| Id | Name | Description | Category | Condition | Effective operations | Actions (control plane) | NotActions (control plane) | DataActions (data plane) | NotDataActions (data plane) | Used in Policy |
|---|---|---|---|---|---|---|---|---|---|---|
| 76cc9ee4-d5d3-4a45-a930-26add3d73475 | Access Review Operator Service Role | Lets you grant Access Review System app permissions to discover and revoke access as needed by the access review process. | None | False |
00003 effective control plane operations (unique) •action: 1 •delete: 1 •read: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •delete: 1 •read: 1 •Microsoft.Authorization/roleAssignments/delete •Microsoft.Authorization/roleAssignments/read •Microsoft.Management/getEntities/action | ||||
| c2f4ef07-c644-48eb-af81-4b1b4947fb11 | AcrDelete | acr delete | Containers | False |
00001 effective control plane operations (unique) •delete: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •delete: 1 •Microsoft.ContainerRegistry/registries/artifacts/delete | ||||
| 6cef56e8-d556-48e5-a04f-b8e64114680f | AcrImageSigner | acr image signer | Containers | False |
00002 effective control plane and data plane operations (unique) •write: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •write: 1 •Microsoft.ContainerRegistry/registries/sign/write |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •write: 1 •Microsoft.ContainerRegistry/registries/trustedCollections/write | |||
| 7f951dda-4ed3-4680-a7ca-43fe172d538d | AcrPull | acr pull | Containers | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ContainerRegistry/registries/pull/read | ||||
| 8311e382-0749-4cb8-b61a-304f252e45ec | AcrPush | acr push | Containers | False |
00002 effective control plane operations (unique) •read: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.ContainerRegistry/registries/pull/read •Microsoft.ContainerRegistry/registries/push/write | ||||
| cdda3590-29a3-44f6-95f2-9f980659eb04 | AcrQuarantineReader | acr quarantine data reader | Containers | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ContainerRegistry/registries/quarantine/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read | |||
| c8d4ff99-41c3-41a8-9f60-21dfdad59608 | AcrQuarantineWriter | acr quarantine data writer | Containers | False |
00004 effective control plane and data plane operations (unique) •read: 2 •write: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.ContainerRegistry/registries/quarantine/read •Microsoft.ContainerRegistry/registries/quarantine/write |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read •Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write | |||
| 6b534d80-e337-47c4-864f-140f5c7f593d | Advisor Recommendations Contributor (Assessments and Reviews) | View assessment recommendations, accepted review recommendations, and manage the recommendations lifecycle (mark recommendations as completed, postponed or dismissed, in progress, or not started). | Management and governance | False |
00003 effective control plane operations (unique) •action: 1 •read: 1 •write: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 1 •write: 1 •Microsoft.Advisor/recommendations/available/action •Microsoft.Advisor/recommendations/read •Microsoft.Advisor/recommendations/write | ||||
| 8aac15f0-d885-4138-8afa-bfb5872f7d13 | Advisor Reviews Contributor | View reviews for a workload and triage recommendations linked to them. | Management and governance | False |
00054 effective control plane operations (unique) •action: 10 •Delete: 2 •read: 40 •Write: 2 |
Actions: 010 resolved operations: 54 effective operations: 54 •action: 10 •Delete: 2 •read: 40 •Write: 2 •Microsoft.Advisor/resiliencyReviews/read •Microsoft.Advisor/triageRecommendations/approve/action •Microsoft.Advisor/triageRecommendations/read •Microsoft.Advisor/triageRecommendations/reject/action •Microsoft.Advisor/triageRecommendations/reset/action •Microsoft.Advisor/triageResources/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| c64499e0-74c3-47ad-921c-13865957895c | Advisor Reviews Reader | View reviews for a workload and recommendations linked to them. | Management and governance | False |
00003 effective control plane operations (unique) •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.Advisor/resiliencyReviews/read •Microsoft.Advisor/triageRecommendations/read •Microsoft.Advisor/triageResources/read | ||||
| 68ac31b4-936a-4046-a6d2-ba6f8a757bf6 | Agentless scanning for Serverless Scanner Service Role | Grants access to Serverless resources and thier connections | None | False |
00002 effective control plane operations (unique) •Action: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •Action: 2 •microsoft.web/sites/publish/action •microsoft.web/sites/slots/publish/action | ||||
| a8d4b70f-0fb9-4f72-b267-b87b2f990aec | AgFood Platform Dataset Admin | Provides access to Dataset APIs | None | False |
00012 effective data plane operations (unique) •action: 6 •delete: 2 •read: 2 •write: 2 |
DataActions: 002 resolved data operations: 12 effective data operations: 12 •action: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.AgFoodPlatform/farmBeats/datasetRecords/* •Microsoft.AgFoodPlatform/farmBeats/datasets/* | ||||
| 6b77f0a0-0d89-41cc-acd1-579c22c17a67 | AgFood Platform Sensor Partner Contributor | Provides contribute access to manage sensor related entities in AgFood Platform Service | AI + machine learning | False |
00018 effective data plane operations (unique) •action: 4 •delete: 3 •read: 6 •write: 5 |
DataActions: 001 resolved data operations: 19 effective data operations: 18 •action: 4 •delete: 3 •read: 6 •write: 5 •Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/* |
NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3553 •Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/delete | |||
| f8da80de-1ff9-4747-ad80-a19b7f6079e3 | AgFood Platform Service Admin | Provides admin access to AgFood Platform Service | AI + machine learning | False |
00335 effective data plane operations (unique) •action: 101 •delete: 58 •read: 89 •write: 87 |
DataActions: 001 resolved data operations: 335 effective data operations: 335 •action: 101 •delete: 58 •read: 89 •write: 87 •Microsoft.AgFoodPlatform/* | ||||
| 8508508a-4469-4e45-963b-2518ee0bb728 | AgFood Platform Service Contributor | Provides contribute access to AgFood Platform Service | AI + machine learning | False |
00251 effective data plane operations (unique) •action: 98 •read: 89 •write: 64 |
DataActions: 003 resolved data operations: 277 effective data operations: 251 •action: 98 •read: 89 •write: 64 •Microsoft.AgFoodPlatform/*/action •Microsoft.AgFoodPlatform/*/read •Microsoft.AgFoodPlatform/*/write |
NotDataActions: 006 resolved not data operations: 26 effective not data operations: 3320 •Microsoft.AgFoodPlatform/farmBeats/datasetRecords/write •Microsoft.AgFoodPlatform/farmBeats/datasets/access/*/action •Microsoft.AgFoodPlatform/farmBeats/datasets/write •Microsoft.AgFoodPlatform/farmBeats/deletionJobs/*/write •Microsoft.AgFoodPlatform/farmBeats/farmers/write •Microsoft.AgFoodPlatform/farmBeats/parties/write | |||
| 7ec7ccdc-f61e-41fe-9aaf-980df0a44eba | AgFood Platform Service Reader | Provides read access to AgFood Platform Service | AI + machine learning | False |
00185 effective data plane operations (unique) •action: 96 •read: 89 |
DataActions: 006 resolved data operations: 185 effective data operations: 185 •action: 96 •read: 89 •Microsoft.AgFoodPlatform/*/checkConsent/action •Microsoft.AgFoodPlatform/*/download/action •Microsoft.AgFoodPlatform/*/list/action •Microsoft.AgFoodPlatform/*/overlap/action •Microsoft.AgFoodPlatform/*/read •Microsoft.AgFoodPlatform/*/search/action | ||||
| 8b9beb50-e28c-4879-8472-24c9d328085f | AI Model Scanner Operator | Grants Microsoft Defender for AI access to AI services and resources. | None | False | n/a | |||||
| a2138dac-4907-4679-a376-736901ed8ad8 | AnyBuild Builder | Basic user role for AnyBuild. This role allows listing of agent information and execution of remote build capabilities. | None | False |
00002 effective data plane operations (unique) •read: 1 •write: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.AnyBuild/clusters/build/read •Microsoft.AnyBuild/clusters/build/write | ||||
| c031e6a8-4391-4de0-8d69-4706a7ed3729 | API Management Developer Portal Content Editor | Can customize the developer portal, edit its content, and publish it. | Integration | False |
00008 effective control plane operations (unique) •delete: 2 •read: 3 •write: 3 |
Actions: 008 resolved operations: 8 effective operations: 8 •delete: 2 •read: 3 •write: 3 •Microsoft.ApiManagement/service/contentTypes/contentItems/delete •Microsoft.ApiManagement/service/contentTypes/contentItems/read •Microsoft.ApiManagement/service/contentTypes/contentItems/write •Microsoft.ApiManagement/service/contentTypes/delete •Microsoft.ApiManagement/service/contentTypes/read •Microsoft.ApiManagement/service/contentTypes/write •Microsoft.ApiManagement/service/portalRevisions/read •Microsoft.ApiManagement/service/portalRevisions/write | ||||
| 312a565d-c81f-4fd8-895a-4e21e48d571c | API Management Service Contributor | Can manage service and the APIs | Integration | False |
00513 effective control plane operations (unique) •action: 69 •delete: 117 •read: 202 •write: 125 |
Actions: 007 resolved operations: 513 effective operations: 513 •action: 69 •delete: 117 •read: 202 •write: 125 •Microsoft.ApiManagement/service/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 001 •Configure API Management services to disable access to API Management public service configuration endpoints | |||
| e022efe7-f5ba-4159-bbe4-b44f577e9b61 | API Management Service Operator Role | Can manage service but not the APIs | Integration | False |
00223 effective control plane operations (unique) •action: 15 •delete: 3 •read: 201 •write: 4 |
Actions: 015 resolved operations: 224 effective operations: 223 •action: 15 •delete: 3 •read: 201 •write: 4 •Microsoft.ApiManagement/service/*/read •Microsoft.ApiManagement/service/backup/action •Microsoft.ApiManagement/service/delete •Microsoft.ApiManagement/service/managedeployments/action •Microsoft.ApiManagement/service/read •Microsoft.ApiManagement/service/restore/action •Microsoft.ApiManagement/service/updatecertificate/action •Microsoft.ApiManagement/service/updatehostname/action •Microsoft.ApiManagement/service/write •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
NotActions: 001 resolved not operations: 1 effective not operations: 16613 •Microsoft.ApiManagement/service/users/keys/read | |||
| 71522526-b88f-4d52-b57f-d31fc3546d0d | API Management Service Reader Role | Read-only access to service and APIs | Integration | False |
00216 effective control plane operations (unique) •Action: 10 •Delete: 2 •read: 201 •Write: 3 |
Actions: 008 resolved operations: 217 effective operations: 216 •Action: 10 •Delete: 2 •read: 201 •Write: 3 •Microsoft.ApiManagement/service/*/read •Microsoft.ApiManagement/service/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
NotActions: 001 resolved not operations: 1 effective not operations: 16620 •Microsoft.ApiManagement/service/users/keys/read | |||
| 9565a273-41b9-4368-97d2-aeb0c976a9b3 | API Management Service Workspace API Developer | Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope. | Integration | False |
00047 effective control plane operations (unique) •delete: 4 •read: 39 •write: 4 |
Actions: 009 resolved operations: 47 effective operations: 47 •delete: 4 •read: 39 •write: 4 •Microsoft.ApiManagement/service/authorizationServers/read •Microsoft.ApiManagement/service/products/apiLinks/* •Microsoft.ApiManagement/service/products/read •Microsoft.ApiManagement/service/read •Microsoft.ApiManagement/service/tags/apiLinks/* •Microsoft.ApiManagement/service/tags/operationLinks/* •Microsoft.ApiManagement/service/tags/productLinks/* •Microsoft.ApiManagement/service/tags/read •Microsoft.Authorization/*/read | ||||
| d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da | API Management Service Workspace API Product Manager | Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope. | Integration | False |
00052 effective control plane operations (unique) •delete: 5 •read: 42 •write: 5 |
Actions: 012 resolved operations: 52 effective operations: 52 •delete: 5 •read: 42 •write: 5 •Microsoft.ApiManagement/service/authorizationServers/read •Microsoft.ApiManagement/service/groups/read •Microsoft.ApiManagement/service/groups/users/* •Microsoft.ApiManagement/service/products/apiLinks/* •Microsoft.ApiManagement/service/products/read •Microsoft.ApiManagement/service/read •Microsoft.ApiManagement/service/tags/apiLinks/* •Microsoft.ApiManagement/service/tags/operationLinks/* •Microsoft.ApiManagement/service/tags/productLinks/* •Microsoft.ApiManagement/service/tags/read •Microsoft.ApiManagement/service/users/read •Microsoft.Authorization/*/read | ||||
| 56328988-075d-4c6a-8766-d93edd6725b6 | API Management Workspace API Developer | Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope. | Integration | False |
00139 effective control plane operations (unique) •action: 5 •delete: 29 •read: 75 •write: 30 |
Actions: 017 resolved operations: 139 effective operations: 139 •action: 5 •delete: 29 •read: 75 •write: 30 •Microsoft.ApiManagement/service/workspaces/*/read •Microsoft.ApiManagement/service/workspaces/apis/* •Microsoft.ApiManagement/service/workspaces/apiVersionSets/* •Microsoft.ApiManagement/service/workspaces/backends/* •Microsoft.ApiManagement/service/workspaces/certificates/* •Microsoft.ApiManagement/service/workspaces/diagnostics/* •Microsoft.ApiManagement/service/workspaces/loggers/* •Microsoft.ApiManagement/service/workspaces/namedValues/* •Microsoft.ApiManagement/service/workspaces/policies/* •Microsoft.ApiManagement/service/workspaces/policyFragments/* •Microsoft.ApiManagement/service/workspaces/products/* •Microsoft.ApiManagement/service/workspaces/schemas/* •Microsoft.ApiManagement/service/workspaces/tags/* •Microsoft.Authorization/*/read •Microsoft.Insights/diagnosticSettings/*/read •Microsoft.insights/logs/ApiManagementGatewayLogs/read •Microsoft.insights/logs/read | ||||
| 73c2c328-d004-4c5e-938c-35c6f5679a1f | API Management Workspace API Product Manager | Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. | Integration | False |
00112 effective control plane operations (unique) •action: 4 •delete: 16 •read: 75 •write: 17 |
Actions: 010 resolved operations: 112 effective operations: 112 •action: 4 •delete: 16 •read: 75 •write: 17 •Microsoft.ApiManagement/service/workspaces/*/read •Microsoft.ApiManagement/service/workspaces/groups/* •Microsoft.ApiManagement/service/workspaces/notifications/* •Microsoft.ApiManagement/service/workspaces/products/* •Microsoft.ApiManagement/service/workspaces/subscriptions/* •Microsoft.ApiManagement/service/workspaces/tags/* •Microsoft.Authorization/*/read •Microsoft.Insights/diagnosticSettings/*/read •Microsoft.insights/logs/ApiManagementGatewayLogs/read •Microsoft.insights/logs/read | ||||
| 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 | API Management Workspace Contributor | Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. | Integration | False |
00160 effective control plane operations (unique) •action: 10 •delete: 36 •read: 76 •write: 38 |
Actions: 005 resolved operations: 160 effective operations: 160 •action: 10 •delete: 36 •read: 76 •write: 38 •Microsoft.ApiManagement/service/workspaces/* •Microsoft.Authorization/*/read •Microsoft.Insights/diagnosticSettings/*/read •Microsoft.insights/logs/ApiManagementGatewayLogs/read •Microsoft.insights/logs/read | ||||
| ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 | API Management Workspace Reader | Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. | Integration | False |
00075 effective control plane operations (unique) •read: 75 |
Actions: 005 resolved operations: 75 effective operations: 75 •read: 75 •Microsoft.ApiManagement/service/workspaces/*/read •Microsoft.Authorization/*/read •Microsoft.Insights/diagnosticSettings/*/read •Microsoft.insights/logs/ApiManagementGatewayLogs/read •Microsoft.insights/logs/read | ||||
| 0f37683f-2463-46b6-9ce7-9b788b988ba2 | App Compliance Automation Administrator | Allows managing App Compliance Automation tool for Microsoft 365 | Security | False |
07265 effective control plane operations (unique) •action: 22 •delete: 6 •read: 7225 •write: 12 |
Actions: 028 resolved operations: 7265 effective operations: 7265 •action: 22 •delete: 6 •read: 7225 •write: 12 •*/read •Microsoft.AppComplianceAutomation/* •Microsoft.PolicyInsights/policyStates/queryResults/action •Microsoft.PolicyInsights/policyStates/triggerEvaluation/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/write •Microsoft.Resources/resources/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/delete •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/resources/read •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Resources/subscriptions/resources/read •Microsoft.Resources/tags/read •Microsoft.Security/automations/delete •Microsoft.Security/automations/read •Microsoft.Security/automations/write •Microsoft.Security/register/action •Microsoft.Security/unregister/action •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/write •Microsoft.Storage/storageAccounts/fileservices/write •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write | ||||
| ffc6bbe0-e443-4c3b-bf54-26581bb2f78e | App Compliance Automation Reader | Allows read-only access to App Compliance Automation tool for Microsoft 365 | Security | False |
07225 effective control plane operations (unique) •read: 7225 |
Actions: 001 resolved operations: 7225 effective operations: 7225 •read: 7225 •*/read | ||||
| fe86443c-f201-4fc4-9d2a-ac61149fbda0 | App Configuration Contributor | Grants permission for all management operations, except purge, for App Configuration resources. | Integration | False |
00093 effective control plane operations (unique) •action: 18 •delete: 10 •read: 54 •write: 11 |
Actions: 005 resolved operations: 94 effective operations: 93 •action: 18 •delete: 10 •read: 54 •write: 11 •Microsoft.AppConfiguration/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
NotActions: 001 resolved not operations: 1 effective not operations: 16743 •Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action | |||
| 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b | App Configuration Data Owner | Allows full access to App Configuration data. | Integration | False |
00006 effective data plane operations (unique) •action: 1 •delete: 1 •read: 2 •write: 2 |
DataActions: 004 resolved data operations: 7 effective data operations: 6 •action: 1 •delete: 1 •read: 2 •write: 2 •Microsoft.AppConfiguration/configurationStores/*/action •Microsoft.AppConfiguration/configurationStores/*/delete •Microsoft.AppConfiguration/configurationStores/*/read •Microsoft.AppConfiguration/configurationStores/*/write |
NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3565 •Microsoft.AppConfiguration/configurationStores/useSasAuth/action | |||
| 516239f1-63e1-4d78-a4de-a74fb236a071 | App Configuration Data Reader | Allows read access to App Configuration data. | Integration | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 001 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.AppConfiguration/configurationStores/*/read | ||||
| 7fd69092-c9bc-4b59-9e2e-bca63317e147 | App Configuration Data SAS User | Allows the usage of SAS tokens for authentication. | None | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppConfiguration/configurationStores/useSasAuth/action | ||||
| 175b81b9-6e0d-490a-85e4-0d422273c10c | App Configuration Reader | Grants permission for read operations for App Configuration resources. | Integration | False |
00051 effective control plane operations (unique) •read: 51 |
Actions: 005 resolved operations: 51 effective operations: 51 •read: 51 •Microsoft.AppConfiguration/*/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 8ea85a25-eb16-4e29-ab4d-6f2a26c711a2 | App Service Environment Contributor | Manage App Service Environments but not the App Service Plans or Websites that it hosts. | None | False |
00104 effective control plane operations (unique) •Action: 15 •Delete: 6 •read: 72 •Write: 11 |
Actions: 006 resolved operations: 104 effective operations: 104 •Action: 15 •Delete: 6 •read: 72 •Write: 11 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Web/hostingEnvironments/* | ||||
| fbc52c3f-28ad-4303-a892-8a056630b8f1 | AppGw for Containers Configuration Manager | Allows access and configuration updates to Application Gateway for Containers resource. | None | False |
00019 effective control plane and data plane operations (unique) •delete: 5 •read: 8 •write: 6 |
Actions: 016 resolved operations: 16 effective operations: 16 •delete: 4 •read: 7 •write: 5 •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.ServiceNetworking/trafficControllers/*/delete •Microsoft.ServiceNetworking/trafficControllers/*/read •Microsoft.ServiceNetworking/trafficControllers/*/write •Microsoft.ServiceNetworking/trafficControllers/associations/delete •Microsoft.ServiceNetworking/trafficControllers/associations/read •Microsoft.ServiceNetworking/trafficControllers/associations/write •Microsoft.ServiceNetworking/trafficControllers/delete •Microsoft.ServiceNetworking/trafficControllers/frontends/delete •Microsoft.ServiceNetworking/trafficControllers/frontends/read •Microsoft.ServiceNetworking/trafficControllers/frontends/write •Microsoft.ServiceNetworking/trafficControllers/read •Microsoft.ServiceNetworking/trafficControllers/write |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/delete •Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/read •Microsoft.ServiceNetworking/trafficControllers/serviceRoutingConfigurations/write | |||
| ca6382a4-1721-4bcf-a114-ff0c70227b6b | Application Group Contributor | Contributor of the Application Group. | None | False |
00077 effective control plane operations (unique) •action: 11 •delete: 5 •read: 53 •write: 8 |
Actions: 009 resolved operations: 77 effective operations: 77 •action: 11 •delete: 5 •read: 53 •write: 8 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/applicationgroups/* •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/workspaces/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| ae349356-3a1b-4a5e-921d-050484c6347e | Application Insights Component Contributor | Can manage Application Insights components | Monitor | False |
00141 effective control plane operations (unique) •Action: 18 •Delete: 15 •read: 88 •Write: 20 |
Actions: 013 resolved operations: 141 effective operations: 141 •Action: 18 •Delete: 15 •read: 88 •Write: 20 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/components/* •Microsoft.Insights/generateLiveToken/read •Microsoft.Insights/metricAlerts/* •Microsoft.Insights/scheduledqueryrules/* •Microsoft.Insights/topology/read •Microsoft.Insights/transactions/read •Microsoft.Insights/webtests/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 001 •Configure Azure Application Insights components to disable public network access for log ingestion and querying | |||
| 08954f03-6346-4c2e-81c0-ec3a5cfae23b | Application Insights Snapshot Debugger | Gives user permission to use Application Insights Snapshot Debugger features | Monitor | False |
00089 effective control plane operations (unique) •Action: 10 •Delete: 2 •read: 74 •Write: 3 |
Actions: 006 resolved operations: 89 effective operations: 89 •Action: 10 •Delete: 2 •read: 74 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/components/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| f6e92014-8af2-414d-9948-9b1abf559285 | Arc Gateway Manager | Manage Arc Gateway Resources | None | False |
00053 effective control plane operations (unique) •Action: 7 •delete: 3 •read: 39 •write: 4 |
Actions: 009 resolved operations: 53 effective operations: 53 •Action: 7 •delete: 3 •read: 39 •write: 4 •Microsoft.Authorization/*/read •Microsoft.HybridCompute/gateways/delete •Microsoft.HybridCompute/gateways/read •Microsoft.HybridCompute/gateways/write •Microsoft.HybridCompute/settings/read •Microsoft.HybridCompute/settings/write •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| bbf86eb8-f7b4-4cce-96e4-18cddf81d86e | Attestation Contributor | Can read write or delete the attestation provider instance | Security | False |
00003 effective control plane operations (unique) •delete: 1 •read: 1 •write: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Attestation/attestationProviders/attestation/delete •Microsoft.Attestation/attestationProviders/attestation/read •Microsoft.Attestation/attestationProviders/attestation/write | ||||
| fd1bd22b-8476-40bc-a0bc-69b95687b9f3 | Attestation Reader | Can read the attestation provider properties | Security | False |
00002 effective control plane operations (unique) •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Attestation/attestationProviders/attestation/read •Microsoft.Attestation/attestationProviders/read | ||||
| a8d01690-9418-4783-8ca2-9f0f1791783d | Auto Actions Contributor | Allows users to manage Auto Actions resources. | None | False |
00062 effective control plane operations (unique) •action: 18 •delete: 3 •read: 37 •write: 4 |
Actions: 018 resolved operations: 62 effective operations: 62 •action: 18 •delete: 3 •read: 37 •write: 4 •Microsoft.Authorization/*/read •Microsoft.ComputeSchedule/autoActions/attachResources/action •Microsoft.ComputeSchedule/autoActions/cancelNextOccurrence/action •Microsoft.ComputeSchedule/autoActions/delete •Microsoft.ComputeSchedule/autoActions/detachResources/action •Microsoft.ComputeSchedule/autoActions/disable/action •Microsoft.ComputeSchedule/autoActions/enable/action •Microsoft.ComputeSchedule/autoActions/listResources/action •Microsoft.ComputeSchedule/autoActions/occurrences/cancel/action •Microsoft.ComputeSchedule/autoActions/occurrences/delay/action •Microsoft.ComputeSchedule/autoActions/occurrences/listResources/action •Microsoft.ComputeSchedule/autoActions/patchResources/action •Microsoft.ComputeSchedule/autoActions/triggerManualOccurrence/action •Microsoft.ComputeSchedule/autoActions/write •Microsoft.ComputeSchedule/locations/OperationStatuses/write •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| f353d9bd-d4a6-484e-a77a-8050b599b867 | Automation Contributor | Manage azure automation resources and other resources using azure automation. | Management and governance | False |
00207 effective control plane operations (unique) •action: 35 •delete: 31 •read: 103 •write: 38 |
Actions: 011 resolved operations: 207 effective operations: 207 •action: 35 •delete: 31 •read: 103 •write: 38 •Microsoft.Authorization/*/read •Microsoft.Automation/automationAccounts/* •Microsoft.Insights/ActionGroups/* •Microsoft.Insights/ActivityLogAlerts/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Insights/MetricAlerts/* •Microsoft.Insights/ScheduledQueryRules/* •Microsoft.OperationalInsights/workspaces/sharedKeys/action •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 4fe576fe-1146-4730-92eb-48519fa6bf9f | Automation Job Operator | Create and Manage Jobs using Automation Runbooks. | Management and governance | False |
00066 effective control plane operations (unique) •action: 13 •Delete: 2 •read: 47 •write: 4 |
