a-418d-83e6-5f17a39d4fde | Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | False |
00002 effective control plane and data plane operations (unique) •action: 1 •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.EventHub/*/eventhubs/consumergroups/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventHub/*/receive/action | |||
| 2b629674-e913-4c01-ae53-ef4638d8f975 | Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | False |
00002 effective control plane and data plane operations (unique) •action: 1 •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.EventHub/*/eventhubs/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventHub/*/send/action | |||
| 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | False |
00004 effective control plane and data plane operations (unique) •action: 1 •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.ServiceBus/*/queues/read •Microsoft.ServiceBus/*/topics/read •Microsoft.ServiceBus/*/topics/subscriptions/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.ServiceBus/*/receive/action | |||
| 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | False |
00004 effective control plane and data plane operations (unique) •action: 1 •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.ServiceBus/*/queues/read •Microsoft.ServiceBus/*/topics/read •Microsoft.ServiceBus/*/topics/subscriptions/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.ServiceBus/*/send/action | |||
| aba4ae5f-2193-4029-9191-0cb91df5e314 | Storage File Data SMB Share Reader | Allows for read access to Azure File Share over SMB | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | ||||
| 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | Storage File Data SMB Share Contributor | Allows for read, write, and delete access in Azure Storage file shares over SMB | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete | ||||
| b12aa53e-6015-4669-85d0-8515ebb3ae7f | Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | False |
00094 effective control plane operations (unique) •: 1 •Action: 12 •Delete: 11 •read: 56 •Write: 14 |
Actions: 010 resolved operations: 94 effective operations: 94 •: 1 •Action: 12 •Delete: 11 •read: 56 •Write: 14 •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Network/privateDnsZones/* •Microsoft.Network/privateDnsOperationResults/* •Microsoft.Network/privateDnsOperationStatuses/* •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/join/action •Microsoft.Authorization/*/read | count: 001 •Configure Azure File Sync to use private DNS zones | |||
| db58b8e5-c6ad-4a2a-8342-4190687cbf4a | Storage Blob Delegator | Allows for generation of a user delegation key which can be used to sign SAS tokens | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | ||||
| 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | Desktop Virtualization User | Allows user to use the applications in an application group. | False |
00002 effective data plane operations (unique) •action: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.DesktopVirtualization/applicationGroups/useApplications/action •Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action | ||||
| a7264617-510b-434b-a828-9731dc254ea7 | Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB | False |
00004 effective data plane operations (unique) •action: 1 •delete: 1 •read: 1 •write: 1 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 1 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action | ||||
| 41077137-e803-4205-871c-5a86e6a753b4 | Blueprint Contributor | Can manage blueprint definitions, but not assign them. | False |
00057 effective control plane operations (unique) •action: 7 •delete: 4 •read: 41 •write: 5 |
Actions: 005 resolved operations: 57 effective operations: 57 •action: 7 •delete: 4 •read: 41 •write: 5 •Microsoft.Authorization/*/read •Microsoft.Blueprint/blueprints/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | ||||
| 437d2ced-4a38-4302-8479-ed2bcb43d090 | Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. | False |
00052 effective control plane operations (unique) •action: 8 •delete: 2 •read: 39 •write: 3 |
Actions: 005 resolved operations: 52 effective operations: 52 •action: 8 •delete: 2 •read: 39 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Blueprint/blueprintAssignments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | ||||
| ab8e14d6-4a74-4a29-9ba8-549422addade | Microsoft Sentinel Contributor | Microsoft Sentinel Contributor | False |
00944 effective control plane operations (unique) •: 1 •Action: 39 •Delete: 41 •read: 819 •Write: 44 |
Actions: 016 resolved operations: 948 effective operations: 944 •: 1 •Action: 39 •Delete: 41 •read: 819 •Write: 44 •Microsoft.SecurityInsights/* •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/savedSearches/* •Microsoft.OperationsManagement/solutions/read •Microsoft.OperationalInsights/workspaces/query/read •Microsoft.OperationalInsights/workspaces/query/*/read •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.OperationalInsights/querypacks/*/read •Microsoft.Insights/workbooks/* •Microsoft.Insights/myworkbooks/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | NotActions: 002 resolved not operations: 4 effective not operations: 14442 •Microsoft.SecurityInsights/ConfidentialWatchlists/* •Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |||
| 3e150937-b8fe-4cfb-8069-0eaf05ecd056 | Microsoft Sentinel Responder | Microsoft Sentinel Responder | False |
00856 effective control plane operations (unique) •: 1 •Action: 21 •Delete: 5 •read: 818 •Write: 11 |
Actions: 029 resolved operations: 861 effective operations: 856 •: 1 •Action: 21 •Delete: 5 •read: 818 •Write: 11 •Microsoft.SecurityInsights/*/read •Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action •Microsoft.SecurityInsights/automationRules/* •Microsoft.SecurityInsights/cases/* •Microsoft.SecurityInsights/incidents/* •Microsoft.SecurityInsights/entities/runPlaybook/action •Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action •Microsoft.SecurityInsights/threatIntelligence/indicators/query/action •Microsoft.SecurityInsights/threatIntelligence/bulkTag/action •Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action •Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action •Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action •Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.OperationalInsights/workspaces/savedSearches/read •Microsoft.OperationsManagement/solutions/read •Microsoft.OperationalInsights/workspaces/query/read •Microsoft.OperationalInsights/workspaces/query/*/read •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.OperationalInsights/querypacks/*/read •Microsoft.Insights/workbooks/read •Microsoft.Insights/myworkbooks/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | NotActions: 004 resolved not operations: 7 effective not operations: 14530 •Microsoft.SecurityInsights/cases/*/Delete •Microsoft.SecurityInsights/incidents/*/Delete •Microsoft.SecurityInsights/ConfidentialWatchlists/* •Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |||
| 8d289c81-5878-46d4-8554-54e1e3d8b5cb | Microsoft Sentinel Reader | Microsoft Sentinel Reader | False |
00839 effective control plane operations (unique) •: 1 •Action: 14 •Delete: 2 •read: 819 •Write: 3 |
Actions: 021 resolved operations: 841 effective operations: 839 •: 1 •Action: 14 •Delete: 2 •read: 819 •Write: 3 •Microsoft.SecurityInsights/*/read •Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action •Microsoft.SecurityInsights/threatIntelligence/indicators/query/action •Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/LinkedServices/read •Microsoft.OperationalInsights/workspaces/savedSearches/read •Microsoft.OperationsManagement/solutions/read •Microsoft.OperationalInsights/workspaces/query/read •Microsoft.OperationalInsights/workspaces/query/*/read •Microsoft.OperationalInsights/querypacks/*/read •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.Insights/workbooks/read •Microsoft.Insights/myworkbooks/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/templateSpecs/*/read •Microsoft.Support/* | NotActions: 002 resolved not operations: 4 effective not operations: 14547 •Microsoft.SecurityInsights/ConfidentialWatchlists/* •Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* | |||
| 66bb4e9e-b016-4a94-8249-4c0511c2be84 | Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | False |
00006 effective control plane and data plane operations (unique) •action: 2 •read: 4 |
Actions: 004 resolved operations: 4 effective operations: 4 •read: 4 •Microsoft.Authorization/policyassignments/read •Microsoft.Authorization/policydefinitions/read •Microsoft.Authorization/policyexemptions/read •Microsoft.Authorization/policysetdefinitions/read | DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.PolicyInsights/checkDataPolicyCompliance/action •Microsoft.PolicyInsights/policyEvents/logDataEvents/action | |||
| 04165923-9d83-45d5-8227-78b77b0a687e | SignalR AccessKey Reader | Read SignalR Service Access Keys | False |
00094 effective control plane operations (unique) •action: 4 •read: 89 •write: 1 |
Actions: 005 resolved operations: 94 effective operations: 94 •action: 4 •read: 89 •write: 1 •Microsoft.SignalRService/*/read •Microsoft.SignalRService/SignalR/listkeys/action •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | SignalR/Web PubSub Contributor | Create, Read, Update, and Delete SignalR service resources | False |
00163 effective control plane operations (unique) •: 1 •Action: 25 •Delete: 18 •read: 94 •Write: 25 |
Actions: 006 resolved operations: 163 effective operations: 163 •: 1 •Action: 25 •Delete: 18 •read: 94 •Write: 25 •Microsoft.SignalRService/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | count: 006 •Configure Azure SignalR Service to disable local authentication •Configure Azure Web PubSub Service to disable local authentication •Configure Azure Web PubSub Service to disable public network access •Configure Azure Web PubSub Service with private endpoints •Configure private endpoints to Azure SignalR Service •Modify Azure SignalR Service resources to disable public network access | |||
| b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 | Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | False |
00004 effective control plane operations (unique) •read: 3 •write: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •read: 3 •write: 1 •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/privateLinkScopes/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/read | ||||
| 91c1777a-f3dc-4fae-b103-61d183457e46 | Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | False |
00003 effective control plane operations (unique) •delete: 1 •read: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 2 •Microsoft.ManagedServices/registrationAssignments/read •Microsoft.ManagedServices/registrationAssignments/delete •Microsoft.ManagedServices/operationStatuses/read | ||||
| 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | App Configuration Data Owner | Allows full access to App Configuration data. | False |
00006 effective data plane operations (unique) •action: 1 •delete: 1 •read: 2 •write: 2 |
DataActions: 004 resolved data operations: 6 effective data operations: 6 •action: 1 •delete: 1 •read: 2 •write: 2 •Microsoft.AppConfiguration/configurationStores/*/read •Microsoft.AppConfiguration/configurationStores/*/write •Microsoft.AppConfiguration/configurationStores/*/delete •Microsoft.AppConfiguration/configurationStores/*/action | ||||
| 516239f1-63e1-4d78-a4de-a74fb236a071 | App Configuration Data Reader | Allows read access to App Configuration data. | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 001 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.AppConfiguration/configurationStores/*/read | ||||
| 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resource | False |
00051 effective control plane operations (unique) •: 1 •Action: 6 •Delete: 1 •read: 39 •Write: 4 |
Actions: 009 resolved operations: 51 effective operations: 51 •: 1 •Action: 6 •Delete: 1 •read: 39 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Kubernetes/connectedClusters/Write •Microsoft.Kubernetes/connectedClusters/read •Microsoft.Support/* | count: 002 •Configure Azure Arc Private Link Scopes with private endpoints •Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope | |||
| 7f646f1b-fa08-80eb-a22b-edd6ce5c915c | Experimentation Contributor | Experimentation Contributor | False |
00009 effective control plane and data plane operations (unique) •action: 2 •delete: 2 •read: 3 •write: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Experimentation/experimentWorkspaces/read | DataActions: 008 resolved data operations: 8 effective data operations: 8 •action: 2 •delete: 2 •read: 2 •write: 2 •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action •Microsoft.Experimentation/experimentWorkspaces/read •Microsoft.Experimentation/experimentWorkspaces/write •Microsoft.Experimentation/experimentWorkspaces/delete | |||
| 466ccd10-b268-4a11-b098-b4849f024126 | Cognitive Services QnA Maker Reader | Let's you read and test a KB only. | False |
00053 effective control plane and data plane operations (unique) •action: 3 •read: 50 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 018 resolved data operations: 18 effective data operations: 18 •action: 3 •read: 15 •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read | |||
| f4cc2bf9-21be-47a1-bdf1-5c5804381025 | Cognitive Services QnA Maker Editor | Let's you create, edit, import and export a KB. You cannot publish or delete a KB. | False |
00074 effective control plane and data plane operations (unique) •action: 9 •read: 53 •write: 12 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 039 resolved data operations: 39 effective data operations: 39 •action: 9 •read: 18 •write: 12 •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action •Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write •Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action •Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write •Microsoft.CognitiveServices/accounts/QnAMaker/operations/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read | |||
| 7f646f1b-fa08-80eb-a33b-edd6ce5c915c | Experimentation Administrator | Experimentation Administrator | False |
00014 effective control plane and data plane operations (unique) •action: 7 •delete: 2 •read: 3 •write: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Experimentation/experimentWorkspaces/read | DataActions: 013 resolved data operations: 13 effective data operations: 13 •action: 7 •delete: 2 •read: 2 •write: 2 •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action •Microsoft.Experimentation/experimentWorkspaces/read •Microsoft.Experimentation/experimentWorkspaces/write •Microsoft.Experimentation/experimentWorkspaces/delete •Microsoft.Experimentation/experimentWorkspaces/admin/action •Microsoft.Experimentation/experimentWorkspaces/metricwrite/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action | |||
| 3df8b902-2a6f-47c7-8cc5-360e9b272a7e | Remote Rendering Administrator | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | False |
00008 effective data plane operations (unique) •action: 2 •delete: 2 •read: 4 |
DataActions: 008 resolved data operations: 8 effective data operations: 8 •action: 2 •delete: 2 •read: 4 •Microsoft.MixedReality/RemoteRenderingAccounts/convert/action •Microsoft.MixedReality/RemoteRenderingAccounts/convert/read •Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete •Microsoft.MixedReality/RemoteRenderingAccounts/render/read •Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | ||||
| d39065c4-c120-43c9-ab0a-63eed9795f0a | Remote Rendering Client | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. | False |
00005 effective data plane operations (unique) •action: 1 •delete: 1 •read: 3 |
DataActions: 005 resolved data operations: 5 effective data operations: 5 •action: 1 •delete: 1 •read: 3 •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete •Microsoft.MixedReality/RemoteRenderingAccounts/render/read •Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read | ||||
| 641177b8-a67a-45b9-a033-47bc880bb21e | Managed Application Contributor Role | Allows for creating managed application resources. | False |
06735 effective control plane operations (unique) •action: 11 •delete: 3 •read: 6717 •write: 4 |
Actions: 005 resolved operations: 6735 effective operations: 6735 •action: 11 •delete: 3 •read: 6717 •write: 4 •*/read •Microsoft.Solutions/applications/* •Microsoft.Solutions/register/action •Microsoft.Resources/subscriptions/resourceGroups/* •Microsoft.Resources/deployments/* | ||||
| 612c2aa1-cb24-443b-ac28-3ab7272de6f5 | Security Assessment Contributor | Lets you push assessments to Security Center | False |
00001 effective control plane operations (unique) •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •write: 1 •Microsoft.Security/assessments/write | ||||
| 4a9ae827-6dc8-4573-8ac7-8239d42aa03f | Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | False |
00060 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 3 •read: 42 •Write: 4 |
Actions: 008 resolved operations: 60 effective operations: 60 •: 1 •Action: 10 •Delete: 3 •read: 42 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/resources/read •Microsoft.Resources/subscriptions/resources/read •Microsoft.Resources/deployments/* •Microsoft.Insights/alertRules/* •Microsoft.Support/* •Microsoft.Resources/tags/* | count: 002 •Add a tag to subscriptions •Add or replace a tag on subscriptions | |||
| c7aa55d3-1abb-444a-a5ca-5e51e485d6ec | Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | False |
00039 effective control plane operations (unique) •action: 4 •read: 34 •write: 1 |
Actions: 004 resolved operations: 39 effective operations: 39 •action: 4 •read: 34 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Support/* •Microsoft.Logic/integrationServiceEnvironments/read •Microsoft.Logic/integrationServiceEnvironments/*/join/action | ||||
| a41e2c5b-bd99-4a07-88f4-9bf657a760b8 | Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | False |
00049 effective control plane operations (unique) •action: 5 •delete: 1 •read: 40 •write: 3 |
Actions: 003 resolved operations: 49 effective operations: 49 •action: 5 •delete: 1 •read: 40 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Support/* •Microsoft.Logic/integrationServiceEnvironments/* | ||||
| ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 | Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters | False |
00011 effective control plane operations (unique) •action: 4 •delete: 1 •read: 4 •write: 2 |
Actions: 003 resolved operations: 11 effective operations: 11 •action: 4 •delete: 1 •read: 4 •write: 2 •Microsoft.ContainerService/managedClusters/read •Microsoft.ContainerService/managedClusters/write •Microsoft.Resources/deployments/* | count: 006 •[Preview]: Deploy Image Integrity on Azure Kubernetes Service •Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access •Configure Node OS Auto upgrade on Azure Kubernetes Cluster •Deploy Azure Policy Add-on to Azure Kubernetes Service clusters •Deploy Image Cleaner on Azure Kubernetes Service •Disable Command Invoke on Azure Kubernetes Service clusters | |||
| d57506d4-4c8d-48b1-8587-93c323f6a5a3 | Azure Digital Twins Data Reader | Read-only role for Digital Twins data-plane properties | False |
00008 effective data plane operations (unique) •action: 1 •read: 7 |
DataActions: 008 resolved data operations: 8 effective data operations: 8 •action: 1 •read: 7 •Microsoft.DigitalTwins/digitaltwins/read •Microsoft.DigitalTwins/digitaltwins/relationships/read •Microsoft.DigitalTwins/eventroutes/read •Microsoft.DigitalTwins/jobs/import/read •Microsoft.DigitalTwins/jobs/imports/read •Microsoft.DigitalTwins/jobs/deletions/read •Microsoft.DigitalTwins/models/read •Microsoft.DigitalTwins/query/action | ||||
| bcd981a7-7f74-457b-83e1-cceb9e632ffe | Azure Digital Twins Data Owner | Full access role for Digital Twins data-plane | False |
00023 effective data plane operations (unique) •action: 3 •delete: 5 •read: 8 •write: 7 |
DataActions: 007 resolved data operations: 23 effective data operations: 23 •action: 3 •delete: 5 •read: 8 •write: 7 •Microsoft.DigitalTwins/digitaltwins/* •Microsoft.DigitalTwins/digitaltwins/commands/* •Microsoft.DigitalTwins/digitaltwins/relationships/* •Microsoft.DigitalTwins/eventroutes/* •Microsoft.DigitalTwins/jobs/* •Microsoft.DigitalTwins/models/* •Microsoft.DigitalTwins/query/* | ||||
| 350f8d15-c687-4448-8ae1-157740a3936d | Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings | False |
00002 effective control plane operations (unique) •delete: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •delete: 1 •write: 1 •Microsoft.Management/managementGroups/settings/write •Microsoft.Management/managementGroups/settings/delete | ||||
| 5a1fc7df-4bf1-4951-a576-89034ee01acd | FHIR Data Contributor | Role allows user or principal full access to FHIR Data | False |
00022 effective data plane operations (unique) •action: 16 •delete: 2 •read: 2 •write: 2 |
DataActions: 002 resolved data operations: 24 effective data operations: 22 •action: 16 •delete: 2 •read: 2 •write: 2 •Microsoft.HealthcareApis/services/fhir/resources/* •Microsoft.HealthcareApis/workspaces/fhirservices/resources/* | NotDataActions: 002 resolved not data operations: 2 effective not data operations: 3099 •Microsoft.HealthcareApis/services/fhir/resources/smart/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action | |||
| 3db33094-8700-4567-8da5-1501d4e7e843 | FHIR Data Exporter | Role allows user or principal to read and export FHIR Data | False |
00004 effective data plane operations (unique) •action: 2 •read: 2 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 2 •read: 2 •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/services/fhir/resources/export/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action | ||||
| 4c8d0bbc-75d3-4935-991f-5f3c56d81508 | FHIR Data Reader | Role allows user or principal to read FHIR Data | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | ||||
| 3f88fce4-5892-4214-ae73-ba5294559913 | FHIR Data Writer | Role allows user or principal to read and write FHIR Data | False |
00018 effective data plane operations (unique) •action: 12 •delete: 2 •read: 2 •write: 2 |
DataActions: 018 resolved data operations: 18 effective data operations: 18 •action: 12 •delete: 2 •read: 2 •write: 2 •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/services/fhir/resources/write •Microsoft.HealthcareApis/services/fhir/resources/delete •Microsoft.HealthcareApis/services/fhir/resources/export/action •Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action •Microsoft.HealthcareApis/services/fhir/resources/reindex/action •Microsoft.HealthcareApis/services/fhir/resources/convertData/action •Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action •Microsoft.HealthcareApis/services/fhir/resources/import/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/write •Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete •Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action | ||||
| 49632ef5-d9ac-41f4-b8e7-bbe587fa74a1 | Experimentation Reader | Experimentation Reader | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Experimentation/experimentWorkspaces/read | DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.Experimentation/experimentWorkspaces/read •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read | |||
| 4dd61c23-6743-42fe-a388-d8bdd41cb745 | Object Understanding Account Owner | Provides user with ingestion capabilities for Azure Object Understanding. | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/action •Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read | ||||
| 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 | Azure Maps Data Contributor | Grants access to read, write, and delete access to map related data from an Azure maps account. | False |
00019 effective data plane operations (unique) •action: 1 •delete: 2 •read: 12 •write: 4 |
DataActions: 004 resolved data operations: 19 effective data operations: 19 •action: 1 •delete: 2 •read: 12 •write: 4 •Microsoft.Maps/accounts/*/read •Microsoft.Maps/accounts/*/write •Microsoft.Maps/accounts/*/delete •Microsoft.Maps/accounts/*/action | ||||
| c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 | Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | False |
00107 effective control plane and data plane operations (unique) •action: 33 •delete: 11 •read: 56 •write: 7 |
Actions: 001 resolved operations: 33 effective operations: 33 •read: 33 •Microsoft.CognitiveServices/*/read | DataActions: 001 resolved data operations: 74 effective data operations: 74 •action: 33 •delete: 11 •read: 23 •write: 7 •Microsoft.CognitiveServices/accounts/CustomVision/* | |||
| 5c4089e1-6d96-4d2f-b296-c1bc7137275f | Cognitive Services Custom Vision Deployment | Publish, unpublish or export models. Deployment can view the project but can't update. | False |
00070 effective control plane and data plane operations (unique) •action: 13 •delete: 2 •read: 55 |
Actions: 001 resolved operations: 33 effective operations: 33 •read: 33 •Microsoft.CognitiveServices/*/read | DataActions: 007 resolved data operations: 38 effective data operations: 37 •action: 13 •delete: 2 •read: 22 •Microsoft.CognitiveServices/accounts/CustomVision/*/read •Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/* •Microsoft.CognitiveServices/accounts/CustomVision/classify/* •Microsoft.CognitiveServices/accounts/CustomVision/detect/* | NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3084 •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 88424f51-ebe7-446f-bc41-7fa16989e96c | Cognitive Services Custom Vision Labeler | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | False |
00073 effective control plane and data plane operations (unique) •action: 13 •delete: 4 •read: 55 •write: 1 |
Actions: 001 resolved operations: 33 effective operations: 33 •read: 33 •Microsoft.CognitiveServices/*/read | DataActions: 006 resolved data operations: 41 effective data operations: 40 •action: 13 •delete: 4 •read: 22 •write: 1 •Microsoft.CognitiveServices/accounts/CustomVision/*/read •Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action •Microsoft.CognitiveServices/accounts/CustomVision/projects/images/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action | NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3081 •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 93586559-c37d-4a6b-ba08-b9f0940c2d73 | Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can't create or update the project. | False |
00056 effective control plane and data plane operations (unique) •action: 1 •read: 55 |
Actions: 001 resolved operations: 33 effective operations: 33 •read: 33 •Microsoft.CognitiveServices/*/read | DataActions: 002 resolved data operations: 24 effective data operations: 23 •action: 1 •read: 22 •Microsoft.CognitiveServices/accounts/CustomVision/*/read •Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action | NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3098 •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b | Cognitive Services Custom Vision Trainer | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. | False |
00103 effective control plane and data plane operations (unique) •action: 31 •delete: 10 •read: 55 •write: 7 |
Actions: 001 resolved operations: 33 effective operations: 33 •read: 33 •Microsoft.CognitiveServices/*/read | DataActions: 001 resolved data operations: 74 effective data operations: 70 •action: 31 •delete: 10 •read: 22 •write: 7 •Microsoft.CognitiveServices/accounts/CustomVision/* | NotDataActions: 004 resolved not data operations: 4 effective not data operations: 3051 •Microsoft.CognitiveServices/accounts/CustomVision/projects/action •Microsoft.CognitiveServices/accounts/CustomVision/projects/delete •Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 00482a5a-887f-4fb3-b363-3b7fe8e74483 | Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | False |
00125 effective control plane and data plane operations (unique) •: 1 •Action: 47 •Delete: 8 •read: 63 •Write: 6 |
Actions: 010 resolved operations: 74 effective operations: 74 •: 1 •Action: 10 •Delete: 2 •read: 58 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/operations/read | DataActions: 001 resolved data operations: 52 effective data operations: 52 •action: 37 •delete: 6 •read: 6 •write: 3 •Microsoft.KeyVault/vaults/* | |||
| 12338af0-0e69-4776-bea7-57ae8d297424 | Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | False |
00009 effective data plane operations (unique) •action: 8 •read: 1 |
DataActions: 009 resolved data operations: 9 effective data operations: 9 •action: 8 •read: 1 •Microsoft.KeyVault/vaults/keys/read •Microsoft.KeyVault/vaults/keys/update/action •Microsoft.KeyVault/vaults/keys/backup/action •Microsoft.KeyVault/vaults/keys/encrypt/action •Microsoft.KeyVault/vaults/keys/decrypt/action •Microsoft.KeyVault/vaults/keys/wrap/action •Microsoft.KeyVault/vaults/keys/unwrap/action •Microsoft.KeyVault/vaults/keys/sign/action •Microsoft.KeyVault/vaults/keys/verify/action | ||||
| b86a8fe4-44ce-4948-aee5-eccb2c155cd7 | Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | False |
00083 effective control plane and data plane operations (unique) •: 1 •Action: 18 •Delete: 3 •read: 58 •Write: 3 |
Actions: 010 resolved operations: 74 effective operations: 74 •: 1 •Action: 10 •Delete: 2 •read: 58 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/operations/read | DataActions: 001 resolved data operations: 9 effective data operations: 9 •action: 8 •delete: 1 •Microsoft.KeyVault/vaults/secrets/* | |||
| 4633458b-17de-408a-b874-0445c86b69e6 | Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | False |
00002 effective data plane operations (unique) •action: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.KeyVault/vaults/secrets/getSecret/action •Microsoft.KeyVault/vaults/secrets/readMetadata/action | ||||
| a4417e6f-fecd-4de8-b567-7b0420556985 | Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | False |
00087 effective control plane and data plane operations (unique) •: 1 •Action: 17 •Delete: 4 •read: 60 •Write: 5 |
Actions: 010 resolved operations: 74 effective operations: 74 •: 1 •Action: 10 •Delete: 2 •read: 58 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/operations/read | DataActions: 003 resolved data operations: 13 effective data operations: 13 •action: 7 •delete: 2 •read: 2 •write: 2 •Microsoft.KeyVault/vaults/certificatecas/* •Microsoft.KeyVault/vaults/certificates/* •Microsoft.KeyVault/vaults/certificatecontacts/write | |||
| 21090545-7ca7-4776-b22c-e363652d74d2 | Key Vault Reader | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | False |
00080 effective control plane and data plane operations (unique) •: 1 •Action: 11 •Delete: 2 •read: 63 •Write: 3 |
Actions: 010 resolved operations: 74 effective operations: 74 •: 1 •Action: 10 •Delete: 2 •read: 58 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/operations/read | DataActions: 002 resolved data operations: 7 effective data operations: 7 •action: 1 •read: 6 •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/vaults/secrets/readMetadata/action | |||
| e147488a-f6f5-4113-8e2d-b22465e65bf6 | Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | False |
00006 effective control plane and data plane operations (unique) •action: 2 •delete: 1 •read: 2 •write: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.EventGrid/eventSubscriptions/write •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/eventSubscriptions/delete | DataActions: 003 resolved data operations: 3 effective data operations: 3 •action: 2 •read: 1 •Microsoft.KeyVault/vaults/keys/read •Microsoft.KeyVault/vaults/keys/wrap/action •Microsoft.KeyVault/vaults/keys/unwrap/action | |||
| 63f0a09d-1495-4db4-a681-037d84835eb4 | Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. | False |
00077 effective control plane and data plane operations (unique) •: 1 •Action: 6 •Delete: 1 •read: 66 •Write: 3 |
Actions: 007 resolved operations: 49 effective operations: 49 •: 1 •Action: 6 •Delete: 1 •read: 38 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | DataActions: 029 resolved data operations: 28 effective data operations: 28 •read: 28 •Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read •Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read •Microsoft.Kubernetes/connectedClusters/apps/deployments/read •Microsoft.Kubernetes/connectedClusters/apps/replicasets/read •Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read •Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read •Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read •Microsoft.Kubernetes/connectedClusters/batch/jobs/read •Microsoft.Kubernetes/connectedClusters/configmaps/read •Microsoft.Kubernetes/connectedClusters/endpoints/read •Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read •Microsoft.Kubernetes/connectedClusters/events/read •Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read •Microsoft.Kubernetes/connectedClusters/extensions/deployments/read •Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read •Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read •Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read •Microsoft.Kubernetes/connectedClusters/limitranges/read •Microsoft.Kubernetes/connectedClusters/namespaces/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read •Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read •Microsoft.Kubernetes/connectedClusters/pods/read •Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read •Microsoft.Kubernetes/connectedClusters/resourcequotas/read •Microsoft.Kubernetes/connectedClusters/serviceaccounts/read •Microsoft.Kubernetes/connectedClusters/services/read | |||
| 5b999177-9696-4545-85c7-50de3797e5a1 | Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. | False |
00126 effective control plane and data plane operations (unique) •: 1 •Action: 8 •Delete: 24 •read: 67 •Write: 26 |
Actions: 007 resolved operations: 49 effective operations: 49 •: 1 •Action: 6 •Delete: 1 •read: 38 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | DataActions: 030 resolved data operations: 77 effective data operations: 77 •action: 2 •delete: 23 •read: 29 •write: 23 •Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read •Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* •Microsoft.Kubernetes/connectedClusters/apps/deployments/* •Microsoft.Kubernetes/connectedClusters/apps/replicasets/* •Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* •Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* •Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* •Microsoft.Kubernetes/connectedClusters/batch/jobs/* •Microsoft.Kubernetes/connectedClusters/configmaps/* •Microsoft.Kubernetes/connectedClusters/endpoints/* •Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read •Microsoft.Kubernetes/connectedClusters/events/read •Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* •Microsoft.Kubernetes/connectedClusters/extensions/deployments/* •Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* •Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* •Microsoft.Kubernetes/connectedClusters/limitranges/read •Microsoft.Kubernetes/connectedClusters/namespaces/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* •Microsoft.Kubernetes/connectedClusters/pods/* •Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/resourcequotas/read •Microsoft.Kubernetes/connectedClusters/secrets/* •Microsoft.Kubernetes/connectedClusters/serviceaccounts/* •Microsoft.Kubernetes/connectedClusters/services/* | |||