Actions: 013 resolved operations: 66 effective operations: 66 •action: 13 •Delete: 2 •read: 47 •write: 4 •Microsoft.Authorization/*/read •Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read •Microsoft.Automation/automationAccounts/jobs/output/read •Microsoft.Automation/automationAccounts/jobs/read •Microsoft.Automation/automationAccounts/jobs/resume/action •Microsoft.Automation/automationAccounts/jobs/stop/action •Microsoft.Automation/automationAccounts/jobs/streams/read •Microsoft.Automation/automationAccounts/jobs/suspend/action •Microsoft.Automation/automationAccounts/jobs/write •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| d3881f73-407a-4167-8283-e981cbba0404 | Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs | Management and governance | False |
00074 effective control plane operations (unique) •action: 13 •Delete: 2 •read: 53 •write: 6 |
Actions: 021 resolved operations: 74 effective operations: 74 •action: 13 •Delete: 2 •read: 53 •write: 6 •Microsoft.Authorization/*/read •Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read •Microsoft.Automation/automationAccounts/jobs/output/read •Microsoft.Automation/automationAccounts/jobs/read •Microsoft.Automation/automationAccounts/jobs/resume/action •Microsoft.Automation/automationAccounts/jobs/stop/action •Microsoft.Automation/automationAccounts/jobs/streams/read •Microsoft.Automation/automationAccounts/jobs/suspend/action •Microsoft.Automation/automationAccounts/jobs/write •Microsoft.Automation/automationAccounts/jobSchedules/read •Microsoft.Automation/automationAccounts/jobSchedules/write •Microsoft.Automation/automationAccounts/linkedWorkspace/read •Microsoft.Automation/automationAccounts/read •Microsoft.Automation/automationAccounts/runbooks/read •Microsoft.Automation/automationAccounts/schedules/read •Microsoft.Automation/automationAccounts/schedules/write •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 | Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. | Management and governance | False |
00059 effective control plane operations (unique) •Action: 10 •Delete: 2 •read: 44 •Write: 3 |
Actions: 006 resolved operations: 59 effective operations: 59 •Action: 10 •Delete: 2 •read: 44 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Automation/automationAccounts/runbooks/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| b8b15564-4fa6-4a59-ab12-03e1d9594795 | Autonomous Development Platform Data Contributor (Preview) | Grants permissions to upload and manage new Autonomous Development Platform measurements. | None | False |
00033 effective control plane and data plane operations (unique) •read: 33 |
Actions: 003 resolved operations: 32 effective operations: 32 •read: 32 •Microsoft.Authorization/*/read •Microsoft.AutonomousDevelopmentPlatform/*/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 012 resolved data operations: 3 effective data operations: 1 •read: 1 •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/discoveries/* •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurementCollections/* •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/* •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/uploads/* •Microsoft.AutonomousDevelopmentPlatform/accounts/measurementCollections/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/discoveries/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurementCollections/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/classifications/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/dataStreams/classifications/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/* •Microsoft.AutonomousDevelopmentPlatform/workspaces/read •Microsoft.AutonomousDevelopmentPlatform/workspaces/uploads/* |
NotDataActions: 002 resolved not data operations: 2 effective not data operations: 3570 •Microsoft.AutonomousDevelopmentPlatform/accounts/dataPools/measurements/states/new/changeState/action •Microsoft.AutonomousDevelopmentPlatform/workspaces/measurements/states/new/changeState/action | ||
| 27f8b550-c507-4db9-86f2-f4b8e816d59d | Autonomous Development Platform Data Owner (Preview) | Grants full access to Autonomous Development Platform data. | None | False |
00035 effective control plane and data plane operations (unique) •action: 2 •read: 33 |
Actions: 003 resolved operations: 32 effective operations: 32 •read: 32 •Microsoft.Authorization/*/read •Microsoft.AutonomousDevelopmentPlatform/*/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 3 effective data operations: 3 •action: 2 •read: 1 •Microsoft.AutonomousDevelopmentPlatform/* | |||
| d63b75f7-47ea-4f27-92ac-e0d173aaf093 | Autonomous Development Platform Data Reader (Preview) | Grants read access to Autonomous Development Platform data. | None | False |
00033 effective control plane and data plane operations (unique) •read: 33 |
Actions: 003 resolved operations: 32 effective operations: 32 •read: 32 •Microsoft.Authorization/*/read •Microsoft.AutonomousDevelopmentPlatform/*/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.AutonomousDevelopmentPlatform/*/read | |||
| 4f8fab4f-1852-4a58-a46a-8eaf358af14a | Avere Contributor | Can create and manage an Avere vFXT cluster. | Storage | False |
00730 effective control plane and data plane operations (unique) •action: 83 •delete: 28 •read: 574 •write: 45 |
Actions: 020 resolved operations: 727 effective operations: 727 •action: 83 •delete: 27 •read: 573 •write: 44 •Microsoft.Authorization/*/read •Microsoft.Compute/*/read •Microsoft.Compute/availabilitySets/* •Microsoft.Compute/disks/* •Microsoft.Compute/proximityPlacementGroups/* •Microsoft.Compute/virtualMachines/* •Microsoft.Insights/alertRules/* •Microsoft.Network/*/read •Microsoft.Network/networkInterfaces/* •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/resources/read •Microsoft.Storage/*/read •Microsoft.Storage/storageAccounts/* •Microsoft.Support/* |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| c025889f-8102-4ebf-b32c-fc0c6f0c6bd9 | Avere Operator | Used by the Avere vFXT cluster to manage the cluster | Storage | False |
00014 effective control plane and data plane operations (unique) •action: 2 •delete: 2 •read: 7 •write: 3 |
Actions: 011 resolved operations: 11 effective operations: 11 •action: 2 •delete: 1 •read: 6 •write: 2 •Microsoft.Compute/virtualMachines/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/blobServices/containers/delete •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| 49fc33c1-886f-4b21-a00e-1d9993234734 | AVS on Fleet VIS Role | Do not remove this role from your resource because it is critical to enable your AVS private cloud to operate. If the role is removed, it will cause your AVS private cloud control plane to no longer operate correctly. The role is used to enable the AVS private cloud control plane to inject address prefix changes of the private clouds attached virtual network to SDN and support peering sync feature. This role is not intended for use cases outside of assignment to the associated AVS identity in your entra-id tenant. |
None | True |
00021 effective control plane operations (unique) •action: 9 •delete: 1 •read: 7 •write: 4 |
Actions: 021 resolved operations: 21 effective operations: 21 •action: 9 •delete: 1 •read: 7 •write: 4 •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/read •Microsoft.BareMetal/peeringSettings/read •Microsoft.Network/ddosProtectionPlans/join/action •Microsoft.Network/natGateways/join/action •Microsoft.Network/networkIntentPolicies/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/routeTables/join/action •Microsoft.Network/serviceEndpointPolicies/join/action •Microsoft.Network/virtualNetworks/peer/action •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write •Microsoft.Network/virtualNetworks/write •Microsoft.Resources/subscriptions/resourcegroups/read | ||||
| d715fb95-a0f0-4f1c-8be6-5ad2d2767f67 | AVS Orchestrator Role | Do not remove this role from your resource group because it is critical to enable your AVS private cloud to operate. If the role is removed, it will cause your AVS private cloud control plane to no longer operate correctly. The role is used to enable the AVS private cloud control plane to create the supporting resources in the resource group of the private clouds attached virtual network and bind them to the attached virtual network. This role is not intended for use cases outside of assignment to the associated AVS identity in your entra-id tenant. |
None | True |
00056 effective control plane operations (unique) •action: 8 •delete: 13 •read: 20 •write: 15 |
Actions: 058 resolved operations: 56 effective operations: 56 •action: 8 •delete: 13 •read: 20 •write: 15 •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/read •Microsoft.Network/locations/operationResults/read •Microsoft.Network/locations/operations/read •Microsoft.Network/networkIntentPolicies/delete •Microsoft.Network/networkIntentPolicies/read •Microsoft.Network/networkIntentPolicies/write •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkSecurityGroups/delete •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/securityRules/delete •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/networkSecurityGroups/securityRules/write •Microsoft.Network/networkSecurityGroups/write •Microsoft.Network/publicIPAddresses/delete •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/publicIPAddresses/write •Microsoft.Network/routeTables/delete •Microsoft.Network/routeTables/join/action •Microsoft.Network/routeTables/read •Microsoft.Network/routeTables/routes/delete •Microsoft.Network/routeTables/routes/read •Microsoft.Network/routeTables/routes/write •Microsoft.Network/routeTables/write •Microsoft.Network/virtualHubs/bgpConnections/read •Microsoft.Network/virtualHubs/bgpConnections/write •Microsoft.Network/virtualHubs/delete •Microsoft.Network/virtualHubs/ipConfigurations/read •Microsoft.Network/virtualHubs/ipConfigurations/write •Microsoft.Network/virtualHubs/write •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/peer/action •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/delete •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/prepareNetworkPolicies/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete •Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/delete •Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/read •Microsoft.Network/virtualNetworks/subnets/serviceAssociationLinks/write •Microsoft.Network/virtualNetworks/subnets/unprepareNetworkPolicies/action •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write •Microsoft.Network/virtualNetworks/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationStatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/read | ||||
| e47c6f54-e4a2-4754-9501-8e0985b135e1 | Azure AI Account Owner | Grants full access to manage AI projects and accounts. Grants conditional assignment of the Azure AI User role to other user principles. | None | True |
00174 effective control plane operations (unique) •action: 26 •delete: 24 •read: 97 •write: 27 |
Actions: 020 resolved operations: 174 effective operations: 174 •action: 26 •delete: 24 •read: 97 •write: 27 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.CognitiveServices/* •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Features/providers/features/register/action •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Insights/logDefinitions/read •Microsoft.Insights/metricdefinitions/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| b78c5d69-af96-48a3-bf8d-a8b4d589de94 | Azure AI Administrator | A Built-In Role that has all control plane permissions to work with Azure AI and its dependencies. | None | False |
01268 effective control plane operations (unique) •action: 270 •delete: 192 •read: 545 •write: 261 |
Actions: 039 resolved operations: 1268 effective operations: 1268 •action: 270 •delete: 192 •read: 545 •write: 261 •Microsoft.Authorization/*/read •Microsoft.CognitiveServices/* •Microsoft.ContainerRegistry/registries/* •Microsoft.DataFactory/factories/* •Microsoft.DocumentDb/databaseAccounts/* •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Features/providers/features/register/action •Microsoft.Insights/alertRules/* •Microsoft.Insights/components/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Insights/generateLiveToken/read •Microsoft.Insights/logDefinitions/read •Microsoft.Insights/metricAlerts/* •Microsoft.Insights/metricdefinitions/read •Microsoft.Insights/metrics/read •Microsoft.Insights/scheduledqueryrules/* •Microsoft.Insights/topology/read •Microsoft.Insights/transactions/read •Microsoft.Insights/webtests/* •Microsoft.KeyVault/* •Microsoft.MachineLearningServices/workspaces/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Search/searchServices/delete •Microsoft.Search/searchServices/indexes/* •Microsoft.Search/searchServices/listAdminKeys/action •Microsoft.Search/searchServices/privateEndpointConnections/* •Microsoft.Search/searchServices/read •Microsoft.Search/searchServices/write •Microsoft.Storage/storageAccounts/* •Microsoft.Support/* | ||||
| 64702f94-c441-49e6-a78b-ef80e0188fee | Azure AI Developer | Can perform all actions within an Azure AI resource besides managing the resource itself. | AI + machine learning | False |
00533 effective control plane and data plane operations (unique) •action: 125 •delete: 92 •read: 203 •write: 113 |
Actions: 007 resolved operations: 333 effective operations: 325 •action: 59 •delete: 58 •read: 139 •write: 69 •Microsoft.Authorization/*/read •Microsoft.MachineLearningServices/locations/*/read •Microsoft.MachineLearningServices/workspaces/*/action •Microsoft.MachineLearningServices/workspaces/*/delete •Microsoft.MachineLearningServices/workspaces/*/read •Microsoft.MachineLearningServices/workspaces/*/write •Microsoft.Resources/deployments/* |
NotActions: 010 resolved not operations: 10 effective not operations: 16511 •Microsoft.MachineLearningServices/workspaces/delete •Microsoft.MachineLearningServices/workspaces/evaluations/results/labels/read •Microsoft.MachineLearningServices/workspaces/evaluations/results/reasonings/read •Microsoft.MachineLearningServices/workspaces/featurestores/delete •Microsoft.MachineLearningServices/workspaces/featurestores/write •Microsoft.MachineLearningServices/workspaces/hubs/delete •Microsoft.MachineLearningServices/workspaces/hubs/write •Microsoft.MachineLearningServices/workspaces/listKeys/action •Microsoft.MachineLearningServices/workspaces/simulations/results/images/read •Microsoft.MachineLearningServices/workspaces/write |
DataActions: 004 resolved data operations: 208 effective data operations: 208 •action: 66 •delete: 34 •read: 64 •write: 44 •Microsoft.CognitiveServices/accounts/ContentSafety/* •Microsoft.CognitiveServices/accounts/MaaS/* •Microsoft.CognitiveServices/accounts/OpenAI/* •Microsoft.CognitiveServices/accounts/SpeechServices/* | ||
| b556d68e-0be0-4f35-a333-ad7ee1ce17ea | Azure AI Enterprise Network Connection Approver | Can approve private endpoint connections to Azure AI common dependency resources | AI + machine learning | False |
00088 effective control plane operations (unique) •action: 16 •read: 53 •write: 19 |
Actions: 088 resolved operations: 88 effective operations: 88 •action: 16 •read: 53 •write: 19 •Microsoft.ApiManagement/service/privateEndpointConnections/read •Microsoft.ApiManagement/service/privateEndpointConnections/write •Microsoft.ApiManagement/service/privateLinkResources/read •Microsoft.ApiManagement/service/read •Microsoft.Cache/redis/privateEndpointConnections/read •Microsoft.Cache/redis/privateEndpointConnections/write •Microsoft.Cache/redis/privateEndpointConnectionsApproval/action •Microsoft.Cache/redis/privateLinkResources/read •Microsoft.Cache/redis/read •Microsoft.Cache/redisEnterprise/privateEndpointConnections/read •Microsoft.Cache/redisEnterprise/privateEndpointConnections/write •Microsoft.Cache/redisEnterprise/privateEndpointConnectionsApproval/action •Microsoft.Cache/redisEnterprise/privateLinkResources/read •Microsoft.Cache/redisEnterprise/read •Microsoft.CognitiveServices/accounts/privateEndpointConnections/read •Microsoft.CognitiveServices/accounts/privateEndpointConnections/write •Microsoft.CognitiveServices/accounts/privateLinkResources/read •Microsoft.CognitiveServices/accounts/read •Microsoft.ContainerRegistry/registries/privateEndpointConnections/read •Microsoft.ContainerRegistry/registries/privateEndpointConnections/write •Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action •Microsoft.DBforMySQL/flexibleServers/privateEndpointConnections/read •Microsoft.DBforMySQL/flexibleServers/privateEndpointConnections/write •Microsoft.DBforMySQL/flexibleServers/privateEndpointConnectionsApproval/action •Microsoft.DBforMySQL/flexibleServers/privateLinkResources/read •Microsoft.DBforMySQL/flexibleServers/read •Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/read •Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnections/write •Microsoft.DBforPostgreSQL/flexibleServers/privateEndpointConnectionsApproval/action •Microsoft.DBforPostgreSQL/flexibleServers/privateLinkResources/read •Microsoft.DBforPostgreSQL/flexibleServers/read •Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnections/read •Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnections/write •Microsoft.DBforPostgreSQL/serverGroupsv2/privateEndpointConnectionsApproval/action •Microsoft.DBforPostgreSQL/serverGroupsv2/privateLinkResources/read •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/read •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/write •Microsoft.DocumentDB/databaseAccounts/privateEndpointConnectionsApproval/action •Microsoft.DocumentDB/databaseAccounts/privateLinkResources/read •Microsoft.DocumentDB/databaseAccounts/read •Microsoft.EventHub/namespaces/privateEndpointConnections/read •Microsoft.EventHub/namespaces/privateEndpointConnections/write •Microsoft.EventHub/namespaces/privateEndpointConnectionsApproval/action •Microsoft.EventHub/namespaces/privateLinkResources/read •Microsoft.EventHub/namespaces/read •Microsoft.Insights/privatelinkscopes/privateEndpointConnections/read •Microsoft.Insights/privatelinkscopes/privateEndpointConnections/write •Microsoft.Insights/privatelinkscopes/privateEndpointConnectionsApproval/action •Microsoft.Insights/privatelinkscopes/privateLinkResources/read •Microsoft.Insights/privatelinkscopes/read •Microsoft.KeyVault/vaults/privateEndpointConnections/read •Microsoft.KeyVault/vaults/privateEndpointConnections/write •Microsoft.KeyVault/vaults/privateEndpointConnectionsApproval/action •Microsoft.KeyVault/vaults/privateLinkResources/read •Microsoft.KeyVault/vaults/read •Microsoft.MachineLearningServices/registries/privateEndpointConnections/read •Microsoft.MachineLearningServices/registries/privateEndpointConnections/write •Microsoft.MachineLearningServices/registries/privateEndpointConnectionsApproval/action •Microsoft.MachineLearningServices/registries/privateLinkResources/read •Microsoft.MachineLearningServices/registries/read •Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/read •Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/write •Microsoft.MachineLearningServices/workspaces/privateEndpointConnectionsApproval/action •Microsoft.MachineLearningServices/workspaces/privateLinkResources/read •Microsoft.MachineLearningServices/workspaces/read •Microsoft.Network/applicationGateways/privateEndpointConnections/read •Microsoft.Network/applicationGateways/privateEndpointConnections/write •Microsoft.Network/applicationGateways/privateLinkResources/read •Microsoft.Network/applicationGateways/read •Microsoft.Network/privateLinkServices/privateEndpointConnections/read •Microsoft.Network/privateLinkServices/privateEndpointConnections/write •Microsoft.Network/privateLinkServices/privateEndpointConnectionsApproval/action •Microsoft.Network/privateLinkServices/read •Microsoft.Search/searchServices/privateEndpointConnections/read •Microsoft.Search/searchServices/privateEndpointConnections/write •Microsoft.Search/searchServices/privateEndpointConnectionsApproval/action •Microsoft.Search/searchServices/read •Microsoft.Search/searchServices/sharedPrivateLinkResources/read •Microsoft.Sql/servers/privateEndpointConnections/read •Microsoft.Sql/servers/privateEndpointConnections/write •Microsoft.Sql/servers/privateEndpointConnectionsApproval/action •Microsoft.Sql/servers/privateLinkResources/read •Microsoft.Sql/servers/read •Microsoft.Storage/storageAccounts/privateEndpointConnections/read •Microsoft.Storage/storageAccounts/privateEndpointConnections/write •Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action •Microsoft.Storage/storageAccounts/privateLinkResources/read •Microsoft.Storage/storageAccounts/read | ||||
| 3afb7f49-54cb-416e-8c09-6dc049efa503 | Azure AI Inference Deployment Operator | Can perform all actions required to create a resource deployment within a resource group. | AI + machine learning | False |
00041 effective control plane operations (unique) •action: 4 •delete: 1 •read: 34 •Write: 2 |
Actions: 003 resolved operations: 41 effective operations: 41 •action: 4 •delete: 1 •read: 34 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/AutoscaleSettings/write •Microsoft.Resources/deployments/* | ||||
| eadc314b-1a2d-4efa-be10-5d325db5065e | Azure AI Project Manager | Lets you perform developer actions and management actions on Azure AI Foundry Projects. Allows for making role assignments, but limited to Cognitive Service User role. | None | True |
01625 effective control plane and data plane operations (unique) •action: 458 •delete: 226 •read: 681 •write: 260 |
Actions: 009 resolved operations: 89 effective operations: 89 •action: 8 •delete: 6 •read: 69 •write: 6 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.CognitiveServices/accounts/*/read •Microsoft.CognitiveServices/accounts/projects/* •Microsoft.CognitiveServices/locations/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 1536 effective data operations: 1536 •action: 450 •delete: 220 •read: 612 •write: 254 •Microsoft.CognitiveServices/* | |||
| 11102f94-c441-49e6-a78b-ef80e0188abc | Azure AI Safety Evaluator | This role can perform all actions under workspace evaluations and simulations. | None | False |
00007 effective control plane operations (unique) •read: 5 •write: 2 |
Actions: 002 resolved operations: 7 effective operations: 7 •read: 5 •write: 2 •Microsoft.MachineLearningServices/workspaces/evaluations/* •Microsoft.MachineLearningServices/workspaces/simulations/* | ||||
| 53ca6127-db72-4b80-b1b0-d745d6d5456d | Azure AI User | Grants reader access to AI projects, reader access to AI accounts, and data actions for an AI project. | None | False |
01607 effective control plane and data plane operations (unique) •action: 458 •delete: 221 •read: 672 •write: 256 |
Actions: 013 resolved operations: 71 effective operations: 71 •action: 8 •delete: 1 •read: 60 •write: 2 •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/listkeys/action •Microsoft.Insights/alertRules/read •Microsoft.Insights/diagnosticSettings/read •Microsoft.Insights/logDefinitions/read •Microsoft.Insights/metricdefinitions/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 001 resolved data operations: 1536 effective data operations: 1536 •action: 450 •delete: 220 •read: 612 •write: 254 •Microsoft.CognitiveServices/* | |||
| ede9aaa3-4627-494e-be13-4aa7c256148d | Azure API Center Compliance Manager | Allows managing API compliance in Azure API Center service. | Integration | False |
00021 effective control plane operations (unique) •action: 2 •read: 19 |
Actions: 003 resolved operations: 21 effective operations: 21 •action: 2 •read: 19 •Microsoft.ApiCenter/services/*/read •Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action •Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAnalysisState/action | ||||
| 1df7cd83-1d3f-41df-95b0-53b30d963369 | Azure API Center Credential Access Reader | Allows for access to Azure API Center data plane get credentials operations. | None | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.ApiCenter/services/workspaces/apis/versions/securityRequirements/getCredentials/action •Microsoft.ApiCenter/services/workspaces/apis/versions/securityRequirements/read | ||||
| c7244dfb-f447-457d-b2ba-3999044d1706 | Azure API Center Data Reader | Allows for access to Azure API Center data plane read operations. | Integration | False |
00008 effective data plane operations (unique) •action: 2 •read: 6 |
DataActions: 003 resolved data operations: 8 effective data operations: 8 •action: 2 •read: 6 •Microsoft.ApiCenter/services/*/read •Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action •Microsoft.ApiCenter/services/workspaces/search/action | ||||
| dd24193f-ef65-44e5-8a7e-6fa6e03f7713 | Azure API Center Service Contributor | Allows managing Azure API Center service. | Integration | False |
00113 effective control plane operations (unique) •action: 19 •delete: 18 •read: 59 •write: 17 |
Actions: 007 resolved operations: 114 effective operations: 113 •action: 19 •delete: 18 •read: 59 •write: 17 •Microsoft.ApiCenter/deletedServices/* •Microsoft.ApiCenter/services/* •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
NotActions: 001 resolved not operations: 1 effective not operations: 16723 •Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAnalysisState/action | |||
| 6cba8790-29c5-48e5-bab1-c7541b01cb04 | Azure API Center Service Reader | Allows read-only access to Azure API Center service. | Integration | False |
00069 effective control plane operations (unique) •action: 8 •Delete: 2 •read: 57 •Write: 2 |
Actions: 007 resolved operations: 69 effective operations: 69 •action: 8 •Delete: 2 •read: 57 •Write: 2 •Microsoft.ApiCenter/services/*/read •Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 00493d72-78f6-4148-b6c5-d3ce8e4799dd | Azure Arc Enabled Kubernetes Cluster User Role | List cluster user credentials action. | Containers | False |
00054 effective control plane operations (unique) •Action: 8 •Delete: 1 •read: 42 •Write: 3 |
Actions: 009 resolved operations: 54 effective operations: 54 •Action: 8 •Delete: 1 •read: 42 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action •Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| dffb1e0c-446f-4dde-a09f-99eb5cc68b96 | Azure Arc Kubernetes Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | Containers | False |
00138 effective control plane and data plane operations (unique) •Action: 10 •Delete: 26 •read: 73 •Write: 29 |
Actions: 007 resolved operations: 52 effective operations: 52 •Action: 6 •Delete: 1 •read: 42 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 033 resolved data operations: 86 effective data operations: 86 •action: 4 •delete: 25 •read: 31 •write: 26 •Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read •Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* •Microsoft.Kubernetes/connectedClusters/apps/deployments/* •Microsoft.Kubernetes/connectedClusters/apps/replicasets/* •Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* •Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectaccessreviews/write •Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* •Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* •Microsoft.Kubernetes/connectedClusters/batch/jobs/* •Microsoft.Kubernetes/connectedClusters/configmaps/* •Microsoft.Kubernetes/connectedClusters/endpoints/* •Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read •Microsoft.Kubernetes/connectedClusters/events/read •Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* •Microsoft.Kubernetes/connectedClusters/extensions/deployments/* •Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* •Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* •Microsoft.Kubernetes/connectedClusters/limitranges/read •Microsoft.Kubernetes/connectedClusters/namespaces/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* •Microsoft.Kubernetes/connectedClusters/pods/* •Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* •Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindings/* •Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/resourcequotas/read •Microsoft.Kubernetes/connectedClusters/secrets/* •Microsoft.Kubernetes/connectedClusters/serviceaccounts/* •Microsoft.Kubernetes/connectedClusters/services/* | |||
| 8393591c-06b9-48a2-a542-1bd6b377f6a2 | Azure Arc Kubernetes Cluster Admin | Lets you manage all resources in the cluster. | Containers | False |
00362 effective control plane and data plane operations (unique) •Action: 16 •Delete: 58 •read: 222 •Write: 66 |
Actions: 007 resolved operations: 52 effective operations: 52 •Action: 6 •Delete: 1 •read: 42 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 001 resolved data operations: 310 effective data operations: 310 •action: 10 •delete: 57 •read: 180 •write: 63 •Microsoft.Kubernetes/connectedClusters/* | |||
| 63f0a09d-1495-4db4-a681-037d84835eb4 | Azure Arc Kubernetes Viewer | Lets you view all resources in cluster/namespace, except secrets. | Containers | False |
00080 effective control plane and data plane operations (unique) •Action: 6 •Delete: 1 •read: 70 •Write: 3 |
Actions: 007 resolved operations: 52 effective operations: 52 •Action: 6 •Delete: 1 •read: 42 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 029 resolved data operations: 28 effective data operations: 28 •read: 28 •Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read •Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read •Microsoft.Kubernetes/connectedClusters/apps/deployments/read •Microsoft.Kubernetes/connectedClusters/apps/replicasets/read •Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read •Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/read •Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read •Microsoft.Kubernetes/connectedClusters/batch/jobs/read •Microsoft.Kubernetes/connectedClusters/configmaps/read •Microsoft.Kubernetes/connectedClusters/endpoints/read •Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read •Microsoft.Kubernetes/connectedClusters/events/read •Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read •Microsoft.Kubernetes/connectedClusters/extensions/deployments/read •Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read •Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read •Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read •Microsoft.Kubernetes/connectedClusters/limitranges/read •Microsoft.Kubernetes/connectedClusters/namespaces/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/read •Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read •Microsoft.Kubernetes/connectedClusters/pods/read •Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read •Microsoft.Kubernetes/connectedClusters/resourcequotas/read •Microsoft.Kubernetes/connectedClusters/serviceaccounts/read •Microsoft.Kubernetes/connectedClusters/services/read | |||
| 5b999177-9696-4545-85c7-50de3797e5a1 | Azure Arc Kubernetes Writer | Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. | Containers | False |
00129 effective control plane and data plane operations (unique) •Action: 8 •Delete: 24 •read: 71 •Write: 26 |
Actions: 007 resolved operations: 52 effective operations: 52 •Action: 6 •Delete: 1 •read: 42 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 030 resolved data operations: 77 effective data operations: 77 •action: 2 •delete: 23 •read: 29 •write: 23 •Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read •Microsoft.Kubernetes/connectedClusters/apps/daemonsets/* •Microsoft.Kubernetes/connectedClusters/apps/deployments/* •Microsoft.Kubernetes/connectedClusters/apps/replicasets/* •Microsoft.Kubernetes/connectedClusters/apps/statefulsets/* •Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers/* •Microsoft.Kubernetes/connectedClusters/batch/cronjobs/* •Microsoft.Kubernetes/connectedClusters/batch/jobs/* •Microsoft.Kubernetes/connectedClusters/configmaps/* •Microsoft.Kubernetes/connectedClusters/endpoints/* •Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read •Microsoft.Kubernetes/connectedClusters/events/read •Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/* •Microsoft.Kubernetes/connectedClusters/extensions/deployments/* •Microsoft.Kubernetes/connectedClusters/extensions/ingresses/* •Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/extensions/replicasets/* •Microsoft.Kubernetes/connectedClusters/limitranges/read •Microsoft.Kubernetes/connectedClusters/namespaces/read •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/* •Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/* •Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/* •Microsoft.Kubernetes/connectedClusters/pods/* •Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/replicationcontrollers/* •Microsoft.Kubernetes/connectedClusters/resourcequotas/read •Microsoft.Kubernetes/connectedClusters/secrets/* •Microsoft.Kubernetes/connectedClusters/serviceaccounts/* •Microsoft.Kubernetes/connectedClusters/services/* | |||
| a92dfd61-77f9-4aec-a531-19858b406c87 | Azure Arc ScVmm Administrator role | Arc ScVmm VM Administrator has permissions to perform all ScVmm actions. | Hybrid + multicloud | False |
00128 effective control plane operations (unique) •action: 23 •delete: 16 •read: 72 •write: 17 |
Actions: 057 resolved operations: 128 effective operations: 128 •action: 23 •delete: 16 •read: 72 •write: 17 •Microsoft.Authorization/*/read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.HybridCompute/licenses/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ScVmm/* | ||||
| c0781e91-8102-4553-8951-97c6d4243cda | Azure Arc ScVmm Private Cloud User | Azure Arc ScVmm Private Cloud User has permissions to use the ScVmm resources to deploy VMs. | Hybrid + multicloud | False |
00064 effective control plane operations (unique) •action: 11 •Delete: 2 •read: 48 •Write: 3 |
Actions: 034 resolved operations: 64 effective operations: 64 •action: 11 •Delete: 2 •read: 48 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/enabledresourcetypes/read •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read •microsoft.scvmm/clouds/deploy/action •microsoft.scvmm/clouds/Read •microsoft.scvmm/virtualmachinetemplates/clone/action •microsoft.scvmm/virtualmachinetemplates/Read •microsoft.scvmm/virtualnetworks/join/action •microsoft.scvmm/virtualnetworks/Read | ||||
| 6aac74c4-6311-40d2-bbdd-7d01e7c6e3a9 | Azure Arc ScVmm Private Clouds Onboarding | Azure Arc ScVmm Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vmm server instances to Azure. | Hybrid + multicloud | False |
00060 effective control plane operations (unique) •action: 8 •Delete: 3 •read: 45 •Write: 4 |
Actions: 030 resolved operations: 60 effective operations: 60 •action: 8 •Delete: 3 •read: 45 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read •microsoft.scvmm/vmmservers/Delete •microsoft.scvmm/vmmservers/Read •microsoft.scvmm/vmmservers/Write | ||||
| e582369a-e17b-42a5-b10c-874c387c530b | Azure Arc ScVmm VM Contributor | Arc ScVmm VM Contributor has permissions to perform all VM actions. | Hybrid + multicloud | False |
00100 effective control plane operations (unique) •action: 17 •delete: 10 •read: 63 •write: 10 |
Actions: 058 resolved operations: 100 effective operations: 100 •action: 17 •delete: 10 •read: 63 •write: 10 •Microsoft.Authorization/*/read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.HybridCompute/licenses/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read •microsoft.scvmm/virtualMachineInstances/* •microsoft.scvmm/virtualmachines/* | ||||
| ddc140ed-e463-4246-9145-7c664192013f | Azure Arc VMware Administrator role | Arc VMware VM Contributor has permissions to perform all connected VMwarevSphere actions. | None | False |
00150 effective control plane operations (unique) •action: 29 •Delete: 20 •read: 79 •Write: 22 |
Actions: 058 resolved operations: 150 effective operations: 150 •action: 29 •Delete: 20 •read: 79 •Write: 22 •Microsoft.Authorization/*/read •Microsoft.ConnectedVMwarevSphere/* •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/read •Microsoft.HybridCompute/licenses/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| ce551c02-7c42-47e0-9deb-e3b6fc3a9a83 | Azure Arc VMware Private Cloud User | Azure Arc VMware Private Cloud User has permissions to use the VMware cloud resources to deploy VMs. | None | False |
00070 effective control plane operations (unique) •action: 14 •Delete: 2 •read: 51 •Write: 3 |
Actions: 040 resolved operations: 70 effective operations: 70 •action: 14 •Delete: 2 •read: 51 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.ConnectedVMwarevSphere/clusters/deploy/action •Microsoft.ConnectedVMwarevSphere/clusters/Read •Microsoft.ConnectedVMwarevSphere/datastores/allocateSpace/action •Microsoft.ConnectedVMwarevSphere/datastores/Read •Microsoft.ConnectedVMwarevSphere/hosts/deploy/action •Microsoft.ConnectedVMwarevSphere/hosts/Read •Microsoft.ConnectedVMwarevSphere/resourcepools/deploy/action •Microsoft.ConnectedVMwarevSphere/resourcepools/Read •Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/clone/action •Microsoft.ConnectedVMwarevSphere/virtualmachinetemplates/Read •Microsoft.ConnectedVMwarevSphere/virtualnetworks/join/action •Microsoft.ConnectedVMwarevSphere/virtualnetworks/Read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 67d33e57-3129-45e6-bb0b-7cc522f762fa | Azure Arc VMware Private Clouds Onboarding | Azure Arc VMware Private Clouds Onboarding role has permissions to provision all the required resources for onboard and deboard vCenter instances to Azure. | None | False |
00074 effective control plane operations (unique) •action: 9 •delete: 7 •read: 50 •write: 8 |
Actions: 044 resolved operations: 74 effective operations: 74 •action: 9 •delete: 7 •read: 50 •write: 8 •Microsoft.Authorization/*/read •Microsoft.BackupSolutions/vmwareapplications/delete •Microsoft.BackupSolutions/vmwareapplications/read •Microsoft.BackupSolutions/vmwareapplications/write •Microsoft.ConnectedVMwarevSphere/vcenters/Delete •Microsoft.ConnectedVMwarevSphere/vcenters/Read •Microsoft.ConnectedVMwarevSphere/vcenters/Write •Microsoft.ExtendedLocation/customLocations/Delete •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.ExtendedLocation/customLocations/Write •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.KubernetesConfiguration/extensions/Delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/extensions/Read •Microsoft.KubernetesConfiguration/extensions/Write •Microsoft.KubernetesConfiguration/operations/read •Microsoft.ResourceConnector/appliances/Delete •Microsoft.ResourceConnector/appliances/listClusterUserCredential/action •Microsoft.ResourceConnector/appliances/Read •Microsoft.ResourceConnector/appliances/Write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b748a06d-6150-4f8a-aaa9-ce3940cd96cb | Azure Arc VMware VM Contributor | Arc VMware VM Contributor has permissions to perform all VM actions. | Compute | False |
00108 effective control plane operations (unique) •action: 19 •Delete: 12 •read: 64 •Write: 13 |
Actions: 056 resolved operations: 108 effective operations: 108 •action: 19 •Delete: 12 •read: 64 •Write: 13 •Microsoft.Authorization/*/read •Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/* •Microsoft.ConnectedVMwarevSphere/virtualmachines/* •Microsoft.HybridCompute/licenses/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 8d6517c1-e434-405c-9f3f-e0ae65085d76 | Azure Automanage Contributor | Azure Automanage Contributor | None | False |
00033 effective control plane operations (unique) •Action: 2 •Delete: 8 •Read: 14 •Write: 9 |
Actions: 001 resolved operations: 33 effective operations: 33 •Action: 2 •Delete: 8 •Read: 14 •Write: 9 •Microsoft.Automanage/* | ||||
| afc680e2-a938-412d-b213-9a49efa7fb83 | Azure Backup Snapshot Contributor | Provide permissions to backup identity to manage RPC snapshots | None | False |
00041 effective control plane operations (unique) •action: 1 •delete: 1 •read: 35 •write: 4 |
Actions: 011 resolved operations: 41 effective operations: 41 •action: 1 •delete: 1 •read: 35 •write: 4 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/disks/delete •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/restorePointCollections/read •Microsoft.Compute/restorePointCollections/restorePoints/read •Microsoft.Compute/restorePointCollections/restorePoints/write •Microsoft.Compute/restorePointCollections/write •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write | ||||
| 29fe4964-1e60-436b-bd3a-77fd4c178b3c | Azure Batch Account Contributor | Grants full access to manage all Batch resources, including Batch accounts, pools and jobs. | None | False |
00102 effective control plane and data plane operations (unique) •action: 17 •delete: 12 •read: 60 •write: 13 |
Actions: 005 resolved operations: 96 effective operations: 96 •action: 17 •delete: 10 •read: 58 •write: 11 •Microsoft.Authorization/*/read •Microsoft.Batch/batchAccounts/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 6 effective data operations: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.Batch/batchAccounts/* | |||
| 11076f67-66f6-4be0-8f6b-f0609fd05cc9 | Azure Batch Account Reader | Lets you view all resources including pools and jobs in the Batch account. | None | False |
00024 effective control plane and data plane operations (unique) •read: 24 |
Actions: 003 resolved operations: 22 effective operations: 22 •read: 22 •Microsoft.Batch/batchAccounts/*/read •Microsoft.Batch/batchAccounts/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.Batch/batchAccounts/*/read | |||
| 6aaa78f1-f7de-44ca-8722-c64a23943cae | Azure Batch Data Contributor | Grants permissions to manage Batch pools and jobs but not to modify accounts. | None | False |
00076 effective control plane and data plane operations (unique) •action: 11 •delete: 8 •read: 49 •write: 8 |
Actions: 011 resolved operations: 70 effective operations: 70 •action: 11 •delete: 6 •read: 47 •write: 6 •Microsoft.Authorization/*/read •Microsoft.Batch/batchAccounts/applications/* •Microsoft.Batch/batchAccounts/certificateOperationResults/* •Microsoft.Batch/batchAccounts/certificates/* •Microsoft.Batch/batchAccounts/poolOperationResults/* •Microsoft.Batch/batchAccounts/pools/* •Microsoft.Batch/batchAccounts/read •Microsoft.Batch/locations/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 002 resolved data operations: 6 effective data operations: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.Batch/batchAccounts/jobs/* •Microsoft.Batch/batchAccounts/jobSchedules/* | |||
| 48e5e92e-a480-4e71-aa9c-2778f4c13781 | Azure Batch Job Submitter | Lets you submit and manage jobs in the Batch account. | None | False |
00017 effective control plane and data plane operations (unique) •Action: 3 •delete: 3 •read: 8 •write: 3 |
Actions: 005 resolved operations: 11 effective operations: 11 •Action: 3 •Delete: 1 •read: 6 •Write: 1 •Microsoft.Batch/batchAccounts/applications/read •Microsoft.Batch/batchAccounts/applications/versions/read •Microsoft.Batch/batchAccounts/pools/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 002 resolved data operations: 6 effective data operations: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.Batch/batchAccounts/jobs/* •Microsoft.Batch/batchAccounts/jobSchedules/* | |||
| a35466a1-cfd6-450a-b35e-683fcdf30363 | Azure Batch Service Orchestration Role | Grants the required permissions to Azure Batch Resource Provider to manage compute and other backing resources in the subscription. | None | False |
00048 effective control plane operations (unique) •action: 15 •delete: 6 •read: 21 •write: 6 |
Actions: 034 resolved operations: 48 effective operations: 48 •action: 15 •delete: 6 •read: 21 •write: 6 •Microsoft.AzureFleet/fleets/delete •Microsoft.AzureFleet/fleets/read •Microsoft.AzureFleet/fleets/write •Microsoft.Compute/diskEncryptionSets/read •Microsoft.Compute/locations/DiskOperations/read •Microsoft.Compute/locations/operations/read •Microsoft.Compute/virtualMachineScaleSets/approveRollingUpgrade/action •Microsoft.Compute/virtualMachineScaleSets/deallocate/action •Microsoft.Compute/virtualMachineScaleSets/delete •Microsoft.Compute/virtualMachineScaleSets/delete/action •Microsoft.Compute/virtualMachineScaleSets/extensions/read •microsoft.Compute/virtualMachineScaleSets/networkInterfaces/read •Microsoft.Compute/VirtualMachineScaleSets/read •Microsoft.Compute/virtualMachineScaleSets/reimage/action •Microsoft.Compute/virtualMachineScaleSets/reimageall/action •Microsoft.Compute/virtualMachineScaleSets/restart/action •Microsoft.Compute/virtualMachineScaleSets/start/action •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read •Microsoft.Compute/virtualMachineScaleSets/virtualmachines/restart/action •Microsoft.Compute/virtualMachineScaleSets/write •Microsoft.Insights/alertRules/* •Microsoft.Insights/dataCollectionRuleAssociations/read •Microsoft.Insights/diagnosticSettings/read •Microsoft.Network/networkWatchers/read •Microsoft.Network/virtualNetworks/delete •Microsoft.Network/virtualNetworks/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/delete •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/resources/read •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Security/assessments/read | ||||
| 9fc6112f-f48e-4e27-8b09-72a5c94e4ae9 | Azure Bot Service Contributor Role | To perform actions on the bots by copilot studio platform and extensibility team | None | False |
00081 effective control plane operations (unique) •action: 17 •delete: 8 •read: 40 •write: 16 |
Actions: 037 resolved operations: 81 effective operations: 81 •action: 17 •delete: 8 •read: 40 •write: 16 •Microsoft.Authorization/*/read •Microsoft.BotService/botServices/channels/delete •Microsoft.BotService/botServices/channels/listchannelwithkeys/action •Microsoft.BotService/botServices/channels/providers/Microsoft.Insights/diagnosticSettings/write •Microsoft.BotService/botServices/channels/read •Microsoft.BotService/botServices/channels/regeneratekeys/action •Microsoft.BotService/botServices/channels/write •Microsoft.BotService/botServices/connections/delete •Microsoft.BotService/botServices/Connections/listWithSecrets/action •Microsoft.BotService/botServices/connections/listwithsecrets/write •Microsoft.BotService/botServices/connections/providers/Microsoft.Insights/diagnosticSettings/write •Microsoft.BotService/botServices/connections/read •Microsoft.BotService/botServices/connections/write •Microsoft.BotService/botServices/createemailsigninurl/action •Microsoft.BotService/botServices/delete •Microsoft.BotService/botServices/joinPerimeter/action •Microsoft.BotService/botServices/networkSecurityPerimeterAssociationProxies/delete •Microsoft.BotService/botServices/networkSecurityPerimeterAssociationProxies/write •Microsoft.BotService/botServices/networkSecurityPerimeterConfigurations/reconcile/action •Microsoft.BotService/botServices/privateEndpointConnectionProxies/delete •Microsoft.BotService/botServices/privateEndpointConnectionProxies/validate/action •Microsoft.BotService/botServices/privateEndpointConnectionProxies/write •Microsoft.BotService/botServices/privateEndpointConnections/delete •Microsoft.BotService/botServices/privateEndpointConnections/write •Microsoft.BotService/botServices/privateEndpointConnectionsApproval/action •Microsoft.BotService/botServices/providers/Microsoft.Insights/diagnosticSettings/write •Microsoft.BotService/botServices/read •Microsoft.BotService/botServices/write •Microsoft.BotService/checknameavailability/providers/Microsoft.Insights/diagnosticSettings/write •Microsoft.BotService/hostsettings/providers/Microsoft.Insights/diagnosticSettings/write •Microsoft.BotService/listAuthServiceProviders/action •Microsoft.BotService/listauthserviceproviders/providers/Microsoft.Insights/diagnosticSettings/write •Microsoft.BotService/listqnamakerendpointkeys/providers/Microsoft.Insights/diagnosticSettings/write •Microsoft.BotService/locations/notifyNetworkSecurityPerimeterUpdatesAvailable/action •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7 | Azure Center for SAP solutions administrator | This role provides read and write access to all capabilities of Azure Center for SAP solutions. | Management and governance | False |
00120 effective control plane and data plane operations (unique) •Action: 19 •delete: 8 •read: 82 •write: 11 |
Actions: 057 resolved operations: 119 effective operations: 119 •Action: 19 •delete: 8 •read: 81 •write: 11 •Microsoft.Advisor/configurations/read •Microsoft.Advisor/recommendations/read •Microsoft.Authorization/*/read •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/disks/read •Microsoft.Compute/sshPublicKeys/*/generateKeyPair/action •Microsoft.Compute/sshPublicKeys/read •Microsoft.Compute/sshPublicKeys/write •Microsoft.Compute/virtualMachines/extensions/delete •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metricDefinitions/read •Microsoft.Insights/metrics/read •Microsoft.Network/loadBalancers/backendAddressPools/read •Microsoft.Network/loadBalancers/frontendIPConfigurations/read •Microsoft.Network/loadBalancers/inboundNatRules/read •Microsoft.Network/loadBalancers/loadBalancingRules/read •Microsoft.Network/loadBalancers/networkInterfaces/read •Microsoft.Network/loadBalancers/outboundRules/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/virtualMachines/read •Microsoft.Network/networkInterfaces/ipconfigurations/read •Microsoft.Network/networkInterfaces/loadBalancers/read •Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/privateEndpoints/read •Microsoft.Network/routeTables/join/action •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/virtualMachines/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/fileServices/read •Microsoft.Storage/storageAccounts/fileServices/shares/read •Microsoft.Storage/storageAccounts/read •Microsoft.Workloads/connectors/*/delete •Microsoft.Workloads/connectors/*/read •Microsoft.Workloads/connectors/*/write •Microsoft.Workloads/Locations/*/action •Microsoft.Workloads/Locations/*/read •Microsoft.Workloads/sapVirtualInstances/*/delete •Microsoft.Workloads/sapvirtualInstances/*/read •Microsoft.Workloads/sapVirtualInstances/*/start/action •Microsoft.Workloads/sapVirtualInstances/*/stop/action •Microsoft.Workloads/sapVirtualInstances/*/write |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | |||
| 6d949e1d-41e2-46e3-8920-c6e4f31a8310 | Azure Center for SAP solutions Management role | This role has permissions which allow users to register existing systems, view and manage systems. | None | False | n/a | |||||
| 05352d14-a920-4328-a0de-4cbe7430e26b | Azure Center for SAP solutions reader | This role provides read access to all capabilities of Azure Center for SAP solutions. | Management and governance | False |
00074 effective control plane operations (unique) •read: 74 |
Actions: 043 resolved operations: 74 effective operations: 74 •read: 74 •Microsoft.Advisor/configurations/read •Microsoft.Advisor/recommendations/read •Microsoft.Authorization/*/read •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/disks/read •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/read •Microsoft.Insights/alertRules/read •Microsoft.Insights/metricDefinitions/read •Microsoft.Insights/metrics/read •Microsoft.Network/loadBalancers/backendAddressPools/read •Microsoft.Network/loadBalancers/frontendIPConfigurations/read •Microsoft.Network/loadBalancers/inboundNatRules/read •Microsoft.Network/loadBalancers/loadBalancingRules/read •Microsoft.Network/loadBalancers/networkInterfaces/read •Microsoft.Network/loadBalancers/outboundRules/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/virtualMachines/read •Microsoft.Network/networkInterfaces/ipconfigurations/read •Microsoft.Network/networkInterfaces/loadBalancers/read •Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/privateEndpoints/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/virtualMachines/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/fileServices/read •Microsoft.Storage/storageAccounts/fileServices/shares/read •Microsoft.Storage/storageAccounts/read •Microsoft.Workloads/Locations/*/read •Microsoft.Workloads/Locations/OperationStatuses/read •Microsoft.Workloads/Operations/read •Microsoft.Workloads/sapvirtualInstances/*/read | ||||
| aabbc5dd-1af0-458b-a942-81af88f9c138 | Azure Center for SAP solutions service role | Azure Center for SAP solutions service role - This role is intended to be used for providing the permissions to user assigned managed identity. Azure Center for SAP solutions will use this identity to deploy and manage SAP systems. | Management and governance | False |
00066 effective control plane operations (unique) •action: 11 •delete: 2 •read: 39 •write: 14 |
Actions: 055 resolved operations: 66 effective operations: 66 •action: 11 •delete: 2 •read: 39 •write: 14 •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/availabilitySets/write •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/skus/read •Microsoft.Compute/sshPublicKeys/read •Microsoft.Compute/virtualMachines/extensions/delete •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/extensions/write •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/backendAddressPools/read •Microsoft.Network/loadBalancers/backendAddressPools/write •Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action •Microsoft.Network/loadBalancers/frontendIPConfigurations/read •Microsoft.Network/loadBalancers/inboundNatRules/read •Microsoft.Network/loadBalancers/loadBalancingRules/read •Microsoft.Network/loadBalancers/networkInterfaces/read •Microsoft.Network/loadBalancers/outboundRules/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions/read •Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/virtualMachines/read •Microsoft.Network/loadBalancers/write •Microsoft.Network/networkInterfaces/ipconfigurations/join/action •Microsoft.Network/networkInterfaces/ipconfigurations/read •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/privateEndpoints/read •Microsoft.Network/privateEndpoints/write •Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/virtualMachines/read •Microsoft.Network/virtualNetworks/virtualMachines/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/fileServices/read •Microsoft.Storage/storageAccounts/fileServices/shares/read •Microsoft.Storage/storageAccounts/fileServices/shares/write •Microsoft.Storage/storageAccounts/fileServices/write •Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write | ||||
| 0105a6b0-4bb9-43d2-982a-12806f9faddb | Azure Center for SAP solutions Service role for management | This role has permissions that the user assigned managed identity must have to enable registration for the existing systems. | None | False | n/a | |||||
| b64e21ea-ac4e-4cdf-9dc9-5b892992bee7 | Azure Connected Machine Onboarding | Can onboard Azure Connected Machines. | Management and governance | False |
00011 effective control plane operations (unique) •action: 1 •Delete: 1 •read: 6 •write: 3 |
Actions: 011 resolved operations: 11 effective operations: 11 •action: 1 •Delete: 1 •read: 6 •write: 3 •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.HybridCompute/gateways/read •Microsoft.HybridCompute/machines/addExtensions/action •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/privateLinkScopes/read •Microsoft.HybridCompute/settings/read •Microsoft.HybridCompute/settings/write •Microsoft.Insights/dataCollectionRuleAssociations/delete •Microsoft.Insights/dataCollectionRuleAssociations/read •Microsoft.Insights/dataCollectionRuleAssociations/write | ||||