| 8393591c-06b9-48a2-a542-1bd6b377f6a2 | Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. | False |
00359 effective control plane and data plane operations (unique) •: 1 •Action: 16 •Delete: 58 •read: 218 •Write: 66 |
Actions: 007 resolved operations: 49 effective operations: 49 •: 1 •Action: 6 •Delete: 1 •read: 38 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | DataActions: 001 resolved data operations: 310 effective data operations: 310 •action: 10 •delete: 57 •read: 180 •write: 63 •Microsoft.Kubernetes/connectedClusters/* | |||
| dffb1e0c-446f-4dde-a09f-99eb5cc68b96 | Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | False |
00135 effective control plane and data plane operations (unique) •: 1 •Action: 10 •Delete: 26 •read: 69 •Write: 29 |
Actions: 007 resolved operations: 49 effective operations: 49 •: 1 •Action: 6 •Delete: 1 •read: 38 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | DataActions: 033 resolved data operations: 86 effective data operations: 86 •action: 4 •delete: 25 •read: 31 •write: 26 •Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read •Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* •Microsoft.Kubernetes/connectedClusters/apps/deployments/* •Microsoft.Kubernetes/connectedClusters/apps/replicasets/* •Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* •Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write •Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* •Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* •Microsoft.Kubernetes/connectedClusters/batch/jobs/* •Microsoft.Kubernetes/connectedClusters/configmaps/* •Microsoft.Kubernetes/connectedClusters/endpoints/* •Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read •Microsoft.Kubernetes/connectedClusters/events/read •Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* •Microsoft.Kubernetes/connectedClusters/extensions/deployments/* •Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* •Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* •Microsoft.Kubernetes/connectedClusters/limitranges/read •Microsoft.Kubernetes/connectedClusters/namespaces/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* •Microsoft.Kubernetes/connectedClusters/pods/* •Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* •Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* •Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/resourcequotas/read •Microsoft.Kubernetes/connectedClusters/secrets/* •Microsoft.Kubernetes/connectedClusters/serviceaccounts/* •Microsoft.Kubernetes/connectedClusters/services/* | |||
| b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b | Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | False |
00342 effective control plane and data plane operations (unique) •action: 11 •delete: 57 •read: 211 •write: 63 |
Actions: 005 resolved operations: 31 effective operations: 31 •action: 1 •read: 30 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | DataActions: 001 resolved data operations: 311 effective data operations: 311 •action: 10 •delete: 57 •read: 181 •write: 63 •Microsoft.ContainerService/managedClusters/* | |||
| 3498e952-d568-435e-9b2c-8d77e338d7f7 | Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | False |
00338 effective control plane and data plane operations (unique) •action: 11 •delete: 55 •read: 211 •write: 61 |
Actions: 005 resolved operations: 31 effective operations: 31 •action: 1 •read: 30 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/managedClusters/listClusterUserCredential/action | DataActions: 001 resolved data operations: 311 effective data operations: 307 •action: 10 •delete: 55 •read: 181 •write: 61 •Microsoft.ContainerService/managedClusters/* | NotDataActions: 004 resolved not data operations: 4 effective not data operations: 2814 •Microsoft.ContainerService/managedClusters/resourcequotas/write •Microsoft.ContainerService/managedClusters/resourcequotas/delete •Microsoft.ContainerService/managedClusters/namespaces/write •Microsoft.ContainerService/managedClusters/namespaces/delete | ||
| 7f6c6a51-bcf8-42ba-9220-52d62157d7db | Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | False |
00061 effective control plane and data plane operations (unique) •read: 61 |
Actions: 004 resolved operations: 30 effective operations: 30 •read: 30 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 031 resolved data operations: 31 effective data operations: 31 •read: 31 •Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read •Microsoft.ContainerService/managedClusters/apps/daemonsets/read •Microsoft.ContainerService/managedClusters/apps/deployments/read •Microsoft.ContainerService/managedClusters/apps/replicasets/read •Microsoft.ContainerService/managedClusters/apps/statefulsets/read •Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read •Microsoft.ContainerService/managedClusters/batch/cronjobs/read •Microsoft.ContainerService/managedClusters/batch/jobs/read •Microsoft.ContainerService/managedClusters/configmaps/read •Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read •Microsoft.ContainerService/managedClusters/endpoints/read •Microsoft.ContainerService/managedClusters/events.k8s.io/events/read •Microsoft.ContainerService/managedClusters/events/read •Microsoft.ContainerService/managedClusters/extensions/daemonsets/read •Microsoft.ContainerService/managedClusters/extensions/deployments/read •Microsoft.ContainerService/managedClusters/extensions/ingresses/read •Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read •Microsoft.ContainerService/managedClusters/extensions/replicasets/read •Microsoft.ContainerService/managedClusters/limitranges/read •Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read •Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read •Microsoft.ContainerService/managedClusters/namespaces/read •Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read •Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read •Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read •Microsoft.ContainerService/managedClusters/pods/read •Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read •Microsoft.ContainerService/managedClusters/replicationcontrollers/read •Microsoft.ContainerService/managedClusters/resourcequotas/read •Microsoft.ContainerService/managedClusters/serviceaccounts/read •Microsoft.ContainerService/managedClusters/services/read | |||
| a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb | Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | False |
00115 effective control plane and data plane operations (unique) •action: 2 •delete: 25 •read: 63 •write: 25 |
Actions: 004 resolved operations: 30 effective operations: 30 •read: 30 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 035 resolved data operations: 85 effective data operations: 85 •action: 2 •delete: 25 •read: 33 •write: 25 •Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read •Microsoft.ContainerService/managedClusters/apps/daemonsets/* •Microsoft.ContainerService/managedClusters/apps/deployments/* •Microsoft.ContainerService/managedClusters/apps/replicasets/* •Microsoft.ContainerService/managedClusters/apps/statefulsets/* •Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* •Microsoft.ContainerService/managedClusters/batch/cronjobs/* •Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read •Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write •Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete •Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read •Microsoft.ContainerService/managedClusters/batch/jobs/* •Microsoft.ContainerService/managedClusters/configmaps/* •Microsoft.ContainerService/managedClusters/endpoints/* •Microsoft.ContainerService/managedClusters/events.k8s.io/events/read •Microsoft.ContainerService/managedClusters/events/* •Microsoft.ContainerService/managedClusters/extensions/daemonsets/* •Microsoft.ContainerService/managedClusters/extensions/deployments/* •Microsoft.ContainerService/managedClusters/extensions/ingresses/* •Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* •Microsoft.ContainerService/managedClusters/extensions/replicasets/* •Microsoft.ContainerService/managedClusters/limitranges/read •Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read •Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read •Microsoft.ContainerService/managedClusters/namespaces/read •Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* •Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* •Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* •Microsoft.ContainerService/managedClusters/pods/* •Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* •Microsoft.ContainerService/managedClusters/replicationcontrollers/* •Microsoft.ContainerService/managedClusters/resourcequotas/read •Microsoft.ContainerService/managedClusters/secrets/* •Microsoft.ContainerService/managedClusters/serviceaccounts/* •Microsoft.ContainerService/managedClusters/services/* | |||
| 82200a5b-e217-47a5-b665-6d8765ee745b | Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | False |
00043 effective control plane operations (unique) •action: 5 •delete: 2 •read: 34 •write: 2 |
Actions: 009 resolved operations: 43 effective operations: 43 •action: 5 •delete: 2 •read: 34 •write: 2 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.ServicesHub/connectors/write •Microsoft.ServicesHub/connectors/read •Microsoft.ServicesHub/connectors/delete •Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action •Microsoft.ServicesHub/supportOfferingEntitlement/read •Microsoft.ServicesHub/workspaces/read | ||||
| d18777c0-1514-4662-8490-608db7d334b6 | Object Understanding Account Reader | Lets you read ingestion jobs for an object understanding account. | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read | ||||
| fd53cd77-2268-407a-8f46-7e7863d0f521 | SignalR REST API Owner | Full access to Azure SignalR Service REST APIs | False |
00012 effective data plane operations (unique) •action: 5 •read: 3 •write: 4 |
DataActions: 005 resolved data operations: 12 effective data operations: 12 •action: 5 •read: 3 •write: 4 •Microsoft.SignalRService/SignalR/auth/clientToken/action •Microsoft.SignalRService/SignalR/hub/* •Microsoft.SignalRService/SignalR/group/* •Microsoft.SignalRService/SignalR/clientConnection/* •Microsoft.SignalRService/SignalR/user/* | ||||
| daa9e50b-21df-454c-94a6-a8050adab352 | Collaborative Data Contributor | Can manage data packages of a collaborative. | False |
00057 effective control plane operations (unique) •: 1 •action: 12 •Delete: 2 •read: 39 •Write: 3 |
Actions: 013 resolved operations: 57 effective operations: 57 •: 1 •action: 12 •Delete: 2 •read: 39 •Write: 3 •Microsoft.IndustryDataLifecycle/custodianCollaboratives/*/read •Microsoft.IndustryDataLifecycle/memberCollaboratives/*/read •Microsoft.IndustryDataLifecycle/locations/dataPackages/* •Microsoft.IndustryDataLifecycle/custodianCollaboratives/receivedDataPackages/* •Microsoft.IndustryDataLifecycle/custodianCollaboratives/rejectDataPackage/action •Microsoft.IndustryDataLifecycle/memberCollaboratives/sharedDataPackages/* •Microsoft.IndustryDataLifecycle/custodianCollaboratives/dataModels/* •Microsoft.IndustryDataLifecycle/custodianCollaboratives/auditLogs/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f | Device Update Reader | Gives you read access to management and content operations, but does not allow making changes | False |
00057 effective control plane and data plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 41 •Write: 3 |
Actions: 005 resolved operations: 55 effective operations: 55 •: 1 •Action: 10 •Delete: 2 •read: 39 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.DeviceUpdate/accounts/instances/updates/read •Microsoft.DeviceUpdate/accounts/instances/management/read | |||
| 02ca0879-e8e4-47a5-a61e-5c618b76e64a | Device Update Administrator | Gives you full access to management and content operations | False |
00061 effective control plane and data plane operations (unique) •: 1 •Action: 10 •delete: 4 •read: 41 •write: 5 |
Actions: 005 resolved operations: 55 effective operations: 55 •: 1 •Action: 10 •Delete: 2 •read: 39 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | DataActions: 006 resolved data operations: 6 effective data operations: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.DeviceUpdate/accounts/instances/updates/read •Microsoft.DeviceUpdate/accounts/instances/updates/write •Microsoft.DeviceUpdate/accounts/instances/updates/delete •Microsoft.DeviceUpdate/accounts/instances/management/read •Microsoft.DeviceUpdate/accounts/instances/management/write •Microsoft.DeviceUpdate/accounts/instances/management/delete | |||
| 0378884a-3af5-44ab-8323-f5b22f9f3c98 | Device Update Content Administrator | Gives you full access to content operations | False |
00058 effective control plane and data plane operations (unique) •: 1 •Action: 10 •delete: 3 •read: 40 •write: 4 |
Actions: 005 resolved operations: 55 effective operations: 55 •: 1 •Action: 10 •Delete: 2 •read: 39 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.DeviceUpdate/accounts/instances/updates/read •Microsoft.DeviceUpdate/accounts/instances/updates/write •Microsoft.DeviceUpdate/accounts/instances/updates/delete | |||
| d1ee9a80-8b14-47f0-bdc2-f4a351625a7b | Device Update Content Reader | Gives you read access to content operations, but does not allow making changes | False |
00056 effective control plane and data plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 40 •Write: 3 |
Actions: 005 resolved operations: 55 effective operations: 55 •: 1 •Action: 10 •Delete: 2 •read: 39 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| cb43c632-a144-4ec5-977c-e80c4affc34a | Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system level configuration. | False |
00087 effective control plane and data plane operations (unique) •action: 14 •delete: 8 •read: 56 •write: 9 |
Actions: 001 resolved operations: 33 effective operations: 33 •read: 33 •Microsoft.CognitiveServices/*/read | DataActions: 001 resolved data operations: 54 effective data operations: 54 •action: 14 •delete: 8 •read: 23 •write: 9 •Microsoft.CognitiveServices/accounts/MetricsAdvisor/* | |||
| 3b20f47b-3825-43cb-8114-4bd2201156a8 | Cognitive Services Metrics Advisor User | Access to the project. | False |
00086 effective control plane and data plane operations (unique) •action: 14 •delete: 8 •read: 55 •write: 9 |
Actions: 001 resolved operations: 33 effective operations: 33 •read: 33 •Microsoft.CognitiveServices/*/read | DataActions: 001 resolved data operations: 54 effective data operations: 53 •action: 14 •delete: 8 •read: 22 •write: 9 •Microsoft.CognitiveServices/accounts/MetricsAdvisor/* | NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3068 •Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/* | ||
| 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 | Schema Registry Reader (Preview) | Read and list Schema Registry groups and schemas. | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.EventHub/namespaces/schemagroups/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.EventHub/namespaces/schemas/read | |||
| 5dffeca3-4936-4216-b2bc-10343a5abb25 | Schema Registry Contributor (Preview) | Read, write, and delete Schema Registry groups and schemas. | False |
00006 effective control plane and data plane operations (unique) •delete: 2 •read: 2 •write: 2 |
Actions: 001 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.EventHub/namespaces/schemagroups/* | DataActions: 001 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.EventHub/namespaces/schemas/* | |||
| 7ec7ccdc-f61e-41fe-9aaf-980df0a44eba | AgFood Platform Service Reader | Provides read access to AgFood Platform Service | False |
00185 effective data plane operations (unique) •action: 96 •read: 89 |
DataActions: 006 resolved data operations: 185 effective data operations: 185 •action: 96 •read: 89 •Microsoft.AgFoodPlatform/*/list/action •Microsoft.AgFoodPlatform/*/read •Microsoft.AgFoodPlatform/*/search/action •Microsoft.AgFoodPlatform/*/download/action •Microsoft.AgFoodPlatform/*/overlap/action •Microsoft.AgFoodPlatform/*/checkConsent/action | ||||
| 8508508a-4469-4e45-963b-2518ee0bb728 | AgFood Platform Service Contributor | Provides contribute access to AgFood Platform Service | False |
00251 effective data plane operations (unique) •action: 98 •read: 89 •write: 64 |
DataActions: 003 resolved data operations: 277 effective data operations: 251 •action: 98 •read: 89 •write: 64 •Microsoft.AgFoodPlatform/*/action •Microsoft.AgFoodPlatform/*/read •Microsoft.AgFoodPlatform/*/write | NotDataActions: 006 resolved not data operations: 26 effective not data operations: 2870 •Microsoft.AgFoodPlatform/farmBeats/farmers/write •Microsoft.AgFoodPlatform/farmBeats/deletionJobs/*/write •Microsoft.AgFoodPlatform/farmBeats/parties/write •Microsoft.AgFoodPlatform/farmBeats/datasets/write •Microsoft.AgFoodPlatform/farmBeats/datasetRecords/write •Microsoft.AgFoodPlatform/farmBeats/datasets/access/*/action | |||
| f8da80de-1ff9-4747-ad80-a19b7f6079e3 | AgFood Platform Service Admin | Provides admin access to AgFood Platform Service | False |
00335 effective data plane operations (unique) •action: 101 •delete: 58 •read: 89 •write: 87 |
DataActions: 001 resolved data operations: 335 effective data operations: 335 •action: 101 •delete: 58 •read: 89 •write: 87 •Microsoft.AgFoodPlatform/* | ||||
| 18500a29-7fe2-46b2-a342-b16a415e101d | Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. | False |
00023 effective control plane operations (unique) •action: 3 •delete: 3 •read: 12 •write: 5 |
Actions: 005 resolved operations: 23 effective operations: 23 •action: 3 •delete: 3 •read: 12 •write: 5 •Microsoft.KeyVault/managedHSMs/* •Microsoft.KeyVault/deletedManagedHsms/read •Microsoft.KeyVault/locations/deletedManagedHsms/read •Microsoft.KeyVault/locations/deletedManagedHsms/purge/action •Microsoft.KeyVault/locations/managedHsmOperationResults/read | count: 002 •[Preview]: Configure Azure Key Vault Managed HSM to disable public network access •[Preview]: Configure Azure Key Vault Managed HSM with private endpoints | |||
| 0b555d9b-b4a7-4f43-b330-627f0e5be8f0 | Security Detonation Chamber Submitter | Allowed to create submissions to Security Detonation Chamber | False |
00008 effective data plane operations (unique) •delete: 1 •read: 6 •write: 1 |
DataActions: 008 resolved data operations: 8 effective data operations: 8 •delete: 1 •read: 6 •write: 1 •Microsoft.SecurityDetonation/chambers/submissions/delete •Microsoft.SecurityDetonation/chambers/submissions/write •Microsoft.SecurityDetonation/chambers/submissions/read •Microsoft.SecurityDetonation/chambers/submissions/files/read •Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read •Microsoft.SecurityDetonation/chambers/platforms/metadata/read •Microsoft.SecurityDetonation/chambers/workflows/metadata/read •Microsoft.SecurityDetonation/chambers/toolsets/metadata/read | ||||
| ddde6b66-c0df-4114-a159-3618637b3035 | SignalR REST API Reader | Read-only access to Azure SignalR Service REST APIs | False |
00003 effective data plane operations (unique) •read: 3 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •read: 3 •Microsoft.SignalRService/SignalR/group/read •Microsoft.SignalRService/SignalR/clientConnection/read •Microsoft.SignalRService/SignalR/user/read | ||||
| 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 | SignalR Service Owner | Full access to Azure SignalR Service REST APIs | False |
00017 effective data plane operations (unique) •action: 7 •read: 4 •write: 6 |
DataActions: 001 resolved data operations: 17 effective data operations: 17 •action: 7 •read: 4 •write: 6 •Microsoft.SignalRService/SignalR/* | ||||
| f7b75c60-3036-4b75-91c3-6b41c27c1689 | Reservation Purchaser | Lets you purchase reservations | False |
00011 effective control plane operations (unique) •action: 4 •read: 6 •write: 1 |
Actions: 011 resolved operations: 11 effective operations: 11 •action: 4 •read: 6 •write: 1 •Microsoft.Authorization/roleAssignments/read •Microsoft.Capacity/catalogs/read •Microsoft.Capacity/register/action •Microsoft.Compute/register/action •Microsoft.Consumption/register/action •Microsoft.Consumption/reservationRecommendationDetails/read •Microsoft.Consumption/reservationRecommendations/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SQL/register/action •Microsoft.Support/supporttickets/write | ||||
| 635dd51f-9968-44d3-b7fb-6d9a6bd613ae | AzureML Metrics Writer (preview) | Lets you write metrics to AzureML workspace | False |
00001 effective control plane operations (unique) •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •write: 1 •Microsoft.MachineLearningServices/workspaces/metrics/*/write | ||||
| e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 | Storage Account Backup Contributor | Lets you perform backup and restore operations using Azure Backup on the storage account. | False |
00043 effective control plane operations (unique) •action: 1 •delete: 2 •read: 35 •write: 5 |
Actions: 018 resolved operations: 43 effective operations: 43 •action: 1 •delete: 2 •read: 35 •write: 5 •Microsoft.Authorization/*/read •Microsoft.Authorization/locks/read •Microsoft.Authorization/locks/write •Microsoft.Authorization/locks/delete •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/operations/read •Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete •Microsoft.Storage/storageAccounts/objectReplicationPolicies/read •Microsoft.Storage/storageAccounts/objectReplicationPolicies/write •Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/write •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/restoreBlobRanges/action | ||||
| 6188b7c9-7d01-4f99-a59f-c88b630326c0 | Experimentation Metric Contributor | Allows for creation, writes and reads to the metric set via the metrics service APIs. | False |
00004 effective control plane and data plane operations (unique) •action: 2 •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Experimentation/experimentWorkspaces/read | DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 2 •read: 2 •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action •Microsoft.Experimentation/experimentWorkspaces/metricwrite/action •Microsoft.Experimentation/experimentWorkspaces/read | |||
| 9ef4ef9c-a049-46b0-82ab-dd8ac094c889 | Project Babylon Data Curator | The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. | False |
00003 effective control plane and data plane operations (unique) •read: 2 •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ProjectBabylon/accounts/read | DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.ProjectBabylon/accounts/data/read •Microsoft.ProjectBabylon/accounts/data/write | |||
| c8d896ba-346d-4f50-bc1d-7d1c84130446 | Project Babylon Data Reader | The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change. | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ProjectBabylon/accounts/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.ProjectBabylon/accounts/data/read | |||
| 05b7651b-dc44-475e-b74d-df3db49fae0f | Project Babylon Data Source Administrator | The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change. | False |
00003 effective control plane and data plane operations (unique) •read: 2 •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ProjectBabylon/accounts/read | DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.ProjectBabylon/accounts/scan/read •Microsoft.ProjectBabylon/accounts/scan/write | |||
| ca6382a4-1721-4bcf-a114-ff0c70227b6b | Application Group Contributor | Contributor of the Application Group. | False |
00074 effective control plane operations (unique) •: 1 •action: 11 •delete: 5 •read: 49 •write: 8 |
Actions: 009 resolved operations: 74 effective operations: 74 •: 1 •action: 11 •delete: 5 •read: 49 •write: 8 •Microsoft.DesktopVirtualization/applicationgroups/* •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/workspaces/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| 49a72310-ab8d-41df-bbb0-79b649203868 | Desktop Virtualization Reader | Reader of Desktop Virtualization. | False |
00084 effective control plane operations (unique) •action: 3 •read: 80 •write: 1 |
Actions: 006 resolved operations: 84 effective operations: 84 •action: 3 •read: 80 •write: 1 •Microsoft.DesktopVirtualization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Support/* | ||||
| 082f0a83-3be5-4ba1-904c-961cca79b387 | Desktop Virtualization Contributor | Contributor of Desktop Virtualization. | False |
00159 effective control plane operations (unique) •: 1 •action: 29 •delete: 19 •read: 83 •write: 27 |
Actions: 006 resolved operations: 159 effective operations: 159 •: 1 •action: 29 •delete: 19 •read: 83 •write: 27 •Microsoft.DesktopVirtualization/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| 21efdde3-836f-432b-bf3d-3e8e734d4b2b | Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization Workspace. | False |
00072 effective control plane operations (unique) •: 1 •action: 12 •delete: 5 •read: 47 •write: 7 |
Actions: 007 resolved operations: 72 effective operations: 72 •: 1 •action: 12 •delete: 5 •read: 47 •write: 7 •Microsoft.DesktopVirtualization/workspaces/* •Microsoft.DesktopVirtualization/applicationgroups/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | count: 001 •Configure Azure Virtual Desktop workspaces to disable public network access | |||
| ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 | Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization Uesr Session. | False |
00062 effective control plane operations (unique) •: 1 •action: 12 •delete: 3 •read: 42 •write: 4 |
Actions: 008 resolved operations: 62 effective operations: 62 •: 1 •action: 12 •delete: 3 •read: 42 •write: 4 •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| 2ad6aaab-ead9-4eaa-8ac5-da422f562408 | Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization Session Host. | False |
00065 effective control plane operations (unique) •: 1 •action: 13 •delete: 4 •read: 42 •write: 5 |
Actions: 007 resolved operations: 65 effective operations: 65 •: 1 •action: 13 •delete: 4 •read: 42 •write: 5 •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| ceadfde2-b300-400a-ab7b-6143895aa822 | Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization Host Pool. | False |
00060 effective control plane operations (unique) •action: 3 •read: 56 •write: 1 |
Actions: 007 resolved operations: 60 effective operations: 60 •action: 3 •read: 56 •write: 1 •Microsoft.DesktopVirtualization/hostpools/*/read •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Support/* | ||||
| e307426c-f9b6-4e81-87de-d99efb3c32bc | Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization Host Pool. | False |
00103 effective control plane operations (unique) •: 1 •action: 22 •delete: 9 •read: 59 •write: 12 |
Actions: 006 resolved operations: 103 effective operations: 103 •: 1 •action: 22 •delete: 9 •read: 59 •write: 12 •Microsoft.DesktopVirtualization/hostpools/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | count: 002 •Configure Azure Virtual Desktop hostpools to disable public network access •Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts | |||
| aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 | Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization Application Group. | False |
00049 effective control plane operations (unique) •action: 3 •read: 45 •write: 1 |
Actions: 009 resolved operations: 49 effective operations: 49 •action: 3 •read: 45 •write: 1 •Microsoft.DesktopVirtualization/applicationgroups/*/read •Microsoft.DesktopVirtualization/applicationgroups/read •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Support/* | ||||
| 86240b0e-9422-4c43-887b-b61143f32ba8 | Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization Application Group. | False |
00073 effective control plane operations (unique) •: 1 •action: 11 •delete: 5 •read: 48 •write: 8 |
Actions: 008 resolved operations: 73 effective operations: 73 •: 1 •action: 11 •delete: 5 •read: 48 •write: 8 •Microsoft.DesktopVirtualization/applicationgroups/* •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d | Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization Workspace. | False |
00042 effective control plane operations (unique) •action: 3 •read: 38 •write: 1 |
Actions: 007 resolved operations: 42 effective operations: 42 •action: 3 •read: 38 •write: 1 •Microsoft.DesktopVirtualization/workspaces/read •Microsoft.DesktopVirtualization/applicationgroups/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Support/* | ||||
| 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | Disk Backup Reader | Provides permission to backup vault to perform disk backup. | False |
00029 effective control plane operations (unique) •action: 1 •read: 28 |
Actions: 003 resolved operations: 29 effective operations: 29 •action: 1 •read: 28 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/read •Microsoft.Compute/disks/beginGetAccess/action | ||||
| b50d9833-a0cb-478e-945f-707fcc997c13 | Disk Restore Operator | Provides permission to backup vault to perform disk restore. | False |
00030 effective control plane operations (unique) •read: 29 •write: 1 |
Actions: 004 resolved operations: 30 effective operations: 30 •read: 29 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Compute/disks/write •Microsoft.Compute/disks/read | ||||
| 7efff54f-a5b4-42b5-a1c5-5411624893ce | Disk Snapshot Contributor | Provides permission to backup vault to manage disk snapshots. | False |
00038 effective control plane operations (unique) •action: 4 •delete: 2 •read: 30 •write: 2 |
Actions: 012 resolved operations: 38 effective operations: 38 •action: 4 •delete: 2 •read: 30 •write: 2 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Compute/snapshots/delete •Microsoft.Compute/snapshots/write •Microsoft.Compute/snapshots/read •Microsoft.Compute/snapshots/beginGetAccess/action •Microsoft.Compute/snapshots/endGetAccess/action •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/write •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/delete | ||||
| 5548b2cf-c94c-4228-90ba-30851930a12f | Microsoft.Kubernetes connected cluster role | Microsoft.Kubernetes connected cluster role. | False |
00004 effective control plane operations (unique) •Delete: 1 •Read: 2 •Write: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •Delete: 1 •Read: 2 •Write: 1 •Microsoft.Kubernetes/connectedClusters/read •Microsoft.Kubernetes/connectedClusters/write •Microsoft.Kubernetes/connectedClusters/delete •Microsoft.Kubernetes/registeredSubscriptions/read | ||||
| a37b566d-3efa-4beb-a2f2-698963fa42ce | Security Detonation Chamber Submission Manager | Allowed to create and manage submissions to Security Detonation Chamber | False |
00011 effective data plane operations (unique) •delete: 1 •read: 9 •write: 1 |
DataActions: 011 resolved data operations: 11 effective data operations: 11 •delete: 1 •read: 9 •write: 1 •Microsoft.SecurityDetonation/chambers/submissions/delete •Microsoft.SecurityDetonation/chambers/submissions/write •Microsoft.SecurityDetonation/chambers/submissions/read •Microsoft.SecurityDetonation/chambers/submissions/files/read •Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read •Microsoft.SecurityDetonation/chambers/submissions/adminview/read •Microsoft.SecurityDetonation/chambers/submissions/analystview/read •Microsoft.SecurityDetonation/chambers/submissions/publicview/read •Microsoft.SecurityDetonation/chambers/platforms/metadata/read •Microsoft.SecurityDetonation/chambers/workflows/metadata/read •Microsoft.SecurityDetonation/chambers/toolsets/metadata/read | ||||
| 352470b3-6a9c-4686-b503-35deb827e500 | Security Detonation Chamber Publisher | Allowed to publish and modify platforms, workflows and toolsets to Security Detonation Chamber | False |
00014 effective data plane operations (unique) •action: 1 •delete: 3 •read: 7 •write: 3 |
DataActions: 014 resolved data operations: 14 effective data operations: 14 •action: 1 •delete: 3 •read: 7 •write: 3 •Microsoft.SecurityDetonation/chambers/platforms/read •Microsoft.SecurityDetonation/chambers/platforms/write •Microsoft.SecurityDetonation/chambers/platforms/delete •Microsoft.SecurityDetonation/chambers/platforms/metadata/read •Microsoft.SecurityDetonation/chambers/workflows/read •Microsoft.SecurityDetonation/chambers/workflows/write •Microsoft.SecurityDetonation/chambers/workflows/delete •Microsoft.SecurityDetonation/chambers/workflows/metadata/read •Microsoft.SecurityDetonation/chambers/toolsets/read •Microsoft.SecurityDetonation/chambers/toolsets/write •Microsoft.SecurityDetonation/chambers/toolsets/delete •Microsoft.SecurityDetonation/chambers/toolsets/metadata/read •Microsoft.SecurityDetonation/chambers/publishRequests/read •Microsoft.SecurityDetonation/chambers/publishRequests/cancel/action | ||||
| 7a6f0e70-c033-4fb1-828c-08514e5f4102 | Collaborative Runtime Operator | Can manage resources created by AICS at runtime | False |
00055 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 39 •Write: 3 |
Actions: 008 resolved operations: 55 effective operations: 55 •: 1 •Action: 10 •Delete: 2 •read: 39 •Write: 3 •Microsoft.IndustryDataLifecycle/derivedModels/* •Microsoft.IndustryDataLifecycle/pipelineSets/* •Microsoft.IndustryDataLifecycle/modelMappings/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 5432c526-bc82-444a-b7ba-57c5b0b5b34f | CosmosRestoreOperator | Can perform restore action for Cosmos DB database account with continuous backup mode | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 003 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action •Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read •Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read | ||||
| a1705bd2-3a8f-45a5-8683-466fcfd5cc24 | FHIR Data Converter | Role allows user or principal to convert data from legacy format to FHIR | False |
00002 effective data plane operations (unique) •action: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.HealthcareApis/services/fhir/resources/convertData/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action | ||||
| 0e5f05e5-9ab9-446b-b98d-1e2157c94125 | Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. | False |
00064 effective control plane operations (unique) •: 1 •action: 12 •Delete: 2 •read: 44 •write: 5 |
Actions: 014 resolved operations: 64 effective operations: 64 •: 1 •action: 12 •Delete: 2 •read: 44 •write: 5 •Microsoft.Capacity/resourceProviders/locations/serviceLimits/read •Microsoft.Capacity/resourceProviders/locations/serviceLimits/write •Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read •Microsoft.Capacity/register/action •Microsoft.Quota/usages/read •Microsoft.Quota/quotas/read •Microsoft.Quota/quotas/write •Microsoft.Quota/quotaRequests/read •Microsoft.Quota/register/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 1e241071-0855-49ea-94dc-649edcd759de | EventGrid Contributor | Lets you manage EventGrid operations. | False |
00251 effective control plane operations (unique) •: 1 •action: 57 •delete: 37 •read: 112 •write: 44 |
Actions: 006 resolved operations: 251 effective operations: 251 •: 1 •action: 57 •delete: 37 •read: 112 •write: 44 •Microsoft.Authorization/*/read •Microsoft.EventGrid/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | count: 009 •Configure Azure Event Grid domains to disable local authentication •Configure Azure Event Grid namespace MQTT broker with private endpoints •Configure Azure Event Grid namespaces with private endpoints •Configure Azure Event Grid partner namespaces to disable local authentication •Configure Azure Event Grid topics to disable local authentication •Deploy - Configure Azure Event Grid domains with private endpoints •Deploy - Configure Azure Event Grid topics with private endpoints •Modify - Configure Azure Event Grid domains to disable public network access •Modify - Configure Azure Event Grid topics to disable public network access | |||