| cd570a14-e51a-42ad-bac8-bafd67325302 | Azure Connected Machine Resource Administrator | Can read, write, delete and re-onboard Azure Connected Machines. | Management and governance | False |
00066 effective control plane operations (unique) •action: 15 •delete: 11 •read: 28 •write: 12 |
Actions: 012 resolved operations: 66 effective operations: 66 •action: 15 •delete: 11 •read: 28 •write: 12 •Microsoft.HybridCompute/*/read •Microsoft.HybridCompute/gateways/* •Microsoft.HybridCompute/licenses/* •Microsoft.HybridCompute/locations/* •Microsoft.HybridCompute/machines/* •Microsoft.HybridCompute/machines/extensions/* •Microsoft.HybridCompute/machines/licenseProfiles/* •Microsoft.HybridCompute/machines/runCommands/* •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/privateLinkScopes/* •Microsoft.HybridCompute/settings/* •Microsoft.Resources/deployments/* |
count: 011 •Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent •Configure Azure Arc Private Link Scopes to disable public network access •Configure Azure Arc Private Link Scopes with private endpoints •Configure Azure Arc-enabled servers to use an Azure Arc Private Link Scope •Configure ChangeTracking Extension for Linux Arc machines •Configure ChangeTracking Extension for Windows Arc machines •Configure Linux Arc-enabled machines to run Azure Monitor Agent •Configure Linux Arc-enabled machines to to install AMA for ChangeTracking and Inventory •Configure periodic checking for missing system updates on azure Arc-enabled servers •Configure Windows Arc-enabled machines to install AMA for ChangeTracking and Inventory •Configure Windows Arc-enabled machines to run Azure Monitor Agent | |||
| f5819b54-e033-4d82-ac66-4fec3cbf3f4c | Azure Connected Machine Resource Manager | Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid connectivity endpoints in a resource group | Management and governance | False |
00083 effective control plane operations (unique) •action: 3 •delete: 5 •read: 67 •write: 8 |
Actions: 032 resolved operations: 83 effective operations: 83 •action: 3 •delete: 5 •read: 67 •write: 8 •Microsoft.Attestation/attestationProviders/attestation/delete •Microsoft.Attestation/attestationProviders/attestation/read •Microsoft.Attestation/attestationProviders/attestation/write •Microsoft.Attestation/attestationProviders/delete •Microsoft.Attestation/attestationProviders/read •Microsoft.Attestation/attestationProviders/write •Microsoft.Authorization/*/read •Microsoft.EdgeMarketplace/locations/operationStatuses/read •Microsoft.EdgeMarketPlace/offers/generateAccessToken/action •Microsoft.EdgeMarketPlace/offers/getAccessToken/action •Microsoft.EdgeMarketplace/offers/read •Microsoft.EdgeMarketplace/publishers/read •Microsoft.ExtendedLocation/customLocations/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/write •Microsoft.HybridCompute/*/read •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/write •Microsoft.HybridConnectivity/endpoints/read •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write •Microsoft.HybridConnectivity/endpoints/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| e8113dce-c529-4d33-91fa-e9b972617508 | Azure Connected SQL Server Onboarding | Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS. | Databases | False |
00002 effective control plane operations (unique) •read: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.AzureArcData/sqlServerInstances/read •Microsoft.AzureArcData/sqlServerInstances/write | ||||
| 5d977122-f97e-4b4d-a52f-6b43003ddb4d | Azure Container Instances Contributor Role | Grants read/write access to container groups provided by Azure Container Instances | None | False |
00065 effective control plane operations (unique) •action: 13 •delete: 3 •read: 45 •write: 4 |
Actions: 005 resolved operations: 65 effective operations: 65 •action: 13 •delete: 3 •read: 45 •write: 4 •Microsoft.Authorization/*/read •Microsoft.ContainerInstance/containerGroups/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 96062cf7-95ca-4f89-9b9d-2a2aa47356af | Azure Container Registry secure supply chain operator service role | Grants Microsoft Defender for Cloud access to Azure Container Registry for security assessment of container images | None | False |
00009 effective control plane and data plane operations (unique) •delete: 3 •read: 3 •write: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.ContainerRegistry/registries/artifacts/delete •Microsoft.ContainerRegistry/registries/pull/read •Microsoft.ContainerRegistry/registries/push/write |
DataActions: 006 resolved data operations: 6 effective data operations: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.ContainerRegistry/registries/repositories/content/delete •Microsoft.ContainerRegistry/registries/repositories/content/read •Microsoft.ContainerRegistry/registries/repositories/content/write •Microsoft.ContainerRegistry/registries/repositories/metadata/delete •Microsoft.ContainerRegistry/registries/repositories/metadata/read •Microsoft.ContainerRegistry/registries/repositories/metadata/write | |||
| 95dd08a6-00bd-4661-84bf-f6726f83a4d0 | Azure Container Storage Contributor | Lets you install Azure Container Storage and manage its storage resources | Containers | True |
00059 effective control plane operations (unique) •action: 7 •delete: 3 •read: 45 •write: 4 |
Actions: 012 resolved operations: 59 effective operations: 59 •action: 7 •delete: 3 •read: 45 •write: 4 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.Management/managementGroups/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 08d4c71a-cc63-4ce4-a9c8-5dd251b4d619 | Azure Container Storage Operator | Role required by a Managed Identity for Azure Container Storage operations | Containers | False |
00041 effective control plane operations (unique) •action: 9 •delete: 7 •read: 14 •write: 11 |
Actions: 018 resolved operations: 41 effective operations: 41 •action: 9 •delete: 7 •read: 14 •write: 11 •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.Compute/virtualMachineScaleSets/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write •Microsoft.Compute/virtualMachineScaleSets/write •Microsoft.ElasticSan/elasticSans/* •Microsoft.ElasticSan/locations/asyncoperations/read •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/routeTables/join/action •Microsoft.Network/virtualNetworks/delete •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/virtualNetworks/write •Microsoft.Resources/subscriptions/providers/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 95de85bd-744d-4664-9dde-11430bc34793 | Azure Container Storage Owner | Lets you install Azure Container Storage and grants access to its storage resources | Containers | True |
00084 effective control plane operations (unique) •action: 13 •delete: 9 •read: 52 •write: 10 |
Actions: 017 resolved operations: 84 effective operations: 84 •action: 13 •delete: 9 •read: 52 •write: 10 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.ElasticSan/elasticSans/* •Microsoft.ElasticSan/elasticSans/volumeGroups/* •Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/* •Microsoft.ElasticSan/locations/* •Microsoft.ElasticSan/locations/asyncoperations/read •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.Management/managementGroups/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 0fb8eba5-a2bb-4abe-b1c1-49dfad359bb0 | Azure ContainerApps Session Executor | Create and execute sessions in a sessionPool | None | False |
00047 effective control plane and data plane operations (unique) •action: 7 •delete: 2 •read: 37 •Write: 1 |
Actions: 004 resolved operations: 39 effective operations: 39 •action: 4 •Delete: 1 •read: 33 •Write: 1 •Microsoft.App/sessionPools/*/read •Microsoft.App/sessionPools/sessions/generatesessions/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* |
DataActions: 005 resolved data operations: 8 effective data operations: 8 •action: 3 •delete: 1 •read: 4 •Microsoft.App/sessionPools/*/read •Microsoft.App/sessionPools/executions/* •Microsoft.App/sessionPools/files/* •Microsoft.App/sessionPools/interpreters/execute/action •Microsoft.App/sessionPools/interpreters/read | |||
| 4dae6930-7baf-46f5-909e-0383bc931c46 | Azure Customer Lockbox Approver for Subscription | Can approve Microsoft support requests to access specific resources contained within a subscription, or the subscription itself, when Customer Lockbox for Microsoft Azure is enabled on the tenant where the subscription resides. | Management and governance | False |
00036 effective control plane operations (unique) •action: 1 •read: 35 |
Actions: 006 resolved operations: 36 effective operations: 36 •action: 1 •read: 35 •Microsoft.Authorization/*/read •Microsoft.CustomerLockbox/requests/read •Microsoft.CustomerLockbox/requests/UpdateApproval/action •Microsoft.Insights/eventtypes/values/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| bf7f8882-3383-422a-806a-6526c631a88a | Azure Deployment Stack Contributor | Allows a user to manage deployment stacks, but cannot create or delete deny assignments within the deployment stack. | None | False |
00052 effective control plane operations (unique) •Action: 9 •Delete: 2 •read: 38 •Write: 3 |
Actions: 008 resolved operations: 52 effective operations: 52 •Action: 9 •Delete: 2 •read: 38 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/deploymentStacks/exportTemplate/action •Microsoft.Resources/deploymentStacks/read •Microsoft.Resources/deploymentStacks/validate/action •Microsoft.Resources/deploymentStacks/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| adb29209-aa1d-457b-a786-c913953d2891 | Azure Deployment Stack Owner | Allows a user to manage deployment stacks, including those with deny assignments. | None | False |
00054 effective control plane operations (unique) •Action: 10 •Delete: 3 •read: 38 •Write: 3 |
Actions: 005 resolved operations: 54 effective operations: 54 •Action: 10 •Delete: 3 •read: 38 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/deploymentStacks/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a227fb39-f479-404b-96fd-0176f5d88ab4 | Azure Device Onboarding Discovery Contributor | Can read, write or delete the discovery and it's child resources. | None | False |
00007 effective control plane operations (unique) •delete: 2 •read: 3 •write: 2 |
Actions: 002 resolved operations: 7 effective operations: 7 •delete: 2 •read: 3 •write: 2 •Microsoft.DeviceOnboarding/discoveryServices/* •Microsoft.DeviceOnboarding/locations/operationStatuses/read | ||||
| 2a740172-0fc2-4039-972c-b31864cd47d6 | Azure Device Update Agent | Provide full access to all Azure Device Update agent operations | None | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.DeviceUpdate/updateAccounts/agents/requestUpdate/action | ||||
| bcd981a7-7f74-457b-83e1-cceb9e632ffe | Azure Digital Twins Data Owner | Full access role for Digital Twins data-plane | Internet of Things | False |
00023 effective data plane operations (unique) •action: 3 •delete: 5 •read: 8 •write: 7 |
DataActions: 007 resolved data operations: 23 effective data operations: 23 •action: 3 •delete: 5 •read: 8 •write: 7 •Microsoft.DigitalTwins/digitaltwins/* •Microsoft.DigitalTwins/digitaltwins/commands/* •Microsoft.DigitalTwins/digitaltwins/relationships/* •Microsoft.DigitalTwins/eventroutes/* •Microsoft.DigitalTwins/jobs/* •Microsoft.DigitalTwins/models/* •Microsoft.DigitalTwins/query/* | ||||
| d57506d4-4c8d-48b1-8587-93c323f6a5a3 | Azure Digital Twins Data Reader | Read-only role for Digital Twins data-plane properties | Internet of Things | False |
00008 effective data plane operations (unique) •action: 1 •read: 7 |
DataActions: 008 resolved data operations: 8 effective data operations: 8 •action: 1 •read: 7 •Microsoft.DigitalTwins/digitaltwins/read •Microsoft.DigitalTwins/digitaltwins/relationships/read •Microsoft.DigitalTwins/eventroutes/read •Microsoft.DigitalTwins/jobs/deletions/read •Microsoft.DigitalTwins/jobs/import/read •Microsoft.DigitalTwins/jobs/imports/read •Microsoft.DigitalTwins/models/read •Microsoft.DigitalTwins/query/action | ||||
| 9295f069-25d0-4f44-bb6a-3da70d11aa00 | Azure Edge Hardware Center Administrator | Grants you access to take actions as an edge order administrator | None | False |
00025 effective control plane operations (unique) •action: 9 •delete: 3 •read: 10 •write: 3 |
Actions: 001 resolved operations: 25 effective operations: 25 •action: 9 •delete: 3 •read: 10 •write: 3 •Microsoft.EdgeOrder/* | ||||
| 207bcc4b-86a6-4487-9141-d6c1f4c238aa | Azure Edge On-Site Deployment Engineer | Grants you access to take actions as an on-site person to assist in the provisioning of an edge device | None | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.EdgeOrder/orderItems/read | ||||
| f526a384-b230-433a-b45c-95f59c4a2dec | Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. | Analytics | False |
00089 effective control plane and data plane operations (unique) •action: 25 •delete: 15 •read: 32 •write: 17 |
Actions: 001 resolved operations: 82 effective operations: 82 •action: 21 •delete: 14 •read: 31 •write: 16 •Microsoft.EventHub/* |
DataActions: 001 resolved data operations: 7 effective data operations: 7 •action: 4 •delete: 1 •read: 1 •write: 1 •Microsoft.EventHub/* |
count: 142 •Configure Azure Event Hub namespaces to disable local authentication •Configure Event Hub namespaces with private endpoints •Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Event Hub •Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Event Hub •Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Event Hub •Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub •Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub •Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Event Hub •Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Event Hub •Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Event Hub •Enable logging by category group for Application Insights (microsoft.insights/components) to Event Hub •Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub •Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub •Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub •Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Event Hub •Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Event Hub •Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub •Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Event Hub •Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Event Hub •Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Event Hub •Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Event Hub •Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Event Hub •Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Event Hub •Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub •Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Event Hub •Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub •Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Event Hub •Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Event Hub •Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Event Hub •Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Event Hub •Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Event Hub •Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub •Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Event Hub •Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Event Hub •Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Event Hub •Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Event Hub •Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Event Hub •Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub •Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Event Hub •Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Event Hub •Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Event Hub •Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub •Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub •Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Event Hub •Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Event Hub •Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Event Hub •Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Event Hub •Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Event Hub •Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Event Hub •Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Event Hub •Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Event Hub •Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Event Hub •Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub •Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub •Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Event Hub •Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Event Hub •Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub •Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub •Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Event Hub •Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Event Hub •Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Event Hub •Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Event Hub •Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub •Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub •Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Event Hub •Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Event Hub •Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Event Hub •Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub •Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub •Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Event Hub •Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Event Hub •Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub •Enable logging by category group for Logic apps (microsoft.logic/workflows) to Event Hub •Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Event Hub •Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Event Hub •Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub •Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub •Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Event Hub •Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub •Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Event Hub •Enable logging by category group for microsoft.azuresphere/catalogs to Event Hub •Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Event Hub •Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Event Hub •Enable logging by category group for microsoft.community/communitytrainings to Event Hub •Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Event Hub •Enable logging by category group for microsoft.customproviders/resourceproviders to Event Hub •Enable logging by category group for microsoft.d365customerinsights/instances to Event Hub •Enable logging by category group for microsoft.dbformysql/flexibleservers to Event Hub •Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Event Hub •Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Event Hub •Enable logging by category group for microsoft.dbforpostgresql/servers to Event Hub •Enable logging by category group for microsoft.devices/provisioningservices to Event Hub •Enable logging by category group for microsoft.documentdb/cassandraclusters to Event Hub •Enable logging by category group for microsoft.documentdb/mongoclusters to Event Hub •Enable logging by category group for microsoft.insights/autoscalesettings to Event Hub •Enable logging by category group for microsoft.machinelearningservices/registries to Event Hub •Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Event Hub •Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Event Hub •Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub •Enable logging by category group for microsoft.network/networkmanagers/ipampools to Event Hub •Enable logging by category group for microsoft.network/networksecurityperimeters to Event Hub •Enable logging by category group for microsoft.network/p2svpngateways to Event Hub •Enable logging by category group for microsoft.network/vpngateways to Event Hub •Enable logging by category group for microsoft.networkanalytics/dataproducts to Event Hub •Enable logging by category group for microsoft.networkcloud/baremetalmachines to Event Hub •Enable logging by category group for microsoft.networkcloud/clusters to Event Hub •Enable logging by category group for microsoft.networkcloud/storageappliances to Event Hub •Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Event Hub •Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Event Hub •Enable logging by category group for microsoft.openenergyplatform/energyservices to Event Hub •Enable logging by category group for microsoft.powerbi/tenants/workspaces to Event Hub •Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Event Hub •Enable logging by category group for microsoft.synapse/workspaces/kustopools to Event Hub •Enable logging by category group for microsoft.timeseriesinsights/environments to Event Hub •Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Event Hub •Enable logging by category group for microsoft.workloads/sapvirtualinstances to Event Hub •Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Event Hub •Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Event Hub •Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Event Hub •Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Event Hub •Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Event Hub •Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub •Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Event Hub •Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Event Hub •Enable logging by category group for Relays (microsoft.relay/namespaces) to Event Hub •Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Event Hub •Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Event Hub •Enable logging by category group for Search services (microsoft.search/searchservices) to Event Hub •Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub •Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub •Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub •Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub •Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Event Hub •Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Event Hub •Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Event Hub •Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Event Hub •Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub •Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub •Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Event Hub •Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub •Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub •Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Event Hub | ||
| a638d3c7-ab3a-418d-83e6-5f17a39d4fde | Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. | Analytics | False |
00002 effective control plane and data plane operations (unique) •action: 1 •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.EventHub/*/eventhubs/consumergroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventHub/*/receive/action | |||
| 2b629674-e913-4c01-ae53-ef4638d8f975 | Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. | Analytics | False |
00002 effective control plane and data plane operations (unique) •action: 1 •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.EventHub/*/eventhubs/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventHub/*/send/action | |||
| 7392c568-9289-4bde-aaaa-b7131215889d | Azure Extension for SQL Server Deployment | Microsoft.AzureArcData service role to enable deployment of Azure Extension for SQL Server | None | False |
00002 effective control plane operations (unique) •write: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •write: 2 •Microsoft.HybridCompute/machines/extensions/write •Microsoft.Resources/deployments/write |
count: 002 •[Deprecated]: Configure Arc-enabled machines running SQL Server to have SQL Server extension installed. •Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates. | |||
| 92b92042-07d9-4307-87f7-36a593fc5850 | Azure File Sync Administrator | Provides full access to manage all Azure File Sync (Storage Sync Service) resources. | Storage | False |
00106 effective control plane operations (unique) •Action: 22 •Delete: 9 •read: 64 •write: 11 |
Actions: 015 resolved operations: 106 effective operations: 106 •Action: 22 •Delete: 9 •read: 64 •write: 11 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/write •Microsoft.Insights/AlertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/fileServices/read •Microsoft.Storage/storageAccounts/fileServices/shares/read •Microsoft.Storage/storageAccounts/read •Microsoft.StorageSync/deployments/preflight/action •Microsoft.StorageSync/locations/* •Microsoft.StorageSync/operations/read •Microsoft.StorageSync/register/action •Microsoft.StorageSync/storageSyncServices/* •Microsoft.StorageSync/unregister/action •Microsoft.Support/* | ||||
| 754c1a27-40dc-4708-8ad4-2bffdeee09e8 | Azure File Sync Reader | Provides read access to Azure File Sync service (Storage Sync Service). | Storage | False |
00018 effective control plane operations (unique) •read: 18 |
Actions: 001 resolved operations: 18 effective operations: 18 •read: 18 •Microsoft.StorageSync/*/read | ||||
| 0ab34830-df19-4f8c-b84e-aa85b8afa6e8 | Azure Front Door Domain Contributor | For internal use within Azure. Can manage Azure Front Door domains, but can't grant access to other users. | Networking | False |
00005 effective control plane operations (unique) •delete: 1 •read: 3 •write: 1 |
Actions: 005 resolved operations: 5 effective operations: 5 •delete: 1 •read: 3 •write: 1 •Microsoft.Cdn/operationresults/profileresults/customdomainresults/read •Microsoft.Cdn/profiles/customdomains/delete •Microsoft.Cdn/profiles/customdomains/read •Microsoft.Cdn/profiles/customdomains/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 0f99d363-226e-4dca-9920-b807cf8e1a5f | Azure Front Door Domain Reader | For internal use within Azure. Can view Azure Front Door domains, but can't make changes. | Networking | False |
00003 effective control plane operations (unique) •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.Cdn/operationresults/profileresults/customdomainresults/read •Microsoft.Cdn/profiles/customdomains/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 662802e2-50f6-46b0-aed2-e834bacc6d12 | Azure Front Door Profile Reader | Can view AFD standard and premium profiles and their endpoints, but can't make changes. | Networking | False |
00156 effective control plane operations (unique) •action: 42 •delete: 18 •read: 78 •write: 18 |
Actions: 017 resolved operations: 156 effective operations: 156 •action: 42 •delete: 18 •read: 78 •write: 18 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCustomDomainDNSMappingStatus/action •Microsoft.Cdn/profiles/*/read •Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/action •Microsoft.Cdn/profiles/afdendpoints/Usages/action •Microsoft.Cdn/profiles/origingroups/Usages/action •Microsoft.Cdn/profiles/queryloganalyticsmetrics/action •Microsoft.Cdn/profiles/queryloganalyticsrankings/action •Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action •Microsoft.Cdn/profiles/querywafloganalyticsrankings/action •Microsoft.Cdn/profiles/rulesets/Usages/action •Microsoft.Cdn/profiles/Usages/action •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 3f2eb865-5811-4578-b90a-6fc6fa0df8e5 | Azure Front Door Secret Contributor | For internal use within Azure. Can manage Azure Front Door secrets, but can't grant access to other users. | Networking | False |
00005 effective control plane operations (unique) •delete: 1 •read: 3 •write: 1 |
Actions: 005 resolved operations: 5 effective operations: 5 •delete: 1 •read: 3 •write: 1 •Microsoft.Cdn/operationresults/profileresults/secretresults/read •Microsoft.Cdn/profiles/secrets/delete •Microsoft.Cdn/profiles/secrets/read •Microsoft.Cdn/profiles/secrets/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 0db238c4-885e-4c4f-a933-aa2cef684fca | Azure Front Door Secret Reader | For internal use within Azure. Can view Azure Front Door secrets, but can't make changes. | Networking | False |
00003 effective control plane operations (unique) •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.Cdn/operationresults/profileresults/secretresults/read •Microsoft.Cdn/profiles/secrets/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 5d9c6a55-fc0e-4e21-ae6f-f7b095497342 | Azure Hybrid Database Administrator - Read Only Service Role | Read only access to Azure hybrid database services resources. | None | False |
00016 effective control plane operations (unique) •action: 2 •read: 14 |
Actions: 006 resolved operations: 16 effective operations: 16 •action: 2 •read: 14 •Microsoft.AzureArcData/*/read •Microsoft.AzureArcData/sqlServerInstances/availabilityGroups/getDetailView/action •Microsoft.AzureArcData/sqlServerInstances/getTelemetry/action •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| dfb2f09d-25f8-4558-8986-497084006d7a | Azure impact-insight reader | built-in role for azure impact-insight read access | None | False |
00001 effective control plane operations (unique) •Read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •Read: 1 •Microsoft.Impact/WorkloadImpacts/*/read | ||||
| 5bc02df6-6cd5-43fe-ad3d-4c93cf56cc16 | Azure IoT Operations Administrator | View, create, edit and delete AIO resources. Manage all resources, including instance and its downstream resources. | None | False |
00108 effective control plane operations (unique) •Action: 9 •delete: 20 •read: 58 •write: 21 |
Actions: 013 resolved operations: 108 effective operations: 108 •Action: 9 •delete: 20 •read: 58 •write: 21 •Microsoft.Authorization/*/read •Microsoft.DeviceRegistry/AssetEndpointProfiles/* •Microsoft.DeviceRegistry/Assets/* •Microsoft.DeviceRegistry/Namespaces/Assets/* •Microsoft.DeviceRegistry/Namespaces/Devices/* •Microsoft.DeviceRegistry/Namespaces/DiscoveredAssets/* •Microsoft.DeviceRegistry/Namespaces/DiscoveredDevices/* •Microsoft.DeviceRegistry/SchemaRegistries/* •Microsoft.Edge/sites/read •Microsoft.Insights/alertRules/* •Microsoft.IoTOperations/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 7b7c71ed-33fa-4ed2-a91a-e56d5da260b5 | Azure IoT Operations Onboarding | User can Azure arc connect and deploy Azure IoT Operations securely. | None | False |
00104 effective control plane operations (unique) •action: 10 •Delete: 11 •read: 50 •write: 33 |
Actions: 010 resolved operations: 104 effective operations: 104 •action: 10 •Delete: 11 •read: 50 •write: 33 •Microsoft.Authorization/*/read •Microsoft.Authorization/*/write •Microsoft.DeviceRegistry/register/action •Microsoft.DeviceRegistry/schemaRegistries/read •Microsoft.DeviceRegistry/schemaRegistries/write •Microsoft.Edge/sites/read •Microsoft.Insights/alertRules/* •Microsoft.IoTOperations/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 63bb64ad-9799-4770-b5c3-24ed299a07bf | Azure Kubernetes Fleet Manager Contributor Role | Grants read/write access to Azure resources provided by Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc. | Containers | False |
00031 effective control plane operations (unique) •action: 8 •delete: 7 •read: 9 •write: 7 |
Actions: 002 resolved operations: 31 effective operations: 31 •action: 8 •delete: 7 •read: 9 •write: 7 •Microsoft.ContainerService/fleets/* •Microsoft.Resources/deployments/* |
count: 001 •Configure AKS clusters to automatically join the specified Azure Kubernetes Fleet Manager | |||
| de2b316d-7a2c-4143-b4cd-c148f6a355a1 | Azure Kubernetes Fleet Manager Hub Agent Role | Grants access to Azure resources needed by Azure Kubernetes Fleet Manager hub agents. | Containers | False |
00007 effective control plane operations (unique) •delete: 2 •read: 3 •write: 2 |
Actions: 007 resolved operations: 7 effective operations: 7 •delete: 2 •read: 3 •write: 2 •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/trafficManagerProfiles/azureEndpoints/delete •Microsoft.Network/trafficManagerProfiles/azureEndpoints/read •Microsoft.Network/trafficManagerProfiles/azureEndpoints/write •Microsoft.Network/trafficManagerProfiles/delete •Microsoft.Network/trafficManagerProfiles/read •Microsoft.Network/trafficManagerProfiles/write | ||||
| 434fb43a-c01c-447e-9f67-c3ad923cfaba | Azure Kubernetes Fleet Manager RBAC Admin | Grants read/write access to Kubernetes resources within a namespace in the fleet-managed hub cluster - provides write permissions on most objects within a a namespace, with the exception of ResourceQuota object and the namespace object itself. Applying this role at cluster scope will give access across all namespaces. |
Containers | False |
00118 effective control plane and data plane operations (unique) •action: 4 •delete: 23 •read: 67 •write: 24 |
Actions: 006 resolved operations: 36 effective operations: 36 •action: 1 •read: 35 •Microsoft.Authorization/*/read •Microsoft.ContainerService/fleets/listCredentials/action •Microsoft.ContainerService/fleets/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 034 resolved data operations: 82 effective data operations: 82 •action: 3 •delete: 23 •read: 32 •write: 24 •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/* •Microsoft.ContainerService/fleets/apps/deployments/* •Microsoft.ContainerService/fleets/apps/statefulsets/* •Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessreviews/write •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/* •Microsoft.ContainerService/fleets/batch/cronjobs/* •Microsoft.ContainerService/fleets/batch/jobs/* •Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read •Microsoft.ContainerService/fleets/configmaps/* •Microsoft.ContainerService/fleets/endpoints/* •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/* •Microsoft.ContainerService/fleets/extensions/deployments/* •Microsoft.ContainerService/fleets/extensions/ingresses/* •Microsoft.ContainerService/fleets/extensions/networkpolicies/* •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/* •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/* •Microsoft.ContainerService/fleets/persistentvolumeclaims/* •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/* •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/* •Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/* •Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/* •Microsoft.ContainerService/fleets/replicationcontrollers/* •Microsoft.ContainerService/fleets/replicationcontrollers/* •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/secrets/* •Microsoft.ContainerService/fleets/serviceaccounts/* •Microsoft.ContainerService/fleets/services/* | |||
| 18ab4d3d-a1bf-4477-8ad9-8359bc988f69 | Azure Kubernetes Fleet Manager RBAC Cluster Admin | Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster. | Containers | False |
00391 effective control plane and data plane operations (unique) •action: 10 •delete: 72 •read: 231 •write: 78 |
Actions: 006 resolved operations: 36 effective operations: 36 •action: 1 •read: 35 •Microsoft.Authorization/*/read •Microsoft.ContainerService/fleets/listCredentials/action •Microsoft.ContainerService/fleets/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 355 effective data operations: 355 •action: 9 •delete: 72 •read: 196 •write: 78 •Microsoft.ContainerService/fleets/* | |||
| bd80684d-2f5f-4130-892a-0955546282de | Azure Kubernetes Fleet Manager RBAC Cluster Reader | Grants read-only access to most Kubernetes cluster-scoped resources in the fleet-managed hub cluster. | None | False |
00037 effective control plane and data plane operations (unique) •action: 1 •read: 36 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.ContainerService/fleets/listCredentials/action •Microsoft.ContainerService/fleets/read |
DataActions: 035 resolved data operations: 35 effective data operations: 35 •read: 35 •Microsoft.ContainerService/fleets/apiextensions.k8s.io/customresourcedefinitions/read •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/read •Microsoft.ContainerService/fleets/apps/deployments/read •Microsoft.ContainerService/fleets/apps/statefulsets/read •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read •Microsoft.ContainerService/fleets/batch/cronjobs/read •Microsoft.ContainerService/fleets/batch/jobs/read •Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/memberclusters/read •Microsoft.ContainerService/fleets/configmaps/read •Microsoft.ContainerService/fleets/endpoints/read •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/read •Microsoft.ContainerService/fleets/extensions/deployments/read •Microsoft.ContainerService/fleets/extensions/ingresses/read •Microsoft.ContainerService/fleets/extensions/networkpolicies/read •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read •Microsoft.ContainerService/fleets/nodes/read •Microsoft.ContainerService/fleets/persistentvolumeclaims/read •Microsoft.ContainerService/fleets/persistentvolumes/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourcebindings/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceoverrides/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceoverridesnapshots/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceplacements/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourcesnapshots/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterschedulingpolicysnapshots/read •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read •Microsoft.ContainerService/fleets/replicationcontrollers/read •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/serviceaccounts/read •Microsoft.ContainerService/fleets/services/read | |||
| 1dc4cd5a-de51-4ee4-bc8e-b40e9c17e320 | Azure Kubernetes Fleet Manager RBAC Cluster Writer | Grants read/write access to most Kubernetes cluster-scoped resources in the fleet-managed hub cluster. | None | False |
00063 effective control plane and data plane operations (unique) •action: 1 •read: 37 •write: 25 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.ContainerService/fleets/listCredentials/action •Microsoft.ContainerService/fleets/read |
DataActions: 061 resolved data operations: 61 effective data operations: 61 •read: 36 •write: 25 •Microsoft.ContainerService/fleets/apiextensions.k8s.io/customresourcedefinitions/read •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/read •Microsoft.ContainerService/fleets/apps/daemonsets/write •Microsoft.ContainerService/fleets/apps/deployments/read •Microsoft.ContainerService/fleets/apps/deployments/write •Microsoft.ContainerService/fleets/apps/statefulsets/read •Microsoft.ContainerService/fleets/apps/statefulsets/write •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write •Microsoft.ContainerService/fleets/batch/cronjobs/read •Microsoft.ContainerService/fleets/batch/cronjobs/write •Microsoft.ContainerService/fleets/batch/jobs/read •Microsoft.ContainerService/fleets/batch/jobs/write •Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/memberclusters/read •Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/memberclusters/write •Microsoft.ContainerService/fleets/configmaps/read •Microsoft.ContainerService/fleets/configmaps/write •Microsoft.ContainerService/fleets/endpoints/read •Microsoft.ContainerService/fleets/endpoints/write •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/read •Microsoft.ContainerService/fleets/extensions/daemonsets/write •Microsoft.ContainerService/fleets/extensions/deployments/read •Microsoft.ContainerService/fleets/extensions/deployments/write •Microsoft.ContainerService/fleets/extensions/ingresses/read •Microsoft.ContainerService/fleets/extensions/ingresses/write •Microsoft.ContainerService/fleets/extensions/networkpolicies/read •Microsoft.ContainerService/fleets/extensions/networkpolicies/write •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write •Microsoft.ContainerService/fleets/nodes/read •Microsoft.ContainerService/fleets/nodes/write •Microsoft.ContainerService/fleets/persistentvolumeclaims/read •Microsoft.ContainerService/fleets/persistentvolumeclaims/write •Microsoft.ContainerService/fleets/persistentvolumes/read •Microsoft.ContainerService/fleets/persistentvolumes/write •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourcebindings/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceoverrides/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceoverrides/write •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceoverridesnapshots/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceplacements/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourceplacements/write •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterresourcesnapshots/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/clusterschedulingpolicysnapshots/read •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write •Microsoft.ContainerService/fleets/replicationcontrollers/read •Microsoft.ContainerService/fleets/replicationcontrollers/write •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/secrets/read •Microsoft.ContainerService/fleets/secrets/write •Microsoft.ContainerService/fleets/serviceaccounts/read •Microsoft.ContainerService/fleets/serviceaccounts/write •Microsoft.ContainerService/fleets/services/read •Microsoft.ContainerService/fleets/services/write | |||
| 30b27cfc-9c84-438e-b0ce-70e35255df80 | Azure Kubernetes Fleet Manager RBAC Reader | Grants read-only access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. |
Containers | False |
00065 effective control plane and data plane operations (unique) •action: 1 •read: 64 |
Actions: 006 resolved operations: 36 effective operations: 36 •action: 1 •read: 35 •Microsoft.Authorization/*/read •Microsoft.ContainerService/fleets/listCredentials/action •Microsoft.ContainerService/fleets/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 030 resolved data operations: 29 effective data operations: 29 •read: 29 •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/read •Microsoft.ContainerService/fleets/apps/deployments/read •Microsoft.ContainerService/fleets/apps/statefulsets/read •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read •Microsoft.ContainerService/fleets/batch/cronjobs/read •Microsoft.ContainerService/fleets/batch/jobs/read •Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read •Microsoft.ContainerService/fleets/configmaps/read •Microsoft.ContainerService/fleets/endpoints/read •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/read •Microsoft.ContainerService/fleets/extensions/deployments/read •Microsoft.ContainerService/fleets/extensions/ingresses/read •Microsoft.ContainerService/fleets/extensions/networkpolicies/read •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read •Microsoft.ContainerService/fleets/persistentvolumeclaims/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read •Microsoft.ContainerService/fleets/replicationcontrollers/read •Microsoft.ContainerService/fleets/replicationcontrollers/read •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/serviceaccounts/read •Microsoft.ContainerService/fleets/services/read | |||
| 5af6afb3-c06c-4fa4-8848-71a8aee05683 | Azure Kubernetes Fleet Manager RBAC Writer | Grants read/write access to most Kubernetes resources within a namespace in the fleet-managed hub cluster. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. |
Containers | False |
00087 effective control plane and data plane operations (unique) •action: 1 •read: 65 •write: 21 |
Actions: 006 resolved operations: 36 effective operations: 36 •action: 1 •read: 35 •Microsoft.Authorization/*/read •Microsoft.ContainerService/fleets/listCredentials/action •Microsoft.ContainerService/fleets/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 051 resolved data operations: 51 effective data operations: 51 •read: 30 •write: 21 •Microsoft.ContainerService/fleets/apps/controllerrevisions/read •Microsoft.ContainerService/fleets/apps/daemonsets/read •Microsoft.ContainerService/fleets/apps/daemonsets/write •Microsoft.ContainerService/fleets/apps/deployments/read •Microsoft.ContainerService/fleets/apps/deployments/write •Microsoft.ContainerService/fleets/apps/statefulsets/read •Microsoft.ContainerService/fleets/apps/statefulsets/write •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read •Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/write •Microsoft.ContainerService/fleets/batch/cronjobs/read •Microsoft.ContainerService/fleets/batch/cronjobs/write •Microsoft.ContainerService/fleets/batch/jobs/read •Microsoft.ContainerService/fleets/batch/jobs/write •Microsoft.ContainerService/fleets/cluster.kubernetes-fleet.io/internalmemberclusters/read •Microsoft.ContainerService/fleets/configmaps/read •Microsoft.ContainerService/fleets/configmaps/write •Microsoft.ContainerService/fleets/endpoints/read •Microsoft.ContainerService/fleets/endpoints/write •Microsoft.ContainerService/fleets/events.k8s.io/events/read •Microsoft.ContainerService/fleets/events/read •Microsoft.ContainerService/fleets/extensions/daemonsets/read •Microsoft.ContainerService/fleets/extensions/daemonsets/write •Microsoft.ContainerService/fleets/extensions/deployments/read •Microsoft.ContainerService/fleets/extensions/deployments/write •Microsoft.ContainerService/fleets/extensions/ingresses/read •Microsoft.ContainerService/fleets/extensions/ingresses/write •Microsoft.ContainerService/fleets/extensions/networkpolicies/read •Microsoft.ContainerService/fleets/extensions/networkpolicies/write •Microsoft.ContainerService/fleets/limitranges/read •Microsoft.ContainerService/fleets/namespaces/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read •Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/write •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read •Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/write •Microsoft.ContainerService/fleets/persistentvolumeclaims/read •Microsoft.ContainerService/fleets/persistentvolumeclaims/write •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverrides/write •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/resourceoverridesnapshots/read •Microsoft.ContainerService/fleets/placement.kubernetes-fleet.io/works/read •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read •Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/write •Microsoft.ContainerService/fleets/replicationcontrollers/read •Microsoft.ContainerService/fleets/replicationcontrollers/write •Microsoft.ContainerService/fleets/resourcequotas/read •Microsoft.ContainerService/fleets/secrets/read •Microsoft.ContainerService/fleets/secrets/write •Microsoft.ContainerService/fleets/serviceaccounts/read •Microsoft.ContainerService/fleets/serviceaccounts/write •Microsoft.ContainerService/fleets/services/read •Microsoft.ContainerService/fleets/services/write | |||
| 1b7f3653-4324-473a-9165-bc55e4d04ba8 | Azure Kubernetes Service Agent Pool Manager Role | Role for agentpool related actions | None | False |
00005 effective control plane operations (unique) •action: 2 •delete: 1 •read: 1 •write: 1 |
Actions: 005 resolved operations: 5 effective operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.ContainerService/managedClusters/agentPools/abort/action •Microsoft.ContainerService/managedClusters/agentPools/delete •Microsoft.ContainerService/managedClusters/agentPools/read •Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/action •Microsoft.ContainerService/managedClusters/agentPools/write | ||||
| b29efa5f-7782-4dc3-9537-4d5bc70a5e9f | Azure Kubernetes Service Arc Cluster Admin Role | List cluster admin credential action. | Containers | False |
00003 effective control plane operations (unique) •action: 1 •read: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 2 •Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.Kubernetes/connectedClusters/Read | ||||
| 233ca253-b031-42ff-9fba-87ef12d6b55f | Azure Kubernetes Service Arc Cluster User Role | List cluster user credential action. | Containers | False |
00003 effective control plane operations (unique) •action: 1 •read: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 2 •Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.Kubernetes/connectedClusters/Read | ||||
| 5d3f1697-4507-4d08-bb4a-477695db5f82 | Azure Kubernetes Service Arc Contributor Role | Grants access to read and write Azure Kubernetes Services hybrid clusters | Containers | False |
00025 effective control plane operations (unique) •action: 2 •delete: 6 •Read: 11 •write: 6 |
Actions: 025 resolved operations: 25 effective operations: 25 •action: 2 •delete: 6 •Read: 11 •write: 6 •Microsoft.AzureStackHCI/clusters/read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/read •Microsoft.HybridContainerService/kubernetesVersions/delete •Microsoft.HybridContainerService/kubernetesVersions/read •Microsoft.HybridContainerService/kubernetesVersions/write •Microsoft.HybridContainerService/Locations/operationStatuses/read •Microsoft.HybridContainerService/Operations/read •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write •Microsoft.HybridContainerService/provisionedClusterInstances/delete •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read •Microsoft.HybridContainerService/provisionedClusterInstances/write •Microsoft.HybridContainerService/skus/delete •Microsoft.HybridContainerService/skus/read •Microsoft.HybridContainerService/skus/write •Microsoft.HybridContainerService/virtualNetworks/delete •Microsoft.HybridContainerService/virtualNetworks/read •Microsoft.HybridContainerService/virtualNetworks/write •Microsoft.Kubernetes/connectedClusters/Delete •Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action •Microsoft.Kubernetes/connectedClusters/Read •Microsoft.Kubernetes/connectedClusters/Write | ||||
| 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 | Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. | Containers | False |
00004 effective control plane operations (unique) •action: 3 •read: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 3 •read: 1 •Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action •Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action •Microsoft.ContainerService/managedClusters/read •Microsoft.ContainerService/managedClusters/runcommand/action | ||||
| 1afdec4b-e479-420e-99e7-f82237c7c5e6 | Azure Kubernetes Service Cluster Monitoring User | List cluster monitoring user credential action. | Containers | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredential/action •Microsoft.ContainerService/managedClusters/read | ||||
| 4abbcc35-e782-43d8-92c5-2d3f1bd2253f | Azure Kubernetes Service Cluster User Role | List cluster user credential action. | Containers | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.ContainerService/managedClusters/listClusterUserCredential/action •Microsoft.ContainerService/managedClusters/read | ||||
| ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8 | Azure Kubernetes Service Contributor Role | Grants access to read and write Azure Kubernetes Service clusters | Containers | False |
00128 effective control plane operations (unique) •action: 25 •delete: 14 •read: 72 •write: 17 |
Actions: 008 resolved operations: 128 effective operations: 128 •action: 25 •delete: 14 •read: 72 •write: 17 •Microsoft.Authorization/*/read •Microsoft.ContainerService/locations/* •Microsoft.ContainerService/managedClusters/* •Microsoft.ContainerService/managedclustersnapshots/* •Microsoft.ContainerService/snapshots/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
count: 008 •[Preview]: Deploy Image Integrity on Azure Kubernetes Service •Azure Kubernetes Service clusters should be a member of an Azure Kubernetes Fleet Manager. •Configure AKS clusters to automatically join the specified Azure Kubernetes Fleet Manager •Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access •Configure Node OS Auto upgrade on Azure Kubernetes Cluster •Deploy Azure Policy Add-on to Azure Kubernetes Service clusters •Deploy Image Cleaner on Azure Kubernetes Service •Disable Command Invoke on Azure Kubernetes Service clusters | |||
| b5092dac-c796-4349-8681-1a322a31c3f9 | Azure Kubernetes Service Hybrid Cluster Admin Role | List cluster admin credential action. | None | False |
00003 effective control plane operations (unique) •action: 1 •read: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 2 •Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubeconfig/action •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.Kubernetes/connectedClusters/Read | ||||
| fc3f91a1-40bf-4439-8c46-45edbd83563a | Azure Kubernetes Service Hybrid Cluster User Role | List cluster user credential action. | None | False |
00003 effective control plane operations (unique) •action: 1 •read: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 2 •Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeconfig/action •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.Kubernetes/connectedClusters/Read | ||||
| e7037d40-443a-4434-a3fb-8cd202011e1d | Azure Kubernetes Service Hybrid Contributor Role | Grants access to read and write Azure Kubernetes Services hybrid clusters | None | False |
00024 effective control plane operations (unique) •action: 2 •delete: 6 •read: 10 •write: 6 |
Actions: 024 resolved operations: 24 effective operations: 24 •action: 2 •delete: 6 •read: 10 •write: 6 •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/read •Microsoft.HybridContainerService/kubernetesVersions/delete •Microsoft.HybridContainerService/kubernetesVersions/read •Microsoft.HybridContainerService/kubernetesVersions/write •Microsoft.HybridContainerService/Locations/operationStatuses/read •Microsoft.HybridContainerService/Operations/read •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/delete •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/read •Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/write •Microsoft.HybridContainerService/provisionedClusterInstances/delete •Microsoft.HybridContainerService/provisionedClusterInstances/read •Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfiles/read •Microsoft.HybridContainerService/provisionedClusterInstances/write •Microsoft.HybridContainerService/skus/delete •Microsoft.HybridContainerService/skus/read •Microsoft.HybridContainerService/skus/write •Microsoft.HybridContainerService/virtualNetworks/delete •Microsoft.HybridContainerService/virtualNetworks/read •Microsoft.HybridContainerService/virtualNetworks/write •Microsoft.Kubernetes/connectedClusters/Delete •Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action •Microsoft.Kubernetes/connectedClusters/Read •Microsoft.Kubernetes/connectedClusters/Write | ||||
| 8e253927-1f29-4d89-baa2-c3a549eff423 | Azure Kubernetes Service Machine Manager Role | Role for machine related actions | None | False |