| 28241645-39f8-410b-ad48-87863e2951d5 | Security Detonation Chamber Reader | Allowed to query submission info and files from Security Detonation Chamber | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.SecurityDetonation/chambers/submissions/read •Microsoft.SecurityDetonation/chambers/submissions/files/read | ||||
| 4a167cdf-cb95-4554-9203-2347fe489bd9 | Object Anchors Account Reader | Lets you read ingestion jobs for an object anchors account. | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read | ||||
| ca0835dd-bacc-42dd-8ed2-ed5e7230d15b | Object Anchors Account Owner | Provides user with ingestion capabilities for an object anchors account. | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/action •Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read | ||||
| d17ce0a2-0697-43bc-aac5-9113337ab61c | WorkloadBuilder Migration Agent Role | WorkloadBuilder Migration Agent Role. | False |
00002 effective control plane operations (unique) •Read: 1 •Write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •Read: 1 •Write: 1 •Microsoft.WorkloadBuilder/migrationAgents/Read •Microsoft.WorkloadBuilder/migrationAgents/Write | ||||
| b5537268-8956-4941-a8f0-646150406f0c | Azure Spring Cloud Data Reader | Allow read access to Azure Spring Cloud Data | False |
00004 effective data plane operations (unique) •read: 4 |
DataActions: 001 resolved data operations: 4 effective data operations: 4 •read: 4 •Microsoft.AppPlatform/Spring/*/read | ||||
| 0e75ca1e-0464-4b4d-8b93-68208a576181 | Cognitive Services Speech Contributor | Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. | False |
00254 effective control plane and data plane operations (unique) •action: 46 •delete: 37 •read: 128 •write: 43 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 007 resolved data operations: 219 effective data operations: 219 •action: 46 •delete: 37 •read: 93 •write: 43 •Microsoft.CognitiveServices/accounts/SpeechServices/* •Microsoft.CognitiveServices/accounts/CustomVoice/* •Microsoft.CognitiveServices/accounts/AudioContentCreation/* •Microsoft.CognitiveServices/accounts/VideoTranslation/* •Microsoft.CognitiveServices/accounts/CustomAvatar/* •Microsoft.CognitiveServices/accounts/BatchAvatar/* •Microsoft.CognitiveServices/accounts/BatchTextToSpeech/* | |||
| 9894cab4-e18a-44aa-828b-cb588cd6f2d7 | Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. | False |
00016 effective data plane operations (unique) •action: 10 •delete: 2 •read: 4 |
DataActions: 012 resolved data operations: 16 effective data operations: 16 •action: 10 •delete: 2 •read: 4 •Microsoft.CognitiveServices/accounts/Face/detect/action •Microsoft.CognitiveServices/accounts/Face/verify/action •Microsoft.CognitiveServices/accounts/Face/identify/action •Microsoft.CognitiveServices/accounts/Face/group/action •Microsoft.CognitiveServices/accounts/Face/findsimilars/action •Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action •Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action •Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action •Microsoft.CognitiveServices/accounts/Face/*/sessions/action •Microsoft.CognitiveServices/accounts/Face/*/sessions/delete •Microsoft.CognitiveServices/accounts/Face/*/sessions/read •Microsoft.CognitiveServices/accounts/Face/*/sessions/audit/read | ||||
| 054126f8-9a2b-4f1c-a9ad-eca461f08466 | Media Services Account Administrator | Create, read, modify, and delete Media Services accounts; read-only access to other Media Services resources. | False |
00084 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 4 •read: 65 •Write: 4 |
Actions: 014 resolved operations: 84 effective operations: 84 •: 1 •Action: 10 •Delete: 4 •read: 65 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Media/mediaservices/*/read •Microsoft.Media/mediaservices/assets/listStreamingLocators/action •Microsoft.Media/mediaservices/streamingLocators/listPaths/action •Microsoft.Media/mediaservices/write •Microsoft.Media/mediaservices/delete •Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action •Microsoft.Media/mediaservices/privateEndpointConnections/* | count: 001 •Configure Azure Media Services with private endpoints | |||
| 532bc159-b25e-42c0-969e-a1d439f60d77 | Media Services Live Events Administrator | Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming Locators; read-only access to other Media Services resources. | False |
00097 effective control plane operations (unique) •: 1 •Action: 14 •Delete: 8 •read: 65 •Write: 9 |
Actions: 012 resolved operations: 99 effective operations: 97 •: 1 •Action: 14 •Delete: 8 •read: 65 •Write: 9 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Media/mediaservices/*/read •Microsoft.Media/mediaservices/assets/* •Microsoft.Media/mediaservices/assets/assetfilters/* •Microsoft.Media/mediaservices/streamingLocators/* •Microsoft.Media/mediaservices/liveEvents/* | NotActions: 002 resolved not operations: 2 effective not operations: 15289 •Microsoft.Media/mediaservices/assets/getEncryptionKey/action •Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action | |||
| e4395492-1534-4db2-bedf-88c14621589c | Media Services Media Operator | Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs; read-only access to other Media Services resources. | False |
00092 effective control plane operations (unique) •: 1 •Action: 12 •Delete: 7 •read: 65 •Write: 7 |
Actions: 012 resolved operations: 94 effective operations: 92 •: 1 •Action: 12 •Delete: 7 •read: 65 •Write: 7 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Media/mediaservices/*/read •Microsoft.Media/mediaservices/assets/* •Microsoft.Media/mediaservices/assets/assetfilters/* •Microsoft.Media/mediaservices/streamingLocators/* •Microsoft.Media/mediaservices/transforms/jobs/* | NotActions: 002 resolved not operations: 2 effective not operations: 15294 •Microsoft.Media/mediaservices/assets/getEncryptionKey/action •Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action | |||
| c4bba371-dacd-4a26-b320-7250bca963ae | Media Services Policy Administrator | Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies, and Transforms; read-only access to other Media Services resources. Cannot create Jobs, Assets or Streaming resources. | False |
00090 effective control plane operations (unique) •: 1 •Action: 10 •Delete: 7 •read: 65 •Write: 7 |
Actions: 014 resolved operations: 91 effective operations: 90 •: 1 •Action: 10 •Delete: 7 •read: 65 •Write: 7 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Media/mediaservices/*/read •Microsoft.Media/mediaservices/assets/listStreamingLocators/action •Microsoft.Media/mediaservices/streamingLocators/listPaths/action •Microsoft.Media/mediaservices/accountFilters/* •Microsoft.Media/mediaservices/streamingPolicies/* •Microsoft.Media/mediaservices/contentKeyPolicies/* •Microsoft.Media/mediaservices/transforms/* | NotActions: 001 resolved not operations: 1 effective not operations: 15296 •Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSecrets/action | |||
| 99dba123-b5fe-44d5-874c-ced7199a5804 | Media Services Streaming Endpoints Administrator | Create, read, modify, and delete Streaming Endpoints; read-only access to other Media Services resources. | False |
00085 effective control plane operations (unique) •: 1 •Action: 12 •Delete: 3 •read: 65 •Write: 4 |
Actions: 011 resolved operations: 85 effective operations: 85 •: 1 •Action: 12 •Delete: 3 •read: 65 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Media/mediaservices/*/read •Microsoft.Media/mediaservices/assets/listStreamingLocators/action •Microsoft.Media/mediaservices/streamingLocators/listPaths/action •Microsoft.Media/mediaservices/streamingEndpoints/* | ||||
| 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf | Stream Analytics Query Tester | Lets you perform query testing without creating a stream analytics job first | False |
00004 effective control plane operations (unique) •action: 3 •Read: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 3 •Read: 1 •Microsoft.StreamAnalytics/locations/TestQuery/action •Microsoft.StreamAnalytics/locations/OperationResults/read •Microsoft.StreamAnalytics/locations/SampleInput/action •Microsoft.StreamAnalytics/locations/CompileQuery/action | ||||
| a2138dac-4907-4679-a376-736901ed8ad8 | AnyBuild Builder | Basic user role for AnyBuild. This role allows listing of agent information and execution of remote build capabilities. | False |
00002 effective data plane operations (unique) •read: 1 •write: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.AnyBuild/clusters/build/write •Microsoft.AnyBuild/clusters/build/read | ||||
| b447c946-2db7-41ec-983d-d8bf3b1c77e3 | IoT Hub Data Reader | Allows for full read access to IoT Hub data-plane properties | False |
00006 effective data plane operations (unique) •action: 1 •read: 5 |
DataActions: 002 resolved data operations: 6 effective data operations: 6 •action: 1 •read: 5 •Microsoft.Devices/IotHubs/*/read •Microsoft.Devices/IotHubs/fileUpload/notifications/action | ||||
| 494bdba2-168f-4f31-a0a1-191d2f7c028c | IoT Hub Twin Contributor | Allows for read and write access to all IoT Hub device and module twins. | False |
00002 effective data plane operations (unique) •read: 1 •write: 1 |
DataActions: 001 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.Devices/IotHubs/twins/* | ||||
| 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 | IoT Hub Registry Contributor | Allows for full access to IoT Hub device registry. | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 001 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Devices/IotHubs/devices/* | ||||
| 4fc6c259-987e-4a07-842e-c321cc9d413f | IoT Hub Data Contributor | Allows for full access to IoT Hub data plane operations. | False |
00019 effective data plane operations (unique) •action: 7 •delete: 3 •read: 5 •write: 4 |
DataActions: 001 resolved data operations: 19 effective data operations: 19 •action: 7 •delete: 3 •read: 5 •write: 4 •Microsoft.Devices/IotHubs/* | ||||
| 15e0f5a1-3450-4248-8e25-e2afe88a9e85 | Test Base Reader | Let you view and download packages and test results. | False |
00039 effective control plane operations (unique) •action: 3 •delete: 1 •read: 34 •write: 1 |
Actions: 006 resolved operations: 39 effective operations: 39 •action: 3 •delete: 1 •read: 34 •write: 1 •Microsoft.TestBase/testBaseAccounts/packages/testResults/getDownloadUrl/action •Microsoft.TestBase/testBaseAccounts/packages/testResults/getVideoDownloadUrl/action •Microsoft.TestBase/testBaseAccounts/packages/getDownloadUrl/action •Microsoft.TestBase/*/read •Microsoft.TestBase/testBaseAccounts/customerEvents/write •Microsoft.TestBase/testBaseAccounts/customerEvents/delete | ||||
| 1407120a-92aa-4202-b7e9-c0e197c71c8f | Search Index Data Reader | Grants read access to Azure Cognitive Search index data. | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Search/searchServices/indexes/documents/read | ||||
| 8ebe5a00-799e-43f5-93ac-243d3dce84a7 | Search Index Data Contributor | Grants full access to Azure Cognitive Search index data. | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 001 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Search/searchServices/indexes/documents/* | ||||
| 76199698-9eea-4c19-bc75-cec21354c6b6 | Storage Table Data Reader | Allows for read access to Azure Storage tables and entities | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/tableServices/tables/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | |||
| 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 | Storage Table Data Contributor | Allows for read, write and delete access to Azure Storage tables and entities | False |
00008 effective control plane and data plane operations (unique) •action: 2 •delete: 2 •read: 2 •write: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/tableServices/tables/read •Microsoft.Storage/storageAccounts/tableServices/tables/write •Microsoft.Storage/storageAccounts/tableServices/tables/delete | DataActions: 005 resolved data operations: 5 effective data operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/tableServices/tables/entities/read •Microsoft.Storage/storageAccounts/tableServices/tables/entities/write •Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete •Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action •Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action | |||
| e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a | DICOM Data Reader | Read and search DICOM data. | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.HealthcareApis/workspaces/dicomservices/resources/read | ||||
| 58a3b984-7adf-4c20-983a-32417c86fbc8 | DICOM Data Owner | Full access to DICOM data. | False |
00005 effective data plane operations (unique) •action: 2 •delete: 1 •read: 1 •write: 1 |
DataActions: 001 resolved data operations: 5 effective data operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.HealthcareApis/workspaces/dicomservices/resources/* | ||||
| d5a91429-5739-47e2-a06b-3470a27159e7 | EventGrid Data Sender | Allows send access to event grid events. | False |
00033 effective control plane and data plane operations (unique) •action: 1 •read: 32 |
Actions: 006 resolved operations: 32 effective operations: 32 •read: 32 •Microsoft.Authorization/*/read •Microsoft.EventGrid/topics/read •Microsoft.EventGrid/domains/read •Microsoft.EventGrid/partnerNamespaces/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.EventGrid/namespaces/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventGrid/events/send/action | |||
| 60fc6e62-5479-42d4-8bf4-67625fcc2840 | Disk Pool Operator | Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool. | False |
00047 effective control plane operations (unique) •: 1 •Action: 7 •Delete: 2 •read: 34 •write: 3 |
Actions: 006 resolved operations: 47 effective operations: 47 •: 1 •Action: 7 •Delete: 2 •read: 34 •write: 3 •Microsoft.Compute/disks/write •Microsoft.Compute/disks/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| f6c7c914-8db3-469d-8ca1-694a8f32e121 | AzureML Data Scientist | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | False |
00245 effective control plane operations (unique) •action: 48 •delete: 51 •read: 86 •write: 60 |
Actions: 004 resolved operations: 251 effective operations: 245 •action: 48 •delete: 51 •read: 86 •write: 60 •Microsoft.MachineLearningServices/workspaces/*/read •Microsoft.MachineLearningServices/workspaces/*/action •Microsoft.MachineLearningServices/workspaces/*/delete •Microsoft.MachineLearningServices/workspaces/*/write | NotActions: 010 resolved not operations: 8 effective not operations: 15141 •Microsoft.MachineLearningServices/workspaces/delete •Microsoft.MachineLearningServices/workspaces/write •Microsoft.MachineLearningServices/workspaces/computes/*/write •Microsoft.MachineLearningServices/workspaces/computes/*/delete •Microsoft.MachineLearningServices/workspaces/computes/listKeys/action •Microsoft.MachineLearningServices/workspaces/listKeys/action •Microsoft.MachineLearningServices/workspaces/hubs/write •Microsoft.MachineLearningServices/workspaces/hubs/delete •Microsoft.MachineLearningServices/workspaces/featurestores/write •Microsoft.MachineLearningServices/workspaces/featurestores/delete | |||
| 22926164-76b3-42b3-bc55-97df8dab3e41 | Grafana Admin | Built-in Grafana admin role | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action | ||||
| e8113dce-c529-4d33-91fa-e9b972617508 | Azure Connected SQL Server Onboarding | Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS. | False |
00002 effective control plane operations (unique) •read: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.AzureArcData/sqlServerInstances/read •Microsoft.AzureArcData/sqlServerInstances/write | ||||
| 26baccc8-eea7-41f1-98f4-1762cc7f685d | Azure Relay Sender | Allows for send access to Azure Relay resources. | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Relay/*/wcfRelays/read •Microsoft.Relay/*/hybridConnections/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Relay/*/send/action | |||
| 2787bf04-f1f5-4bfe-8383-c8a24483ee38 | Azure Relay Owner | Allows for full access to Azure Relay resources. | False |
00064 effective control plane and data plane operations (unique) •action: 22 •delete: 10 •read: 20 •write: 12 |
Actions: 001 resolved operations: 62 effective operations: 62 •action: 20 •delete: 10 •read: 20 •write: 12 •Microsoft.Relay/* | DataActions: 001 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.Relay/* | |||
| 26e0b698-aa6d-4085-9386-aadae190014d | Azure Relay Listener | Allows for listen access to Azure Relay resources. | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Relay/*/wcfRelays/read •Microsoft.Relay/*/hybridConnections/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Relay/*/listen/action | |||
| 60921a7e-fef1-4a43-9b16-a26c52ad4769 | Grafana Viewer | Built-in Grafana Viewer role | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action | ||||
| a79a5197-3a5c-4973-a920-486035ffd60f | Grafana Editor | Built-in Grafana Editor role | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action | ||||
| f353d9bd-d4a6-484e-a77a-8050b599b867 | Automation Contributor | Manage azure automation resources and other resources using azure automation. | False |
00205 effective control plane operations (unique) •action: 35 •delete: 32 •read: 99 •write: 39 |
Actions: 011 resolved operations: 205 effective operations: 205 •action: 35 •delete: 32 •read: 99 •write: 39 •Microsoft.Automation/automationAccounts/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/ActionGroups/* •Microsoft.Insights/ActivityLogAlerts/* •Microsoft.Insights/MetricAlerts/* •Microsoft.Insights/ScheduledQueryRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.OperationalInsights/workspaces/sharedKeys/action | ||||
| 85cb6faf-e071-4c9b-8136-154b5a04f717 | Kubernetes Extension Contributor | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | False |
00049 effective control plane operations (unique) •: 1 •Action: 7 •Delete: 3 •read: 35 •Write: 3 |
Actions: 008 resolved operations: 49 effective operations: 49 •: 1 •Action: 7 •Delete: 3 •read: 35 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read | count: 001 •Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | |||
| 10745317-c249-44a1-a5ce-3a4353c0bbd8 | Device Provisioning Service Data Reader | Allows for full read access to Device Provisioning Service data-plane properties. | False |
00003 effective data plane operations (unique) •read: 3 |
DataActions: 001 resolved data operations: 3 effective data operations: 3 •read: 3 •Microsoft.Devices/provisioningServices/*/read | ||||
| dfce44e4-17b7-4bd1-a6d1-04996ec95633 | Device Provisioning Service Data Contributor | Allows for full access to Device Provisioning Service data-plane operations. | False |
00009 effective data plane operations (unique) •action: 1 •delete: 3 •read: 3 •write: 2 |
DataActions: 001 resolved data operations: 9 effective data operations: 9 •action: 1 •delete: 3 •read: 3 •write: 2 •Microsoft.Devices/provisioningServices/* | ||||
| 2837e146-70d7-4cfd-ad55-7efa6464f958 | Trusted Signing Certificate Profile Signer | Sign files with a certificate profile. This role is in preview and subject to change. | False |
00043 effective control plane and data plane operations (unique) •action: 5 •delete: 1 •read: 36 •write: 1 |
Actions: 004 resolved operations: 42 effective operations: 42 •action: 4 •delete: 1 •read: 36 •write: 1 •Microsoft.CodeSigning/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.CodeSigning/certificateProfiles/Sign/action | |||
| cff1b556-2399-4e7e-856d-a8f754be7b65 | Azure Spring Cloud Service Registry Reader | Allow read access to Azure Spring Cloud Service Registry | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.AppPlatform/Spring/eurekaService/read | ||||
| f5880b48-c26d-48be-b172-7927bfa1c8f1 | Azure Spring Cloud Service Registry Contributor | Allow read, write and delete access to Azure Spring Cloud Service Registry | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.AppPlatform/Spring/eurekaService/read •Microsoft.AppPlatform/Spring/eurekaService/write •Microsoft.AppPlatform/Spring/eurekaService/delete | ||||
| d04c6db6-4947-4782-9e91-30a88feb7be7 | Azure Spring Cloud Config Server Reader | Allow read access to Azure Spring Cloud Config Server | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.AppPlatform/Spring/configService/read | ||||
| a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b | Azure Spring Cloud Config Server Contributor | Allow read, write and delete access to Azure Spring Cloud Config Server | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.AppPlatform/Spring/configService/read •Microsoft.AppPlatform/Spring/configService/write •Microsoft.AppPlatform/Spring/configService/delete | ||||
| 6ae96244-5829-4925-a7d3-5975537d91dd | Azure VM Managed identities restore Contributor | Azure VM Managed identities restore Contributors are allowed to perform Azure VM Restores with managed identities both user and system | False |
00027 effective control plane operations (unique) •read: 27 |
Actions: 001 resolved operations: 27 effective operations: 27 •read: 27 •Microsoft.Authorization/*/read | ||||
| 6be48352-4f82-47c9-ad5e-0acacefdb005 | Azure Maps Search and Render Data Reader | Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.Maps/accounts/services/render/read •Microsoft.Maps/accounts/services/search/read | ||||
| dba33070-676a-4fb0-87fa-064dc56ff7fb | Azure Maps Contributor | Grants access all Azure Maps resource management. | False |
00060 effective control plane operations (unique) •action: 10 •delete: 4 •read: 40 •write: 6 |
Actions: 004 resolved operations: 60 effective operations: 60 •action: 10 •delete: 4 •read: 40 •write: 6 •Microsoft.Maps/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b748a06d-6150-4f8a-aaa9-ce3940cd96cb | Azure Arc VMware VM Contributor | Arc VMware VM Contributor has permissions to perform all VM actions. | False |
00101 effective control plane operations (unique) •action: 16 •Delete: 12 •read: 60 •Write: 13 |
Actions: 056 resolved operations: 101 effective operations: 101 •action: 16 •Delete: 12 •read: 60 •Write: 13 •Microsoft.ConnectedVMwarevSphere/virtualmachines/* •Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/* •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/licenses/delete | ||||
| ce551c02-7c42-47e0-9deb-e3b6fc3a9a83 | Azure Arc VMware Private Cloud User | Azure Arc VMware Private Cloud User has permissions to use the VMware cloud resources to deploy VMs. | False |
00066 effective control plane operations (unique) •action: 14 •Delete: 2 •read: 47 •Write: 3 |
Actions: 040 resolved operations: 66 effective operations: 66 •action: 14 •Delete: 2 •read: 47 •Write: 3 •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ConnectedVMwarevSphere/virtualnetworks/join/action •Microsoft.ConnectedVMwarevSphere/virtualnetworks/Read •Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/clone/action •Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/Read •Microsoft.ConnectedVMwarevSphere/resourcepools/deploy/action •Microsoft.ConnectedVMwarevSphere/resourcepools/Read •Microsoft.ConnectedVMwarevSphere/hosts/deploy/action •Microsoft.ConnectedVMwarevSphere/hosts/Read •Microsoft.ConnectedVMwarevSphere/clusters/deploy/action •Microsoft.ConnectedVMwarevSphere/clusters/Read •Microsoft.ConnectedVMwarevSphere/datastores/allocateSpace/action •Microsoft.ConnectedVMwarevSphere/datastores/Read •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.KubernetesConfiguration/extensions/read | ||||
| ddc140ed-e463-4246-9145-7c664192013f | Azure Arc VMware Administrator role | Arc VMware VM Contributor has permissions to perform all connected VMwarevSphere actions. | False |
00140 effective control plane operations (unique) •action: 25 •Delete: 20 •read: 73 •Write: 22 |
Actions: 055 resolved operations: 140 effective operations: 140 •action: 25 •Delete: 20 •read: 73 •Write: 22 •Microsoft.ConnectedVMwarevSphere/* •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/licenses/delete | ||||
| f72c8140-2111-481c-87ff-72b910f6e3f8 | Cognitive Services LUIS Owner | Has access to all Read, Test, Write, Deploy and Delete functions under LUIS | False |
00257 effective control plane and data plane operations (unique) •action: 19 •delete: 40 •read: 146 •write: 52 |
Actions: 004 resolved operations: 36 effective operations: 36 •action: 1 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/listkeys/action •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 001 resolved data operations: 221 effective data operations: 221 •action: 18 •delete: 40 •read: 111 •write: 52 •Microsoft.CognitiveServices/accounts/LUIS/* | |||
| 7628b7b8-a8b2-4cdc-b46f-e9b35248918e | Cognitive Services Language Reader | Has access to Read and Test functions under Language portal | False |
00160 effective control plane and data plane operations (unique) •action: 19 •read: 141 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 016 resolved data operations: 142 effective data operations: 125 •action: 19 •read: 106 •Microsoft.CognitiveServices/accounts/LanguageAuthoring/*/read •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*/read •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/action •Microsoft.CognitiveServices/accounts/Language/*/read •Microsoft.CognitiveServices/accounts/Language/*/projects/export/action •Microsoft.CognitiveServices/accounts/Language/query-text/action •Microsoft.CognitiveServices/accounts/Language/query-dataverse/action •Microsoft.CognitiveServices/accounts/Language/analyze-text/jobs/action •Microsoft.CognitiveServices/accounts/Language/analyze-text/action •Microsoft.CognitiveServices/accounts/Language/analyze-text/jobscancel/action •Microsoft.CognitiveServices/accounts/Language/analyze-conversations/action •Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobscancel/action •Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobs/action •Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/action •Microsoft.CognitiveServices/accounts/Language/generate/action •Microsoft.CognitiveServices/accounts/TextAnalytics/* | NotDataActions: 001 resolved not data operations: 17 effective not data operations: 2996 •Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/* | ||
| f2310ca1-dc64-4889-bb49-c8e0fa3d47a8 | Cognitive Services Language Writer | Has access to all Read, Test, and Write functions under Language Portal | False |
00210 effective control plane and data plane operations (unique) •action: 54 •delete: 6 •read: 141 •write: 9 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 004 resolved data operations: 204 effective data operations: 175 •action: 54 •delete: 6 •read: 106 •write: 9 •Microsoft.CognitiveServices/accounts/LanguageAuthoring/* •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/* •Microsoft.CognitiveServices/accounts/Language/* •Microsoft.CognitiveServices/accounts/TextAnalytics/* | NotDataActions: 007 resolved not data operations: 29 effective not data operations: 2946 •Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/action •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/* •Microsoft.CognitiveServices/accounts/Language/*/projects/delete •Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/write •Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/delete •Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/swap/action | ||
| f07febfe-79bc-46b1-8b37-790e26e6e498 | Cognitive Services Language Owner | Has access to all Read, Test, Write, Deploy and Delete functions under Language portal | False |
00223 effective control plane and data plane operations (unique) •action: 58 •delete: 11 •read: 141 •write: 13 |
Actions: 004 resolved operations: 36 effective operations: 36 •action: 1 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/listkeys/action •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 004 resolved data operations: 204 effective data operations: 187 •action: 57 •delete: 11 •read: 106 •write: 13 •Microsoft.CognitiveServices/accounts/LanguageAuthoring/* •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/* •Microsoft.CognitiveServices/accounts/Language/* •Microsoft.CognitiveServices/accounts/TextAnalytics/* | NotDataActions: 001 resolved not data operations: 17 effective not data operations: 2934 •Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/* | ||
| 18e81cdc-4e98-4e29-a639-e7d10c5a6226 | Cognitive Services LUIS Reader | Has access to Read and Test functions under LUIS. | False |
00147 effective control plane and data plane operations (unique) •read: 146 •write: 1 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 002 resolved data operations: 112 effective data operations: 112 •read: 111 •write: 1 •Microsoft.CognitiveServices/accounts/LUIS/*/read •Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write | |||
| 6322a993-d5c9-4bed-b113-e49bbea25b27 | Cognitive Services LUIS Writer | Has access to all Read, Test, and Write functions under LUIS | False |
00250 effective control plane and data plane operations (unique) •action: 15 •delete: 38 •read: 146 •write: 51 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 001 resolved data operations: 221 effective data operations: 215 •action: 15 •delete: 38 •read: 111 •write: 51 •Microsoft.CognitiveServices/accounts/LUIS/* | NotDataActions: 006 resolved not data operations: 6 effective not data operations: 2906 •Microsoft.CognitiveServices/accounts/LUIS/apps/delete •Microsoft.CognitiveServices/accounts/LUIS/apps/move/action •Microsoft.CognitiveServices/accounts/LUIS/apps/publish/action •Microsoft.CognitiveServices/accounts/LUIS/apps/settings/write •Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/action •Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete | ||
| a9a19cc5-31f4-447c-901f-56c0bb18fcaf | PlayFab Reader | Provides read access to PlayFab resources | False |
00028 effective control plane operations (unique) •read: 28 |
Actions: 003 resolved operations: 28 effective operations: 28 •read: 28 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Authorization/*/read •Microsoft.PlayFab/*/read | ||||
| 749a398d-560b-491b-bb21-08924219302e | Load Test Contributor | View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. | False |
00058 effective control plane and data plane operations (unique) •: 1 •Action: 12 •Delete: 2 •read: 41 •Write: 2 |
Actions: 005 resolved operations: 53 effective operations: 53 •: 1 •Action: 7 •Delete: 2 •read: 41 •Write: 2 •Microsoft.LoadTestService/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* | DataActions: 001 resolved data operations: 5 effective data operations: 5 •action: 5 •Microsoft.LoadTestService/loadtests/* | |||
| 45bb0b16-2f0c-4e78-afaa-a07599b003f6 | Load Test Owner | Execute all operations on load test resources and load tests | False |
00069 effective control plane and data plane operations (unique) •: 1 •Action: 16 •Delete: 5 •read: 41 •Write: 6 |
Actions: 005 resolved operations: 64 effective operations: 64 •: 1 •Action: 11 •Delete: 5 •read: 41 •Write: 6 •Microsoft.LoadTestService/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* | DataActions: 001 resolved data operations: 5 effective data operations: 5 •action: 5 •Microsoft.LoadTestService/* | |||
| 0c8b84dc-067c-4039-9615-fa1a4b77c726 | PlayFab Contributor | Provides contributor access to PlayFab resources | False |
00037 effective control plane operations (unique) •action: 4 •delete: 1 •read: 31 •write: 1 |
Actions: 006 resolved operations: 37 effective operations: 37 •action: 4 •delete: 1 •read: 31 •write: 1 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.PlayFab/*/read •Microsoft.PlayFab/*/write •Microsoft.PlayFab/*/delete | ||||
| 3ae3fb29-0000-4ccd-bf80-542e7b26e081 | Load Test Reader | View and list all load tests and load test resources but can not make any changes | False |
00054 effective control plane and data plane operations (unique) •: 1 •Action: 8 •Delete: 2 •read: 41 •Write: 2 |
Actions: 005 resolved operations: 53 effective operations: 53 •: 1 •Action: 7 •Delete: 2 •read: 41 •Write: 2 •Microsoft.LoadTestService/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.LoadTestService/loadtests/readTest/action | |||
| b2de6794-95db-4659-8781-7e080d3f2b9d | Cognitive Services Immersive Reader User | Provides access to create Immersive Reader sessions and call APIs | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforreader/action | ||||
| f69b8690-cc87-41d6-b77a-a4bc3c0a966f | Lab Services Contributor | The lab services contributor role | False |
00124 effective control plane and data plane operations (unique) •: 1 •Action: 41 •Delete: 15 •read: 52 •Write: 15 |
Actions: 005 resolved operations: 123 effective operations: 123 •: 1 •Action: 40 •Delete: 15 •read: 52 •Write: 15 •Microsoft.LabServices/* •Microsoft.Insights/alertRules/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.LabServices/labPlans/createLab/action | |||
| 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc | Lab Services Reader | The lab services reader role | False |
00056 effective control plane operations (unique) •action: 4 •delete: 1 •read: 50 •write: 1 |
Actions: 004 resolved operations: 56 effective operations: 56 •action: 4 •delete: 1 •read: 50 •write: 1 •Microsoft.LabServices/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| ce40b423-cede-4313-a93f-9b28290b72e1 | Lab Assistant | The lab assistant role | False |
00058 effective control plane operations (unique) •: 1 •Action: 12 •Delete: 2 •read: 41 •Write: 2 |
Actions: 017 resolved operations: 58 effective operations: 58 •: 1 •Action: 12 •Delete: 2 •read: 41 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/users/invite/action •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/labs/virtualMachines/start/action •Microsoft.LabServices/labs/virtualMachines/stop/action •Microsoft.LabServices/labs/virtualMachines/reimage/action •Microsoft.LabServices/labs/virtualMachines/redeploy/action •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a36e6959-b6be-4b12-8e9f-ef4b474d304d | Lab Operator | The lab operator role | False |
00065 effective control plane operations (unique) •: 1 •Action: 15 •Delete: 4 •read: 41 •Write: 4 |
Actions: 024 resolved operations: 65 effective operations: 65 •: 1 •Action: 15 •Delete: 4 •read: 41 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labPlans/saveImage/action •Microsoft.LabServices/labs/publish/action •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/schedules/write •Microsoft.LabServices/labs/schedules/delete •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/users/write •Microsoft.LabServices/labs/users/delete •Microsoft.LabServices/labs/users/invite/action •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/labs/virtualMachines/start/action •Microsoft.LabServices/labs/virtualMachines/stop/action •Microsoft.LabServices/labs/virtualMachines/reimage/action •Microsoft.LabServices/labs/virtualMachines/redeploy/action •Microsoft.LabServices/labs/virtualMachines/resetPassword/action •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 5daaa2af-1fe8-407c-9122-bba179798270 | Lab Contributor | The lab contributor role | False |
00069 effective control plane and data plane operations (unique) •: 1 •Action: 17 •Delete: 5 •read: 41 •Write: 5 |