00003 effective control plane operations (unique) •action: 1 •read: 1 •write: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 1 •write: 1 •Microsoft.ContainerService/managedClusters/agentPools/deleteMachines/action •Microsoft.ContainerService/managedClusters/agentPools/machines/read •Microsoft.ContainerService/managedClusters/agentPools/machines/write | ||||
| 289d8817-ee69-43f1-a0af-43a45505b488 | Azure Kubernetes Service Namespace Contributor | Allows users to create and manage Azure Kubernetes Service namespace resources. | None | False |
00052 effective control plane operations (unique) •action: 8 •delete: 3 •read: 38 •write: 3 |
Actions: 005 resolved operations: 52 effective operations: 52 •action: 8 •delete: 3 •read: 38 •write: 3 •Microsoft.Authorization/*/read •Microsoft.ContainerService/managedClusters/managedNamespaces/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| c9f76ca8-b262-4b10-8ed2-09cf0948aa35 | Azure Kubernetes Service Namespace User | Allows users to read Azure Kubernetes Service namespace resources. In-cluster namespace access further requires assignment of Azure Kubernetes Service RBAC roles to the namespace resource for an Entra ID enabled cluster. | None | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.ContainerService/managedClusters/managedNamespaces/listCredential/action •Microsoft.ContainerService/managedClusters/managedNamespaces/read | ||||
| 18ed5180-3e48-46fd-8541-4ea054d57064 | Azure Kubernetes Service Policy Add-on Deployment | Deploy the Azure Policy add-on on Azure Kubernetes Service clusters | None | False |
00014 effective control plane operations (unique) •action: 7 •delete: 1 •read: 4 •write: 2 |
Actions: 006 resolved operations: 14 effective operations: 14 •action: 7 •delete: 1 •read: 4 •write: 2 •Microsoft.Compute/diskEncryptionSets/read •Microsoft.Compute/proximityPlacementGroups/write •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPPrefixes/join/action •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Resources/deployments/* |
count: 006 •[Preview]: Deploy Image Integrity on Azure Kubernetes Service •Configure Microsoft Entra ID integrated Azure Kubernetes Service Clusters with required Admin Group Access •Configure Node OS Auto upgrade on Azure Kubernetes Cluster •Deploy Azure Policy Add-on to Azure Kubernetes Service clusters •Deploy Image Cleaner on Azure Kubernetes Service •Disable Command Invoke on Azure Kubernetes Service clusters | |||
| 3498e952-d568-435e-9b2c-8d77e338d7f7 | Azure Kubernetes Service RBAC Admin | Lets you manage all resources under cluster/namespace, except update or delete resource quotas and namespaces. | Containers | False |
00414 effective control plane and data plane operations (unique) •action: 11 •delete: 79 •read: 239 •write: 85 |
Actions: 005 resolved operations: 35 effective operations: 35 •action: 1 •read: 34 •Microsoft.Authorization/*/read •Microsoft.ContainerService/managedClusters/listClusterUserCredential/action •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 383 effective data operations: 379 •action: 10 •delete: 79 •read: 205 •write: 85 •Microsoft.ContainerService/managedClusters/* |
NotDataActions: 004 resolved not data operations: 4 effective not data operations: 3192 •Microsoft.ContainerService/managedClusters/namespaces/delete •Microsoft.ContainerService/managedClusters/namespaces/write •Microsoft.ContainerService/managedClusters/resourcequotas/delete •Microsoft.ContainerService/managedClusters/resourcequotas/write | ||
| b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b | Azure Kubernetes Service RBAC Cluster Admin | Lets you manage all resources in the cluster. | Containers | False |
00418 effective control plane and data plane operations (unique) •action: 11 •delete: 81 •read: 239 •write: 87 |
Actions: 005 resolved operations: 35 effective operations: 35 •action: 1 •read: 34 •Microsoft.Authorization/*/read •Microsoft.ContainerService/managedClusters/listClusterUserCredential/action •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 383 effective data operations: 383 •action: 10 •delete: 81 •read: 205 •write: 87 •Microsoft.ContainerService/managedClusters/* | |||
| 7f6c6a51-bcf8-42ba-9220-52d62157d7db | Azure Kubernetes Service RBAC Reader | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. |
Containers | False |
00065 effective control plane and data plane operations (unique) •read: 65 |
Actions: 004 resolved operations: 34 effective operations: 34 •read: 34 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 031 resolved data operations: 31 effective data operations: 31 •read: 31 •Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read •Microsoft.ContainerService/managedClusters/apps/daemonsets/read •Microsoft.ContainerService/managedClusters/apps/deployments/read •Microsoft.ContainerService/managedClusters/apps/replicasets/read •Microsoft.ContainerService/managedClusters/apps/statefulsets/read •Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read •Microsoft.ContainerService/managedClusters/batch/cronjobs/read •Microsoft.ContainerService/managedClusters/batch/jobs/read •Microsoft.ContainerService/managedClusters/configmaps/read •Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read •Microsoft.ContainerService/managedClusters/endpoints/read •Microsoft.ContainerService/managedClusters/events.k8s.io/events/read •Microsoft.ContainerService/managedClusters/events/read •Microsoft.ContainerService/managedClusters/extensions/daemonsets/read •Microsoft.ContainerService/managedClusters/extensions/deployments/read •Microsoft.ContainerService/managedClusters/extensions/ingresses/read •Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read •Microsoft.ContainerService/managedClusters/extensions/replicasets/read •Microsoft.ContainerService/managedClusters/limitranges/read •Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read •Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read •Microsoft.ContainerService/managedClusters/namespaces/read •Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read •Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read •Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read •Microsoft.ContainerService/managedClusters/pods/read •Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read •Microsoft.ContainerService/managedClusters/replicationcontrollers/read •Microsoft.ContainerService/managedClusters/resourcequotas/read •Microsoft.ContainerService/managedClusters/serviceaccounts/read •Microsoft.ContainerService/managedClusters/services/read | |||
| a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb | Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace.This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. |
Containers | False |
00119 effective control plane and data plane operations (unique) •action: 2 •delete: 25 •read: 67 •write: 25 |
Actions: 004 resolved operations: 34 effective operations: 34 •read: 34 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 035 resolved data operations: 85 effective data operations: 85 •action: 2 •delete: 25 •read: 33 •write: 25 •Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read •Microsoft.ContainerService/managedClusters/apps/daemonsets/* •Microsoft.ContainerService/managedClusters/apps/deployments/* •Microsoft.ContainerService/managedClusters/apps/replicasets/* •Microsoft.ContainerService/managedClusters/apps/statefulsets/* •Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/* •Microsoft.ContainerService/managedClusters/batch/cronjobs/* •Microsoft.ContainerService/managedClusters/batch/jobs/* •Microsoft.ContainerService/managedClusters/configmaps/* •Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delete •Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read •Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write •Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read •Microsoft.ContainerService/managedClusters/endpoints/* •Microsoft.ContainerService/managedClusters/events.k8s.io/events/read •Microsoft.ContainerService/managedClusters/events/* •Microsoft.ContainerService/managedClusters/extensions/daemonsets/* •Microsoft.ContainerService/managedClusters/extensions/deployments/* •Microsoft.ContainerService/managedClusters/extensions/ingresses/* •Microsoft.ContainerService/managedClusters/extensions/networkpolicies/* •Microsoft.ContainerService/managedClusters/extensions/replicasets/* •Microsoft.ContainerService/managedClusters/limitranges/read •Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read •Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read •Microsoft.ContainerService/managedClusters/namespaces/read •Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/* •Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/* •Microsoft.ContainerService/managedClusters/persistentvolumeclaims/* •Microsoft.ContainerService/managedClusters/pods/* •Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/* •Microsoft.ContainerService/managedClusters/replicationcontrollers/* •Microsoft.ContainerService/managedClusters/resourcequotas/read •Microsoft.ContainerService/managedClusters/secrets/* •Microsoft.ContainerService/managedClusters/serviceaccounts/* •Microsoft.ContainerService/managedClusters/services/* | |||
| ea01e6af-a1c1-4350-9563-ad00f8c72ec5 | Azure Machine Learning Workspace Connection Secrets Reader | Can list workspace connection secrets | None | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.MachineLearningServices/workspaces/connections/listsecrets/action •Microsoft.MachineLearningServices/workspaces/metadata/secrets/read | ||||
| 5c2d7e57-b7c2-4d8a-be4f-82afa42c6e95 | Azure Managed Grafana Workspace Contributor | Can manage Azure Managed Grafana resources, without providing access to the workspaces themselves. | Monitor | False |
00062 effective control plane operations (unique) •action: 10 •delete: 7 •read: 37 •write: 8 |
Actions: 032 resolved operations: 62 effective operations: 62 •action: 10 •delete: 7 •read: 37 •write: 8 •Microsoft.Authorization/*/read •Microsoft.Dashboard/grafana/delete •Microsoft.Dashboard/grafana/integrationFabrics/delete •Microsoft.Dashboard/grafana/integrationFabrics/write •Microsoft.Dashboard/grafana/managedPrivateEndpoints/action •Microsoft.Dashboard/grafana/managedPrivateEndpoints/delete •Microsoft.Dashboard/grafana/managedPrivateEndpoints/write •Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/delete •Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/validate/action •Microsoft.Dashboard/grafana/privateEndpointConnectionProxies/write •Microsoft.Dashboard/grafana/privateEndpointConnections/delete •Microsoft.Dashboard/grafana/privateEndpointConnections/write •Microsoft.Dashboard/grafana/PrivateEndpointConnectionsApproval/action •Microsoft.Dashboard/grafana/write •Microsoft.Dashboard/locations/operationStatuses/write •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| dba33070-676a-4fb0-87fa-064dc56ff7fb | Azure Maps Contributor | Grants access all Azure Maps resource management. | None | False |
00066 effective control plane operations (unique) •action: 10 •delete: 5 •read: 45 •write: 6 |
Actions: 004 resolved operations: 66 effective operations: 66 •action: 10 •delete: 5 •read: 45 •write: 6 •Microsoft.Authorization/*/read •Microsoft.Maps/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204 | Azure Maps Data Contributor | Grants access to read, write, and delete access to map related data from an Azure maps account. | Web and Mobile | False |
00019 effective data plane operations (unique) •action: 1 •delete: 2 •read: 12 •write: 4 |
DataActions: 004 resolved data operations: 19 effective data operations: 19 •action: 1 •delete: 2 •read: 12 •write: 4 •Microsoft.Maps/accounts/*/action •Microsoft.Maps/accounts/*/delete •Microsoft.Maps/accounts/*/read •Microsoft.Maps/accounts/*/write | ||||
| d6470a16-71bd-43ab-86b3-6f3a73f4e787 | Azure Maps Data Read and Batch Role | This role can be used to assign read and batch actions on Azure Maps. | None | False |
00013 effective data plane operations (unique) •action: 1 •read: 12 |
DataActions: 002 resolved data operations: 13 effective data operations: 13 •action: 1 •read: 12 •Microsoft.Maps/accounts/services/*/read •Microsoft.Maps/accounts/services/batch/action | ||||
| 423170ca-a8f6-4b0f-8487-9e4eb8f49bfa | Azure Maps Data Reader | Grants access to read map related data from an Azure maps account. | Web and Mobile | False |
00012 effective data plane operations (unique) •read: 12 |
DataActions: 001 resolved data operations: 12 effective data operations: 12 •read: 12 •Microsoft.Maps/accounts/*/read | ||||
| 6be48352-4f82-47c9-ad5e-0acacefdb005 | Azure Maps Search and Render Data Reader | Grants access to very limited set of data APIs for common visual web SDK scenarios. Specifically, render and search data APIs. | Web and Mobile | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.Maps/accounts/services/render/read •Microsoft.Maps/accounts/services/search/read | ||||
| f27b7598-bc64-41f7-8a44-855ff16326c2 | Azure Messaging Catalog Data Owner | Allows for full access to Azure Messaging Catalog resources. | None | False |
00009 effective control plane and data plane operations (unique) •delete: 3 •read: 3 •write: 3 |
Actions: 001 resolved operations: n/a effective operations: n/a •Microsoft.MessagingCatalog/* |
DataActions: 001 resolved data operations: 9 effective data operations: 9 •delete: 3 •read: 3 •write: 3 •Microsoft.MessagingCatalog/* | |||
| ff478a4e-8633-416e-91bc-ec33ce7c9516 | Azure Messaging Connectors Owner | Allows for full access to Azure Messaging Connectors resources. | None | False |
00005 effective control plane and data plane operations (unique) •action: 2 •delete: 1 •read: 1 •write: 1 |
Actions: 001 resolved operations: 5 effective operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.MessagingConnectors/* |
DataActions: 001 resolved data operations: n/a effective data operations: n/a •Microsoft.MessagingConnectors/* | |||
| 0618ae3d-2930-4bb7-aa00-718db34ee9f9 | Azure Monitor Dashboards with Grafana Contributor | Can manage dashboards with Grafana. | None | False |
00012 effective control plane operations (unique) •action: 4 •delete: 2 •read: 4 •write: 2 |
Actions: 012 resolved operations: 12 effective operations: 12 •action: 4 •delete: 2 •read: 4 •write: 2 •Microsoft.Dashboard/dashboards/delete •Microsoft.Dashboard/dashboards/read •Microsoft.Dashboard/dashboards/write •Microsoft.Dashboard/locations/read •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| c20923c5-b089-47a5-bf67-fd89569c4ad9 | Azure Programmable Connectivity Gateway Dataplane User | Allows access to all Gateway dataplane APIs. | None | False |
00050 effective control plane and data plane operations (unique) •Action: 7 •Delete: 2 •NetworkAPIAccess: 1 •read: 38 •Write: 2 |
Actions: 005 resolved operations: 49 effective operations: 49 •Action: 7 •Delete: 2 •read: 38 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •NetworkAPIAccess: 1 •Microsoft.ProgrammableConnectivity/Gateways/NetworkAPIAccess | |||
| 609c0c20-e0a0-4a71-b99f-e7e755ac493d | Azure Programmable Connectivity Gateway User | Allows access to all Gateway dataplane APIs. | None | False |
00049 effective control plane operations (unique) •Action: 7 •Delete: 2 •read: 38 •Write: 2 |
Actions: 005 resolved operations: 49 effective operations: 49 •Action: 7 •Delete: 2 •read: 38 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a1f96423-95ce-4224-ab27-4e3dc72facd4 | Azure Red Hat OpenShift Cloud Controller Manager | Manage and update the cloud controller manager deployed on top of OpenShift. | Containers | False |
00017 effective control plane operations (unique) •action: 7 •read: 6 •write: 4 |
Actions: 017 resolved operations: 17 effective operations: 17 •action: 7 •read: 6 •write: 4 •Microsoft.Compute/virtualMachines/read •Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/inboundNatRules/join/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/write •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/write •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/publicIPAddresses/write •Microsoft.Network/publicIPPrefixes/join/action •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read | ||||
| 0336e1d3-7a87-462b-b6db-342b63f7802c | Azure Red Hat OpenShift Cluster Ingress Operator | Manage and configure the OpenShift router. | Containers | False |
00006 effective control plane operations (unique) •action: 1 •delete: 2 •read: 1 •write: 2 |
Actions: 006 resolved operations: 6 effective operations: 6 •action: 1 •delete: 2 •read: 1 •write: 2 •Microsoft.Network/dnsZones/A/delete •Microsoft.Network/dnsZones/A/write •Microsoft.Network/privateDnsZones/A/delete •Microsoft.Network/privateDnsZones/A/write •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read | ||||
| 5b7237c5-45e1-49d6-bc18-a1f62f400748 | Azure Red Hat OpenShift Disk Storage Operator | Install Container Storage Interface (CSI) drivers that enable your cluster to use Azure Disks. Set OpenShift cluster-wide storage defaults to ensure a default storageclass exists for clusters. | Containers | False |
00016 effective control plane operations (unique) •action: 1 •delete: 2 •read: 9 •write: 4 |
Actions: 016 resolved operations: 16 effective operations: 16 •action: 1 •delete: 2 •read: 9 •write: 4 •Microsoft.Compute/diskEncryptionSets/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/disks/delete •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/locations/DiskOperations/read •Microsoft.Compute/locations/operations/read •Microsoft.Compute/snapshots/delete •Microsoft.Compute/snapshots/read •Microsoft.Compute/snapshots/write •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.Compute/virtualMachineScaleSets/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| ef318e2a-8334-4a05-9e4a-295a196c6a6e | Azure Red Hat OpenShift Federated Credential | Create, update and delete federated credentials on user assigned managed identities in order to build a trust relationship between the managed identity, OpenID Connect (OIDC), and the service account. | Containers | False |
00004 effective control plane operations (unique) •delete: 1 •read: 2 •write: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •delete: 1 •read: 2 •write: 1 •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write •Microsoft.ManagedIdentity/userAssignedIdentities/read | ||||
| 0d7aedc0-15fd-4a67-a412-efad370c947e | Azure Red Hat OpenShift File Storage Operator | Install Container Storage Interface (CSI) drivers that enable your cluster to use Azure Files. Set OpenShift cluster-wide storage defaults to ensure a default storageclass exists for clusters. | Containers | False |
00013 effective control plane operations (unique) •action: 4 •delete: 2 •read: 4 •write: 3 |
Actions: 013 resolved operations: 13 effective operations: 13 •action: 4 •delete: 2 •read: 4 •write: 3 •Microsoft.Network/natGateways/join/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/routeTables/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Storage/storageAccounts/delete •Microsoft.Storage/storageAccounts/fileServices/read •Microsoft.Storage/storageAccounts/fileServices/shares/delete •Microsoft.Storage/storageAccounts/fileServices/shares/read •Microsoft.Storage/storageAccounts/fileServices/shares/write •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write | ||||
| 88366f10-ed47-4cc0-9fab-c8a06148393e | Azure Red Hat OpenShift Hosted Control Planes Cluster API Provider | Enables permissions to allow cluster API to manage nodes, networks and disks for OpenShift cluster. | None | False |
00015 effective control plane operations (unique) •action: 3 •delete: 4 •read: 4 •write: 4 |
Actions: 015 resolved operations: 15 effective operations: 15 •action: 3 •delete: 4 •read: 4 •write: 4 •Microsoft.Compute/availabilitySets/delete •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/availabilitySets/write •Microsoft.Compute/disks/delete •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/virtualMachines/delete •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/virtualNetworks/subnets/join/action | ||||
| fc0c873f-45e9-4d0d-a7d1-585aab30c6ed | Azure Red Hat OpenShift Hosted Control Planes Control Plane Operator | Enables the control plane operator to read resources necessary for OpenShift cluster. | None | False |
00003 effective control plane operations (unique) •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/virtualNetworks/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| c0ff367d-66d8-445e-917c-583feb0ef0d4 | Azure Red Hat OpenShift Hosted Control Planes Service Managed Identity | Azure Red Hat OpenShift Hosted Control Planes Service Managed Identity | None | False |
00009 effective control plane operations (unique) •action: 3 •read: 5 •write: 1 |
Actions: 009 resolved operations: 9 effective operations: 9 •action: 3 •read: 5 •write: 1 •Microsoft.Network/natGateways/join/action •Microsoft.Network/natGateways/read •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/routeTables/join/action •Microsoft.Network/routeTables/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write | ||||
| 8b32b316-c2f5-4ddf-b05b-83dacd2d08b5 | Azure Red Hat OpenShift Image Registry Operator | Enables permissions for the operator to manage a singleton instance of the OpenShift image registry. It manages all configuration of the registry, including creating storage. | Containers | False |
00015 effective control plane and data plane operations (unique) •action: 4 •delete: 3 •read: 4 •write: 4 |
Actions: 010 resolved operations: 10 effective operations: 10 •action: 2 •delete: 2 •read: 3 •write: 3 •Microsoft.Resources/tags/write •Microsoft.Storage/storageAccounts/blobServices/containers/delete •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/delete •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write |
DataActions: 005 resolved data operations: 5 effective data operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| 0358943c-7e01-48ba-8889-02cc51d78637 | Azure Red Hat OpenShift Machine API Operator | Manage the lifecycle of specific-purpose custom resource definitions (CRD), controllers, and Azure RBAC objects that extend the Kubernetes API to declares the desired state of machines in a cluster. | Containers | False |
00035 effective control plane operations (unique) •action: 10 •delete: 5 •read: 14 •write: 6 |
Actions: 035 resolved operations: 35 effective operations: 35 •action: 10 •delete: 5 •read: 14 •write: 6 •Microsoft.Compute/availabilitySets/delete •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/availabilitySets/write •Microsoft.Compute/capacityReservationGroups/deploy/action •Microsoft.Compute/diskEncryptionSets/read •Microsoft.Compute/disks/delete •Microsoft.Compute/galleries/images/versions/read •Microsoft.Compute/skus/read •Microsoft.Compute/virtualMachines/delete •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.ManagedIdentity/userAssignedIdentities/assign/action •Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action •Microsoft.Network/applicationSecurityGroups/read •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action •Microsoft.Network/loadBalancers/inboundNATRules/join/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/loadBalancers/write •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/write •Microsoft.Network/publicIPAddresses/delete •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/publicIPAddresses/write •Microsoft.Network/routeTables/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| be7a6435-15ae-4171-8f30-4a343eff9e8f | Azure Red Hat OpenShift Network Operator | Install and upgrade the networking components on an OpenShift cluster. | Containers | False |
00007 effective control plane operations (unique) •action: 2 •read: 4 •write: 1 |
Actions: 007 resolved operations: 7 effective operations: 7 •action: 2 •read: 4 •write: 1 •Microsoft.Compute/virtualMachines/read •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/backendAddressPools/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action | ||||
| 4436bae4-7702-4c84-919b-c4069ff25ee2 | Azure Red Hat OpenShift Service Operator | Maintain machine health, network configuration, monitoring, and other features that are specific to an OpenShift cluster's continued functionality as a managed service. | Containers | False |
00010 effective control plane operations (unique) •action: 7 •read: 2 •write: 1 |
Actions: 010 resolved operations: 10 effective operations: 10 •action: 7 •read: 2 •write: 1 •Microsoft.Network/natGateways/join/action •Microsoft.Network/networkIntentPolicies/join/action •Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/routeTables/join/action •Microsoft.Network/serviceEndpointPolicies/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read | ||||
| 26e0b698-aa6d-4085-9386-aadae190014d | Azure Relay Listener | Allows for listen access to Azure Relay resources. | Integration | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Relay/*/hybridConnections/read •Microsoft.Relay/*/wcfRelays/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Relay/*/listen/action | |||
| 2787bf04-f1f5-4bfe-8383-c8a24483ee38 | Azure Relay Owner | Allows for full access to Azure Relay resources. | Integration | False |
00064 effective control plane and data plane operations (unique) •action: 22 •delete: 10 •read: 20 •write: 12 |
Actions: 001 resolved operations: 62 effective operations: 62 •action: 20 •delete: 10 •read: 20 •write: 12 •Microsoft.Relay/* |
DataActions: 001 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.Relay/* | |||
| 26baccc8-eea7-41f1-98f4-1762cc7f685d | Azure Relay Sender | Allows for send access to Azure Relay resources. | Integration | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Relay/*/hybridConnections/read •Microsoft.Relay/*/wcfRelays/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Relay/*/send/action | |||
| 7b1f81f9-4196-4058-8aae-762e593270df | Azure Resource Bridge Deployment Role | Azure Resource Bridge Deployment Role | Hybrid + multicloud | False |
00036 effective control plane operations (unique) •Action: 10 •delete: 3 •read: 17 •Write: 6 |
Actions: 036 resolved operations: 36 effective operations: 36 •Action: 10 •delete: 3 •read: 17 •Write: 6 •Microsoft.Authorization/roleassignments/read •Microsoft.AzureStackHCI/Register/Action •Microsoft.AzureStackHCI/StorageContainers/Read •Microsoft.AzureStackHCI/StorageContainers/Write •Microsoft.ExtendedLocation/customLocations/delete •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/read •Microsoft.ExtendedLocation/customLocations/write •Microsoft.ExtendedLocation/register/action •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.HybridConnectivity/register/action •Microsoft.HybridContainerService/kubernetesVersions/read •Microsoft.HybridContainerService/kubernetesVersions/write •Microsoft.HybridContainerService/register/action •Microsoft.HybridContainerService/skus/read •Microsoft.HybridContainerService/skus/write •Microsoft.Kubernetes/register/action •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.KubernetesConfiguration/namespaces/read •Microsoft.KubernetesConfiguration/operations/read •Microsoft.KubernetesConfiguration/register/action •Microsoft.ResourceConnector/appliances/delete •Microsoft.ResourceConnector/appliances/listClusterUserCredential/action •Microsoft.ResourceConnector/appliances/listKeys/action •Microsoft.ResourceConnector/appliances/read •Microsoft.ResourceConnector/appliances/upgradeGraphs/read •Microsoft.ResourceConnector/appliances/write •Microsoft.ResourceConnector/locations/operationresults/read •Microsoft.ResourceConnector/locations/operationsstatus/read •Microsoft.ResourceConnector/operations/read •Microsoft.ResourceConnector/register/action •Microsoft.ResourceConnector/telemetryconfig/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 0b962ed2-6d56-471c-bd5f-3477d83a7ba4 | Azure Resource Notifications System Topics Subscriber | Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications | Integration | False |