Actions: 027 resolved operations: 68 effective operations: 68 •: 1 •Action: 16 •Delete: 5 •read: 41 •Write: 5 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labPlans/saveImage/action •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/write •Microsoft.LabServices/labs/delete •Microsoft.LabServices/labs/publish/action •Microsoft.LabServices/labs/syncGroup/action •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/schedules/write •Microsoft.LabServices/labs/schedules/delete •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/users/write •Microsoft.LabServices/labs/users/delete •Microsoft.LabServices/labs/users/invite/action •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/labs/virtualMachines/start/action •Microsoft.LabServices/labs/virtualMachines/stop/action •Microsoft.LabServices/labs/virtualMachines/reimage/action •Microsoft.LabServices/labs/virtualMachines/redeploy/action •Microsoft.LabServices/labs/virtualMachines/resetPassword/action •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.LabServices/labPlans/createLab/action | |||
| fb1c8493-542b-48eb-b624-b4c8fea62acd | Security Admin | Security Admin Role | False |
01081 effective control plane operations (unique) •: 1 •action: 88 •delete: 56 •read: 863 •write: 73 |
Actions: 014 resolved operations: 1081 effective operations: 1081 •: 1 •action: 88 •delete: 56 •read: 863 •write: 73 •Microsoft.Authorization/*/read •Microsoft.Authorization/policyAssignments/* •Microsoft.Authorization/policyDefinitions/* •Microsoft.Authorization/policyExemptions/* •Microsoft.Authorization/policySetDefinitions/* •Microsoft.Insights/alertRules/* •Microsoft.Management/managementGroups/read •Microsoft.operationalInsights/workspaces/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/* •Microsoft.IoTSecurity/* •Microsoft.IoTFirmwareDefense/* •Microsoft.Support/* | count: 028 •[Deprecated]: Configure Azure Defender for container registries to be enabled •[Deprecated]: Configure Azure Defender for DNS to be enabled •[Deprecated]: Configure Azure Defender for Kubernetes to be enabled •[Deprecated]: Configure Microsoft Defender for APIs should be enabled •Configure Azure Defender for App Service to be enabled •Configure Azure Defender for Azure SQL database to be enabled •Configure Azure Defender for open-source relational databases to be enabled •Configure Azure Defender for Resource Manager to be enabled •Configure Azure Defender for Servers to be disabled for all resources (resource level) •Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag •Configure Azure Defender for servers to be enabled •Configure Azure Defender for Servers to be enabled ('P1' subplan) for all resources (resource level) with the selected tag •Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources (resource level) •Configure Azure Defender for SQL servers on machines to be enabled •Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) •Configure machines to receive a vulnerability assessment provider •Configure Microsoft Defender for Azure Cosmos DB to be enabled •Configure Microsoft Defender for Containers to be enabled •Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP) •Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_EXCLUDE_LINUX...) •Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_UNIFIED_SOLUTION) •Configure Microsoft Defender for Key Vault plan •Configure Microsoft Defender for Storage (Classic) to be enabled •Deploy - Configure suppression rules for Azure Security Center alerts •Deploy Advanced Threat Protection for Cosmos DB Accounts •Deploy Defender for Storage (Classic) on storage accounts •Enable Microsoft Defender for Cloud on your subscription •Setup subscriptions to transition to an alternative vulnerability assessment solution | |||
| 12cf5a90-567b-43ae-8102-96cf46c7d9b4 | Web PubSub Service Owner | Full access to Azure Web PubSub Service REST APIs | False |
00014 effective data plane operations (unique) •action: 7 •read: 4 •write: 3 |
DataActions: 001 resolved data operations: 14 effective data operations: 14 •action: 7 •read: 4 •write: 3 •Microsoft.SignalRService/WebPubSub/* | ||||
| bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf | Web PubSub Service Reader | Read-only access to Azure Web PubSub Service REST APIs | False |
00004 effective data plane operations (unique) •read: 4 |
DataActions: 001 resolved data operations: 4 effective data operations: 4 •read: 4 •Microsoft.SignalRService/WebPubSub/*/read | ||||
| 420fcaa2-552c-430f-98ca-3264be4806c7 | SignalR App Server | Lets your app server access SignalR Service with AAD auth options. | False |
00003 effective data plane operations (unique) •action: 1 •write: 2 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •action: 1 •write: 2 •Microsoft.SignalRService/SignalR/auth/accessKey/action •Microsoft.SignalRService/SignalR/serverConnection/write •Microsoft.SignalRService/SignalR/clientConnection/write | ||||
| fb879df8-f326-4884-b1cf-06f3ad86be52 | Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. | False |
00026 effective control plane and data plane operations (unique) •action: 3 •read: 23 |
Actions: 007 resolved operations: 24 effective operations: 24 •action: 1 •read: 23 •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Compute/virtualMachines/*/read •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridConnectivity/endpoints/listCredentials/action | DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.Compute/virtualMachines/login/action •Microsoft.HybridCompute/machines/login/action | |||
| 1c0163c0-47e6-4577-8991-ea5c82e286e4 | Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator | False |
00028 effective control plane and data plane operations (unique) •action: 5 •read: 23 |
Actions: 007 resolved operations: 24 effective operations: 24 •action: 1 •read: 23 •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Compute/virtualMachines/*/read •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridConnectivity/endpoints/listCredentials/action | DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 4 •Microsoft.Compute/virtualMachines/login/action •Microsoft.Compute/virtualMachines/loginAsAdmin/action •Microsoft.HybridCompute/machines/login/action •Microsoft.HybridCompute/machines/loginAsAdmin/action | |||
| cd570a14-e51a-42ad-bac8-bafd67325302 | Azure Connected Machine Resource Administrator | Can read, write, delete and re-onboard Azure Connected Machines. | False |
00054 effective control plane operations (unique) •action: 8 •delete: 10 •read: 26 •write: 10 |
Actions: 018 resolved operations: 54 effective operations: 54 •action: 8 •delete: 10 •read: 26 •write: 10 •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/privateLinkScopes/* •Microsoft.HybridCompute/*/read •Microsoft.Resources/deployments/* •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/licenses/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/machines/runCommands/read •Microsoft.HybridCompute/machines/runCommands/write •Microsoft.HybridCompute/machines/runCommands/delete | count: 011 •[Preview]: Configure ChangeTracking Extension for Linux Arc machines •[Preview]: Configure ChangeTracking Extension for Windows Arc machines •[Preview]: Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory •[Preview]: Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory •Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent •Configure Azure Arc Private Link Scopes to disable public network access •Configure Azure Arc Private Link Scopes with private endpoints •Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope •Configure Linux Arc-enabled machines to run Azure Monitor Agent •Configure periodic checking for missing system updates on azure Arc-enabled servers •Configure Windows Arc-enabled machines to run Azure Monitor Agent | |||
| 00c29273-979b-4161-815c-10b084fb9324 | Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others | False |
00138 effective control plane operations (unique) •action: 36 •delete: 1 •read: 90 •write: 11 |
Actions: 092 resolved operations: 138 effective operations: 138 •action: 36 •delete: 1 •read: 90 •write: 11 •Microsoft.Authorization/*/read •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action •Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read •Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action •Microsoft.RecoveryServices/Vaults/backupJobs/* •Microsoft.RecoveryServices/Vaults/backupJobsExport/action •Microsoft.RecoveryServices/Vaults/backupOperationResults/* •Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read •Microsoft.RecoveryServices/Vaults/backupPolicies/read •Microsoft.RecoveryServices/Vaults/backupProtectableItems/* •Microsoft.RecoveryServices/Vaults/backupProtectedItems/read •Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read •Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read •Microsoft.RecoveryServices/Vaults/certificates/write •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/extendedInformation/write •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/write •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.RecoveryServices/Vaults/backupstorageconfig/* •Microsoft.RecoveryServices/Vaults/backupValidateOperation/action •Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action •Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read •Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read •Microsoft.RecoveryServices/Vaults/backupOperations/read •Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action •Microsoft.RecoveryServices/Vaults/backupEngines/read •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read •Microsoft.RecoveryServices/locations/backupStatus/action •Microsoft.RecoveryServices/locations/backupPreValidateProtection/action •Microsoft.RecoveryServices/locations/backupValidateFeatures/action •Microsoft.RecoveryServices/locations/backupAadProperties/read •Microsoft.RecoveryServices/locations/backupCrrJobs/action •Microsoft.RecoveryServices/locations/backupCrrJob/action •Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action •Microsoft.RecoveryServices/locations/backupCrrOperationResults/read •Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/write •Microsoft.RecoveryServices/operations/read •Microsoft.RecoveryServices/locations/operationStatus/read •Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read •Microsoft.Support/* •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/deletedBackupInstances/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/operationResults/read •Microsoft.DataProtection/backupVaults/operationStatus/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/operations/read •Microsoft.DataProtection/backupVaults/validateForBackup/action •Microsoft.DataProtection/backupVaults/backupInstances/backup/action •Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action •Microsoft.DataProtection/backupVaults/backupInstances/restore/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action •Microsoft.DataProtection/locations/checkFeatureSupport/action | ||||
| e8ddcd69-c73f-4f9f-9844-4100522f16ad | Workbook Contributor | Can save shared workbooks. | False |
00007 effective control plane operations (unique) •Delete: 2 •Read: 3 •Write: 2 |
Actions: 007 resolved operations: 7 effective operations: 7 •Delete: 2 •Read: 3 •Write: 2 •Microsoft.Insights/workbooks/write •Microsoft.Insights/workbooks/delete •Microsoft.Insights/workbooks/read •Microsoft.Insights/workbooks/revisions/read •Microsoft.Insights/workbooktemplates/write •Microsoft.Insights/workbooktemplates/delete •Microsoft.Insights/workbooktemplates/read | ||||
| b279062a-9be3-42a0-92ae-8b3cf002ec4d | Workbook Reader | Can read workbooks. | False |
00003 effective control plane operations (unique) •Read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •Read: 3 •microsoft.insights/workbooks/read •microsoft.insights/workbooks/revisions/read •microsoft.insights/workbooktemplates/read | ||||
| 749f88d5-cbae-40b8-bcfc-e573ddc772fa | Monitoring Contributor | Can read all monitoring data and update monitoring settings. | False |
06825 effective control plane operations (unique) •: 1 •action: 29 •delete: 36 •read: 6717 •write: 42 |
Actions: 038 resolved operations: 6825 effective operations: 6825 •: 1 •action: 29 •delete: 36 •read: 6717 •write: 42 •*/read •Microsoft.AlertsManagement/alerts/* •Microsoft.AlertsManagement/alertsSummary/* •Microsoft.Insights/actiongroups/* •Microsoft.Insights/activityLogAlerts/* •Microsoft.Insights/AlertRules/* •Microsoft.Insights/components/* •Microsoft.Insights/createNotifications/* •Microsoft.Insights/dataCollectionEndpoints/* •Microsoft.Insights/dataCollectionRules/* •Microsoft.Insights/dataCollectionRuleAssociations/* •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/eventtypes/* •Microsoft.Insights/LogDefinitions/* •Microsoft.Insights/metricalerts/* •Microsoft.Insights/MetricDefinitions/* •Microsoft.Insights/Metrics/* •Microsoft.Insights/notificationStatus/* •Microsoft.Insights/Register/Action •Microsoft.Insights/scheduledqueryrules/* •Microsoft.Insights/webtests/* •Microsoft.Insights/workbooks/* •Microsoft.Insights/workbooktemplates/* •Microsoft.Insights/privateLinkScopes/* •Microsoft.Insights/privateLinkScopeOperationStatuses/* •Microsoft.OperationalInsights/workspaces/write •Microsoft.OperationalInsights/workspaces/intelligencepacks/* •Microsoft.OperationalInsights/workspaces/savedSearches/* •Microsoft.OperationalInsights/workspaces/search/action •Microsoft.OperationalInsights/workspaces/sharedKeys/action •Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* •Microsoft.Support/* •Microsoft.AlertsManagement/smartDetectorAlertRules/* •Microsoft.AlertsManagement/actionRules/* •Microsoft.AlertsManagement/smartGroups/* •Microsoft.AlertsManagement/migrateFromSmartDetection/* •Microsoft.AlertsManagement/investigations/* •Microsoft.Monitor/investigations/* | count: 051 •[Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group •[Preview]: Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •[Preview]: Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •[Preview]: Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory •[Preview]: Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •[Preview]: Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •[Preview]: Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. •Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR •Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR •Configure Azure Activity logs to stream to specified Log Analytics workspace •Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace •Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace •Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace •Configure diagnostic settings for Blob Services to Log Analytics workspace •Configure diagnostic settings for container groups to Log Analytics workspace •Configure diagnostic settings for File Services to Log Analytics workspace •Configure diagnostic settings for Queue Services to Log Analytics workspace •Configure diagnostic settings for Storage Accounts to Log Analytics workspace •Configure diagnostic settings for Table Services to Log Analytics workspace •Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL •Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace •Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace •Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace •Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM •Deploy Diagnostic Settings for Batch Account to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace •Deploy Diagnostic Settings for Event Hub to Log Analytics workspace •Deploy Diagnostic Settings for Key Vault to Log Analytics workspace •Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace •Deploy Diagnostic Settings for Network Security Groups •Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. •Deploy Diagnostic Settings for Search Services to Log Analytics workspace •Deploy Diagnostic Settings for Service Bus to Log Analytics workspace •Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | |||
| 3913510d-42f4-4e42-8a64-420c390055eb | Monitoring Metrics Publisher | Enables publishing metrics against Azure resources | False |
00014 effective control plane and data plane operations (unique) •Action: 4 •read: 7 •Write: 3 |
Actions: 003 resolved operations: 12 effective operations: 12 •Action: 4 •read: 7 •write: 1 •Microsoft.Insights/Register/Action •Microsoft.Support/* •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 002 resolved data operations: 2 effective data operations: 2 •Write: 2 •Microsoft.Insights/Metrics/Write •Microsoft.Insights/Telemetry/Write | |||
| 8a3c2885-9b38-4fd2-9d99-91af537c1347 | Purview role 1 (Deprecated) | Deprecated role. | False |
00003 effective control plane and data plane operations (unique) •read: 2 •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Purview/accounts/read | DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.Purview/accounts/data/read •Microsoft.Purview/accounts/data/write | |||
| 200bba9e-f0c8-430f-892b-6f0794863803 | Purview role 2 (Deprecated) | Deprecated role. | False |
00003 effective control plane and data plane operations (unique) •read: 2 •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Purview/accounts/read | DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.Purview/accounts/scan/read •Microsoft.Purview/accounts/scan/write | |||
| ff100721-1b9d-43d8-af52-42b69c1272db | Purview role 3 (Deprecated) | Deprecated role. | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Purview/accounts/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Purview/accounts/data/read | |||
| b8b15564-4fa6-4a59-ab12-03e1d9594795 | Autonomous Development Platform Data Contributor (Preview) | Grants permissions to upload and manage new Autonomous Development Platform measurements. | False |
00074 effective control plane and data plane operations (unique) •action: 6 •delete: 11 •read: 46 •write: 11 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.AutonomousDevelopmentPlatform/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 012 resolved data operations: 42 effective data operations: 40 •action: 6 •delete: 11 •read: 12 •write: 11 •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/discoveries/* •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/uploads/* •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/* •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurementCollections/* •Microsoft.AutonomousDevelopmentPlatform/accounts/measurementCollections/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/read •Microsoft.AutonomousDevelopmentPlatform/workspaces/discoveries/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/uploads/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/classifications/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/dataStreams/classifications/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurementCollections/* | NotDataActions: 002 resolved not data operations: 2 effective not data operations: 3081 •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/changeState/action •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/changeState/action | ||
| 27f8b550-c507-4db9-86f2-f4b8e816d59d | Autonomous Development Platform Data Owner (Preview) | Grants full access to Autonomous Development Platform data. | False |
00124 effective control plane and data plane operations (unique) •action: 26 •delete: 21 •read: 56 •write: 21 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.AutonomousDevelopmentPlatform/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 001 resolved data operations: 90 effective data operations: 90 •action: 26 •delete: 21 •read: 22 •write: 21 •Microsoft.AutonomousDevelopmentPlatform/* | |||
| d63b75f7-47ea-4f27-92ac-e0d173aaf093 | Autonomous Development Platform Data Reader (Preview) | Grants read access to Autonomous Development Platform data. | False |
00056 effective control plane and data plane operations (unique) •read: 56 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.AutonomousDevelopmentPlatform/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 001 resolved data operations: 22 effective data operations: 22 •read: 22 •Microsoft.AutonomousDevelopmentPlatform/*/read | |||
| 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 | Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | False |
00092 effective control plane and data plane operations (unique) •: 1 •Action: 25 •Delete: 3 •read: 59 •Write: 4 |
Actions: 010 resolved operations: 74 effective operations: 74 •: 1 •Action: 10 •Delete: 2 •read: 58 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/operations/read | DataActions: 002 resolved data operations: 19 effective data operations: 19 •action: 15 •delete: 1 •read: 2 •write: 1 •Microsoft.KeyVault/vaults/keys/* •Microsoft.KeyVault/vaults/keyrotationpolicies/* | |||
| 49e2f5d2-7741-4835-8efa-19e1fe35e47f | Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes | False |
00057 effective control plane and data plane operations (unique) •: 1 •Action: 10 •Delete: 2 •read: 41 •Write: 3 |
Actions: 005 resolved operations: 55 effective operations: 55 •: 1 •Action: 10 •Delete: 2 •read: 39 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.DeviceUpdate/accounts/instances/management/read •Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| e4237640-0e3d-4a46-8fda-70bc94856432 | Device Update Deployments Administrator | Gives you full access to management operations | False |
00059 effective control plane and data plane operations (unique) •: 1 •Action: 10 •delete: 3 •read: 41 •write: 4 |
Actions: 005 resolved operations: 55 effective operations: 55 •: 1 •Action: 10 •Delete: 2 •read: 39 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Insights/alertRules/* | DataActions: 004 resolved data operations: 4 effective data operations: 4 •delete: 1 •read: 2 •write: 1 •Microsoft.DeviceUpdate/accounts/instances/management/read •Microsoft.DeviceUpdate/accounts/instances/management/write •Microsoft.DeviceUpdate/accounts/instances/management/delete •Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| 67d33e57-3129-45e6-bb0b-7cc522f762fa | Azure Arc VMware Private Clouds Onboarding | Azure Arc VMware Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vCenter instances to Azure. | False |
00070 effective control plane operations (unique) •action: 9 •delete: 7 •read: 46 •write: 8 |
Actions: 044 resolved operations: 70 effective operations: 70 •action: 9 •delete: 7 •read: 46 •write: 8 •Microsoft.ConnectedVMwarevSphere/vcenters/Write •Microsoft.ConnectedVMwarevSphere/vcenters/Read •Microsoft.ConnectedVMwarevSphere/vcenters/Delete •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.KubernetesConfiguration/extensions/Write •Microsoft.KubernetesConfiguration/extensions/Read •Microsoft.KubernetesConfiguration/extensions/Delete •Microsoft.KubernetesConfiguration/operations/read •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.ExtendedLocation/customLocations/Write •Microsoft.ExtendedLocation/customLocations/Delete •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ResourceConnector/appliances/Read •Microsoft.ResourceConnector/appliances/Write •Microsoft.ResourceConnector/appliances/Delete •Microsoft.ResourceConnector/appliances/listClusterUserCredential/action •Microsoft.BackupSolutions/vmwareapplications/write •Microsoft.BackupSolutions/vmwareapplications/delete •Microsoft.BackupSolutions/vmwareapplications/read | ||||
| 4e9b8407-af2e-495b-ae54-bb60a55b1b5a | Chamber Admin | Lets you manage everything under your Modeling and Simulation Workbench chamber. | False |
00071 effective control plane and data plane operations (unique) •action: 21 •delete: 5 •read: 40 •write: 5 |
Actions: 005 resolved operations: 70 effective operations: 68 •action: 18 •delete: 5 •read: 40 •write: 5 •Microsoft.ModSimWorkbench/*/read •Microsoft.ModSimWorkbench/workbenches/chambers/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | NotActions: 002 resolved not operations: 2 effective not operations: 15318 •Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/manage/action •Microsoft.ModSimWorkbench/workbenches/chambers/connector/setCopyPaste/action | DataActions: 002 resolved data operations: 3 effective data operations: 3 •action: 3 •Microsoft.ModSimWorkbench/workbenches/chambers/upload/action •Microsoft.ModSimWorkbench/workbenches/chambers/files/* | ||
| f4c81013-99ee-4d62-a7ee-b3f1f648599a | Microsoft Sentinel Automation Contributor | Microsoft Sentinel Automation Contributor | False |
00033 effective control plane operations (unique) •action: 2 •read: 31 |
Actions: 007 resolved operations: 33 effective operations: 33 •action: 2 •read: 31 •Microsoft.Authorization/*/read •Microsoft.Logic/workflows/triggers/read •Microsoft.Logic/workflows/triggers/listCallbackUrl/action •Microsoft.Logic/workflows/runs/read •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read | ||||
| 871e35f6-b5c1-49cc-a043-bde969a0f2cd | CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. | False |
00132 effective control plane operations (unique) •: 1 •action: 33 •delete: 18 •read: 61 •write: 19 |
Actions: 009 resolved operations: 132 effective operations: 132 •: 1 •action: 33 •delete: 18 •read: 61 •write: 19 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/endpoints/*/read •Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 4447db05-44ed-4da3-ae60-6cbece780e32 | Chamber User | Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes. | False |
00050 effective control plane and data plane operations (unique) •action: 10 •delete: 2 •read: 36 •write: 2 |
Actions: 007 resolved operations: 49 effective operations: 49 •action: 9 •delete: 2 •read: 36 •write: 2 •Microsoft.ModSimWorkbench/workbenches/chambers/*/read •Microsoft.ModSimWorkbench/workbenches/chambers/workloads/* •Microsoft.ModSimWorkbench/workbenches/chambers/getUploadUri/action •Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/getDownloadUri/action •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.ModSimWorkbench/workbenches/chambers/upload/action | |||
| f2dc8367-1007-4938-bd23-fe263f013447 | Cognitive Services Speech User | Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. | False |
00174 effective control plane and data plane operations (unique) •action: 26 •delete: 11 •read: 126 •write: 11 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 015 resolved data operations: 141 effective data operations: 139 •action: 26 •delete: 11 •read: 91 •write: 11 •Microsoft.CognitiveServices/accounts/SpeechServices/*/read •Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read •Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write •Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete •Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action •Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/*/action •Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/*/action •Microsoft.CognitiveServices/accounts/CustomVoice/*/read •Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/* •Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/* •Microsoft.CognitiveServices/accounts/AudioContentCreation/* •Microsoft.CognitiveServices/accounts/VideoTranslation/* •Microsoft.CognitiveServices/accounts/CustomAvatar/*/read •Microsoft.CognitiveServices/accounts/BatchAvatar/* •Microsoft.CognitiveServices/accounts/BatchTextToSpeech/* | NotDataActions: 002 resolved not data operations: 2 effective not data operations: 2982 •Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read •Microsoft.CognitiveServices/accounts/CustomVoice/datasets/utterances/read | ||
| a6333a3e-0164-44c3-b281-7a577aff287f | Windows Admin Center Administrator Login | Let's you manage the OS of your resource via Windows Admin Center as an administrator. | False |
00053 effective control plane and data plane operations (unique) •Action: 7 •Delete: 2 •Read: 38 •Write: 6 |
Actions: 041 resolved operations: 49 effective operations: 49 •action: 3 •Delete: 2 •Read: 38 •Write: 6 •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridCompute/machines/extensions/* •Microsoft.HybridCompute/machines/upgradeExtensions/action •Microsoft.HybridCompute/operations/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read •Microsoft.Network/networkWatchers/securityGroupView/action •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/networkSecurityGroups/securityRules/write •Microsoft.HybridConnectivity/endpoints/write •Microsoft.HybridConnectivity/endpoints/read •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read •Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read •Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read •Microsoft.Compute/virtualMachines/patchInstallationResults/read •Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/runCommands/read •Microsoft.Compute/virtualMachines/vmSizes/read •Microsoft.Compute/locations/publishers/artifacttypes/types/read •Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read •Microsoft.Compute/diskAccesses/read •Microsoft.Compute/galleries/images/read •Microsoft.Compute/images/read •Microsoft.AzureStackHCI/Clusters/Read •Microsoft.AzureStackHCI/Clusters/ArcSettings/Read •Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read •Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write •Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete •Microsoft.AzureStackHCI/Operations/Read •Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read •Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write •Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read | DataActions: 004 resolved data operations: 4 effective data operations: 4 •Action: 4 •Microsoft.HybridCompute/machines/WACLoginAsAdmin/action •Microsoft.Compute/virtualMachines/WACloginAsAdmin/action •Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action •Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action | |||
| 18ed5180-3e48-46fd-8541-4ea054d57064 | Azure Kubernetes Service Policy Add-on Deployment | Deploy the Azure Policy add-on on Azure Kubernetes Service clusters | False |
00014 effective control plane operations (unique) •action: 7 •delete: 1 •read: 4 •write: 2 |
Actions: 006 resolved operations: 14 effective operations: 14 •action: 7 •delete: 1 •read: 4 •write: 2 •Microsoft.Resources/deployments/* •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/publicIPPrefixes/join/action •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Compute/diskEncryptionSets/read •Microsoft.Compute/proximityPlacementGroups/write | count: 006 •[Preview]: Deploy Image Integrity on Azure Kubernetes Service •Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access •Configure Node OS Auto upgrade on Azure Kubernetes Cluster •Deploy Azure Policy Add-on to Azure Kubernetes Service clusters •Deploy Image Cleaner on Azure Kubernetes Service •Disable Command Invoke on Azure Kubernetes Service clusters | |||
| 088ab73d-1256-47ae-bea9-9de8e7131f31 | Guest Configuration Resource Contributor | Lets you read, write Guest Configuration Resource. | False |
00012 effective control plane operations (unique) •action: 4 •delete: 1 •read: 5 •write: 2 |
Actions: 004 resolved operations: 12 effective operations: 12 •action: 4 •delete: 1 •read: 5 •write: 2 •Microsoft.GuestConfiguration/guestConfigurationAssignments/write •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read •Microsoft.Resources/deployments/* | count: 005 •[Preview]: Configure Windows Server to disable local users. •[Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended. •Configure Linux Server to disable local users. •Configure time zone on Windows machines. •Local authentication methods should be disabled on Linux machines | |||
| 361898ef-9ed1-48c2-849c-a832951106bb | Domain Services Reader | Can view Azure AD Domain Services and related network configurations | False |
00071 effective control plane operations (unique) •read: 71 |
Actions: 028 resolved operations: 71 effective operations: 71 •read: 71 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/Logs/Read •Microsoft.Insights/Metrics/read •Microsoft.Insights/DiagnosticSettings/read •Microsoft.Insights/DiagnosticSettingsCategories/Read •Microsoft.AAD/domainServices/*/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/azureFirewalls/read •Microsoft.Network/ddosProtectionPlans/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/*/read •Microsoft.Network/natGateways/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/routeTables/read •Microsoft.Network/routeTables/routes/read | ||||
| eeaeda52-9324-47f6-8069-5d5bade478b2 | Domain Services Contributor | Can manage Azure AD Domain Services and related network configurations | False |
00120 effective control plane operations (unique) •action: 21 •delete: 14 •read: 71 •write: 14 |
Actions: 069 resolved operations: 120 effective operations: 120 •action: 21 •delete: 14 •read: 71 •write: 14 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/Logs/Read •Microsoft.Insights/Metrics/Read •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/DiagnosticSettingsCategories/Read •Microsoft.AAD/register/action •Microsoft.AAD/unregister/action •Microsoft.AAD/domainServices/* •Microsoft.Network/register/action •Microsoft.Network/unregister/action •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/write •Microsoft.Network/virtualNetworks/delete •Microsoft.Network/virtualNetworks/peer/action •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/virtualNetworks/subnets/delete •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/azureFirewalls/read •Microsoft.Network/ddosProtectionPlans/read •Microsoft.Network/ddosProtectionPlans/join/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/delete •Microsoft.Network/loadBalancers/*/read •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/inboundNatRules/join/action •Microsoft.Network/natGateways/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/write •Microsoft.Network/networkSecurityGroups/delete •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/networkSecurityGroups/securityRules/write •Microsoft.Network/networkSecurityGroups/securityRules/delete •Microsoft.Network/routeTables/read •Microsoft.Network/routeTables/write •Microsoft.Network/routeTables/delete •Microsoft.Network/routeTables/join/action •Microsoft.Network/routeTables/routes/read •Microsoft.Network/routeTables/routes/write •Microsoft.Network/routeTables/routes/delete | ||||
| 0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d | DNS Resolver Contributor | Lets you manage DNS resolver resources. | False |
00080 effective control plane operations (unique) •: 1 •Action: 19 •Delete: 8 •read: 43 •Write: 9 |
Actions: 041 resolved operations: 80 effective operations: 80 •: 1 •Action: 19 •Delete: 8 •read: 43 •Write: 9 •Microsoft.Network/dnsResolvers/read •Microsoft.Network/dnsResolvers/write •Microsoft.Network/dnsResolvers/delete •Microsoft.Network/dnsResolvers/join/action •Microsoft.Network/dnsResolvers/inboundEndpoints/read •Microsoft.Network/dnsResolvers/inboundEndpoints/write •Microsoft.Network/dnsResolvers/inboundEndpoints/delete •Microsoft.Network/dnsResolvers/inboundEndpoints/join/action •Microsoft.Network/dnsResolvers/outboundEndpoints/read •Microsoft.Network/dnsResolvers/outboundEndpoints/write •Microsoft.Network/dnsResolvers/outboundEndpoints/delete •Microsoft.Network/dnsResolvers/outboundEndpoints/join/action •Microsoft.Network/dnsForwardingRulesets/read •Microsoft.Network/dnsForwardingRulesets/write •Microsoft.Network/dnsForwardingRulesets/delete •Microsoft.Network/dnsForwardingRulesets/join/action •Microsoft.Network/dnsForwardingRulesets/forwardingRules/read •Microsoft.Network/dnsForwardingRulesets/forwardingRules/write •Microsoft.Network/dnsForwardingRulesets/forwardingRules/delete •Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/read •Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/write •Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/delete •Microsoft.Network/locations/dnsResolverOperationResults/read •Microsoft.Network/locations/dnsResolverOperationStatuses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/joinLoadBalancer/action •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action •Microsoft.Network/natGateways/join/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/routeTables/join/action •Microsoft.Network/serviceEndpointPolicies/join/action •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 00493d72-78f6-4148-b6c5-d3ce8e4799dd | Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. | False |