00009 effective control plane operations (unique) •action: 7 •write: 2 |
Actions: 009 resolved operations: 9 effective operations: 9 •action: 7 •write: 2 •Microsoft.EventGrid/eventSubscriptions/write •Microsoft.EventGrid/systemTopics/eventSubscriptions/write •Microsoft.ResourceNotifications/systemTopics/subscribeToComputeResources/action •Microsoft.ResourceNotifications/systemTopics/subscribeToComputeScheduleResources/action •Microsoft.ResourceNotifications/systemTopics/subscribeToContainerServiceEventResources/action •Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action •Microsoft.ResourceNotifications/systemTopics/subscribeToImpactReportingResources/action •Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action •Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action | ||||
| 090c5cfd-751d-490a-894a-3ce6f1109419 | Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. | Integration | False |
00094 effective control plane and data plane operations (unique) •action: 28 •delete: 17 •read: 30 •write: 19 |
Actions: 001 resolved operations: 90 effective operations: 90 •action: 24 •delete: 17 •read: 30 •write: 19 •Microsoft.ServiceBus/* |
DataActions: 001 resolved data operations: 4 effective data operations: 4 •action: 4 •Microsoft.ServiceBus/* |
count: 002 •Configure Azure Service Bus namespaces to disable local authentication •Configure Service Bus namespaces with private endpoints | ||
| 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 | Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. | Integration | False |
00004 effective control plane and data plane operations (unique) •action: 1 •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.ServiceBus/*/queues/read •Microsoft.ServiceBus/*/topics/read •Microsoft.ServiceBus/*/topics/subscriptions/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.ServiceBus/*/receive/action | |||
| 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 | Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. | Integration | False |
00004 effective control plane and data plane operations (unique) •action: 1 •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.ServiceBus/*/queues/read •Microsoft.ServiceBus/*/topics/read •Microsoft.ServiceBus/*/topics/subscriptions/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.ServiceBus/*/send/action | |||
| 8b9dfcab-4b77-4632-a6df-94bd07820648 | Azure Sphere Contributor | Allows user read and write access to Azure Sphere resources. | None | False |
00089 effective control plane operations (unique) •action: 22 •delete: 9 •read: 48 •write: 10 |
Actions: 007 resolved operations: 89 effective operations: 89 •action: 22 •delete: 9 •read: 48 •write: 10 •Microsoft.Authorization/*/read •Microsoft.AzureSphere/* •Microsoft.Insights/alertRules/* •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/DiagnosticSettingsCategories/Read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 5a382001-fe36-41ff-bba4-8bf06bd54da9 | Azure Sphere Owner | Allows user read and write access to Azure Sphere resources and RBAC configuration, includes an ABAC condition to constrain role assignments. | None | True |
00103 effective control plane operations (unique) •action: 25 •delete: 10 •read: 56 •write: 12 |
Actions: 015 resolved operations: 103 effective operations: 103 •action: 25 •delete: 10 •read: 56 •write: 12 •Microsoft.Authorization/*/read •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete •Microsoft.Authorization/roleAssignments/write •Microsoft.AzureSphere/* •Microsoft.Insights/alertRules/* •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/DiagnosticSettingsCategories/Read •Microsoft.Management/managementGroups/read •Microsoft.Resources/deployments/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 6d994134-994b-4a59-9974-f479f0b227fb | Azure Sphere Publisher | Allows user to read and download Azure Sphere resources and upload images. | None | False |
00052 effective control plane operations (unique) •action: 9 •read: 42 •write: 1 |
Actions: 014 resolved operations: 52 effective operations: 52 •action: 9 •read: 42 •write: 1 •Microsoft.Authorization/*/read •Microsoft.AzureSphere/*/read •Microsoft.AzureSphere/catalogs/certificates/retrieveCertChain/action •Microsoft.AzureSphere/catalogs/certificates/retrieveProofOfPossessionNonce/action •Microsoft.AzureSphere/catalogs/countDevices/action •Microsoft.AzureSphere/catalogs/images/write •Microsoft.AzureSphere/catalogs/listDeviceGroups/action •Microsoft.AzureSphere/catalogs/listDeviceInsights/action •Microsoft.AzureSphere/catalogs/listDevices/action •Microsoft.AzureSphere/catalogs/products/countDevices/action •Microsoft.AzureSphere/catalogs/products/deviceGroups/countDevices/action •Microsoft.AzureSphere/catalogs/uploadImage/action •Microsoft.Insights/DiagnosticSettings/Read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| c8ae6279-5a0b-4cb2-b3f0-d4d62845742c | Azure Sphere Reader | Allows user to read Azure Sphere resources. | None | False |
00050 effective control plane operations (unique) •action: 8 •read: 42 |
Actions: 012 resolved operations: 50 effective operations: 50 •action: 8 •read: 42 •Microsoft.Authorization/*/read •Microsoft.AzureSphere/*/read •Microsoft.AzureSphere/catalogs/certificates/retrieveCertChain/action •Microsoft.AzureSphere/catalogs/countDevices/action •Microsoft.AzureSphere/catalogs/listDeployments/action •Microsoft.AzureSphere/catalogs/listDeviceGroups/action •Microsoft.AzureSphere/catalogs/listDeviceInsights/action •Microsoft.AzureSphere/catalogs/listDevices/action •Microsoft.AzureSphere/catalogs/products/countDevices/action •Microsoft.AzureSphere/catalogs/products/deviceGroups/countDevices/action •Microsoft.Insights/DiagnosticSettings/Read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 25211fc6-dc78-40b6-b205-e4ac934fd9fd | Azure Spring Apps Application Configuration Service Config File Pattern Reader Role | Read content of config file pattern for Application Configuration Service in Azure Spring Apps | Web and Mobile | False |
00003 effective control plane and data plane operations (unique) •read: 3 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.AppPlatform/Spring/configurationServices/read •Microsoft.AppPlatform/Spring/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.AppPlatform/Spring/ApplicationConfigurationService/read | |||
| 6593e776-2a30-40f9-8a32-4fe28b77655d | Azure Spring Apps Application Configuration Service Log Reader Role | Read real-time logs for Application Configuration Service in Azure Spring Apps | Web and Mobile | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.AppPlatform/Spring/configurationServices/read •Microsoft.AppPlatform/Spring/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/ApplicationConfigurationService/logstream/action | |||
| 80558df3-64f9-4c0f-b32d-e5094b036b0b | Azure Spring Apps Connect Role | Azure Spring Apps Connect Role | Web and Mobile | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/apps/deployments/connect/action | ||||
| 91422e52-bb88-4415-bb4a-90f5b71f6dcb | Azure Spring Apps Job Execution Instance List Role | List instances for job executions in Azure Spring Apps | None | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/jobs/executions/listInstances/action | ||||
| b459aa1d-e3c8-436f-ae21-c0531140f43e | Azure Spring Apps Job Log Reader Role | Read real-time logs for jobs in Azure Spring Apps | Web and Mobile | False |
00005 effective control plane and data plane operations (unique) •action: 2 •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.AppPlatform/Spring/jobs/executions/read •Microsoft.AppPlatform/Spring/jobs/read •Microsoft.AppPlatform/Spring/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.AppPlatform/Spring/jobs/executions/listInstances/action •Microsoft.AppPlatform/Spring/jobs/executions/logstream/action | |||
| 52fd16bd-6ed5-46af-9c40-29cbd7952a29 | Azure Spring Apps Managed Components Log Reader Role | Read real-time logs for all managed components in Azure Spring Apps | None | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/managedComponents/logstream/action | ||||
| a99b0159-1064-4c22-a57b-c9b3caa1c054 | Azure Spring Apps Remote Debugging Role | Azure Spring Apps Remote Debugging Role | Web and Mobile | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action | ||||
| 74252426-c508-480e-9345-4607bbebead4 | Azure Spring Apps Spring Cloud Config Server Log Reader Role | Read real-time logs for Spring Cloud Config Server in Azure Spring Apps | None | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.AppPlatform/Spring/configServers/read •Microsoft.AppPlatform/Spring/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/configService/logstream/action | |||
| 4301dc2a-25a9-44b0-ae63-3636cf7f2bd2 | Azure Spring Apps Spring Cloud Gateway Log Reader Role | Read real-time logs for Spring Cloud Gateway in Azure Spring Apps | Web and Mobile | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.AppPlatform/Spring/gateways/read •Microsoft.AppPlatform/Spring/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.AppPlatform/Spring/SpringCloudGateway/logstream/action | |||
| a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b | Azure Spring Cloud Config Server Contributor | Allow read, write and delete access to Azure Spring Cloud Config Server | Web and Mobile | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.AppPlatform/Spring/configService/delete •Microsoft.AppPlatform/Spring/configService/read •Microsoft.AppPlatform/Spring/configService/write | ||||
| d04c6db6-4947-4782-9e91-30a88feb7be7 | Azure Spring Cloud Config Server Reader | Allow read access to Azure Spring Cloud Config Server | Web and Mobile | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.AppPlatform/Spring/configService/read | ||||
| b5537268-8956-4941-a8f0-646150406f0c | Azure Spring Cloud Data Reader | Allow read access to Azure Spring Cloud Data | Web and Mobile | False |
00004 effective data plane operations (unique) •read: 4 |
DataActions: 001 resolved data operations: 4 effective data operations: 4 •read: 4 •Microsoft.AppPlatform/Spring/*/read | ||||
| f5880b48-c26d-48be-b172-7927bfa1c8f1 | Azure Spring Cloud Service Registry Contributor | Allow read, write and delete access to Azure Spring Cloud Service Registry | Web and Mobile | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.AppPlatform/Spring/eurekaService/delete •Microsoft.AppPlatform/Spring/eurekaService/read •Microsoft.AppPlatform/Spring/eurekaService/write | ||||
| cff1b556-2399-4e7e-856d-a8f754be7b65 | Azure Spring Cloud Service Registry Reader | Allow read access to Azure Spring Cloud Service Registry | Web and Mobile | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.AppPlatform/Spring/eurekaService/read | ||||
| 12b8206a-0216-4469-908d-a3e2025fe085 | Azure Stack Edge Operations Role | Built in role for managing operations in azure stack edge | None | False |
00040 effective control plane operations (unique) •action: 15 •delete: 12 •write: 13 |
Actions: 040 resolved operations: 40 effective operations: 40 •action: 15 •delete: 12 •write: 13 •Microsoft.DataBoxEdge/dataBoxEdgeDevices/bandwidthSchedules/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/bandwidthSchedules/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/deviceCapacityCheck/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/downloadUpdates/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/generateCertificate/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/getExtendedInformation/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/installUpdates/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/orders/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/orders/listDCAccessCode/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/orders/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/providers/Microsoft.Insights/diagnosticSettings/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/publishers/offers/skus/versions/generatesastoken/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/addons/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/addons/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/migrate/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/monitoringConfig/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/monitoringConfig/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/roles/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/scanForUpdates/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/securitySettings/update/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/shares/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/shares/refresh/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/shares/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccountCredentials/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccountCredentials/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/containers/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/containers/refresh/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/containers/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/storageAccounts/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/triggers/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/triggers/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/triggerSupportPackage/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/updateExtendedInformation/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/uploadCertificate/action •Microsoft.DataBoxEdge/dataBoxEdgeDevices/users/delete •Microsoft.DataBoxEdge/dataBoxEdgeDevices/users/write •Microsoft.DataBoxEdge/dataBoxEdgeDevices/write | ||||
| bda0d508-adf1-4af0-9c28-88919fc3ae06 | Azure Stack HCI Administrator | Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader | Hybrid + multicloud | True |
00246 effective control plane operations (unique) •Action: 56 •delete: 37 •read: 113 •write: 40 |
Actions: 103 resolved operations: 246 effective operations: 246 •Action: 56 •delete: 37 •read: 113 •write: 40 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.AzureStackHCI/* •Microsoft.AzureStackHCI/clusters/* •Microsoft.AzureStackHCI/DevicePools/* •Microsoft.AzureStackHCI/EdgeMachines/* •Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete •Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action •Microsoft.AzureStackHCI/NetworkSecurityGroups/Read •Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete •Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read •Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write •Microsoft.AzureStackHCI/NetworkSecurityGroups/Write •Microsoft.AzureStackHCI/register/action •Microsoft.AzureStackHCI/StorageContainers/Read •Microsoft.AzureStackHCI/StorageContainers/Write •Microsoft.AzureStackHCI/Unregister/Action •Microsoft.EdgeMarketplace/offers/read •Microsoft.EdgeMarketplace/publishers/read •Microsoft.ExtendedLocation/customLocations/delete •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/read •Microsoft.ExtendedLocation/customLocations/write •Microsoft.ExtendedLocation/register/action •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.GuestConfiguration/register/action •Microsoft.HybridCompute/gateways/delete •Microsoft.HybridCompute/gateways/read •Microsoft.HybridCompute/gateways/write •Microsoft.HybridCompute/licenses/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.HybridCompute/register/action •Microsoft.HybridCompute/settings/read •Microsoft.HybridCompute/settings/write •Microsoft.HybridConnectivity/register/action •Microsoft.HybridContainerService/register/action •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.Kubernetes/register/action •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.KubernetesConfiguration/namespaces/read •Microsoft.KubernetesConfiguration/operations/read •Microsoft.KubernetesConfiguration/register/action •Microsoft.Management/managementGroups/read •Microsoft.ResourceConnector/appliances/delete •Microsoft.ResourceConnector/appliances/listClusterUserCredential/action •Microsoft.ResourceConnector/appliances/listKeys/action •Microsoft.ResourceConnector/appliances/read •Microsoft.ResourceConnector/appliances/write •Microsoft.ResourceConnector/locations/operationresults/read •Microsoft.ResourceConnector/locations/operationsstatus/read •Microsoft.ResourceConnector/operations/read •Microsoft.ResourceConnector/register/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/delete •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Support/* | ||||
| c99c945f-8bd1-4fb1-a903-01460aae6068 | Azure Stack HCI Connected InfraVMs | Role of Arc Integration for Azure Stack HCI Infrastructure Virtual Machines. | Hybrid + multicloud | False |
00030 effective control plane operations (unique) •action: 1 •delete: 2 •read: 25 •write: 2 |
Actions: 007 resolved operations: 30 effective operations: 30 •action: 1 •delete: 2 •read: 25 •write: 2 •Microsoft.HybridCompute/*/read •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/write | ||||
| 865ae368-6a45-4bd1-8fbf-0d5151f56fc1 | Azure Stack HCI Device Management Role | Microsoft.AzureStackHCI Device Management Role | Hybrid + multicloud | False |
00070 effective control plane operations (unique) •Action: 15 •Delete: 11 •read: 30 •Write: 14 |
Actions: 036 resolved operations: 70 effective operations: 70 •Action: 15 •Delete: 11 •read: 30 •Write: 14 •Microsoft.Authorization/roleassignments/read •Microsoft.AzureStackHCI/Clusters/* •Microsoft.AzureStackHCI/DevicePools/*/read •Microsoft.AzureStackHCI/EdgeDevices/* •Microsoft.AzureStackHCI/EdgeMachines/*/read •Microsoft.AzureStackHCI/Register/Action •Microsoft.AzureStackHCI/StorageContainers/Read •Microsoft.AzureStackHCI/StorageContainers/Write •Microsoft.ExtendedLocation/customLocations/delete •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/read •Microsoft.ExtendedLocation/customLocations/write •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.HybridContainerService/kubernetesVersions/read •Microsoft.HybridContainerService/kubernetesVersions/write •Microsoft.HybridContainerService/register/action •Microsoft.HybridContainerService/skus/read •Microsoft.HybridContainerService/skus/write •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.KubernetesConfiguration/namespaces/read •Microsoft.KubernetesConfiguration/operations/read •Microsoft.ResourceConnector/appliances/delete •Microsoft.ResourceConnector/appliances/listClusterUserCredential/action •Microsoft.ResourceConnector/appliances/listKeys/action •Microsoft.ResourceConnector/appliances/read •Microsoft.ResourceConnector/appliances/upgradeGraphs/read •Microsoft.ResourceConnector/appliances/write •Microsoft.ResourceConnector/locations/operationresults/read •Microsoft.ResourceConnector/locations/operationsstatus/read •Microsoft.ResourceConnector/operations/read •Microsoft.ResourceConnector/telemetryconfig/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 1a6f9009-515c-4455-b170-143e4c9ce229 | Azure Stack HCI Edge Machine Contributor Role | Microsoft.AzureStackHCI Edge Machine Contributor Role | None | False |
00007 effective control plane operations (unique) •Action: 1 •Delete: 2 •Read: 2 •Write: 2 |
Actions: 001 resolved operations: 7 effective operations: 7 •Action: 1 •Delete: 2 •Read: 2 •Write: 2 •Microsoft.AzureStackHCI/EdgeMachines/* | ||||
| 874d1c73-6003-4e60-a13a-cb31ea190a85 | Azure Stack HCI VM Contributor | Grants permissions to perform all VM actions | Hybrid + multicloud | False |
00128 effective control plane operations (unique) •action: 25 •Delete: 12 •read: 78 •Write: 13 |
Actions: 075 resolved operations: 128 effective operations: 128 •action: 25 •Delete: 12 •read: 78 •Write: 13 •Microsoft.Authorization/*/read •Microsoft.AzureStackHCI/Clusters/ArcSettings/Read •Microsoft.AzureStackHCI/Clusters/Read •Microsoft.AzureStackHCI/GalleryImages/deploy/action •Microsoft.AzureStackHCI/GalleryImages/Read •Microsoft.AzureStackHCI/LogicalNetworks/join/action •Microsoft.AzureStackHCI/LogicalNetworks/Read •Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action •Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read •Microsoft.AzureStackHCI/NetworkInterfaces/* •Microsoft.AzureStackHCI/NetworkSecurityGroups/Read •Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read •Microsoft.AzureStackHCI/StorageContainers/deploy/action •Microsoft.AzureStackHCI/StorageContainers/Read •Microsoft.AzureStackHCI/VirtualHardDisks/* •Microsoft.AzureStackHCI/virtualMachineInstances/* •Microsoft.AzureStackHCI/VirtualMachines/* •Microsoft.AzureStackHCI/VirtualNetworks/join/action •Microsoft.AzureStackHCI/VirtualNetworks/Read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/Read •Microsoft.HybridCompute/licenses/delete •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/licenses/write •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/locations/updateCenterOperationResults/read •Microsoft.HybridCompute/machines/assessPatches/action •Microsoft.HybridCompute/machines/delete •Microsoft.HybridCompute/machines/extensions/delete •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/extensions/write •Microsoft.HybridCompute/machines/hybridIdentityMetadata/read •Microsoft.HybridCompute/machines/installPatches/action •Microsoft.HybridCompute/machines/licenseProfiles/delete •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/licenseProfiles/write •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/runcommands/delete •Microsoft.HybridCompute/machines/runcommands/read •Microsoft.HybridCompute/machines/runcommands/write •Microsoft.HybridCompute/machines/UpgradeExtensions/action •Microsoft.HybridCompute/machines/write •Microsoft.HybridCompute/operations/read •Microsoft.HybridCompute/osType/agentVersions/latest/read •Microsoft.HybridCompute/osType/agentVersions/read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 4b3fe76c-f777-4d24-a2d7-b027b0f7b273 | Azure Stack HCI VM Reader | Grants permissions to view VMs | Hybrid + multicloud | False |
00072 effective control plane operations (unique) •Action: 4 •Delete: 1 •read: 66 •Write: 1 |
Actions: 042 resolved operations: 72 effective operations: 72 •Action: 4 •Delete: 1 •read: 66 •Write: 1 •Microsoft.Authorization/*/read •Microsoft.AzureStackHCI/GalleryImages/Read •Microsoft.AzureStackHCI/LogicalNetworks/Read •Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read •Microsoft.AzureStackHCI/NetworkInterfaces/Read •Microsoft.AzureStackHCI/NetworkSecurityGroups/Read •Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read •Microsoft.AzureStackHCI/StorageContainers/Read •Microsoft.AzureStackHCI/VirtualHardDisks/Read •Microsoft.AzureStackHCI/virtualMachineInstances/Read •Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read •Microsoft.AzureStackHCI/VirtualMachines/Read •Microsoft.AzureStackHCI/VirtualNetworks/Read •Microsoft.HybridCompute/licenses/read •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/licenseProfiles/read •Microsoft.HybridCompute/machines/patchAssessmentResults/read •Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read •Microsoft.HybridCompute/machines/patchInstallationResults/read •Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read •Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read •Microsoft.HybridCompute/privateLinkScopes/read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 6f12a6df-dd06-4f3e-bcb1-ce8be600526a | Azure Stack Registration Owner | Lets you manage Azure Stack registrations. | Hybrid + multicloud | False |
00007 effective control plane operations (unique) •action: 4 •read: 3 |
Actions: 004 resolved operations: 7 effective operations: 7 •action: 4 •read: 3 •Microsoft.AzureStack/edgeSubscriptions/read •Microsoft.AzureStack/registrations/products/*/action •Microsoft.AzureStack/registrations/products/read •Microsoft.AzureStack/registrations/read | ||||
| f0310ce6-e953-4cf8-b892-fb1c87eaf7f6 | Azure Usage Billing Data Sender | Azure Usage Billing shared BuiltIn role to be used for all Customer Account Authentication | None | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.UsageBilling/accounts/inputs/send/action | ||||
| 6ae96244-5829-4925-a7d3-5975537d91dd | Azure VM Managed identities restore Contributor | Azure VM Managed identities restore Contributors are allowed to perform Azure VM Restores with managed identities both user and system | None | False |
00031 effective control plane operations (unique) •read: 31 |
Actions: 001 resolved operations: 31 effective operations: 31 •read: 31 •Microsoft.Authorization/*/read | ||||
| e503ece1-11d0-4e8e-8e2c-7a6c3bf38815 | AzureML Compute Operator | Can access and perform CRUD operations on Machine Learning Services managed compute resources (including Notebook VMs). | AI + machine learning | False |
00018 effective control plane operations (unique) •action: 12 •delete: 2 •read: 2 •write: 2 |
Actions: 002 resolved operations: 18 effective operations: 18 •action: 12 •delete: 2 •read: 2 •write: 2 •Microsoft.MachineLearningServices/workspaces/computes/* •Microsoft.MachineLearningServices/workspaces/notebooks/vm/* | ||||
| f6c7c914-8db3-469d-8ca1-694a8f32e121 | AzureML Data Scientist | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. | AI + machine learning | False |
00277 effective control plane operations (unique) •action: 54 •delete: 57 •read: 98 •write: 68 |
Actions: 004 resolved operations: 283 effective operations: 277 •action: 54 •delete: 57 •read: 98 •write: 68 •Microsoft.MachineLearningServices/workspaces/*/action •Microsoft.MachineLearningServices/workspaces/*/delete •Microsoft.MachineLearningServices/workspaces/*/read •Microsoft.MachineLearningServices/workspaces/*/write |
NotActions: 010 resolved not operations: 8 effective not operations: 16559 •Microsoft.MachineLearningServices/workspaces/computes/*/delete •Microsoft.MachineLearningServices/workspaces/computes/*/write •Microsoft.MachineLearningServices/workspaces/computes/listKeys/action •Microsoft.MachineLearningServices/workspaces/delete •Microsoft.MachineLearningServices/workspaces/featurestores/delete •Microsoft.MachineLearningServices/workspaces/featurestores/write •Microsoft.MachineLearningServices/workspaces/hubs/delete •Microsoft.MachineLearningServices/workspaces/hubs/write •Microsoft.MachineLearningServices/workspaces/listKeys/action •Microsoft.MachineLearningServices/workspaces/write | |||
| 635dd51f-9968-44d3-b7fb-6d9a6bd613ae | AzureML Metrics Writer (preview) | Lets you write metrics to AzureML workspace | AI + machine learning | False |
00001 effective control plane operations (unique) •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •write: 1 •Microsoft.MachineLearningServices/workspaces/metrics/*/write | ||||
| 1823dd4f-9b8c-4ab6-ab4e-7397a3684615 | AzureML Registry User | Can perform all actions on Machine Learning Services Registry assets as well as get Registry resources. | AI + machine learning | False |
00005 effective control plane operations (unique) •delete: 1 •read: 2 •write: 2 |