00051 effective control plane operations (unique) •: 1 •Action: 8 •Delete: 1 •read: 38 •Write: 3 |
Actions: 009 resolved operations: 51 effective operations: 51 •: 1 •Action: 8 •Delete: 1 •read: 38 •Write: 3 •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Support/* •Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action | ||||
| 959f8984-c045-4866-89c7-12bf9737be2e | Data Operator for Managed Disks | Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. | False |
00004 effective data plane operations (unique) •action: 4 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 4 •Microsoft.Compute/disks/download/action •Microsoft.Compute/disks/upload/action •Microsoft.Compute/snapshots/download/action •Microsoft.Compute/snapshots/upload/action | ||||
| 6b77f0a0-0d89-41cc-acd1-579c22c17a67 | AgFood Platform Sensor Partner Contributor | Provides contribute access to manage sensor related entities in AgFood Platform Service | False |
00018 effective data plane operations (unique) •action: 4 •delete: 3 •read: 6 •write: 5 |
DataActions: 001 resolved data operations: 19 effective data operations: 18 •action: 4 •delete: 3 •read: 6 •write: 5 •Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/* | NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3103 •Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/delete | |||
| 1ef6a3be-d0ac-425d-8c01-acb62866290b | Compute Gallery Sharing Admin | This role allows user to share gallery to another subscription/tenant or share it to the public. | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.Compute/galleries/share/action | ||||
| cd08ab90-6b14-449c-ad9a-8f8e549482c6 | Scheduled Patching Contributor | Provides access to manage maintenance configurations with maintenance scope InGuestPatch and corresponding configuration assignments | False |
00012 effective control plane operations (unique) •delete: 4 •read: 4 •write: 4 |
Actions: 012 resolved operations: 12 effective operations: 12 •delete: 4 •read: 4 •write: 4 •Microsoft.Maintenance/maintenanceConfigurations/read •Microsoft.Maintenance/maintenanceConfigurations/write •Microsoft.Maintenance/maintenanceConfigurations/delete •Microsoft.Maintenance/configurationAssignments/read •Microsoft.Maintenance/configurationAssignments/write •Microsoft.Maintenance/configurationAssignments/delete •Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/read •Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/write •Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/delete •Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/read •Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/write •Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/delete | ||||
| 45d50f46-0b78-4001-a660-4198cbe8cd05 | DevCenter Dev Box User | Provides access to create and manage dev boxes. | False |
00046 effective control plane and data plane operations (unique) •action: 11 •read: 35 |
Actions: 004 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.DevCenter/projects/read •Microsoft.DevCenter/projects/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 011 resolved data operations: 11 effective data operations: 11 •action: 11 •Microsoft.DevCenter/projects/users/devboxes/userStop/action •Microsoft.DevCenter/projects/users/devboxes/userStart/action •Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action •Microsoft.DevCenter/projects/users/devboxes/userRead/action •Microsoft.DevCenter/projects/users/devboxes/userWrite/action •Microsoft.DevCenter/projects/users/devboxes/userDelete/action •Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionRead/action •Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionManage/action •Microsoft.DevCenter/projects/users/devboxes/userActionRead/action •Microsoft.DevCenter/projects/users/devboxes/userActionManage/action •Microsoft.DevCenter/projects/users/devboxes/userCustomize/action | |||
| 331c37c6-af14-46d9-b9f4-e1909e1b95a0 | DevCenter Project Admin | Provides access to manage project resources. | False |
00073 effective control plane and data plane operations (unique) •action: 27 •delete: 4 •read: 38 •write: 4 |
Actions: 004 resolved operations: 53 effective operations: 51 •action: 5 •delete: 4 •read: 38 •write: 4 •Microsoft.DevCenter/projects/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | NotActions: 002 resolved not operations: 2 effective not operations: 15335 •Microsoft.DevCenter/projects/write •Microsoft.DevCenter/projects/delete | DataActions: 022 resolved data operations: 22 effective data operations: 22 •action: 22 •Microsoft.DevCenter/projects/users/devboxes/adminStart/action •Microsoft.DevCenter/projects/users/devboxes/adminStop/action •Microsoft.DevCenter/projects/users/devboxes/adminRead/action •Microsoft.DevCenter/projects/users/devboxes/adminWrite/action •Microsoft.DevCenter/projects/users/devboxes/adminDelete/action •Microsoft.DevCenter/projects/users/devboxes/userStop/action •Microsoft.DevCenter/projects/users/devboxes/userStart/action •Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action •Microsoft.DevCenter/projects/users/devboxes/userRead/action •Microsoft.DevCenter/projects/users/devboxes/userWrite/action •Microsoft.DevCenter/projects/users/devboxes/userDelete/action •Microsoft.DevCenter/projects/users/devboxes/userActionRead/action •Microsoft.DevCenter/projects/users/devboxes/userActionManage/action •Microsoft.DevCenter/projects/users/environments/adminRead/action •Microsoft.DevCenter/projects/users/environments/userWrite/action •Microsoft.DevCenter/projects/users/environments/adminWrite/action •Microsoft.DevCenter/projects/users/environments/userDelete/action •Microsoft.DevCenter/projects/users/environments/adminDelete/action •Microsoft.DevCenter/projects/users/environments/adminAction/action •Microsoft.DevCenter/projects/users/environments/adminActionRead/action •Microsoft.DevCenter/projects/users/environments/adminActionManage/action •Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action | ||
| 602da2ba-a5c2-41da-b01d-5360126ab525 | Virtual Machine Local User Login | View Virtual Machines in the portal and login as a local user configured on the arc server | False |
00009 effective control plane operations (unique) •action: 1 •read: 8 |
Actions: 002 resolved operations: 9 effective operations: 9 •action: 1 •read: 8 •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridConnectivity/endpoints/listCredentials/action | ||||
| c0781e91-8102-4553-8951-97c6d4243cda | Azure Arc ScVmm Private Cloud User | Azure Arc ScVmm Private Cloud User has permissions to use the ScVmm resources to deploy VMs. | False |
00060 effective control plane operations (unique) •action: 11 •Delete: 2 •read: 44 •Write: 3 |
Actions: 034 resolved operations: 60 effective operations: 60 •action: 11 •Delete: 2 •read: 44 •Write: 3 •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •microsoft.scvmm/virtualnetworks/join/action •microsoft.scvmm/virtualnetworks/Read •microsoft.scvmm/virtualmachinetemplates/clone/action •microsoft.scvmm/virtualmachinetemplates/Read •microsoft.scvmm/clouds/deploy/action •microsoft.scvmm/clouds/Read •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/enabledresourcetypes/read | ||||
| e582369a-e17b-42a5-b10c-874c387c530b | Azure Arc ScVmm VM Contributor | Arc ScVmm VM Contributor has permissions to perform all VM actions. | False |
00096 effective control plane operations (unique) •action: 17 •delete: 10 •read: 59 •write: 10 |
Actions: 058 resolved operations: 96 effective operations: 96 •action: 17 •delete: 10 •read: 59 •write: 10 •microsoft.scvmm/virtualmachines/* •microsoft.scvmm/virtualMachineInstances/* •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/licenses/delete | ||||
| 6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9 | Azure Arc ScVmm Private Clouds Onboarding | Azure Arc ScVmm Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vmm server instances to Azure. | False |
00056 effective control plane operations (unique) •action: 8 •Delete: 3 •read: 41 •Write: 4 |
Actions: 030 resolved operations: 56 effective operations: 56 •action: 8 •Delete: 3 •read: 41 •Write: 4 •microsoft.scvmm/vmmservers/Read •microsoft.scvmm/vmmservers/Write •microsoft.scvmm/vmmservers/Delete •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.ExtendedLocation/customLocations/deploy/action | ||||
| a92dfd61-77f9-4aec-a531-19858b406c87 | Azure Arc ScVmm Administrator role | Arc ScVmm VM Administrator has permissions to perform all ScVmm actions. | False |
00124 effective control plane operations (unique) •action: 23 •delete: 16 •read: 68 •write: 17 |
Actions: 057 resolved operations: 124 effective operations: 124 •action: 23 •delete: 16 •read: 68 •write: 17 •Microsoft.ScVmm/* •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/licenses/delete | ||||
| fd036e6b-1266-47a0-b0bb-a05d04831731 | HDInsight on AKS Cluster Admin | Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters. | False |
00056 effective control plane operations (unique) •action: 8 •delete: 2 •read: 43 •write: 3 |
Actions: 030 resolved operations: 56 effective operations: 56 •action: 8 •delete: 2 •read: 43 •write: 3 •Microsoft.Authorization/*/read •Microsoft.HDInsight/clusterPools/clusters/read •Microsoft.HDInsight/clusterPools/clusters/write •Microsoft.HDInsight/clusterPools/clusters/delete •Microsoft.HDInsight/clusterPools/clusters/resize/action •Microsoft.HDInsight/clusterpools/clusters/instanceviews/read •Microsoft.HDInsight/clusterPools/clusters/jobs/read •Microsoft.HDInsight/clusterPools/clusters/runjob/action •Microsoft.HDInsight/clusterpools/clusters/serviceconfigs/read •Microsoft.HDInsight/clusterPools/clusters/availableupgrades/read •Microsoft.HDInsight/clusterPools/clusters/upgrade/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/*/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/metrics/read •Microsoft.Insights/logs/read | ||||
| 7656b436-37d4-490a-a4ab-d39f838f0042 | HDInsight on AKS Cluster Pool Admin | Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters | False |
00053 effective control plane operations (unique) •action: 6 •delete: 2 •read: 41 •write: 4 |
Actions: 027 resolved operations: 53 effective operations: 53 •action: 6 •delete: 2 •read: 41 •write: 4 •Microsoft.Authorization/*/read •Microsoft.HDInsight/clusterPools/clusters/read •Microsoft.HDInsight/clusterPools/clusters/write •Microsoft.HDInsight/clusterPools/delete •Microsoft.HDInsight/clusterPools/read •Microsoft.HDInsight/clusterPools/write •Microsoft.HDInsight/clusterpools/availableupgrades/read •Microsoft.HDInsight/clusterpools/upgrade/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/*/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/metrics/read •Microsoft.Insights/logs/read | ||||
| 4465e953-8ced-4406-a58e-0f6e3f3b530b | FHIR Data Importer | Role allows user or principal to read and import FHIR Data | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action | ||||
| c031e6a8-4391-4de0-8d69-4706a7ed3729 | API Management Developer Portal Content Editor | Can customize the developer portal, edit its content, and publish it. | False |
00008 effective control plane operations (unique) •delete: 2 •read: 3 •write: 3 |
Actions: 008 resolved operations: 8 effective operations: 8 •delete: 2 •read: 3 •write: 3 •Microsoft.ApiManagement/service/portalRevisions/read •Microsoft.ApiManagement/service/portalRevisions/write •Microsoft.ApiManagement/service/contentTypes/read •Microsoft.ApiManagement/service/contentTypes/delete •Microsoft.ApiManagement/service/contentTypes/write •Microsoft.ApiManagement/service/contentTypes/contentItems/read •Microsoft.ApiManagement/service/contentTypes/contentItems/write •Microsoft.ApiManagement/service/contentTypes/contentItems/delete | ||||
| d24ecba3-c1f4-40fa-a7bb-4588a071e8fd | VM Scanner Operator | Role that provides access to disk snapshot for security analysis. | False |
00009 effective control plane operations (unique) •action: 1 •read: 8 |
Actions: 009 resolved operations: 9 effective operations: 9 •action: 1 •read: 8 •Microsoft.Compute/disks/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/diskEncryptionSets/read •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachineScaleSets/instanceView/read •Microsoft.Compute/virtualMachineScaleSets/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read | ||||
| 80dcbedb-47ef-405d-95bd-188a1b4ac406 | Elastic SAN Owner | Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access | False |
00061 effective control plane operations (unique) •action: 8 •delete: 7 •read: 39 •write: 7 |
Actions: 006 resolved operations: 61 effective operations: 61 •action: 8 •delete: 7 •read: 39 •write: 7 •Microsoft.Authorization/*/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ElasticSan/elasticSans/* •Microsoft.ElasticSan/locations/* | ||||
| af6a70f8-3c9f-4105-acf1-d719e9fca4ca | Elastic SAN Reader | Allows for control path read access to Azure Elastic SAN | False |
00009 effective control plane operations (unique) •read: 9 |
Actions: 005 resolved operations: 9 effective operations: 9 •read: 9 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ElasticSan/elasticSans/*/read | ||||
| 489581de-a3bd-480d-9518-53dea7416b33 | Desktop Virtualization Power On Contributor | Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines. | False |
00055 effective control plane operations (unique) •: 1 •Action: 9 •Delete: 2 •read: 41 •Write: 2 |
Actions: 014 resolved operations: 55 effective operations: 55 •: 1 •Action: 9 •Delete: 2 •read: 41 •Write: 2 •Microsoft.Compute/virtualMachines/start/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.AzureStackHCI/virtualMachineInstances/read •Microsoft.AzureStackHCI/virtualMachineInstances/start/action •Microsoft.AzureStackHCI/operations/read | ||||
| a959dbd1-f747-45e3-8ba6-dd80f235f97c | Desktop Virtualization Virtual Machine Contributor | This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines. | False |
00097 effective control plane operations (unique) •: 1 •action: 20 •delete: 7 •read: 59 •write: 10 |
Actions: 057 resolved operations: 97 effective operations: 97 •: 1 •action: 20 •delete: 7 •read: 59 •write: 10 •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/write •Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/write •Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action •Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read •Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action •Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/action •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/availabilitySets/write •Microsoft.Compute/availabilitySets/vmSizes/read •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/disks/delete •Microsoft.Compute/galleries/read •Microsoft.Compute/galleries/images/read •Microsoft.Compute/galleries/images/versions/read •Microsoft.Compute/images/read •Microsoft.Compute/locations/usages/read •Microsoft.Compute/locations/vmSizes/read •Microsoft.Compute/operations/read •Microsoft.Compute/skus/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.Compute/virtualMachines/delete •Microsoft.Compute/virtualMachines/start/action •Microsoft.Compute/virtualMachines/powerOff/action •Microsoft.Compute/virtualMachines/restart/action •Microsoft.Compute/virtualMachines/deallocate/action •Microsoft.Compute/virtualMachines/runCommand/action •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/extensions/write •Microsoft.Compute/virtualMachines/extensions/delete •Microsoft.Compute/virtualMachines/runCommands/read •Microsoft.Compute/virtualMachines/runCommands/write •Microsoft.Compute/virtualMachines/vmSizes/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/usages/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read •Microsoft.KeyVault/vaults/deploy/action •Microsoft.Storage/storageAccounts/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 40c5ff49-9181-41f8-ae61-143b0e78555e | Desktop Virtualization Power On Off Contributor | Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines. | False |
00068 effective control plane operations (unique) •: 1 •Action: 15 •delete: 3 •read: 45 •write: 4 |
Actions: 027 resolved operations: 68 effective operations: 68 •: 1 •Action: 15 •delete: 3 •read: 45 •write: 4 •Microsoft.Compute/virtualMachines/start/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/deallocate/action •Microsoft.Compute/virtualMachines/restart/action •Microsoft.Compute/virtualMachines/powerOff/action •Microsoft.Insights/eventtypes/values/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/write •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/write •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.AzureStackHCI/virtualMachineInstances/read •Microsoft.AzureStackHCI/virtualMachineInstances/start/action •Microsoft.AzureStackHCI/virtualMachineInstances/stop/action •Microsoft.AzureStackHCI/virtualMachineInstances/restart/action •Microsoft.AzureStackHCI/operations/read | ||||
| 76cc9ee4-d5d3-4a45-a930-26add3d73475 | Access Review Operator Service Role | Lets you grant Access Review System app permissions to discover and revoke access as needed by the access review process. | False |
00003 effective control plane operations (unique) •action: 1 •delete: 1 •read: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •delete: 1 •read: 1 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleAssignments/delete •Microsoft.Management/getEntities/action | ||||
| a8281131-f312-4f34-8d98-ae12be9f0d23 | Elastic SAN Volume Group Owner | Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access | False |
00013 effective control plane operations (unique) •action: 1 •delete: 3 •read: 6 •write: 3 |
Actions: 004 resolved operations: 13 effective operations: 13 •action: 1 •delete: 3 •read: 6 •write: 3 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.ElasticSan/elasticSans/volumeGroups/* •Microsoft.ElasticSan/locations/asyncoperations/read | ||||
| 4339b7cf-9826-4e41-b4ed-c7f4505dac08 | Trusted Signing Identity Verifier | Manage identity or business verification requests. This role is in preview and subject to change. | False |
00007 effective control plane and data plane operations (unique) •Read: 6 •Write: 1 |
Actions: 001 resolved operations: 5 effective operations: 5 •Read: 5 •Microsoft.CodeSigning/*/read | DataActions: 002 resolved data operations: 2 effective data operations: 2 •Read: 1 •Write: 1 •Microsoft.CodeSigning/IdentityVerification/Read •Microsoft.CodeSigning/IdentityVerification/Write | |||
| a2c4a527-7dc0-4ee3-897b-403ade70fafb | Video Indexer Restricted Viewer | Has access to view and search through all video's insights and transcription in the Video Indexer portal. No access to model customization, embedding of widget, downloading videos, or sharing the account. | False |
00008 effective control plane operations (unique) •action: 1 •read: 7 |
Actions: 002 resolved operations: 9 effective operations: 8 •action: 1 •read: 7 •Microsoft.VideoIndexer/*/read •Microsoft.VideoIndexer/accounts/*/action | NotActions: 003 resolved not operations: 6 effective not operations: 15378 •Microsoft.VideoIndexer/*/write •Microsoft.VideoIndexer/*/delete •Microsoft.VideoIndexer/accounts/generateAccessToken/action | |||
| b0d8363b-8ddd-447d-831f-62ca05bff136 | Monitoring Data Reader | Can access the data in an Azure Monitor Workspace. | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Monitor/accounts/data/metrics/read | ||||
| 30b27cfc-9c84-438e-b0ce-70e35255df80 | Azure Kubernetes Fleet Manager RBAC Reader | Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | False |
00057 effective control plane and data plane operations (unique) •action: 1 •read: 56 |
Actions: 006 resolved operations: 32 effective operations: 32 •action: 1 •read: 31 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/fleets/read •Microsoft.ContainerService/fleets/listCredentials/action | DataActions: 026 resolved data operations: 25 effective data operations: 25 •read: 25 •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/read •Microsoft.ContainerService/fleets/apps/deployments/read •Microsoft.ContainerService/fleets/apps/statefulsets/read •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read •Microsoft.ContainerService/fleets/batch/cronjobs/read •Microsoft.ContainerService/fleets/batch/jobs/read •Microsoft.ContainerService/fleets/configmaps/read •Microsoft.ContainerService/fleets/endpoints/read •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/read •Microsoft.ContainerService/fleets/extensions/deployments/read •Microsoft.ContainerService/fleets/extensions/ingresses/read •Microsoft.ContainerService/fleets/extensions/networkpolicies/read •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read •Microsoft.ContainerService/fleets/persistentvolumeclaims/read •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read •Microsoft.ContainerService/fleets/replicationcontrollers/read •Microsoft.ContainerService/fleets/replicationcontrollers/read •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/serviceaccounts/read •Microsoft.ContainerService/fleets/services/read | |||
| 18ab4d3d-a1bf-4477-8ad9-8359bc988f69 | Azure Kubernetes Fleet Manager RBAC Cluster Admin | Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster. | False |
00318 effective control plane and data plane operations (unique) •action: 10 •delete: 49 •read: 204 •write: 55 |
Actions: 006 resolved operations: 32 effective operations: 32 •action: 1 •read: 31 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/fleets/read •Microsoft.ContainerService/fleets/listCredentials/action | DataActions: 001 resolved data operations: 286 effective data operations: 286 •action: 9 •delete: 49 •read: 173 •write: 55 •Microsoft.ContainerService/fleets/* | |||
| 434fb43a-c01c-447e-9f67-c3ad923cfaba | Azure Kubernetes Fleet Manager RBAC Admin | Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. | False |
00108 effective control plane and data plane operations (unique) •action: 4 •delete: 22 •read: 59 •write: 23 |
Actions: 006 resolved operations: 32 effective operations: 32 •action: 1 •read: 31 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/fleets/read •Microsoft.ContainerService/fleets/listCredentials/action | DataActions: 030 resolved data operations: 76 effective data operations: 76 •action: 3 •delete: 22 •read: 28 •write: 23 •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/* •Microsoft.ContainerService/fleets/apps/deployments/* •Microsoft.ContainerService/fleets/apps/statefulsets/* •Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* •Microsoft.ContainerService/fleets/batch/cronjobs/* •Microsoft.ContainerService/fleets/batch/jobs/* •Microsoft.ContainerService/fleets/configmaps/* •Microsoft.ContainerService/fleets/endpoints/* •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/* •Microsoft.ContainerService/fleets/extensions/deployments/* •Microsoft.ContainerService/fleets/extensions/ingresses/* •Microsoft.ContainerService/fleets/extensions/networkpolicies/* •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* •Microsoft.ContainerService/fleets/persistentvolumeclaims/* •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* •Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* •Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* •Microsoft.ContainerService/fleets/replicationcontrollers/* •Microsoft.ContainerService/fleets/replicationcontrollers/* •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/secrets/* •Microsoft.ContainerService/fleets/serviceaccounts/* •Microsoft.ContainerService/fleets/services/* | |||
| 5af6afb3-c06c-4fa4-8848-71a8aee05683 | Azure Kubernetes Fleet Manager RBAC Writer | Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | False |
00099 effective control plane and data plane operations (unique) •action: 2 •delete: 20 •read: 57 •write: 20 |
Actions: 006 resolved operations: 32 effective operations: 32 •action: 1 •read: 31 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ContainerService/fleets/read •Microsoft.ContainerService/fleets/listCredentials/action | DataActions: 027 resolved data operations: 67 effective data operations: 67 •action: 1 •delete: 20 •read: 26 •write: 20 •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/* •Microsoft.ContainerService/fleets/apps/deployments/* •Microsoft.ContainerService/fleets/apps/statefulsets/* •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* •Microsoft.ContainerService/fleets/batch/cronjobs/* •Microsoft.ContainerService/fleets/batch/jobs/* •Microsoft.ContainerService/fleets/configmaps/* •Microsoft.ContainerService/fleets/endpoints/* •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/* •Microsoft.ContainerService/fleets/extensions/deployments/* •Microsoft.ContainerService/fleets/extensions/ingresses/* •Microsoft.ContainerService/fleets/extensions/networkpolicies/* •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* •Microsoft.ContainerService/fleets/persistentvolumeclaims/* •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* •Microsoft.ContainerService/fleets/replicationcontrollers/* •Microsoft.ContainerService/fleets/replicationcontrollers/* •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/secrets/* •Microsoft.ContainerService/fleets/serviceaccounts/* •Microsoft.ContainerService/fleets/services/* | |||
| 63bb64ad-9799-4770-b5c3-24ed299a07bf | Azure Kubernetes Fleet Manager Contributor Role | Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc. | False |
00027 effective control plane operations (unique) •action: 7 •delete: 6 •read: 8 •write: 6 |
Actions: 002 resolved operations: 27 effective operations: 27 •action: 7 •delete: 6 •read: 8 •write: 6 •Microsoft.ContainerService/fleets/* •Microsoft.Resources/deployments/* | ||||
| ba79058c-0414-4a34-9e42-c3399d80cd5a | Kubernetes Namespace User | Allows a user to read namespace resources and retrieve kubeconfig for the cluster | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.KubernetesConfiguration/namespaces/read •Microsoft.KubernetesConfiguration/namespaces/listUserCredential/action | ||||
| c6decf44-fd0a-444c-a844-d653c394e7ab | Data Labeling - Labeler | Can label data in Labeling. | False |
00006 effective control plane operations (unique) •read: 5 •write: 1 |
Actions: 006 resolved operations: 6 effective operations: 6 •read: 5 •write: 1 •Microsoft.MachineLearningServices/workspaces/read •Microsoft.MachineLearningServices/workspaces/experiments/runs/read •Microsoft.MachineLearningServices/workspaces/labeling/projects/read •Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read •Microsoft.MachineLearningServices/workspaces/labeling/labels/read •Microsoft.MachineLearningServices/workspaces/labeling/labels/write | ||||
| f58310d9-a9f6-439a-9e8d-f62e7b41a168 | Role Based Access Control Administrator | Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. | False |
06723 effective control plane operations (unique) •action: 3 •delete: 1 •read: 6717 •write: 2 |
Actions: 004 resolved operations: 6723 effective operations: 6723 •action: 3 •delete: 1 •read: 6717 •write: 2 •Microsoft.Authorization/roleAssignments/write •Microsoft.Authorization/roleAssignments/delete •*/read •Microsoft.Support/* | ||||
| 392ae280-861d-42bd-9ea5-08ee6d83b80e | Template Spec Reader | Allows read access to Template Specs at the assigned scope. | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Resources/templateSpecs/*/read | ||||
| 1c9b6475-caf0-4164-b5a1-2142a7116f4b | Template Spec Contributor | Allows full access to Template Spec operations at the assigned scope. | False |
00043 effective control plane operations (unique) •action: 4 •delete: 3 •read: 33 •write: 3 |
Actions: 004 resolved operations: 43 effective operations: 43 •action: 4 •delete: 3 •read: 33 •write: 3 •Microsoft.Resources/templateSpecs/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 51d6186e-6489-4900-b93f-92e23144cca5 | Microsoft Sentinel Playbook Operator | Microsoft Sentinel Playbook Operator | False |
00004 effective control plane operations (unique) •action: 2 •read: 2 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 2 •read: 2 •Microsoft.Logic/workflows/read •Microsoft.Logic/workflows/triggers/listCallbackUrl/action •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action •Microsoft.Web/sites/read | ||||
| 18e40d4e-8d2e-438d-97e1-9528336e149c | Deployment Environments User | Provides access to manage environment resources. | False |
00038 effective control plane and data plane operations (unique) •action: 5 •read: 33 |
Actions: 004 resolved operations: 35 effective operations: 33 •read: 33 •Microsoft.DevCenter/projects/read •Microsoft.DevCenter/projects/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Authorization/*/read | NotActions: 002 resolved not operations: 2 effective not operations: 15353 •Microsoft.DevCenter/projects/pools/read •Microsoft.DevCenter/projects/pools/schedules/read | DataActions: 005 resolved data operations: 5 effective data operations: 5 •action: 5 •Microsoft.DevCenter/projects/users/environments/userRead/action •Microsoft.DevCenter/projects/users/environments/userWrite/action •Microsoft.DevCenter/projects/users/environments/userDelete/action •Microsoft.DevCenter/projects/users/environments/userActionManage/action •Microsoft.DevCenter/projects/users/environments/userOutputsRead/action | ||
| 80558df3-64f9-4c0f-b32d-e5094b036b0b | Azure Spring Apps Connect Role | Azure Spring Apps Connect Role | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/apps/deployments/connect/action | ||||
| a99b0159-1064-4c22-a57b-c9b3caa1c054 | Azure Spring Apps Remote Debugging Role | Azure Spring Apps Remote Debugging Role | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action | ||||
| 1823dd4f-9b8c-4ab6-ab4e-7397a3684615 | AzureML Registry User | Can perform all actions on Machine Learning Services Registry assets as well as get Registry resources. | False |
00005 effective control plane operations (unique) •delete: 1 •read: 2 •write: 2 |
Actions: 002 resolved operations: 5 effective operations: 5 •delete: 1 •read: 2 •write: 2 •Microsoft.MachineLearningServices/registries/read •Microsoft.MachineLearningServices/registries/assets/* | ||||
| e503ece1-11d0-4e8e-8e2c-7a6c3bf38815 | AzureML Compute Operator | Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). | False |
00017 effective control plane operations (unique) •action: 11 •delete: 2 •read: 2 •write: 2 |
Actions: 002 resolved operations: 17 effective operations: 17 •action: 11 •delete: 2 •read: 2 •write: 2 •Microsoft.MachineLearningServices/workspaces/computes/* •Microsoft.MachineLearningServices/workspaces/notebooks/vm/* | ||||
| 05352d14-a920-4328-a0de-4cbe7430e26b | Azure Center for SAP solutions reader | This role provides read access to all capabilities of Azure Center for SAP solutions. | False |
00070 effective control plane operations (unique) •read: 70 |
Actions: 043 resolved operations: 70 effective operations: 70 •read: 70 •Microsoft.Advisor/configurations/read •Microsoft.Advisor/recommendations/read •Microsoft.Workloads/sapvirtualInstances/*/read •Microsoft.Workloads/Locations/*/read •Microsoft.Workloads/Operations/read •Microsoft.Workloads/Locations/OperationStatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/read •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/virtualMachines/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/ipconfigurations/read •Microsoft.Network/networkInterfaces/loadBalancers/read •Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/backendAddressPools/read •Microsoft.Network/loadBalancers/frontendIPConfigurations/read •Microsoft.Network/loadBalancers/loadBalancingRules/read •Microsoft.Network/loadBalancers/inboundNatRules/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read •Microsoft.Network/loadBalancers/networkInterfaces/read •Microsoft.Network/loadBalancers/outboundRules/read •Microsoft.Network/loadBalancers/virtualMachines/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/privateEndpoints/read •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/fileServices/read •Microsoft.Storage/storageAccounts/fileServices/shares/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/disks/read | ||||
| aabbc5dd-1af0-458b-a942-81af88f9c138 | Azure Center for SAP solutions service role | Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems. | False |
00066 effective control plane operations (unique) •action: 11 •delete: 2 •read: 39 •write: 14 |
Actions: 055 resolved operations: 66 effective operations: 66 •action: 11 •delete: 2 •read: 39 •write: 14 •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/write •Microsoft.Network/loadBalancers/backendAddressPools/read •Microsoft.Network/loadBalancers/backendAddressPools/write •Microsoft.Network/loadBalancers/frontendIPConfigurations/read •Microsoft.Network/loadBalancers/loadBalancingRules/read •Microsoft.Network/loadBalancers/inboundNatRules/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read •Microsoft.Network/loadBalancers/networkInterfaces/read •Microsoft.Network/loadBalancers/outboundRules/read •Microsoft.Network/loadBalancers/virtualMachines/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkInterfaces/ipconfigurations/read •Microsoft.Network/networkInterfaces/loadBalancers/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/virtualMachines/read •Microsoft.Network/virtualNetworks/virtualMachines/read •Microsoft.Network/networkInterfaces/ipconfigurations/join/action •Microsoft.Network/privateEndpoints/read •Microsoft.Network/privateEndpoints/write •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write •Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/fileServices/read •Microsoft.Storage/storageAccounts/fileServices/write •Microsoft.Storage/storageAccounts/fileServices/shares/read •Microsoft.Storage/storageAccounts/fileServices/shares/write •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/availabilitySets/write •Microsoft.Compute/skus/read •Microsoft.Compute/sshPublicKeys/read •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/extensions/write •Microsoft.Compute/virtualMachines/extensions/delete •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write | ||||
| 7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7 | Azure Center for SAP solutions administrator | This role provides read and write access to all capabilities of Azure Center for SAP solutions. | False |
00117 effective control plane and data plane operations (unique) •: 1 •Action: 19 •delete: 8 •read: 78 •write: 11 |
Actions: 057 resolved operations: 116 effective operations: 116 •: 1 •Action: 19 •delete: 8 •read: 77 •write: 11 •Microsoft.Advisor/configurations/read •Microsoft.Advisor/recommendations/read •Microsoft.Workloads/sapvirtualInstances/*/read •Microsoft.Workloads/sapVirtualInstances/*/write •Microsoft.Workloads/sapVirtualInstances/*/delete •Microsoft.Workloads/Locations/*/action •Microsoft.Workloads/Locations/*/read •Microsoft.Workloads/sapVirtualInstances/*/start/action •Microsoft.Workloads/sapVirtualInstances/*/stop/action •Microsoft.Workloads/connectors/*/read •Microsoft.Workloads/connectors/*/write •Microsoft.Workloads/connectors/*/delete •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/virtualNetworks/subnets/virtualMachines/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/ipconfigurations/read •Microsoft.Network/networkInterfaces/loadBalancers/read •Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/backendAddressPools/read •Microsoft.Network/loadBalancers/frontendIPConfigurations/read •Microsoft.Network/loadBalancers/loadBalancingRules/read •Microsoft.Network/loadBalancers/inboundNatRules/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read •Microsoft.Network/loadBalancers/networkInterfaces/read •Microsoft.Network/loadBalancers/outboundRules/read •Microsoft.Network/loadBalancers/virtualMachines/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/privateEndpoints/read •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/routeTables/join/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/fileServices/read •Microsoft.Storage/storageAccounts/fileServices/shares/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/sshPublicKeys/read •Microsoft.Compute/sshPublicKeys/write •Microsoft.Compute/sshPublicKeys/*/generateKeyPair/action •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/extensions/delete •Microsoft.Compute/disks/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | |||
| fbc52c3f-28ad-4303-a892-8a056630b8f1 | AppGw for Containers Configuration Manager | Allows access and configuration updates to Application Gateway for Containers resource. | False |
00016 effective control plane and data plane operations (unique) •delete: 4 •read: 7 •write: 5 |
Actions: 013 resolved operations: 13 effective operations: 13 •delete: 3 •read: 6 •write: 4 •Microsoft.ServiceNetworking/trafficControllers/read •Microsoft.ServiceNetworking/trafficControllers/write •Microsoft.ServiceNetworking/trafficControllers/delete •Microsoft.ServiceNetworking/trafficControllers/frontends/read •Microsoft.ServiceNetworking/trafficControllers/frontends/write •Microsoft.ServiceNetworking/trafficControllers/frontends/delete •Microsoft.ServiceNetworking/trafficControllers/associations/read •Microsoft.ServiceNetworking/trafficControllers/associations/write •Microsoft.ServiceNetworking/trafficControllers/associations/delete •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read | DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/read •Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/write •Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/delete | |||
| 4ba50f17-9666-485c-a643-ff00808643f0 | FHIR SMART User | Role allows user to access FHIR Service according to SMART on FHIR specification | False |
00004 effective data plane operations (unique) •action: 2 •read: 2 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 2 •read: 2 •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/services/fhir/resources/smart/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action | ||||
| a001fd3d-188f-4b5d-821b-7da978bf7442 | Cognitive Services OpenAI Contributor | Full access including the ability to fine-tune, deploy and generate text | False |
00090 effective control plane and data plane operations (unique) •action: 12 •delete: 11 •read: 52 •write: 15 |
Actions: 011 resolved operations: 41 effective operations: 41 •delete: 3 •read: 35 •write: 3 •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/deployments/write •Microsoft.CognitiveServices/accounts/deployments/delete •Microsoft.CognitiveServices/accounts/raiPolicies/read •Microsoft.CognitiveServices/accounts/raiPolicies/write •Microsoft.CognitiveServices/accounts/raiPolicies/delete •Microsoft.CognitiveServices/accounts/commitmentplans/read •Microsoft.CognitiveServices/accounts/commitmentplans/write •Microsoft.CognitiveServices/accounts/commitmentplans/delete •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 001 resolved data operations: 49 effective data operations: 49 •action: 12 •delete: 8 •read: 17 •write: 12 •Microsoft.CognitiveServices/accounts/OpenAI/* | count: 002 •Configure Azure AI Services resources to disable local key access (disable local authentication) •Configure Azure AI Services resources to disable local key access (disable local authentication) | ||
| 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd | Cognitive Services OpenAI User | Ability to view files, models, deployments. Readers can't make any changes They can inference and create images | False |
00062 effective control plane and data plane operations (unique) •action: 10 •read: 52 |
Actions: 003 resolved operations: 35 effective operations: 35 •read: 35 •Microsoft.CognitiveServices/*/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read | DataActions: 011 resolved data operations: 27 effective data operations: 27 •action: 10 •read: 17 •Microsoft.CognitiveServices/accounts/OpenAI/*/read •Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action •Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action •Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/audio/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action •Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action | |||
| 36e80216-a7e8-4f42-a7e1-f12c98cbaf8a | Impact Reporter | Allows access to create/report, read and delete impacts | False |
00003 effective control plane operations (unique) •Read: 2 •Write: 1 |
Actions: 002 resolved operations: 3 effective operations: 3 •Read: 2 •Write: 1 •Microsoft.Impact/WorkloadImpacts/* •Microsoft.Impact/ImpactCategories/read | ||||
| 68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e | Impact Reader | Allows read-only access to reported impacts and impact categories | False |
00002 effective control plane operations (unique) •Read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •Read: 2 •Microsoft.Impact/WorkloadImpacts/read •Microsoft.Impact/ImpactCategories/read | ||||
| ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b | ContainerApp Reader | View all containerapp resources, but does not allow you to make any changes. | False |
00054 effective control plane operations (unique) •: 1 •Action: 7 •Delete: 2 •read: 42 •Write: 2 |
Actions: 006 resolved operations: 54 effective operations: 54 •: 1 •Action: 7 •Delete: 2 •read: 42 •Write: 2 •Microsoft.App/containerApps/*/read •Microsoft.App/containerApps/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 1afdec4b-e479-420e-99e7-f82237c7c5e6 | Azure Kubernetes Service Cluster Monitoring User | List cluster monitoring user credential action. | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action •Microsoft.ContainerService/managedClusters/read | ||||
| f5819b54-e033-4d82-ac66-4fec3cbf3f4c | Azure Connected Machine Resource Manager | Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group | False |
00037 effective control plane operations (unique) •action: 1 •delete: 3 •read: 27 •write: 6 |
Actions: 018 resolved operations: 37 effective operations: 37 •action: 1 •delete: 3 •read: 27 •write: 6 •Microsoft.HybridConnectivity/endpoints/read •Microsoft.HybridConnectivity/endpoints/write •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/*/read •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/write | ||||
| 189207d4-bb67-4208-a635-b06afe8b2c57 | SqlDb Migration Role | Role for SqlDb migration | False |
00024 effective control plane operations (unique) •action: 7 •delete: 3 •read: 10 •write: 4 |
Actions: 024 resolved operations: 24 effective operations: 24 •action: 7 •delete: 3 •read: 10 •write: 4 •Microsoft.Sql/servers/read •Microsoft.Sql/servers/write •Microsoft.Sql/servers/databases/read •Microsoft.Sql/servers/databases/write •Microsoft.Sql/servers/databases/delete •Microsoft.DataMigration/locations/operationResults/read •Microsoft.DataMigration/locations/operationStatuses/read •Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read •Microsoft.DataMigration/databaseMigrations/write •Microsoft.DataMigration/databaseMigrations/read •Microsoft.DataMigration/databaseMigrations/delete •Microsoft.DataMigration/databaseMigrations/cancel/action •Microsoft.DataMigration/databaseMigrations/cutover/action •Microsoft.DataMigration/sqlMigrationServices/write •Microsoft.DataMigration/sqlMigrationServices/delete •Microsoft.DataMigration/sqlMigrationServices/read •Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/deleteNode/action •Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action •Microsoft.DataMigration/sqlMigrationServices/listMigrations/read •Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read •Microsoft.DataMigration/register/action •Microsoft.DataMigration/operations/read | ||||
| c4bc862a-3b64-4a35-a021-a380c159b042 | Bayer Ag Powered Services GDU Solution | Provide access to GDU Solution by Bayer Ag Powered Services | False |
00012 effective data plane operations (unique) •action: 3 •delete: 2 •read: 5 •write: 2 |
DataActions: 005 resolved data operations: 12 effective data operations: 12 •action: 3 •delete: 2 •read: 5 •write: 2 •Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read •Microsoft.AgFoodPlatform/farmBeats/parties/farms/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* | ||||
| ef29765d-0d37-4119-a4f8-f9f9902c9588 | Bayer Ag Powered Services Imagery Solution | Provide access to Imagery Solution by Bayer Ag Powered Services | False |
00022 effective data plane operations (unique) •action: 5 •delete: 3 •read: 7 •write: 7 |
DataActions: 010 resolved data operations: 22 effective data operations: 22 •action: 5 •delete: 3 •read: 7 •write: 7 •Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read •Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/write •Microsoft.AgFoodPlatform/farmBeats/parties/farms/read •Microsoft.AgFoodPlatform/farmBeats/parties/farms/write •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/write •Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/* •Microsoft.AgFoodPlatform/farmBeats/scenes/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* | ||||
| 0105a6b0-4bb9-43d2-982a-12806f9faddb | Azure Center for SAP solutions Service role for management | This role has permissions that the user assigned managed identity must have to enable registration for the existing systems. | False | n/a | |||||
| 6d949e1d-41e2-46e3-8920-c6e4f31a8310 | Azure Center for SAP solutions Management role | This role has permissions which allow users to register existing systems, view and manage systems. | False | n/a | |||||
| d5a2ae44-610b-4500-93be-660a0c5f5ca6 | Kubernetes Agentless Operator | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | False |
00008 effective control plane operations (unique) •action: 1 •delete: 1 •read: 5 •write: 1 |
Actions: 008 resolved operations: 8 effective operations: 8 •action: 1 •delete: 1 •read: 5 •write: 1 •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete •Microsoft.ContainerService/managedClusters/read •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Features/providers/features/register/action •Microsoft.Security/pricings/securityoperators/read | ||||
| f0310ce6-e953-4cf8-b892-fb1c87eaf7f6 | Azure Usage Billing Data Sender | Azure Usage Billing shared BuiltIn role to be used for all Customer Account Authentication | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.UsageBilling/accounts/inputs/send/action | ||||
| 1d335eef-eee1-47fe-a9e0-53214eba8872 | SqlMI Migration Role | Role for SqlMI migration | False |
00030 effective control plane operations (unique) •action: 8 •delete: 3 •read: 14 •write: 5 |
Actions: 030 resolved operations: 30 effective operations: 30 •action: 8 •delete: 3 •read: 14 •write: 5 •Microsoft.Sql/managedInstances/read •Microsoft.Sql/managedInstances/write •Microsoft.Sql/managedInstances/databases/read •Microsoft.Sql/managedInstances/databases/write •Microsoft.Sql/managedInstances/databases/delete •Microsoft.Sql/managedInstances/metrics/read •Microsoft.DataMigration/locations/operationResults/read •Microsoft.DataMigration/locations/operationStatuses/read •Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read •Microsoft.DataMigration/databaseMigrations/write •Microsoft.DataMigration/databaseMigrations/read •Microsoft.DataMigration/databaseMigrations/delete •Microsoft.DataMigration/databaseMigrations/cancel/action •Microsoft.DataMigration/databaseMigrations/cutover/action •Microsoft.DataMigration/sqlMigrationServices/write •Microsoft.DataMigration/sqlMigrationServices/delete •Microsoft.DataMigration/sqlMigrationServices/read •Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/deleteNode/action •Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action •Microsoft.DataMigration/sqlMigrationServices/listMigrations/read •Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read •Microsoft.DataMigration/register/action •Microsoft.DataMigration/operations/read •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/write •Microsoft.Storage/storageAccounts/blobServices/containers/read | ||||
| ae8036db-e102-405b-a1b9-bae082ea436d | SqlVM Migration Role | Role for SqlVM migration | False |
00026 effective control plane operations (unique) •action: 8 •delete: 2 •read: 12 •write: 4 |
Actions: 026 resolved operations: 26 effective operations: 26 •action: 8 •delete: 2 •read: 12 •write: 4 •Microsoft.DataMigration/locations/operationResults/read •Microsoft.DataMigration/locations/operationStatuses/read •Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read •Microsoft.DataMigration/databaseMigrations/write •Microsoft.DataMigration/databaseMigrations/read •Microsoft.DataMigration/databaseMigrations/delete •Microsoft.DataMigration/databaseMigrations/cancel/action •Microsoft.DataMigration/databaseMigrations/cutover/action •Microsoft.DataMigration/sqlMigrationServices/write •Microsoft.DataMigration/sqlMigrationServices/delete •Microsoft.DataMigration/sqlMigrationServices/read •Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/deleteNode/action •Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action •Microsoft.DataMigration/sqlMigrationServices/listMigrations/read •Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read •Microsoft.DataMigration/register/action •Microsoft.DataMigration/operations/read •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/write •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.SqlVirtualMachine/sqlVirtualMachines/read •Microsoft.SqlVirtualMachine/sqlVirtualMachines/write | ||||
| a9b99099-ead7-47db-8fcf-072597a61dfa | Bayer Ag Powered Services CWUM Solution | Provide access to CWUM Solution by Bayer Ag Powered Services | False |
00017 effective data plane operations (unique) •action: 3 •delete: 2 •read: 6 •write: 6 |
DataActions: 009 resolved data operations: 17 effective data operations: 17 •action: 3 •delete: 2 •read: 6 •write: 6 •Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read •Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/write •Microsoft.AgFoodPlatform/farmBeats/parties/farms/read •Microsoft.AgFoodPlatform/farmBeats/parties/farms/write •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/write •Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/* •Microsoft.AgFoodPlatform/farmBeats/scenes/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* | ||||
| 0ab34830-df19-4f8c-b84e-aa85b8afa6e8 | Azure Front Door Domain Contributor | For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users. | False |
00005 effective control plane operations (unique) •delete: 1 •read: 3 •write: 1 |
Actions: 005 resolved operations: 5 effective operations: 5 •delete: 1 •read: 3 •write: 1 •Microsoft.Cdn/operationresults/profileresults/customdomainresults/read •Microsoft.Cdn/profiles/customdomains/read •Microsoft.Cdn/profiles/customdomains/write •Microsoft.Cdn/profiles/customdomains/delete •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 3f2eb865-5811-4578-b90a-6fc6fa0df8e5 | Azure Front Door Secret Contributor | For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users. | False |
00005 effective control plane operations (unique) •delete: 1 •read: 3 •write: 1 |
Actions: 005 resolved operations: 5 effective operations: 5 •delete: 1 •read: 3 •write: 1 •Microsoft.Cdn/operationresults/profileresults/secretresults/read •Microsoft.Cdn/profiles/secrets/read •Microsoft.Cdn/profiles/secrets/write •Microsoft.Cdn/profiles/secrets/delete •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 0f99d363-226e-4dca-9920-b807cf8e1a5f | Azure Front Door Domain Reader | For internal use within Azure. Can view Azure Front Door domains, but can't make changes. | False |
00003 effective control plane operations (unique) •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.Cdn/operationresults/profileresults/customdomainresults/read •Microsoft.Cdn/profiles/customdomains/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 0db238c4-885e-4c4f-a933-aa2cef684fca | Azure Front Door Secret Reader | For internal use within Azure. Can view Azure Front Door secrets, but can't make changes. | False |
00003 effective control plane operations (unique) •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.Cdn/operationresults/profileresults/secretresults/read •Microsoft.Cdn/profiles/secrets/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| d18ad5f3-1baf-4119-b49b-d944edb1f9d0 | MySQL Backup And Export Operator | Grants full access to manage backup and export resources | False |
00006 effective control plane operations (unique) •action: 2 •read: 4 |
Actions: 006 resolved operations: 6 effective operations: 6 •action: 2 •read: 4 •Microsoft.DBforMySQL/flexibleServers/validateBackup/action •Microsoft.DBforMySQL/flexibleServers/backupAndExport/action •Microsoft.DBforMySQL/locations/operationResults/read •Microsoft.DBforMySQL/locations/azureAsyncOperation/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2 | LocalNGFirewallAdministrator role | Allows user to create, modify, describe, or delete NGFirewalls. | False |
00083 effective control plane operations (unique) •: 1 •Action: 16 •Delete: 4 •read: 55 •Write: 7 |
Actions: 028 resolved operations: 83 effective operations: 83 •: 1 •Action: 16 •Delete: 4 •read: 55 •Write: 7 •PaloAltoNetworks.Cloudngfw/firewalls/* •PaloAltoNetworks.Cloudngfw/localRulestacks/read •PaloAltoNetworks.Cloudngfw/globalRulestacks/read •PaloAltoNetworks.Cloudngfw/Locations/operationStatuses/read •Microsoft.OperationalInsights/workspaces/write •Microsoft.OperationalInsights/workspaces/sharedKeys/read •Microsoft.OperationalInsights/workspaces/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metrics/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Support/* •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/publicIPAddresses/write •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/networkVirtualAppliances/read •Microsoft.Network/networkVirtualAppliances/write •Microsoft.Network/networkVirtualAppliances/delete •Microsoft.Network/virtualHubs/read •Microsoft.Network/virtualWans/read •Microsoft.Network/virtualWans/virtualHubs/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/join/action | ||||
| bda0d508-adf1-4af0-9c28-88919fc3ae06 | Azure Stack HCI Administrator | Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader | True |
00207 effective control plane operations (unique) •Action: 48 •delete: 30 •read: 97 •write: 32 |
Actions: 089 resolved operations: 207 effective operations: 207 •Action: 48 •delete: 30 •read: 97 •write: 32 •Microsoft.AzureStackHCI/register/action •Microsoft.AzureStackHCI/Unregister/Action •Microsoft.AzureStackHCI/clusters/* •Microsoft.HybridCompute/register/action •Microsoft.GuestConfiguration/register/action •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Resources/subscriptions/resourceGroups/delete •Microsoft.HybridConnectivity/register/action •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/read •Microsoft.Management/managementGroups/read •Microsoft.Support/* •Microsoft.AzureStackHCI/* •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/licenses/delete •Microsoft.ResourceConnector/register/action •Microsoft.ResourceConnector/appliances/read •Microsoft.ResourceConnector/appliances/write •Microsoft.ResourceConnector/appliances/delete •Microsoft.ResourceConnector/locations/operationresults/read •Microsoft.ResourceConnector/locations/operationsstatus/read •Microsoft.ResourceConnector/appliances/listClusterUserCredential/action •Microsoft.ResourceConnector/appliances/listKeys/action •Microsoft.ResourceConnector/operations/read •Microsoft.ExtendedLocation/register/action •Microsoft.ExtendedLocation/customLocations/read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/write •Microsoft.ExtendedLocation/customLocations/delete •Microsoft.EdgeMarketplace/offers/read •Microsoft.EdgeMarketplace/publishers/read •Microsoft.Kubernetes/register/action •Microsoft.KubernetesConfiguration/register/action •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/namespaces/read •Microsoft.KubernetesConfiguration/operations/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.AzureStackHCI/StorageContainers/Write •Microsoft.AzureStackHCI/StorageContainers/Read •Microsoft.HybridContainerService/register/action | ||||
| bfc3b73d-c6ff-45eb-9a5f-40298295bf20 | LocalRulestacksAdministrator role | Allows users to create, modify, describe, or delete Rulestacks. | False |
00083 effective control plane operations (unique) •: 1 •Action: 22 •Delete: 7 •read: 45 •Write: 8 |
Actions: 007 resolved operations: 83 effective operations: 83 •: 1 •Action: 22 •Delete: 7 •read: 45 •Write: 8 •PaloAltoNetworks.Cloudngfw/localRulestacks/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Authorization/*/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Insights/alertRules/* •Microsoft.Support/* | ||||
| 7392c568-9289-4bde-aaaa-b7131215889d | Azure Extension for SQL Server Deployment | Microsoft.AzureArcData service role to enable deployment of Azure Extension for SQL Server | False |
00002 effective control plane operations (unique) •write: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •write: 2 •Microsoft.Resources/deployments/write •Microsoft.HybridCompute/machines/extensions/write | count: 002 •[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. •Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates. | |||
| d6470a16-71bd-43ab-86b3-6f3a73f4e787 | Azure Maps Data Read and Batch Role | This role can be used to assign read and batch actions on Azure Maps. | False |
00013 effective data plane operations (unique) •action: 1 •read: 12 |
DataActions: 002 resolved data operations: 13 effective data operations: 13 •action: 1 •read: 12 •Microsoft.Maps/accounts/services/*/read •Microsoft.Maps/accounts/services/batch/action | ||||
| ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 | API Management Workspace Reader | Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. | False |
00069 effective control plane operations (unique) •read: 69 |
Actions: 002 resolved operations: 69 effective operations: 69 •read: 69 •Microsoft.ApiManagement/service/workspaces/*/read •Microsoft.Authorization/*/read | ||||
| 73c2c328-d004-4c5e-938c-35c6f5679a1f | API Management Workspace API Product Manager | Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. | False |
00106 effective control plane operations (unique) •action: 4 •delete: 16 •read: 69 •write: 17 |
Actions: 007 resolved operations: 106 effective operations: 106 •action: 4 •delete: 16 •read: 69 •write: 17 •Microsoft.ApiManagement/service/workspaces/*/read •Microsoft.ApiManagement/service/workspaces/products/* •Microsoft.ApiManagement/service/workspaces/subscriptions/* •Microsoft.ApiManagement/service/workspaces/groups/* •Microsoft.ApiManagement/service/workspaces/tags/* •Microsoft.ApiManagement/service/workspaces/notifications/* •Microsoft.Authorization/*/read | ||||
| 56328988-075d-4c6a-8766-d93edd6725b6 | API Management Workspace API Developer | Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. | False |
00123 effective control plane operations (unique) •action: 3 •delete: 25 •read: 69 •write: 26 |
Actions: 010 resolved operations: 123 effective operations: 123 •action: 3 •delete: 25 •read: 69 •write: 26 •Microsoft.ApiManagement/service/workspaces/*/read •Microsoft.ApiManagement/service/workspaces/apis/* •Microsoft.ApiManagement/service/workspaces/apiVersionSets/* •Microsoft.ApiManagement/service/workspaces/policies/* •Microsoft.ApiManagement/service/workspaces/schemas/* •Microsoft.ApiManagement/service/workspaces/products/* •Microsoft.ApiManagement/service/workspaces/policyFragments/* •Microsoft.ApiManagement/service/workspaces/namedValues/* •Microsoft.ApiManagement/service/workspaces/tags/* •Microsoft.Authorization/*/read | ||||
| d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da | API Management Service Workspace API Product Manager | Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. | False |
00047 effective control plane operations (unique) •delete: 5 •read: 37 •write: 5 |
Actions: 011 resolved operations: 47 effective operations: 47 •delete: 5 •read: 37 •write: 5 •Microsoft.ApiManagement/service/users/read •Microsoft.ApiManagement/service/tags/read •Microsoft.ApiManagement/service/tags/apiLinks/* •Microsoft.ApiManagement/service/tags/operationLinks/* •Microsoft.ApiManagement/service/tags/productLinks/* •Microsoft.ApiManagement/service/products/read •Microsoft.ApiManagement/service/products/apiLinks/* •Microsoft.ApiManagement/service/groups/read •Microsoft.ApiManagement/service/groups/users/* •Microsoft.ApiManagement/service/read •Microsoft.Authorization/*/read | ||||
| 9565a273-41b9-4368-97d2-aeb0c976a9b3 | API Management Service Workspace API Developer | Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. | False |
00042 effective control plane operations (unique) •delete: 4 •read: 34 •write: 4 |
Actions: 008 resolved operations: 42 effective operations: 42 •delete: 4 •read: 34 •write: 4 •Microsoft.ApiManagement/service/tags/read •Microsoft.ApiManagement/service/tags/apiLinks/* •Microsoft.ApiManagement/service/tags/operationLinks/* •Microsoft.ApiManagement/service/tags/productLinks/* •Microsoft.ApiManagement/service/products/read •Microsoft.ApiManagement/service/products/apiLinks/* •Microsoft.ApiManagement/service/read •Microsoft.Authorization/*/read | ||||
| 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 | API Management Workspace Contributor | Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. | False |
00153 effective control plane operations (unique) •action: 9 •delete: 36 •read: 70 •write: 38 |
Actions: 002 resolved operations: 153 effective operations: 153 •action: 9 •delete: 36 •read: 70 •write: 38 •Microsoft.ApiManagement/service/workspaces/* •Microsoft.Authorization/*/read | ||||
| b8eda974-7b85-4f76-af95-65846b26df6d | Storage File Data Privileged Reader | Customer has read access on Azure Storage file shares. | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read •Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | ||||
| 69566ab7-960f-475b-8e7c-b3118f30c6bd | Storage File Data Privileged Contributor | Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares. | False |
00006 effective data plane operations (unique) •action: 3 •delete: 1 •read: 1 •write: 1 |
DataActions: 006 resolved data operations: 6 effective data operations: 6 •action: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action •Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action •Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action | ||||
| 7eabc9a4-85f7-4f71-b8ab-75daaccc1033 | Windows 365 Network User | This role is used by Windows 365 to read virtual networks and join the designated virtual networks. | False |
00004 effective control plane operations (unique) •action: 1 •read: 3 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 1 •read: 3 •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/usages/read •Microsoft.Network/virtualNetworks/subnets/join/action | ||||
| 1f135831-5bbe-4924-9016-264044c00788 | Windows 365 Network Interface Contributor | This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces. | False |
00015 effective control plane operations (unique) •action: 3 •delete: 2 •read: 8 •write: 2 |
Actions: 015 resolved operations: 15 effective operations: 15 •action: 3 •delete: 2 •read: 8 •write: 2 •Microsoft.Resources/subscriptions/resourcegroups/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Network/locations/operations/read •Microsoft.Network/locations/operationResults/read •Microsoft.Network/locations/usages/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action •Microsoft.Network/networkInterfaces/effectiveRouteTable/action | ||||
| 3d55a8f6-4133-418d-8051-facdb1735758 | Windows365SubscriptionReader | Read subscriptions, images, azure firewalls. This role is used in Windows365 scenarios. | False |
00029 effective control plane operations (unique) •read: 29 |
Actions: 003 resolved operations: 29 effective operations: 29 •read: 29 •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Authorization/*/read | ||||
| 0f37683f-2463-46b6-9ce7-9b788b988ba2 | App Compliance Automation Administrator | Create, read, download, modify and delete reports objects and related other resource objects. | False |
06756 effective control plane operations (unique) •action: 21 •delete: 6 •read: 6717 •write: 12 |
Actions: 028 resolved operations: 6756 effective operations: 6756 •action: 21 •delete: 6 •read: 6717 •write: 12 •Microsoft.AppComplianceAutomation/* •Microsoft.Storage/storageAccounts/blobServices/write •Microsoft.Storage/storageAccounts/fileservices/write •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/write •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.PolicyInsights/policyStates/queryResults/action •Microsoft.PolicyInsights/policyStates/triggerEvaluation/action •Microsoft.Resources/resources/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/resources/read •Microsoft.Resources/subscriptions/resources/read •Microsoft.Resources/subscriptions/resourceGroups/delete •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Resources/tags/read •Microsoft.Resources/deployments/validate/action •Microsoft.Security/automations/read •Microsoft.Resources/deployments/write •Microsoft.Security/automations/delete •Microsoft.Security/automations/write •Microsoft.Security/register/action •Microsoft.Security/unregister/action •*/read | ||||
| ffc6bbe0-e443-4c3b-bf54-26581bb2f78e | App Compliance Automation Reader | Read, download the reports objects and related other resource objects. | False |
06717 effective control plane operations (unique) •read: 6717 |
Actions: 001 resolved operations: 6717 effective operations: 6717 •read: 6717 •*/read | ||||
| 8b9dfcab-4b77-4632-a6df-94bd07820648 | Azure Sphere Contributor | Allows user read and write access to Azure Sphere resources. | False |
00086 effective control plane operations (unique) •: 1 •action: 22 •delete: 9 •read: 44 •write: 10 |
Actions: 007 resolved operations: 86 effective operations: 86 •: 1 •action: 22 •delete: 9 •read: 44 •write: 10 •Microsoft.AzureSphere/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/DiagnosticSettingsCategories/Read | ||||
| e9b8712a-cbcf-4ea7-b0f7-e71b803401e6 | SaaS Hub Contributor | SaaS Hub contributor can manage SaaS Hub resource | False |
00004 effective control plane operations (unique) •delete: 1 •read: 2 •write: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •delete: 1 •read: 2 •write: 1 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SaaSHub/cloudservices/read •Microsoft.SaaSHub/cloudservices/write •Microsoft.SaaSHub/cloudservices/delete | ||||
| c8ae6279-5a0b-4cb2-b3f0-d4d62845742c | Azure Sphere Reader | Allows user to read Azure Sphere resources. | False |
00046 effective control plane operations (unique) •action: 8 •read: 38 |
Actions: 012 resolved operations: 46 effective operations: 46 •action: 8 •read: 38 •Microsoft.AzureSphere/*/read •Microsoft.AzureSphere/catalogs/countDevices/action •Microsoft.AzureSphere/catalogs/listDeviceGroups/action •Microsoft.AzureSphere/catalogs/listDeviceInsights/action •Microsoft.AzureSphere/catalogs/listDevices/action •Microsoft.AzureSphere/catalogs/listDeployments/action •Microsoft.AzureSphere/catalogs/products/countDevices/action •Microsoft.AzureSphere/catalogs/products/deviceGroups/countDevices/action •Microsoft.AzureSphere/catalogs/certificates/retrieveCertChain/action •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/DiagnosticSettings/Read | ||||
| 6d994134-994b-4a59-9974-f479f0b227fb | Azure Sphere Publisher | Allows user to read and download Azure Sphere resources and upload images. | False |
00048 effective control plane operations (unique) •action: 9 •read: 38 •write: 1 |
Actions: 014 resolved operations: 48 effective operations: 48 •action: 9 •read: 38 •write: 1 •Microsoft.AzureSphere/*/read •Microsoft.AzureSphere/catalogs/countDevices/action •Microsoft.AzureSphere/catalogs/listDeviceGroups/action •Microsoft.AzureSphere/catalogs/listDeviceInsights/action •Microsoft.AzureSphere/catalogs/listDevices/action •Microsoft.AzureSphere/catalogs/products/countDevices/action •Microsoft.AzureSphere/catalogs/products/deviceGroups/countDevices/action •Microsoft.AzureSphere/catalogs/certificates/retrieveProofOfPossessionNonce/action •Microsoft.AzureSphere/catalogs/certificates/retrieveCertChain/action •Microsoft.AzureSphere/catalogs/images/write •Microsoft.AzureSphere/catalogs/uploadImage/action •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/DiagnosticSettings/Read | ||||
| be1a1ac2-09d3-4261-9e57-a73a6e227f53 | Procurement Contributor | Lets you manage the procurement of products and services. | False |
00020 effective control plane operations (unique) •action: 6 •delete: 4 •read: 6 •write: 4 |
Actions: 020 resolved operations: 20 effective operations: 20 •action: 6 •delete: 4 •read: 6 •write: 4 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SaaSHub/cloudservices/read •Microsoft.SaaSHub/cloudservices/write •Microsoft.SaaSHub/cloudservices/delete •Microsoft.SaaSHub/register/action •Microsoft.SaaS/resources/read •Microsoft.SaaS/resources/write •Microsoft.SaaS/resources/delete •Microsoft.SaaS/register/action •Microsoft.ProfessionalService/resources/read •Microsoft.ProfessionalService/resources/write •Microsoft.ProfessionalService/resources/delete •Microsoft.ProfessionalService/register/action •Microsoft.BillingBenefits/register/action •Microsoft.BillingBenefits/maccs/read •Microsoft.BillingBenefits/maccs/write •Microsoft.BillingBenefits/maccs/delete •Microsoft.BillingBenefits/maccs/cancel/action •Microsoft.BillingBenefits/maccs/chargeShortfall/action •Microsoft.BillingBenefits/maccs/contributors/read | ||||
| ea01e6af-a1c1-4350-9563-ad00f8c72ec5 | Azure Machine Learning Workspace Connection Secrets Reader | Can list workspace connection secrets | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.MachineLearningServices/workspaces/connections/listsecrets/action •Microsoft.MachineLearningServices/workspaces/metadata/secrets/read | ||||
| 79b01272-bf9f-4f4c-9517-5506269cf524 | Cognitive Search Serverless Data Reader (Deprecated) | This role has been deprecated | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.CognitiveSearch/indexes/schema/read •Microsoft.CognitiveSearch/indexes/documents/read | ||||
| 7ac06ca7-21ca-47e3-a67b-cbd6e6223baf | Cognitive Search Serverless Data Contributor (Deprecated) | This role has been deprecated | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.CognitiveSearch/indexes/schema/* •Microsoft.CognitiveSearch/indexes/documents/* | ||||
| 5e28a61e-8040-49db-b175-bb5b88af6239 | Community Owner Role | Community Owner Role to access the resources of Microsoft.Mission stored with RPSAAS. | False |
00065 effective control plane operations (unique) •action: 2 •delete: 7 •read: 47 •write: 9 |
Actions: 039 resolved operations: 65 effective operations: 65 •action: 2 •delete: 7 •read: 47 •write: 9 •Microsoft.Mission/register/action •Microsoft.Mission/unregister/action •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Locations/OperationStatuses/write •Microsoft.Mission/Operations/read •Microsoft.Mission/catalogs/read •Microsoft.Mission/catalogs/write •Microsoft.Mission/catalogs/delete •Microsoft.Mission/communities/read •Microsoft.Mission/communities/write •Microsoft.Mission/communities/delete •Microsoft.Mission/internalConnections/read •Microsoft.Mission/internalConnections/write •Microsoft.Mission/internalConnections/delete •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/write •Microsoft.Mission/virtualEnclaves/delete •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Mission/virtualEnclaves/workloads/write •Microsoft.Mission/virtualEnclaves/workloads/delete •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Features/providers/features/read •Microsoft.Features/features/read •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/communityEndpoints/write •Microsoft.Mission/communities/communityEndpoints/delete •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/communities/transitHubs/write •Microsoft.Mission/communities/transitHubs/delete •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read | ||||
| 9c1607d1-791d-4c68-885d-c7b7aaff7c8a | Firmware Analysis Admin | Upload and analyze firmware images in Defender for IoT | False |
00090 effective control plane operations (unique) •action: 35 •delete: 5 •read: 44 •write: 6 |
Actions: 004 resolved operations: 90 effective operations: 90 •action: 35 •delete: 5 •read: 44 •write: 6 •Microsoft.IoTFirmwareDefense/* •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* | ||||
| 8b54135c-b56d-4d72-a534-26097cfdc8d8 | Key Vault Data Access Administrator | Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. | True |
00063 effective control plane operations (unique) •action: 7 •delete: 2 •read: 51 •write: 3 |
Actions: 010 resolved operations: 63 effective operations: 63 •action: 7 •delete: 2 •read: 51 •write: 3 •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/read •Microsoft.Management/managementGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* •Microsoft.KeyVault/vaults/*/read | ||||
| 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 | Defender for Storage Data Scanner | Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. | False |
00004 effective control plane and data plane operations (unique) •read: 3 •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/read | DataActions: 003 resolved data operations: 3 effective data operations: 3 •read: 2 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | |||
| df2711a6-406d-41cf-b366-b0250bff9ad1 | Compute Diagnostics Role | Grants permissions to execute diagnostics provided by Compute Diagnostic Service for Compute Resources. | False |
00029 effective control plane operations (unique) •action: 2 •read: 27 |
Actions: 003 resolved operations: 29 effective operations: 29 •action: 2 •read: 27 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/virtualmachinescalesets/disks/beginGetAccess/action | ||||
| fa6cecf6-5db3-4c43-8470-c540bcb4eafa | Elastic SAN Network Admin | Allows access to create Private Endpoints on SAN resources, and to read SAN resources | False |
00009 effective control plane operations (unique) •action: 1 •delete: 1 •read: 6 •write: 1 |
Actions: 005 resolved operations: 9 effective operations: 9 •action: 1 •delete: 1 •read: 6 •write: 1 •Microsoft.ElasticSan/elasticSans/*/read •Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action •Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write •Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete •Microsoft.ElasticSan/locations/asyncoperations/read | ||||
| bba48692-92b0-4667-a9ad-c31c7b334ac2 | Cognitive Services Usages Reader | Minimal permission to view Cognitive Services usages. | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.CognitiveServices/locations/usages/read | ||||
| c088a766-074b-43ba-90d4-1fb21feae531 | PostgreSQL Flexible Server Long Term Retention Backup Role | Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup. | False |
00007 effective control plane operations (unique) •action: 2 •read: 5 |
Actions: 007 resolved operations: 7 effective operations: 7 •action: 2 •read: 5 •Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read •Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action •Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action •Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read •Microsoft.DBforPostgreSQL/locations/operationResults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a02f7c31-354d-4106-865a-deedf37fa038 | Search Parameter Manager | Role allows user or principal access to $status and $reindex to update search parameters | False |
00004 effective data plane operations (unique) •action: 2 •read: 1 •write: 1 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 2 •read: 1 •write: 1 •Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/write •Microsoft.HealthcareApis/workspaces/fhirservices/resources/searchparameter/action | ||||
| 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04 | Virtual Machine Data Access Administrator (preview) | Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. | True |
00074 effective control plane operations (unique) •action: 7 •delete: 2 •read: 62 •write: 3 |
Actions: 014 resolved operations: 74 effective operations: 74 •action: 7 •delete: 2 •read: 62 •write: 3 •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/read •Microsoft.Management/managementGroups/read •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Compute/virtualMachines/*/read •Microsoft.HybridCompute/machines/*/read •Microsoft.Resources/deployments/* •Microsoft.Support/* | ||||
| 4accf36b-2c05-432f-91c8-5c532dff4c73 | Logic Apps Standard Reader (Preview) | You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history. | False |
00343 effective control plane operations (unique) •: 1 •Action: 6 •Delete: 1 •read: 333 •Write: 2 |
Actions: 007 resolved operations: 343 effective operations: 343 •: 1 •Action: 6 •Delete: 1 •read: 333 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/*/read | ||||
| 523776ba-4eb2-4600-a3c8-f2dc93da4bdb | Logic Apps Standard Developer (Preview) | You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope. | False |
00374 effective control plane operations (unique) •: 1 •Action: 28 •Delete: 5 •read: 333 •Write: 7 |
Actions: 025 resolved operations: 374 effective operations: 374 •: 1 •Action: 28 •Delete: 5 •read: 333 •Write: 7 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/*/read •Microsoft.Web/connections/* •Microsoft.Web/customApis/* •Microsoft.Web/sites/config/list/Action •microsoft.web/sites/config/Write •microsoft.web/sites/config/web/appsettings/delete •microsoft.web/sites/config/web/appsettings/write •microsoft.web/sites/deployWorkflowArtifacts/action •microsoft.web/sites/hostruntime/* •microsoft.web/sites/listworkflowsconnections/action •Microsoft.Web/sites/publish/Action •microsoft.web/sites/slots/config/appsettings/write •Microsoft.Web/sites/slots/config/list/Action •microsoft.web/sites/slots/config/web/appsettings/delete •microsoft.web/sites/slots/deployWorkflowArtifacts/action •microsoft.web/sites/slots/listworkflowsconnections/action •Microsoft.Web/sites/slots/publish/Action •microsoft.web/sites/workflows/* •microsoft.web/sites/workflowsconfiguration/* | ||||
| ad710c24-b039-4e85-a019-deb4a06e8570 | Logic Apps Standard Contributor (Preview) | You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership. | False |
00581 effective control plane operations (unique) •: 1 •Action: 117 •Delete: 60 •read: 333 •Write: 70 |
Actions: 013 resolved operations: 581 effective operations: 581 •: 1 •Action: 117 •Delete: 60 •read: 333 •Write: 70 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/*/read •Microsoft.Web/certificates/* •Microsoft.Web/connectionGateways/* •Microsoft.Web/connections/* •Microsoft.Web/customApis/* •Microsoft.Web/serverFarms/* •Microsoft.Web/sites/* | ||||
| b70c96e9-66fe-4c09-b6e7-c98e69c98555 | Logic Apps Standard Operator (Preview) | You can enable and disable the logic app, resubmit workflow runs, as well as create connections. You can't edit workflows or settings. | False |
00357 effective control plane operations (unique) •: 1 •Action: 19 •Delete: 1 •read: 333 •Write: 3 |
Actions: 019 resolved operations: 357 effective operations: 357 •: 1 •Action: 19 •Delete: 1 •read: 333 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/*/read •Microsoft.Web/sites/applySlotConfig/Action •microsoft.web/sites/hostruntime/* •Microsoft.Web/sites/restart/Action •Microsoft.Web/sites/slots/restart/Action •Microsoft.Web/sites/slots/slotsswap/Action •Microsoft.Web/sites/slots/start/Action •Microsoft.Web/sites/slots/stop/Action •Microsoft.Web/sites/slotsdiffs/Action •Microsoft.Web/sites/slotsswap/Action •Microsoft.Web/sites/start/Action •Microsoft.Web/sites/stop/Action •Microsoft.Web/sites/write | ||||
| 7b3e853f-ad5d-4fb5-a7b8-56a3581c7037 | IPAM Pool User | Read IPAM Pools and child resources. Create and remove associations. This role is in preview and subject to change. | False |
00006 effective control plane operations (unique) •action: 6 |
Actions: 002 resolved operations: 6 effective operations: 6 •action: 6 •Microsoft.Network/networkManagers/ipamPools/*/read •Microsoft.Network/networkManagers/ipamPools/*/action | ||||
| e9c9ed2b-2a99-4071-b2ff-5b113ebf73a1 | SpatialMapsAccounts Account Owner | Lets you manage data in your account, including deleting them | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.MixedReality/spatialMapsAccounts/read •Microsoft.MixedReality/spatialMapsAccounts/delete •Microsoft.MixedReality/spatialMapsAccounts/write | ||||
| 0b962ed2-6d56-471c-bd5f-3477d83a7ba4 | Azure Resource Notifications System Topics Subscriber | Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications | False |
00005 effective control plane operations (unique) •action: 3 •write: 2 |
Actions: 005 resolved operations: 5 effective operations: 5 •action: 3 •write: 2 •Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action •Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action •Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action •Microsoft.EventGrid/eventSubscriptions/write •Microsoft.EventGrid/systemTopics/eventSubscriptions/write | ||||
| 1c4770c0-34f7-4110-a1ea-a5855cc7a939 | Elastic SAN Snapshot Exporter | Allows for creating and exporting Snapshot of Elastic San Volume | False |
00076 effective control plane operations (unique) •action: 4 •delete: 3 •read: 66 •write: 3 |
Actions: 014 resolved operations: 76 effective operations: 76 •action: 4 •delete: 3 •read: 66 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ElasticSan/elasticSans/*/read •Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/write •Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/delete •Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/beginGetAccess/action •Microsoft.ElasticSan/locations/* •Microsoft.Compute/locations/* •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/disks/delete •Microsoft.Compute/snapshots/read •Microsoft.Compute/snapshots/write •Microsoft.Compute/snapshots/delete | ||||
| 90e8b822-3e73-47b5-868a-787dc80c008f | Elastic SAN Volume Importer | Allows for Importing Elastic San Volume | False |
00071 effective control plane operations (unique) •action: 7 •read: 63 •write: 1 |
Actions: 012 resolved operations: 71 effective operations: 71 •action: 7 •read: 63 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ElasticSan/elasticSans/volumeGroups/*/read •Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/write •Microsoft.ElasticSan/locations/* •Microsoft.Compute/locations/* •Microsoft.Compute/disks/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/disks/endGetAccess/action •Microsoft.Compute/snapshots/read •Microsoft.Compute/snapshots/beginGetAccess/action •Microsoft.Compute/snapshots/endGetAccess/action | ||||
| 49435da6-99fe-48a5-a235-fc668b9dc04a | Community Contributor Role | Community Contributor Role to access the resources of Microsoft.Mission stored with RPSAAS. | False |
00062 effective control plane operations (unique) •action: 2 •read: 49 •write: 11 |
Actions: 036 resolved operations: 62 effective operations: 62 •action: 2 •read: 49 •write: 11 •Microsoft.Mission/register/action •Microsoft.Mission/unregister/action •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Locations/OperationStatuses/write •Microsoft.Mission/Operations/read •Microsoft.Mission/catalogs/read •Microsoft.Mission/catalogs/write •Microsoft.Mission/communities/read •Microsoft.Mission/communities/write •Microsoft.Mission/internalConnections/read •Microsoft.Mission/internalConnections/write •Microsoft.Mission/externalConnections/read •Microsoft.Mission/externalConnections/write •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/write •Microsoft.Mission/virtualEnclaves/endpoints/read •Microsoft.Mission/virtualEnclaves/endpoints/write •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Mission/virtualEnclaves/workloads/write •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Features/providers/features/read •Microsoft.Features/features/read •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/communityEndpoints/write •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/communities/transitHubs/write •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read | ||||
| 4b0f2fd7-60b4-4eca-896f-4435034f8bf5 | EventGrid TopicSpaces Subscriber | Lets you subscribe messages on topicspaces. | False |
00119 effective control plane and data plane operations (unique) •: 1 •action: 8 •Delete: 2 •read: 106 •Write: 2 |
Actions: 005 resolved operations: 118 effective operations: 118 •: 1 •Action: 7 •Delete: 2 •read: 106 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.EventGrid/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventGrid/topicSpaces/subscribe/action | |||
| a12b0b94-b317-4dcd-84a8-502ce99884c6 | EventGrid TopicSpaces Publisher | Lets you publish messages on topicspaces. | False |
00119 effective control plane and data plane operations (unique) •: 1 •action: 8 •Delete: 2 •read: 106 •Write: 2 |
Actions: 005 resolved operations: 118 effective operations: 118 •: 1 •Action: 7 •Delete: 2 •read: 106 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.EventGrid/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventGrid/topicSpaces/publish/action | |||
| d1a38570-4b05-4d70-b8e4-1100bcf76d12 | Data Boundary Tenant Administrator | Allows tenant level administration for data boundaries. | False |
00038 effective control plane operations (unique) •action: 4 •delete: 1 •read: 31 •write: 2 |
Actions: 004 resolved operations: 38 effective operations: 38 •action: 4 •delete: 1 •read: 31 •write: 2 •Microsoft.Resources/dataBoundaries/write •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 8a90fa6b-6997-4a07-8a95-30633a7c97b9 | DeID Batch Data Owner | Create and manage DeID batch jobs. This role is in preview and subject to change. | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.HealthDataAIServices/DeidServices/Batch/write •Microsoft.HealthDataAIServices/DeidServices/Batch/delete •Microsoft.HealthDataAIServices/DeidServices/Batch/read | ||||
| b73a14ee-91f5-41b7-bd81-920e12466be9 | DeID Batch Data Reader | Read DeID batch jobs. This role is in preview and subject to change. | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.HealthDataAIServices/DeidServices/Batch/read | NotDataActions: 002 resolved not data operations: 2 effective not data operations: 3120 •Microsoft.HealthDataAIServices/DeidServices/Batch/write •Microsoft.HealthDataAIServices/DeidServices/Batch/delete | |||
| bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e | DeID Realtime Data User | Execute requests against DeID realtime endpoint. This role is in preview and subject to change. | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.HealthDataAIServices/DeidServices/Realtime/action | ||||
| fa0d39e6-28e5-40cf-8521-1eb320653a4c | Carbon Optimization Reader | Allow read access to Azure Carbon Optimization data | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.Carbon/carbonEmissionReports/action | ||||
| 38863829-c2a4-4f8d-b1d2-2e325973ebc7 | Landing Zone Management Owner | Microsoft.Sovereign Landing Zone Management Owner allowing to review and modify Landing Zone Configurations as well as reading and adding Landing Zone Registrations. Also enables read-access to policies and management groups for enabling the full user experience of the Sovereign Services RP in the Azure Portal (as otherwise some elements might not be accessible to end users). | False |
00045 effective control plane operations (unique) •action: 7 •delete: 3 •read: 32 •write: 3 |
Actions: 004 resolved operations: 45 effective operations: 45 •action: 7 •delete: 3 •read: 32 •write: 3 •Microsoft.Sovereign/landingZoneConfigurations/* •Microsoft.Sovereign/landingZoneRegistrations/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* | ||||
| 8fe6e843-6d9e-417b-9073-106b048f50bb | Landing Zone Management Reader | Microsoft.Sovereign Landing Zone Management Reader allowing to review Landing Zone Configurations and corresponding Registrations without the ability to modify. Also enables read-access to policies and management groups for enabling the full user experience of the Sovereign Services RP in the Azure Portal (as otherwise some elements might not be accessible to end users). | False |
00002 effective control plane operations (unique) •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Sovereign/landingZoneConfigurations/read •Microsoft.Sovereign/landingZoneRegistrations/read | ||||
| 865ae368-6a45-4bd1-8fbf-0d5151f56fc1 | Azure Stack HCI Device Management Role | Microsoft.AzureStackHCI Device Management Role | False |
00028 effective control plane operations (unique) •Action: 9 •Delete: 6 •Read: 7 •Write: 6 |
Actions: 003 resolved operations: 28 effective operations: 28 •Action: 9 •Delete: 6 •Read: 7 •Write: 6 •Microsoft.AzureStackHCI/Clusters/* •Microsoft.AzureStackHCI/EdgeDevices/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 4dae6930-7baf-46f5-909e-0383bc931c46 | Azure Customer Lockbox Approver for Subscription | Can approve Microsoft support requests to access specific resources contained within a subscription, or the subscription itself, when Customer Lockbox for Microsoft Azure is enabled on the tenant where the subscription resides. - in Public Preview. | False |
00032 effective control plane operations (unique) •action: 1 •read: 31 |
Actions: 006 resolved operations: 32 effective operations: 32 •action: 1 •read: 31 •Microsoft.Resources/subscriptions/read •Microsoft.CustomerLockbox/requests/UpdateApproval/action •Microsoft.CustomerLockbox/requests/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/eventtypes/values/read | ||||
| 7b1f81f9-4196-4058-8aae-762e593270df | Azure Resource Bridge Deployment Role | Azure Resource Bridge Deployment Role | False |
00036 effective control plane operations (unique) •Action: 10 •delete: 3 •read: 17 •Write: 6 |
Actions: 036 resolved operations: 36 effective operations: 36 •Action: 10 •delete: 3 •read: 17 •Write: 6 •Microsoft.Authorization/roleassignments/read •Microsoft.AzureStackHCI/Register/Action •Microsoft.ResourceConnector/register/action •Microsoft.ResourceConnector/appliances/read •Microsoft.ResourceConnector/appliances/write •Microsoft.ResourceConnector/appliances/delete •Microsoft.ResourceConnector/locations/operationresults/read •Microsoft.ResourceConnector/locations/operationsstatus/read •Microsoft.ResourceConnector/appliances/listClusterUserCredential/action •Microsoft.ResourceConnector/appliances/listKeys/action •Microsoft.ResourceConnector/appliances/upgradeGraphs/read •Microsoft.ResourceConnector/telemetryconfig/read •Microsoft.ResourceConnector/operations/read •Microsoft.ExtendedLocation/register/action •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/read •Microsoft.ExtendedLocation/customLocations/write •Microsoft.ExtendedLocation/customLocations/delete •Microsoft.HybridConnectivity/register/action •Microsoft.Kubernetes/register/action •Microsoft.KubernetesConfiguration/register/action •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/namespaces/read •Microsoft.KubernetesConfiguration/operations/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.HybridContainerService/register/action •Microsoft.HybridContainerService/kubernetesVersions/read •Microsoft.HybridContainerService/kubernetesVersions/write •Microsoft.HybridContainerService/skus/read •Microsoft.HybridContainerService/skus/write •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.AzureStackHCI/StorageContainers/Write •Microsoft.AzureStackHCI/StorageContainers/Read | ||||
| 874d1c73-6003-4e60-a13a-cb31ea190a85 | Azure Stack HCI VM Contributor | Grants permissions to perform all VM actions | False |
00121 effective control plane operations (unique) •action: 24 •Delete: 12 •read: 72 •Write: 13 |
Actions: 073 resolved operations: 121 effective operations: 121 •action: 24 •Delete: 12 •read: 72 •Write: 13 •Microsoft.AzureStackHCI/VirtualMachines/* •Microsoft.AzureStackHCI/virtualMachineInstances/* •Microsoft.AzureStackHCI/NetworkInterfaces/* •Microsoft.AzureStackHCI/VirtualHardDisks/* •Microsoft.AzureStackHCI/VirtualNetworks/Read •Microsoft.AzureStackHCI/VirtualNetworks/join/action •Microsoft.AzureStackHCI/LogicalNetworks/Read •Microsoft.AzureStackHCI/LogicalNetworks/join/action •Microsoft.AzureStackHCI/GalleryImages/Read •Microsoft.AzureStackHCI/GalleryImages/deploy/action •Microsoft.AzureStackHCI/StorageContainers/Read •Microsoft.AzureStackHCI/StorageContainers/deploy/action •Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read •Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action •Microsoft.AzureStackHCI/Clusters/Read •Microsoft.AzureStackHCI/Clusters/ArcSettings/Read •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/licenses/delete •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.KubernetesConfiguration/extensions/read | ||||
| 4b3fe76c-f777-4d24-a2d7-b027b0f7b273 | Azure Stack HCI VM Reader | Grants permissions to view VMs | False |
00066 effective control plane operations (unique) •Action: 4 •Delete: 1 •read: 60 •Write: 1 |
Actions: 040 resolved operations: 66 effective operations: 66 •Action: 4 •Delete: 1 •read: 60 •Write: 1 •Microsoft.AzureStackHCI/VirtualMachines/Read •Microsoft.AzureStackHCI/virtualMachineInstances/Read •Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read •Microsoft.AzureStackHCI/VirtualNetworks/Read •Microsoft.AzureStackHCI/LogicalNetworks/Read •Microsoft.AzureStackHCI/NetworkInterfaces/Read •Microsoft.AzureStackHCI/VirtualHardDisks/Read •Microsoft.AzureStackHCI/StorageContainers/Read •Microsoft.AzureStackHCI/GalleryImages/Read •Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read •Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read •Microsoft.HybridCompute/privateLinkScopes/read •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/operationresults/read | ||||
| 64702f94-c441-49e6-a78b-ef80e0188fee | Azure AI Developer | Can perform all actions within an Azure AI resource besides managing the resource itself. | False |
00494 effective control plane and data plane operations (unique) •action: 99 •delete: 83 •read: 209 •write: 103 |
Actions: 007 resolved operations: 294 effective operations: 289 •action: 53 •delete: 52 •read: 123 •write: 61 •Microsoft.MachineLearningServices/workspaces/*/read •Microsoft.MachineLearningServices/workspaces/*/action •Microsoft.MachineLearningServices/workspaces/*/delete •Microsoft.MachineLearningServices/workspaces/*/write •Microsoft.MachineLearningServices/locations/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* | NotActions: 007 resolved not operations: 7 effective not operations: 15097 •Microsoft.MachineLearningServices/workspaces/delete •Microsoft.MachineLearningServices/workspaces/write •Microsoft.MachineLearningServices/workspaces/listKeys/action •Microsoft.MachineLearningServices/workspaces/hubs/write •Microsoft.MachineLearningServices/workspaces/hubs/delete •Microsoft.MachineLearningServices/workspaces/featurestores/write •Microsoft.MachineLearningServices/workspaces/featurestores/delete | DataActions: 003 resolved data operations: 205 effective data operations: 205 •action: 46 •delete: 31 •read: 86 •write: 42 •Microsoft.CognitiveServices/accounts/OpenAI/* •Microsoft.CognitiveServices/accounts/SpeechServices/* •Microsoft.CognitiveServices/accounts/ContentSafety/* | ||
| eb960402-bf75-4cc3-8d68-35b34f960f72 | Deployment Environments Reader | Provides read access to environment resources. | False |
00036 effective control plane and data plane operations (unique) •action: 3 •read: 33 |
Actions: 004 resolved operations: 35 effective operations: 33 •read: 33 •Microsoft.DevCenter/projects/read •Microsoft.DevCenter/projects/*/read •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read | NotActions: 002 resolved not operations: 2 effective not operations: 15353 •Microsoft.DevCenter/projects/pools/read •Microsoft.DevCenter/projects/pools/schedules/read | DataActions: 003 resolved data operations: 3 effective data operations: 3 •action: 3 •Microsoft.DevCenter/projects/users/environments/adminRead/action •Microsoft.DevCenter/projects/users/environments/adminActionRead/action •Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action | ||
| 1d8c3fe3-8864-474b-8749-01e3783e8157 | EventGrid Data Contributor | Allows send and receive access to event grid events. | False |
00038 effective control plane and data plane operations (unique) •action: 2 •read: 36 |
Actions: 010 resolved operations: 36 effective operations: 36 •read: 36 •Microsoft.Authorization/*/read •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/topicTypes/eventSubscriptions/read •Microsoft.EventGrid/locations/eventSubscriptions/read •Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.EventGrid/topics/read •Microsoft.EventGrid/domains/read •Microsoft.EventGrid/partnerNamespaces/read •Microsoft.EventGrid/namespaces/read | DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.EventGrid/events/send/action •Microsoft.EventGrid/events/receive/action | |||
| 78cbd9e7-9798-4e2e-9b5a-547d9ebb31fb | EventGrid Data Receiver | Allows receive access to event grid events. | False |
00034 effective control plane and data plane operations (unique) •action: 1 •read: 33 |
Actions: 007 resolved operations: 33 effective operations: 33 •read: 33 •Microsoft.Authorization/*/read •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/topicTypes/eventSubscriptions/read •Microsoft.EventGrid/locations/eventSubscriptions/read •Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.EventGrid/namespaces/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventGrid/events/receive/action | |||
| 3afb7f49-54cb-416e-8c09-6dc049efa503 | Azure AI Inference Deployment Operator | Can perform all actions required to create a resource deployment within a resource group. | False |
00037 effective control plane operations (unique) •action: 4 •delete: 1 •read: 30 •Write: 2 |
Actions: 003 resolved operations: 37 effective operations: 37 •action: 4 •delete: 1 •read: 30 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Insights/AutoscaleSettings/write | ||||
| 65a14201-8f6c-4c28-bec4-12619c5a9aaa | Connected Cluster Managed Identity CheckAccess Reader | Built-in role that allows a Connected Cluster managed identity to call the checkAccess API | False |
00027 effective control plane operations (unique) •read: 27 |
Actions: 001 resolved operations: 27 effective operations: 27 •read: 27 •Microsoft.Authorization/*/read | ||||
| c64499e0-74c3-47ad-921c-13865957895c | Advisor Reviews Reader | View reviews for a workload and recommendations linked to them. | False |
00002 effective control plane operations (unique) •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Advisor/resiliencyReviews/read •Microsoft.Advisor/triageRecommendations/read | ||||
| 8aac15f0-d885-4138-8afa-bfb5872f7d13 | Advisor Reviews Contributor | View reviews for a workload and triage recommendations linked to them. | False |
00050 effective control plane operations (unique) •: 1 •action: 10 •Delete: 2 •read: 35 •Write: 2 |
Actions: 009 resolved operations: 50 effective operations: 50 •: 1 •action: 10 •Delete: 2 •read: 35 •Write: 2 •Microsoft.Advisor/resiliencyReviews/read •Microsoft.Advisor/triageRecommendations/read •Microsoft.Advisor/triageRecommendations/approve/action •Microsoft.Advisor/triageRecommendations/reject/action •Microsoft.Advisor/triageRecommendations/reset/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a8d4b70f-0fb9-4f72-b267-b87b2f990aec | AgFood Platform Dataset Admin | Provides access to Dataset APIs | False |
00012 effective data plane operations (unique) •action: 6 •delete: 2 •read: 2 •write: 2 |
DataActions: 002 resolved data operations: 12 effective data operations: 12 •action: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.AgFoodPlatform/farmBeats/datasets/* •Microsoft.AgFoodPlatform/farmBeats/datasetRecords/* | ||||
| 662802e2-50f6-46b0-aed2-e834bacc6d12 | Azure Front Door Profile Reader | Can view AFD standard and premium profiles and their endpoints, but can't make changes. | False |
00149 effective control plane operations (unique) •: 1 •action: 38 •delete: 18 •read: 74 •write: 18 |
Actions: 017 resolved operations: 149 effective operations: 149 •: 1 •action: 38 •delete: 18 •read: 74 •write: 18 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action •Microsoft.Cdn/profiles/queryloganalyticsmetrics/action •Microsoft.Cdn/profiles/queryloganalyticsrankings/action •Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action •Microsoft.Cdn/profiles/querywafloganalyticsrankings/action •Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action •Microsoft.Cdn/profiles/Usages/action •Microsoft.Cdn/profiles/afdendpoints/Usages/action •Microsoft.Cdn/profiles/origingroups/Usages/action •Microsoft.Cdn/profiles/rulesets/Usages/action | ||||
| 86fede04-b259-4277-8c3e-e26b9865abd8 | Enclave Reader Role | Enclave Reader Role to access the resources of Microsoft.Mission stored with RPSAAS. | False |
00064 effective control plane operations (unique) •: 1 •Action: 7 •Delete: 3 •read: 50 •Write: 3 |
Actions: 023 resolved operations: 64 effective operations: 64 •: 1 •Action: 7 •Delete: 3 •read: 50 •Write: 3 •Microsoft.Mission/Operations/read •Microsoft.Mission/catalogs/read •Microsoft.Mission/catalogs/write •Microsoft.Mission/catalogs/delete •Microsoft.Mission/communities/read •Microsoft.Mission/internalConnections/read •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/endpoints/read •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Features/providers/features/read •Microsoft.Features/features/read •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read | ||||
| b5092dac-c796-4349-8681-1a322a31c3f9 | Azure Kubernetes Service Hybrid Cluster Admin Role | List cluster admin credential action. | False |
00003 effective control plane operations (unique) •action: 1 •read: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 2 •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action •Microsoft.Kubernetes/connectedClusters/Read | ||||
| fc3f91a1-40bf-4439-8c46-45edbd83563a | Azure Kubernetes Service Hybrid Cluster User Role | List cluster user credential action. | False |
00003 effective control plane operations (unique) •action: 1 •read: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 2 •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action •Microsoft.Kubernetes/connectedClusters/Read | ||||
| e7037d40-443a-4434-a3fb-8cd202011e1d | Azure Kubernetes Service Hybrid Contributor Role | Grants access to read and write Azure Kubernetes Services hybrid clusters | False |
00024 effective control plane operations (unique) •action: 2 •delete: 6 •read: 10 •write: 6 |
Actions: 024 resolved operations: 24 effective operations: 24 •action: 2 •delete: 6 •read: 10 •write: 6 •Microsoft.HybridContainerService/Locations/operationStatuses/read •Microsoft.HybridContainerService/Operations/read •Microsoft.HybridContainerService/kubernetesVersions/read •Microsoft.HybridContainerService/kubernetesVersions/write •Microsoft.HybridContainerService/kubernetesVersions/delete •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.HybridContainerService/provisionedClusterInstances/write •Microsoft.HybridContainerService/provisionedClusterInstances/delete •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete •Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read •Microsoft.HybridContainerService/skus/read •Microsoft.HybridContainerService/skus/write •Microsoft.HybridContainerService/skus/delete •Microsoft.HybridContainerService/virtualNetworks/read •Microsoft.HybridContainerService/virtualNetworks/write •Microsoft.HybridContainerService/virtualNetworks/delete •Microsoft.Kubernetes/connectedClusters/Read •Microsoft.Kubernetes/connectedClusters/Write •Microsoft.Kubernetes/connectedClusters/Delete •Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/read | ||||
| 3d5f3eff-eb94-473d-91e3-7aac74d6c0bb | Enclave Owner Role | Enclave Owner Role to access the resources of Microsoft.Mission stored with RPSAAS. | False |
00061 effective control plane operations (unique) •delete: 6 •read: 47 •write: 8 |
Actions: 035 resolved operations: 61 effective operations: 61 •delete: 6 •read: 47 •write: 8 •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Locations/OperationStatuses/write •Microsoft.Mission/Operations/read •Microsoft.Mission/catalogs/read •Microsoft.Mission/catalogs/write •Microsoft.Mission/catalogs/delete •Microsoft.Mission/internalConnections/read •Microsoft.Mission/internalConnections/write •Microsoft.Mission/internalConnections/delete •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/write •Microsoft.Mission/virtualEnclaves/delete •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Mission/virtualEnclaves/workloads/write •Microsoft.Mission/virtualEnclaves/workloads/delete •Microsoft.Mission/communities/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Features/providers/features/read •Microsoft.Features/features/read •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/enclaveConnections/write •Microsoft.Mission/enclaveConnections/delete •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/write •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/delete | ||||
| e6aadb6b-e64f-41c0-9392-d2bba3bc3ebc | Community Reader Role | Community Reader Role to access the resources of Microsoft.Mission stored with RPSAAS. | False |
00064 effective control plane operations (unique) •: 1 •Action: 7 •Delete: 2 •read: 52 •Write: 2 |
Actions: 023 resolved operations: 64 effective operations: 64 •: 1 •Action: 7 •Delete: 2 •read: 52 •Write: 2 •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Operations/read •Microsoft.Mission/catalogs/read •Microsoft.Mission/communities/read •Microsoft.Mission/internalConnections/read •Microsoft.Mission/externalConnections/read •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/endpoints/read •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Features/providers/features/read •Microsoft.Features/features/read •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read | ||||
| 19feefae-eacc-4106-81fd-ac34c0671f14 | Enclave Contributor Role | Enclave Contributor Role to access the resources of Microsoft.Mission stored with RPSAAS. | False |
00059 effective control plane operations (unique) •action: 2 •read: 48 •write: 9 |
Actions: 033 resolved operations: 59 effective operations: 59 •action: 2 •read: 48 •write: 9 •Microsoft.Mission/register/action •Microsoft.Mission/unregister/action •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Locations/OperationStatuses/write •Microsoft.Mission/Operations/read •Microsoft.Mission/catalogs/read •Microsoft.Mission/catalogs/write •Microsoft.Mission/communities/read •Microsoft.Mission/internalConnections/read •Microsoft.Mission/internalConnections/write •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/write •Microsoft.Mission/virtualEnclaves/endpoints/read •Microsoft.Mission/virtualEnclaves/endpoints/write •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Mission/virtualEnclaves/workloads/write •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Features/providers/features/read •Microsoft.Features/features/read •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/enclaveConnections/write •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/write | ||||
| 44f0a1a8-6fea-4b35-980a-8ff50c487c97 | Operator Nexus Key Vault Writer Service Role (Preview) | (Preview) Provides Azure Operator Nexus services the ability to write to a Key Vault. This role is in preview and subject to change. | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.KeyVault/vaults/secrets/setSecret/action | ||||
| a316ed6d-1efe-48ac-ac08-f7995a9c26fb | Storage Account Encryption Scope Contributor Role | Allows management of Encryption Scopes on a Storage Account | False |
00002 effective control plane operations (unique) •read: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/encryptionScopes/read •Microsoft.Storage/storageAccounts/encryptionScopes/write | ||||
| 08bbd89e-9f13-488c-ac41-acfcb10c90ab | Key Vault Crypto Service Release User | Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.KeyVault/vaults/keys/release/action | ||||
| 0cd9749a-3aaf-4ae5-8803-bd217705bf3b | KubernetesRuntime Storage Class Contributor Role | Read, write, and delete KubernetesRuntime storage classes in an Arc connected Kubernetes cluster | False |
00048 effective control plane operations (unique) •: 1 •Action: 7 •Delete: 3 •read: 34 •Write: 3 |
Actions: 007 resolved operations: 48 effective operations: 48 •: 1 •Action: 7 •Delete: 3 •read: 34 •Write: 3 •Microsoft.KubernetesRuntime/storageClasses/read •Microsoft.KubernetesRuntime/storageClasses/write •Microsoft.KubernetesRuntime/storageClasses/delete •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 609c0c20-e0a0-4a71-b99f-e7e755ac493d | Azure Programmable Connectivity Gateway User | Allows access to all Gateway dataplane APIs. | False |
00046 effective control plane operations (unique) •: 1 •Action: 7 •Delete: 2 •read: 34 •Write: 2 |
Actions: 005 resolved operations: 46 effective operations: 46 •: 1 •Action: 7 •Delete: 2 •read: 34 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| db79e9a7-68ee-4b58-9aeb-b90e7c24fcba | Key Vault Certificate User | Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | False |
00004 effective data plane operations (unique) •action: 2 •read: 2 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 2 •read: 2 •Microsoft.KeyVault/vaults/certificates/read •Microsoft.KeyVault/vaults/secrets/getSecret/action •Microsoft.KeyVault/vaults/secrets/readMetadata/action •Microsoft.KeyVault/vaults/keys/read | ||||
| 4301dc2a-25a9-44b0-ae63-3636cf7f2bd2 | Azure Spring Apps Spring Cloud Gateway Log Reader Role | Read real-time logs for Spring Cloud Gateway in Azure Spring Apps | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.AppPlatform/Spring/read •Microsoft.AppPlatform/Spring/gateways/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/SpringCloudGateway/logstream/action | |||
| 52fd16bd-6ed5-46af-9c40-29cbd7952a29 | Azure Spring Apps Managed Components Log Reader Role | Read real-time logs for all managed components in Azure Spring Apps | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/managedComponents/logstream/action | ||||
| 6593e776-2a30-40f9-8a32-4fe28b77655d | Azure Spring Apps Application Configuration Service Log Reader Role | Read real-time logs for Application Configuration Service in Azure Spring Apps | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.AppPlatform/Spring/read •Microsoft.AppPlatform/Spring/configurationServices/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/ApplicationConfigurationService/logstream/action | |||
| 207bcc4b-86a6-4487-9141-d6c1f4c238aa | Azure Edge On-Site Deployment Engineer | Grants you access to take actions as an on-site person to assist in the provisioning of an edge device | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.EdgeOrder/bootstrapConfigurations/read •Microsoft.EdgeOrder/bootstrapConfigurations/uploadArtifacts/action | ||||
| c7244dfb-f447-457d-b2ba-3999044d1706 | Azure API Center Data Reader | Allows for access to Azure API Center data plane read operations. | False |
00005 effective data plane operations (unique) •read: 5 |
DataActions: 001 resolved data operations: 5 effective data operations: 5 •read: 5 •Microsoft.ApiCenter/services/*/read | ||||
| dfb2f09d-25f8-4558-8986-497084006d7a | Azure impact-insight reader | built-in role for azure impact-insight read access | False | n/a | Actions: 001 resolved operations: n/a effective operations: n/a •Microsoft.Impact/WorkloadImpacts/*/read | ||||
| 8bb6f106-b146-4ee6-a3f9-b9c5a96e0ae5 | Defender Kubernetes Agent Operator | Grants Microsoft Defender for Cloud permissions to provision the Kubernetes defender security agent | False |
00060 effective control plane operations (unique) •: 1 •Action: 11 •Delete: 3 •read: 39 •Write: 6 |
Actions: 019 resolved operations: 60 effective operations: 60 •: 1 •Action: 11 •Delete: 3 •read: 39 •Write: 6 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.Kubernetes/connectedClusters/Write •Microsoft.Kubernetes/connectedClusters/read •Microsoft.OperationalInsights/workspaces/write •Microsoft.OperationalInsights/workspaces/read •Microsoft.OperationalInsights/workspaces/listKeys/action •Microsoft.OperationalInsights/workspaces/sharedkeys/action •Microsoft.Kubernetes/register/action •Microsoft.KubernetesConfiguration/register/action | ||||
| 5b7237c5-45e1-49d6-bc18-a1f62f400748 | Azure RedHat OpenShift Storage Operator Role | Enables permissions to set OpenShift cluster-wide storage defaults. It ensures a default storageclass exists for clusters. It also installs Container Storage Interface (CSI) drivers which enable your cluster to use various storage backends. | False |
00014 effective control plane operations (unique) •delete: 2 •read: 8 •write: 4 |
Actions: 014 resolved operations: 14 effective operations: 14 •delete: 2 •read: 8 •write: 4 •Microsoft.Compute/virtualMachines/write •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read •Microsoft.Compute/virtualMachineScaleSets/read •Microsoft.Compute/snapshots/write •Microsoft.Compute/snapshots/read •Microsoft.Compute/snapshots/delete •Microsoft.Compute/locations/operations/read •Microsoft.Compute/locations/DiskOperations/read •Microsoft.Compute/disks/write •Microsoft.Compute/disks/read •Microsoft.Compute/disks/delete •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 4436bae4-7702-4c84-919b-c4069ff25ee2 | Azure RedHat OpenShift Service Operator | The ARO Operator is responsible for maintaining features, checks, and resources that are specific to an Azure Red Hat OpenShift cluster's continued functionality as a managed service. This includes, but is not limited to, machine management and health, network configuration, and monitoring. | False |
00007 effective control plane operations (unique) •action: 4 •read: 2 •write: 1 |
Actions: 007 resolved operations: 7 effective operations: 7 •action: 4 •read: 2 •write: 1 •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/natGateways/join/action •Microsoft.Network/routeTables/join/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read | ||||
| 0d7aedc0-15fd-4a67-a412-efad370c947e | Azure RedHat OpenShift Azure Files Storage Operator Role | Enables permissions to set OpenShift cluster-wide storage defaults. It ensures a default storageclass exists for clusters. It also installs Container Storage Interface (CSI) drivers which enable your cluster to use Azure Files. | False |
00011 effective control plane operations (unique) •action: 2 •delete: 2 •read: 4 •write: 3 |
Actions: 011 resolved operations: 11 effective operations: 11 •action: 2 •delete: 2 •read: 4 •write: 3 •Microsoft.Storage/storageAccounts/delete •Microsoft.Storage/storageAccounts/fileServices/read •Microsoft.Storage/storageAccounts/fileServices/shares/delete •Microsoft.Storage/storageAccounts/fileServices/shares/read •Microsoft.Storage/storageAccounts/fileServices/shares/write •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write | ||||
| 8b32b316-c2f5-4ddf-b05b-83dacd2d08b5 | Azure RedHat OpenShift Image Registry Operator Role | Enables permissions for the operator to manage a singleton instance of the OpenShift image registry. It manages all configuration of the registry, including creating storage. | False |
00014 effective control plane and data plane operations (unique) •action: 4 •delete: 2 •read: 4 •write: 4 |
Actions: 009 resolved operations: 9 effective operations: 9 •action: 2 •delete: 1 •read: 3 •write: 3 •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write •Microsoft.Storage/storageAccounts/delete •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Resources/tags/write | DataActions: 005 resolved data operations: 5 effective data operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | |||
| be7a6435-15ae-4171-8f30-4a343eff9e8f | Azure RedHat OpenShift Network Operator Role | Enables permissions to install and upgrade the networking components on an OpenShift cluster. | False |
00006 effective control plane operations (unique) •action: 2 •read: 3 •write: 1 |
Actions: 006 resolved operations: 6 effective operations: 6 •action: 2 •read: 3 •write: 1 •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Compute/virtualMachines/read | ||||
| a1f96423-95ce-4224-ab27-4e3dc72facd4 | Azure RedHat OpenShift Cloud Controller Manager Role | Enables permissions for the operator to manage and update the cloud controller managers deployed on top of OpenShift. | False |
00013 effective control plane operations (unique) •action: 3 •read: 6 •write: 4 |
Actions: 013 resolved operations: 13 effective operations: 13 •action: 3 •read: 6 •write: 4 •Microsoft.Compute/virtualMachines/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/write •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/write •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/publicIPAddresses/write •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/networkInterfaces/write | ||||
| 0358943c-7e01-48ba-8889-02cc51d78637 | Azure RedHat OpenShift Machine API Operator Role | Enables permissions for the operator to manage the lifecycle of specific purpose custom resource definitions (CRD), controllers, and RBAC objects that extend the Kubernetes API. This declares the desired state of machines in a cluster. | False |
00032 effective control plane operations (unique) •action: 5 •delete: 6 •read: 15 •write: 6 |
Actions: 032 resolved operations: 32 effective operations: 32 •action: 5 •delete: 6 •read: 15 •write: 6 •Microsoft.Compute/availabilitySets/delete •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/availabilitySets/write •Microsoft.Compute/diskEncryptionSets/read •Microsoft.Compute/disks/delete •Microsoft.Compute/galleries/images/versions/read •Microsoft.Compute/skus/read •Microsoft.Compute/virtualMachines/delete •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.ManagedIdentity/userAssignedIdentities/assign/action •Microsoft.Network/applicationSecurityGroups/read •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/write •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/write •Microsoft.Network/publicIPAddresses/delete •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/publicIPAddresses/write •Microsoft.Network/routeTables/read •Microsoft.Network/virtualNetworks/delete •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 0336e1d3-7a87-462b-b6db-342b63f7802c | Azure RedHat OpenShift Cluster Ingress Operator Role | Enables permissions for the operator to configure and manage the OpenShift router. | False |
00004 effective control plane operations (unique) •delete: 2 •write: 2 |
Actions: 004 resolved operations: 4 effective operations: 4 •delete: 2 •write: 2 •Microsoft.Network/dnsZones/A/delete •Microsoft.Network/dnsZones/A/write •Microsoft.Network/privateDnsZones/A/delete •Microsoft.Network/privateDnsZones/A/write | ||||
| 5a382001-fe36-41ff-bba4-8bf06bd54da9 | Azure Sphere Owner | Allows user read and write access to Azure Sphere resources and RBAC configuration, includes an ABAC condition to constrain role assignments. | True |
00100 effective control plane operations (unique) •: 1 •action: 25 •delete: 10 •read: 52 •write: 12 |
Actions: 015 resolved operations: 100 effective operations: 100 •: 1 •action: 25 •delete: 10 •read: 52 •write: 12 •Microsoft.AzureSphere/* •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Insights/alertRules/* •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/read •Microsoft.Management/managementGroups/read •Microsoft.Resources/deployments/* •Microsoft.Support/* •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/DiagnosticSettingsCategories/Read •Microsoft.Authorization/roleAssignments/write •Microsoft.Authorization/roleAssignments/delete | ||||
| e2217c0e-04bb-4724-9580-91cf9871bc01 | GroupQuota Request Operator | Read and create GroupQuota requests, get GroupQuota request status, and get groupQuotaLimits. | False |
00041 effective control plane operations (unique) •action: 1 •read: 35 •write: 5 |
Actions: 015 resolved operations: 41 effective operations: 41 •action: 1 •read: 35 •write: 5 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •MICROSOFT.QUOTA/QUOTAS/WRITE •MICROSOFT.QUOTA/QUOTAS/READ •MICROSOFT.QUOTA/USAGES/READ •MICROSOFT.QUOTA/QUOTAREQUESTS/READ •MICROSOFT.QUOTA/REGISTER/ACTION •Microsoft.Quota/GROUPQUOTAS/READ •Microsoft.Quota/GROUPQUOTAS/subscriptions/READ •Microsoft.Quota/GROUPQUOTAS/groupQuotaLimits/READ •Microsoft.Quota/GROUPQUOTAS/quotaAllocations/READ •Microsoft.Quota/GROUPQUOTAS/WRITE •Microsoft.Quota/GROUPQUOTAS/subscriptions/WRITE •Microsoft.Quota/GROUPQUOTAS/groupQuotaLimits/WRITE •Microsoft.Quota/GROUPQUOTAS/quotaAllocations/WRITE | ||||
| d0f495dc-44ef-4140-aeb0-b89110e6a7c1 | GroupQuota Reader | Read GroupQuota requests, get GroupQuota request status, and get groupQuotaLimits. | False |
00036 effective control plane operations (unique) •action: 1 •read: 35 |
Actions: 010 resolved operations: 36 effective operations: 36 •action: 1 •read: 35 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •MICROSOFT.QUOTA/QUOTAS/READ •MICROSOFT.QUOTA/USAGES/READ •MICROSOFT.QUOTA/QUOTAREQUESTS/READ •MICROSOFT.QUOTA/REGISTER/ACTION •Microsoft.Quota/GROUPQUOTAS/READ •Microsoft.Quota/GROUPQUOTAS/subscriptions/READ •Microsoft.Quota/GROUPQUOTAS/groupQuotaLimits/READ •Microsoft.Quota/GROUPQUOTAS/quotaAllocations/READ | ||||
| 539283cd-c185-4a9a-9503-d35217a1db7b | Bayer Ag Powered Services Smart Boundary Solution User Role | Provide access to Smart Boundary Solution by Bayer Ag Powered Services | False |
00018 effective data plane operations (unique) •action: 5 •delete: 3 •read: 5 •write: 5 |
DataActions: 006 resolved data operations: 18 effective data operations: 18 •action: 5 •delete: 3 •read: 5 •write: 5 •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/write •Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/* •Microsoft.AgFoodPlatform/farmBeats/scenes/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* | ||||
| 6b534d80-e337-47c4-864f-140f5c7f593d | Advisor Recommendations Contributor (Assessments and Reviews) | View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started). | False |
00003 effective control plane operations (unique) •action: 1 •read: 1 •write: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 1 •write: 1 •Microsoft.Advisor/recommendations/read •Microsoft.Advisor/recommendations/write •Microsoft.Advisor/recommendations/available/action | ||||
| c9c97b9c-105d-4bb5-a2a7-7d15666c2484 | GeoCatalog Administrator | Grants full access to manage GeoCatalogs, but does not allow you to assign roles in Azure RBAC. | False |
00049 effective control plane operations (unique) •: 1 •Action: 7 •Delete: 3 •read: 35 •Write: 3 |
Actions: 006 resolved operations: 49 effective operations: 49 •: 1 •Action: 7 •Delete: 3 •read: 35 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Orbital/operations/read •Microsoft.Orbital/geoCatalogs/* | ||||
| b7b8f583-43d0-40ae-b147-6b46f53661c1 | GeoCatalog Reader | View GeoCatalogs, but does not allow you to make any changes. | False |
00047 effective control plane operations (unique) •: 1 •Action: 7 •Delete: 2 •read: 35 •Write: 2 |
Actions: 006 resolved operations: 47 effective operations: 47 •: 1 •Action: 7 •Delete: 2 •read: 35 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Orbital/operations/read •Microsoft.Orbital/geoCatalogs/read | ||||
| eb5a76d5-50e7-4c33-a449-070e7c9c4cf2 | Health Bot Reader | Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). | False |
00001 effective data plane operations (unique) •Action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •Action: 1 •Microsoft.HealthBot/healthBots/Reader/Action | ||||
| af854a69-80ce-4ff7-8447-f1118a2e0ca8 | Health Bot Editor | Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels. | False |
00001 effective data plane operations (unique) •Action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •Action: 1 •Microsoft.HealthBot/healthBots/Editor/Action | ||||
| f1082fec-a70f-419f-9230-885d2550fb38 | Health Bot Admin | Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets. | False |
00001 effective data plane operations (unique) •Action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •Action: 1 •Microsoft.HealthBot/healthBots/Admin/Action | ||||
| c20923c5-b089-47a5-bf67-fd89569c4ad9 | Azure Programmable Connectivity Gateway Dataplane User | Allows access to all Gateway dataplane APIs. | False |
00040 effective control plane and data plane operations (unique) •: 1 •action: 4 •delete: 1 •NetworkAPIAccess: 1 •read: 32 •write: 1 |
Actions: 005 resolved operations: 39 effective operations: 39 •: 1 •action: 4 •delete: 1 •read: 32 •write: 1 •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/ •Microsoft.Resources/deployments/* | DataActions: 001 resolved data operations: 1 effective data operations: 1 •NetworkAPIAccess: 1 •Microsoft.ProgrammableConnectivity/Gateways/NetworkAPIAccess | |||
| b556d68e-0be0-4f35-a333-ad7ee1ce17ea | Azure AI Enterprise Network Connection Approver | Can approve private endpoint connections to Azure AI common dependency resources | False |
00041 effective control plane operations (unique) •action: 7 •read: 25 •write: 9 |
Actions: 041 resolved operations: 41 effective operations: 41 •action: 7 •read: 25 •write: 9 •Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action •Microsoft.ContainerRegistry/registries/privateEndpointConnections/read •Microsoft.ContainerRegistry/registries/privateEndpointConnections/write •Microsoft.Cache/redis/read •Microsoft.Cache/redis/privateEndpointConnections/read •Microsoft.Cache/redis/privateEndpointConnections/write •Microsoft.Cache/redis/privateLinkResources/read •Microsoft.Cache/redis/privateEndpointConnectionsApproval/action •Microsoft.Cache/redisEnterprise/read •Microsoft.Cache/redisEnterprise/privateEndpointConnections/read •Microsoft.Cache/redisEnterprise/privateEndpointConnections/write •Microsoft.Cache/redisEnterprise/privateLinkResources/read •Microsoft.Cache/redisEnterprise/privateEndpointConnectionsApproval/action •Microsoft.CognitiveServices/accounts/read •Microsoft.CognitiveServices/accounts/privateEndpointConnections/read •Microsoft.CognitiveServices/accounts/privateEndpointConnections/write •Microsoft.CognitiveServices/accounts/privateLinkResources/read •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnectionsApproval/action •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/read •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/write •Microsoft.DocumentDB/databaseAccounts/privateLinkResources/read •Microsoft.DocumentDB/databaseAccounts/read •Microsoft.KeyVault/vaults/privateEndpointConnectionsApproval/action •Microsoft.KeyVault/vaults/privateEndpointConnections/read •Microsoft.KeyVault/vaults/privateEndpointConnections/write •Microsoft.KeyVault/vaults/privateLinkResources/read •Microsoft.KeyVault/vaults/read •Microsoft.MachineLearningServices/workspaces/privateEndpointConnectionsApproval/action •Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/read •Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/write •Microsoft.MachineLearningServices/workspaces/privateLinkResources/read •Microsoft.MachineLearningServices/workspaces/read •Microsoft.Storage/storageAccounts/privateEndpointConnections/read •Microsoft.Storage/storageAccounts/privateEndpointConnections/write •Microsoft.Storage/storageAccounts/privateLinkResources/read •Microsoft.Storage/storageAccounts/read •Microsoft.Sql/servers/privateEndpointConnectionsApproval/action •Microsoft.Sql/servers/privateEndpointConnections/read •Microsoft.Sql/servers/privateEndpointConnections/write •Microsoft.Sql/servers/privateLinkResources/read •Microsoft.Sql/servers/read | ||||
| 08d4c71a-cc63-4ce4-a9c8-5dd251b4d619 | Azure Container Storage Operator | Role required by a Managed Identity for Azure Container Storage operations | False |
00039 effective control plane operations (unique) •action: 7 •delete: 7 •read: 14 •write: 11 |
Actions: 018 resolved operations: 39 effective operations: 39 •action: 7 •delete: 7 •read: 14 •write: 11 •Microsoft.ElasticSan/elasticSans/* •Microsoft.ElasticSan/locations/asyncoperations/read •Microsoft.Network/routeTables/join/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/virtualNetworks/write •Microsoft.Network/virtualNetworks/delete •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.Compute/virtualMachineScaleSets/read •Microsoft.Compute/virtualMachineScaleSets/write •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read •Microsoft.Resources/subscriptions/providers/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Network/virtualNetworks/read | ||||
| 5d3f1697-4507-4d08-bb4a-477695db5f82 | Azure Kubernetes Service Arc Contributor Role | Grants access to read and write Azure Kubernetes Services hybrid clusters | False |
00025 effective control plane operations (unique) •action: 2 •delete: 6 •Read: 11 •write: 6 |
Actions: 025 resolved operations: 25 effective operations: 25 •action: 2 •delete: 6 •Read: 11 •write: 6 •Microsoft.HybridContainerService/Locations/operationStatuses/read •Microsoft.HybridContainerService/Operations/read •Microsoft.HybridContainerService/kubernetesVersions/read •Microsoft.HybridContainerService/kubernetesVersions/write •Microsoft.HybridContainerService/kubernetesVersions/delete •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.HybridContainerService/provisionedClusterInstances/write •Microsoft.HybridContainerService/provisionedClusterInstances/delete •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete •Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read •Microsoft.HybridContainerService/skus/read •Microsoft.HybridContainerService/skus/write •Microsoft.HybridContainerService/skus/delete •Microsoft.HybridContainerService/virtualNetworks/read •Microsoft.HybridContainerService/virtualNetworks/write •Microsoft.HybridContainerService/virtualNetworks/delete •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/read •Microsoft.Kubernetes/connectedClusters/Read •Microsoft.Kubernetes/connectedClusters/Write •Microsoft.Kubernetes/connectedClusters/Delete •Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action •Microsoft.AzureStackHCI/clusters/read | ||||
| 233ca253-b031-42ff-9fba-87ef12d6b55f | Azure Kubernetes Service Arc Cluster User Role | List cluster user credential action. | False |
00003 effective control plane operations (unique) •action: 1 •read: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 2 •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action •Microsoft.Kubernetes/connectedClusters/Read | ||||
| b29efa5f-7782-4dc3-9537-4d5bc70a5e9f | Azure Kubernetes Service Arc Cluster Admin Role | List cluster admin credential action. | False |
00003 effective control plane operations (unique) •action: 1 •read: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 2 •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action •Microsoft.Kubernetes/connectedClusters/Read | ||||
| c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8 | Backup MUA Admin | Backup MultiUser-Authorization. Can create/delete ResourceGuard | False |
00070 effective control plane operations (unique) •action: 7 •delete: 3 •read: 56 •write: 4 |
Actions: 026 resolved operations: 70 effective operations: 70 •action: 7 •delete: 3 •read: 56 •write: 4 •Microsoft.DataProtection/*/read •Microsoft.DataProtection/*/resourceGuards/write •Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write •Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete •Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/locations/getBackupStatus/action •Microsoft.DataProtection/locations/checkFeatureSupport/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read •Microsoft.Authorization/*/read •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/deployments/* •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action •Microsoft.DataProtection/subscriptions/providers/resourceGuards/read •Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read | ||||
| f54b6d04-23c6-443e-b462-9c16ab7b4a52 | Backup MUA Operator | Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard | False |
00068 effective control plane operations (unique) •action: 24 •read: 44 |
Actions: 003 resolved operations: 68 effective operations: 68 •action: 24 •read: 44 •Microsoft.DataProtection/*/action •Microsoft.DataProtection/*/read •Microsoft.Authorization/*/read | ||||
| 3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74 | Savings plan Purchaser | Lets you purchase savings plans | False |
00010 effective control plane operations (unique) •action: 2 •read: 6 •write: 2 |
Actions: 010 resolved operations: 10 effective operations: 10 •action: 2 •read: 6 •write: 2 •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Capacity/register/action •Microsoft.Capacity/catalogs/read •Microsoft.Authorization/roleAssignments/read •Microsoft.BillingBenefits/savingsPlanOrders/write •Microsoft.BIllingBenefits/register/action •Microsoft.Support/supporttickets/write •Microsoft.Billing/billingProperty/read •Microsoft.CostManagement/benefitRecommendations/read | ||||
| 399c3b2b-64c2-4ff1-af34-571db925b068 | CrossConnectionManager | Allows for read, write access to ExpressRoute CrossConnections | False |
00018 effective control plane operations (unique) •action: 2 •delete: 2 •read: 10 •write: 4 |
Actions: 003 resolved operations: 19 effective operations: 18 •action: 2 •delete: 2 •read: 10 •write: 4 •Microsoft.ClassicNetwork/expressRouteCrossConnections/* •Microsoft.Network/expressRouteCrossConnections/* •Microsoft.Features/providers/features/read | NotActions: 001 resolved not operations: 1 effective not operations: 15368 •Microsoft.Network/expressRouteCrossConnections/delete | |||
| b6ee44de-fe58-4ddc-b5c2-ab174eb23f05 | CrossConnectionReader | Allows for read access to ExpressRoute CrossConnections | False |
00008 effective control plane operations (unique) •read: 8 |
Actions: 003 resolved operations: 8 effective operations: 8 •read: 8 •Microsoft.ClassicNetwork/expressRouteCrossConnections/*/read •Microsoft.Network/expressRouteCrossConnections/*/read •Microsoft.Features/providers/features/read | ||||
| 5e93ba01-8f92-4c7a-b12a-801e3df23824 | Kubernetes Agent Operator | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | False |
00005 effective control plane operations (unique) •delete: 1 •read: 3 •write: 1 |
Actions: 005 resolved operations: 5 effective operations: 5 •delete: 1 •read: 3 •write: 1 •Microsoft.ContainerService/managedClusters/read •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write •Microsoft.Security/pricings/securityoperators/read | ||||
| ede9aaa3-4627-494e-be13-4aa7c256148d | Azure API Center Compliance Manager | Allows managing API compliance in Azure API Center service. | False |
00014 effective control plane operations (unique) •action: 2 •read: 12 |
Actions: 003 resolved operations: 14 effective operations: 14 •action: 2 •read: 12 •Microsoft.ApiCenter/services/*/read •Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAnalysisState/action •Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action | ||||
| 6cba8790-29c5-48e5-bab1-c7541b01cb04 | Azure API Center Service Reader | Allows read-only access to Azure API Center service. | False |
00059 effective control plane operations (unique) •: 1 •action: 8 •Delete: 2 •read: 46 •Write: 2 |
Actions: 007 resolved operations: 59 effective operations: 59 •: 1 •action: 8 •Delete: 2 •read: 46 •Write: 2 •Microsoft.ApiCenter/services/*/read •Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| dd24193f-ef65-44e5-8a7e-6fa6e03f7713 | Azure API Center Service Contributor | Allows managing Azure API Center service. | False |
00085 effective control plane operations (unique) •: 1 •action: 13 •delete: 12 •read: 47 •write: 12 |
Actions: 006 resolved operations: 86 effective operations: 85 •: 1 •action: 13 •delete: 12 •read: 47 •write: 12 •Microsoft.ApiCenter/services/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | NotActions: 001 resolved not operations: 1 effective not operations: 15301 •Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAnalysisState/action | |||
| b5b192c1-773c-4543-bfb0-6c59254b74a9 | Bayer Ag Powered Services Historical Weather Data Solution User Role | Provide access to Historical Weather Data Solution by Bayer Ag Powered Services | False |
00012 effective data plane operations (unique) •action: 3 •delete: 2 •read: 4 •write: 3 |
DataActions: 005 resolved data operations: 12 effective data operations: 12 •action: 3 •delete: 2 •read: 4 •write: 3 •Microsoft.AgFoodPlatform/farmBeats/parties/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/write •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* | ||||
| 4caf51ec-f9f5-413f-8a94-b9f5fddba66b | Oracle Subscriptions Manager Built-in Role | Grants full access to manage all Oracle Subscriptions resources | False |
00022 effective control plane operations (unique) •action: 6 •delete: 1 •read: 13 •write: 2 |
Actions: 009 resolved operations: 22 effective operations: 22 •action: 6 •delete: 1 •read: 13 •write: 2 •Oracle.Database/oracleSubscriptions/*/read •Oracle.Database/oracleSubscriptions/*/write •Oracle.Database/oracleSubscriptions/*/delete •Oracle.Database/oracleSubscriptions/*/action •Oracle.Database/Locations/*/read •Oracle.Database/Locations/*/write •Oracle.Database/Operations/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 4562aac9-b209-4bd7-a144-6d7f3bb516f4 | Oracle.Database Owner Built-in Role | Grants full access to manage all Oracle.Database resources | False |
00052 effective control plane operations (unique) •action: 13 •delete: 6 •read: 24 •write: 9 |
Actions: 010 resolved operations: 52 effective operations: 52 •action: 13 •delete: 6 •read: 24 •write: 9 •Oracle.Database/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/locations/operations/read •Microsoft.Resources/deployments/* •Microsoft.Compute/sshPublicKeys/read •Microsoft.Compute/sshPublicKeys/write •Microsoft.Compute/sshPublicKeys/generateKeyPair/action | ||||
| e9ce8739-6fa2-4123-a0a2-0ef41a67806f | Oracle.Database VmCluster Administrator Built-in Role | Grants full access to manage all VmCluster resources | False |
00033 effective control plane operations (unique) •action: 5 •delete: 2 •read: 20 •write: 6 |
Actions: 018 resolved operations: 33 effective operations: 33 •action: 5 •delete: 2 •read: 20 •write: 6 •Oracle.Database/cloudVmClusters/*/read •Oracle.Database/cloudVmClusters/*/write •Oracle.Database/cloudVmClusters/*/delete •Oracle.Database/cloudExadataInfrastructures/write •Oracle.Database/cloudExadataInfrastructures/*/read •Oracle.Database/Locations/*/read •Oracle.Database/Locations/*/write •Oracle.Database/Operations/read •Oracle.Database/oracleSubscriptions/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/locations/operations/read •Microsoft.Compute/sshPublicKeys/read •Microsoft.Compute/sshPublicKeys/write •Microsoft.Compute/sshPublicKeys/generateKeyPair/action | ||||
| 25211fc6-dc78-40b6-b205-e4ac934fd9fd | Azure Spring Apps Application Configuration Service Config File Pattern Reader Role | Read content of config file pattern for Application Configuration Service in Azure Spring Apps | False |
00003 effective control plane and data plane operations (unique) •read: 3 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.AppPlatform/Spring/read •Microsoft.AppPlatform/Spring/configurationServices/read | DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.AppPlatform/Spring/ApplicationConfigurationService/read | |||
| f27b7598-bc64-41f7-8a44-855ff16326c2 | Azure Messaging Catalog Data Owner | Allows for full access to Azure Messaging Catalog resources. | False |
00009 effective control plane and data plane operations (unique) •delete: 3 •read: 3 •write: 3 |
Actions: 001 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.MessagingCatalog/* | DataActions: 001 resolved data operations: 6 effective data operations: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.MessagingCatalog/* | |||
| 5d9c6a55-fc0e-4e21-ae6f-f7b095497342 | Azure Hybrid Database Administrator - Read Only Service Role | Read only access to Azure hybrid database services resources. | False |
00016 effective control plane operations (unique) •action: 2 •read: 14 |
Actions: 006 resolved operations: 16 effective operations: 16 •action: 2 •read: 14 •Microsoft.AzureArcData/*/read •Microsoft.AzureArcData/sqlServerInstances/getTelemetry/action •Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/getDetailView/action •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/extensions/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| c18f9900-27b8-47c7-a8f0-5b3b3d4c2bc2 | Microsoft Sentinel Business Applications Agent Operator | List and update actions on a business applications system. This role is in preview and subject to change. | False |
00002 effective control plane operations (unique) •action: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 2 •Microsoft.SecurityInsights/businessApplicationAgents/systems/listActions/action •Microsoft.SecurityInsights/businessApplicationAgents/systems/reportActionStatus/action | ||||
| 0fb8eba5-a2bb-4abe-b1c1-49dfad359bb0 | Azure ContainerApps Session Creator | Create and execute sessions in a sessionPool | False |
00049 effective control plane and data plane operations (unique) •: 1 •action: 9 •Delete: 2 •read: 35 •Write: 2 |
Actions: 006 resolved operations: 47 effective operations: 47 •: 1 •action: 8 •Delete: 2 •read: 34 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.App/sessionPools/*/read •Microsoft.App/sessionPools/sessions/generatesessions/action | DataActions: 003 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.App/sessionPools/*/read •Microsoft.App/sessionPools/interpreters/execute/action •Microsoft.App/sessionPools/interpreters/read | |||
| ef318e2a-8334-4a05-9e4a-295a196c6a6e | Azure Red Hat OpenShift Federated Credential Role | This role grants the permissions required in order to patch cluster managed identities with the federated credential to build a trust relationship between the managed identity, OIDC, and the service account. | False |
00003 effective control plane operations (unique) •read: 2 •write: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 2 •write: 1 •Microsoft.ManagedIdentity/userAssignedIdentities/read •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write |