Actions: 002 resolved operations: 5 effective operations: 5 •delete: 1 •read: 2 •write: 2 •Microsoft.MachineLearningServices/registries/assets/* •Microsoft.MachineLearningServices/registries/read | ||||
| 5e467623-bb1f-42f4-a55d-6e525e11384b | Backup Contributor | Lets you manage backups, but can't delete vaults and give access to others | Storage | False |
00185 effective control plane operations (unique) •action: 50 •delete: 11 •read: 103 •write: 21 |
Actions: 088 resolved operations: 185 effective operations: 185 •action: 50 •delete: 11 •read: 103 •write: 21 •Microsoft.Authorization/*/read •Microsoft.DataProtection/backupVaults/backupInstances/backup/action •Microsoft.DataProtection/backupVaults/backupInstances/delete •Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action •Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/restore/action •Microsoft.DataProtection/backupVaults/backupInstances/SuspendBackups/action •Microsoft.DataProtection/backupVaults/backupInstances/validateForModifyBackup/action •Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action •Microsoft.DataProtection/backupVaults/backupInstances/write •Microsoft.DataProtection/backupVaults/backupPolicies/delete •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupPolicies/write •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write •Microsoft.DataProtection/backupVaults/deletedBackupInstances/read •Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/action •Microsoft.DataProtection/backupVaults/operationResults/read •Microsoft.DataProtection/backupVaults/operationStatus/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/validateForBackup/action •Microsoft.DataProtection/backupVaults/write •Microsoft.DataProtection/locations/checkFeatureSupport/action •Microsoft.DataProtection/locations/checkNameAvailability/action •Microsoft.DataProtection/locations/getBackupStatus/action •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/operations/read •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/locations/* •Microsoft.RecoveryServices/locations/backupPreValidateProtection/action •Microsoft.RecoveryServices/locations/backupStatus/action •Microsoft.RecoveryServices/locations/backupValidateFeatures/action •Microsoft.RecoveryServices/locations/operationStatus/read •Microsoft.RecoveryServices/operations/read •Microsoft.RecoveryServices/Vaults/backupconfig/* •Microsoft.RecoveryServices/Vaults/backupEngines/read •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* •Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* •Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* •Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action •Microsoft.RecoveryServices/Vaults/backupJobs/* •Microsoft.RecoveryServices/Vaults/backupJobsExport/action •Microsoft.RecoveryServices/Vaults/backupOperationResults/* •Microsoft.RecoveryServices/Vaults/backupOperations/read •Microsoft.RecoveryServices/Vaults/backupPolicies/* •Microsoft.RecoveryServices/Vaults/backupProtectableItems/* •Microsoft.RecoveryServices/Vaults/backupProtectedItems/* •Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* •Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read •Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete •Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read •Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action •Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write •Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* •Microsoft.RecoveryServices/Vaults/backupstorageconfig/* •Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read •Microsoft.RecoveryServices/Vaults/backupValidateOperation/action •Microsoft.RecoveryServices/Vaults/certificates/* •Microsoft.RecoveryServices/Vaults/extendedInformation/* •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/write •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* •Microsoft.RecoveryServices/vaults/operationResults/read •Microsoft.RecoveryServices/vaults/operationStatus/read •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/* •Microsoft.RecoveryServices/Vaults/usages/* •Microsoft.RecoveryServices/Vaults/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* |
count: 015 •[Preview]: Configure Azure Recovery Services vaults to disable public network access •[Preview]: Configure backup for Azure Disks (Managed Disks) with a given tag to an existing backup vault in the same region •[Preview]: Configure backup for Azure Disks (Managed Disks) without a given tag to an existing backup vault in the same region •[Preview]: Configure backup for Azure Files Shares with a given tag to a new recovery services vault with a new policy •[Preview]: Configure backup for Azure Files Shares with a given tag to an existing recovery services vault in the same location •[Preview]: Configure backup for Azure Files Shares without a given tag to a new recovery services vault with a new policy •[Preview]: Configure backup for Azure Files Shares without a given tag to an existing recovery services vault in the same location •[Preview]: Configure backup for blobs on storage accounts with a given tag to an existing backup vault in the same region •[Preview]: Configure blob backup for all storage accounts that do not contain a given tag to a backup vault in the same region •[Preview]: Disable Cross Subscription Restore for Azure Recovery Services vaults •[Preview]: Disable Cross Subscription Restore for Backup Vaults •Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location •Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location | |||
| c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8 | Backup MUA Admin | Backup MultiUser-Authorization. Can create/delete ResourceGuard | Storage | False |
00074 effective control plane operations (unique) •action: 7 •delete: 3 •read: 60 •write: 4 |
Actions: 026 resolved operations: 74 effective operations: 74 •action: 7 •delete: 3 •read: 60 •write: 4 •Microsoft.Authorization/*/read •Microsoft.DataProtection/*/read •Microsoft.DataProtection/*/resourceGuards/write •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write •Microsoft.DataProtection/locations/checkFeatureSupport/action •Microsoft.DataProtection/locations/getBackupStatus/action •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/subscriptions/providers/resourceGuards/read •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/operationStatus/read •Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/{operationName}/read •Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/delete •Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/read •Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGuards/write •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| f54b6d04-23c6-443e-b462-9c16ab7b4a52 | Backup MUA Operator | Backup MultiUser-Authorization. Allows user to perform critical operation protected by resourceguard | Storage | False |
00072 effective control plane operations (unique) •action: 24 •read: 48 |
Actions: 003 resolved operations: 72 effective operations: 72 •action: 24 •read: 48 •Microsoft.Authorization/*/read •Microsoft.DataProtection/*/action •Microsoft.DataProtection/*/read | ||||
| 00c29273-979b-4161-815c-10b084fb9324 | Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others | Storage | False |
00153 effective control plane operations (unique) •action: 39 •delete: 3 •read: 97 •write: 14 |
Actions: 103 resolved operations: 153 effective operations: 153 •action: 39 •delete: 3 •read: 97 •write: 14 •Microsoft.Authorization/*/read •Microsoft.DataProtection/backupVaults/backupInstances/backup/action •Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action •Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/restore/action •Microsoft.DataProtection/backupVaults/backupInstances/validateForModifyBackup/action •Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action •Microsoft.DataProtection/backupVaults/backupInstances/write •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDelete/action •Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write •Microsoft.DataProtection/backupVaults/deletedBackupInstances/read •Microsoft.DataProtection/backupVaults/operationResults/read •Microsoft.DataProtection/backupVaults/operationStatus/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/validateForBackup/action •Microsoft.DataProtection/locations/checkFeatureSupport/action •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/operations/read •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/crossRegionRestore/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/validateCrossRegionRestore/action •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/locations/backupAadProperties/read •Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action •Microsoft.RecoveryServices/locations/backupCrrJob/action •Microsoft.RecoveryServices/locations/backupCrrJobs/action •Microsoft.RecoveryServices/locations/backupCrrOperationResults/read •Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read •Microsoft.RecoveryServices/locations/backupPreValidateProtection/action •Microsoft.RecoveryServices/locations/backupStatus/action •Microsoft.RecoveryServices/locations/backupValidateFeatures/action •Microsoft.RecoveryServices/locations/operationStatus/read •Microsoft.RecoveryServices/operations/read •Microsoft.RecoveryServices/Vaults/backupEngines/read •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write •Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read •Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/accessToken/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write •Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action •Microsoft.RecoveryServices/Vaults/backupJobs/* •Microsoft.RecoveryServices/Vaults/backupJobsExport/action •Microsoft.RecoveryServices/Vaults/backupOperationResults/* •Microsoft.RecoveryServices/Vaults/backupOperations/read •Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read •Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read •Microsoft.RecoveryServices/Vaults/backupPolicies/read •Microsoft.RecoveryServices/Vaults/backupProtectableItems/* •Microsoft.RecoveryServices/Vaults/backupProtectedItems/read •Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read •Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read •Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete •Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read •Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/action •Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write •Microsoft.RecoveryServices/Vaults/backupstorageconfig/* •Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action •Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read •Microsoft.RecoveryServices/Vaults/backupValidateOperation/action •Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read •Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read •Microsoft.RecoveryServices/Vaults/certificates/write •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/extendedInformation/write •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/write •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/write •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* | ||||
| a795c7a0-d4a2-40c1-ae25-d81f01202912 | Backup Reader | Can view backup services, but can't make changes | Storage | False |
00096 effective control plane operations (unique) •action: 15 •read: 78 •write: 3 |
Actions: 068 resolved operations: 96 effective operations: 96 •action: 15 •read: 78 •write: 3 •Microsoft.Authorization/*/read •Microsoft.DataProtection/backupVaults/backupInstances/backup/action •Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRanges/action •Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read •Microsoft.DataProtection/backupVaults/backupInstances/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read •Microsoft.DataProtection/backupVaults/backupInstances/restore/action •Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/action •Microsoft.DataProtection/backupVaults/backupInstances/write •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/backupPolicies/read •Microsoft.DataProtection/backupVaults/deletedBackupInstances/read •Microsoft.DataProtection/backupVaults/operationResults/read •Microsoft.DataProtection/backupVaults/operationStatus/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/read •Microsoft.DataProtection/backupVaults/validateForBackup/action •Microsoft.DataProtection/locations/checkFeatureSupport/action •Microsoft.DataProtection/locations/getBackupStatus/action •Microsoft.DataProtection/locations/operationResults/read •Microsoft.DataProtection/locations/operationStatus/read •Microsoft.DataProtection/operations/read •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJob/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchCrossRegionRestoreJobs/action •Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/fetchSecondaryRecoveryPoints/action •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/locations/backupCrrJob/action •Microsoft.RecoveryServices/locations/backupCrrJobs/action •Microsoft.RecoveryServices/locations/backupCrrOperationResults/read •Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read •Microsoft.RecoveryServices/locations/backupStatus/action •Microsoft.RecoveryServices/locations/backupValidateFeatures/action •Microsoft.RecoveryServices/locations/operationStatus/read •Microsoft.RecoveryServices/operations/read •Microsoft.RecoveryServices/Vaults/backupconfig/read •Microsoft.RecoveryServices/Vaults/backupEngines/read •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read •Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read •Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read •Microsoft.RecoveryServices/Vaults/backupJobs/read •Microsoft.RecoveryServices/Vaults/backupJobsExport/action •Microsoft.RecoveryServices/Vaults/backupOperationResults/read •Microsoft.RecoveryServices/Vaults/backupOperations/read •Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read •Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read •Microsoft.RecoveryServices/Vaults/backupPolicies/read •Microsoft.RecoveryServices/Vaults/backupProtectedItems/read •Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read •Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read •Microsoft.RecoveryServices/Vaults/backupstorageconfig/read •Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/write •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/Vaults/usages/read | ||||
| 39138f76-04e6-41f0-ba6b-c411b59081a9 | Bayer Ag Powered Services Crop Id Solution User Role | Provide access to Crop Id Solution by Bayer Ag Powered Services | None | False |
00019 effective data plane operations (unique) •action: 5 •delete: 3 •read: 6 •write: 5 |
DataActions: 007 resolved data operations: 19 effective data operations: 19 •action: 5 •delete: 3 •read: 6 •write: 5 •Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/* •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/write •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/read •Microsoft.AgFoodPlatform/farmBeats/scenes/* | ||||
| a9b99099-ead7-47db-8fcf-072597a61dfa | Bayer Ag Powered Services CWUM Solution | Provide access to CWUM Solution by Bayer Ag Powered Services | None | False |
00023 effective data plane operations (unique) •action: 5 •delete: 3 •read: 8 •write: 7 |
DataActions: 011 resolved data operations: 23 effective data operations: 23 •action: 5 •delete: 3 •read: 8 •write: 7 •Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/* •Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read •Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/write •Microsoft.AgFoodPlatform/farmBeats/parties/farms/read •Microsoft.AgFoodPlatform/farmBeats/parties/farms/write •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/write •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/read •Microsoft.AgFoodPlatform/farmBeats/scenes/* | ||||
| 1af232de-e806-426f-8ca1-c36142449755 | Bayer Ag Powered Services Field Imagery Solution Service Role | Provide access to Field Imagery Solution by Bayer Ag Powered Services | None | False |
00017 effective data plane operations (unique) •action: 5 •delete: 3 •read: 5 •write: 4 |
DataActions: 006 resolved data operations: 17 effective data operations: 17 •action: 5 •delete: 3 •read: 5 •write: 4 •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/write •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/read •Microsoft.AgFoodPlatform/farmBeats/scenes/* | ||||
| c4bc862a-3b64-4a35-a021-a380c159b042 | Bayer Ag Powered Services GDU Solution | Provide access to GDU Solution by Bayer Ag Powered Services | None | False |
00013 effective data plane operations (unique) •action: 3 •delete: 2 •read: 6 •write: 2 |
DataActions: 006 resolved data operations: 13 effective data operations: 13 •action: 3 •delete: 2 •read: 6 •write: 2 •Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read •Microsoft.AgFoodPlatform/farmBeats/parties/farms/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/read | ||||
| b5b192c1-773c-4543-bfb0-6c59254b74a9 | Bayer Ag Powered Services Historical Weather Data Solution User Role | Provide access to Historical Weather Data Solution by Bayer Ag Powered Services | None | False |
00014 effective data plane operations (unique) •action: 3 •delete: 2 •read: 5 •write: 4 |
DataActions: 007 resolved data operations: 14 effective data operations: 14 •action: 3 •delete: 2 •read: 5 •write: 4 •Microsoft.AgFoodPlatform/farmBeats/parties/farms/read •Microsoft.AgFoodPlatform/farmBeats/parties/farms/write •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/write •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/read | ||||
| ef29765d-0d37-4119-a4f8-f9f9902c9588 | Bayer Ag Powered Services Imagery Solution | Provide access to Imagery Solution by Bayer Ag Powered Services | None | False |
00023 effective data plane operations (unique) •action: 5 •delete: 3 •read: 8 •write: 7 |
DataActions: 011 resolved data operations: 23 effective data operations: 23 •action: 5 •delete: 3 •read: 8 •write: 7 •Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/* •Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/read •Microsoft.AgFoodPlatform/farmBeats/parties/boundaries/write •Microsoft.AgFoodPlatform/farmBeats/parties/farms/read •Microsoft.AgFoodPlatform/farmBeats/parties/farms/write •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/write •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/read •Microsoft.AgFoodPlatform/farmBeats/scenes/* | ||||
| 539283cd-c185-4a9a-9503-d35217a1db7b | Bayer Ag Powered Services Smart Boundary Solution User Role | Provide access to Smart Boundary Solution by Bayer Ag Powered Services | None | False |
00019 effective data plane operations (unique) •action: 5 •delete: 3 •read: 6 •write: 5 |
DataActions: 007 resolved data operations: 19 effective data operations: 19 •action: 5 •delete: 3 •read: 6 •write: 5 •Microsoft.AgFoodPlatform/farmBeats/ingestionJobs/satelliteDataIngestionJobs/* •Microsoft.AgFoodPlatform/farmBeats/parties/fields/read •Microsoft.AgFoodPlatform/farmBeats/parties/fields/write •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insightAttachments/* •Microsoft.AgFoodPlatform/farmBeats/parties/models/resourceTypes/resources/insights/* •Microsoft.AgFoodPlatform/farmBeats/parties/read •Microsoft.AgFoodPlatform/farmBeats/scenes/* | ||||
| fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 | Billing Reader | Allows read access to billing data | Management and governance | False |
00193 effective control plane operations (unique) •action: 3 •read: 189 •write: 1 |
Actions: 007 resolved operations: 193 effective operations: 193 •action: 3 •read: 189 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Billing/*/read •Microsoft.Commerce/*/read •Microsoft.Consumption/*/read •Microsoft.CostManagement/*/read •Microsoft.Management/managementGroups/read •Microsoft.Support/* | ||||
| 5e3c6656-6cfa-4708-81fe-0de47ac73342 | BizTalk Contributor | Lets you manage BizTalk services, but not access to them. | Integration | False |
00059 effective control plane operations (unique) •Action: 10 •Delete: 2 •read: 44 •Write: 3 |
Actions: 007 resolved operations: 59 effective operations: 59 •Action: 10 •Delete: 2 •read: 44 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.BizTalkServices/BizTalk/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 31a002a1-acaf-453e-8a5b-297c9ca1ea24 | Blockchain Member Node Access (Preview) | Allows for access to Blockchain Member nodes | None | False |
00002 effective control plane and data plane operations (unique) •action: 1 •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Blockchain/blockchainMembers/transactionNodes/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Blockchain/blockchainMembers/transactionNodes/connect/action | |||
| 41077137-e803-4205-871c-5a86e6a753b4 | Blueprint Contributor | Can manage blueprint definitions, but not assign them. | Management and governance | False |
00061 effective control plane operations (unique) •action: 7 •delete: 4 •read: 45 •write: 5 |
Actions: 005 resolved operations: 61 effective operations: 61 •action: 7 •delete: 4 •read: 45 •write: 5 •Microsoft.Authorization/*/read •Microsoft.Blueprint/blueprints/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 437d2ced-4a38-4302-8479-ed2bcb43d090 | Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. | Management and governance | False |
00056 effective control plane operations (unique) •action: 8 •delete: 2 •read: 43 •write: 3 |
Actions: 005 resolved operations: 56 effective operations: 56 •action: 8 •delete: 2 •read: 43 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Blueprint/blueprintAssignments/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| fa0d39e6-28e5-40cf-8521-1eb320653a4c | Carbon Optimization Reader | Allow read access to Azure Carbon Optimization data | Management and governance | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.Carbon/carbonEmissionReports/action •Microsoft.Carbon/carbonEmissionReports/read | ||||
| 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 | CDN Endpoint Contributor | Can manage CDN endpoints, but can't grant access to other users. | Networking | False |
00156 effective control plane operations (unique) •action: 44 •delete: 22 •read: 66 •write: 24 |
Actions: 008 resolved operations: 156 effective operations: 156 •action: 44 •delete: 22 •read: 66 •write: 24 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/endpoints/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 871e35f6-b5c1-49cc-a043-bde969a0f2cd | CDN Endpoint Reader | Can view CDN endpoints, but can't make changes. | Networking | False |
00139 effective control plane operations (unique) •action: 37 •delete: 18 •read: 65 •write: 19 |
Actions: 009 resolved operations: 139 effective operations: 139 •action: 37 •delete: 18 •read: 65 •write: 19 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action •Microsoft.Cdn/profiles/endpoints/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| ec156ff8-a8d1-4d15-830c-5b80698ca432 | CDN Profile Contributor | Can manage CDN and Azure Front Door standard and premium profiles and their endpoints, but can't grant access to other users. | Networking | False |
00218 effective control plane operations (unique) •action: 66 •delete: 32 •read: 85 •write: 35 |
Actions: 008 resolved operations: 218 effective operations: 218 •action: 66 •delete: 32 •read: 85 •write: 35 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 8f96442b-4075-438f-813d-ad51ab4019af | CDN Profile Reader | Can view CDN profiles and their endpoints, but can't make changes. | Networking | False |
00160 effective control plane operations (unique) •action: 39 •delete: 18 •read: 84 •write: 19 |
Actions: 011 resolved operations: 160 effective operations: 160 •action: 39 •delete: 18 •read: 84 •write: 19 •Microsoft.Authorization/*/read •Microsoft.Cdn/edgenodes/read •Microsoft.Cdn/operationresults/* •Microsoft.Cdn/profiles/*/read •Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action •Microsoft.Cdn/profiles/CheckResourceUsage/action •Microsoft.Cdn/profiles/endpoints/CheckResourceUsage/action •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 7c2e40b7-25eb-482a-82cb-78ba06cb46d5 | Chaos Studio Experiment Contributor | Can create, run, and see details for experiments, onboard targets, and manage capabilities. | DevOps | False |
00069 effective control plane operations (unique) •action: 12 •delete: 5 •read: 47 •write: 5 |
Actions: 005 resolved operations: 69 effective operations: 69 •action: 12 •delete: 5 •read: 47 •write: 5 •Microsoft.Authorization/*/read •Microsoft.Chaos/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 1a40e87e-6645-48e0-b27a-0b115d849a20 | Chaos Studio Operator | Can run and see details for experiments but cannot create experiments or manage targets and capabilities. | DevOps | False |
00061 effective control plane operations (unique) •action: 10 •Delete: 2 •read: 47 •Write: 2 |
Actions: 010 resolved operations: 61 effective operations: 61 •action: 10 •Delete: 2 •read: 47 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Chaos/*/read •Microsoft.Chaos/experiments/cancel/action •Microsoft.Chaos/experiments/executions/getExecutionDetails/action •Microsoft.Chaos/experiments/start/action •Microsoft.Chaos/locations/operationResults/read •Microsoft.Chaos/locations/operationStatuses/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 29e2da8a-229c-4157-8ae8-cc72fc506b74 | Chaos Studio Reader | Can view targets, capabilities, experiments, and experiment details. | DevOps | False |
00059 effective control plane operations (unique) •action: 8 •Delete: 2 •read: 47 •Write: 2 |
Actions: 006 resolved operations: 59 effective operations: 59 •action: 8 •Delete: 2 •read: 47 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Chaos/*/read •Microsoft.Chaos/experiments/executions/getExecutionDetails/action •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 59a618e3-3c9a-406e-9f03-1a20dd1c55f1 | Chaos Studio Target Contributor | Can onboard targets and manage capabilities but cannot create, run, or see details for experiments | DevOps | False |
00056 effective control plane operations (unique) •Action: 7 •delete: 4 •read: 41 •write: 4 |
Actions: 012 resolved operations: 56 effective operations: 56 •Action: 7 •delete: 4 •read: 41 •write: 4 •Microsoft.Authorization/*/read •Microsoft.Chaos/locations/targetTypes/capabilityTypes/read •Microsoft.Chaos/locations/targetTypes/read •Microsoft.Chaos/targets/capabilities/delete •Microsoft.Chaos/targets/capabilities/read •Microsoft.Chaos/targets/capabilities/write •Microsoft.Chaos/targets/delete •Microsoft.Chaos/targets/read •Microsoft.Chaos/targets/write •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b34d265f-36f7-4a0d-a4d4-e158ca92e90f | Classic Network Contributor | Lets you manage classic networks, but not access to them. | Networking | False |
00131 effective control plane operations (unique) •action: 32 •delete: 12 •read: 72 •write: 15 |
Actions: 007 resolved operations: 131 effective operations: 131 •action: 32 •delete: 12 •read: 72 •write: 15 •Microsoft.Authorization/*/read •Microsoft.ClassicNetwork/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 | Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. | Storage | False |
00103 effective control plane operations (unique) •action: 16 •delete: 7 •read: 67 •write: 13 |
Actions: 007 resolved operations: 103 effective operations: 103 •action: 16 •delete: 7 •read: 67 •write: 13 •Microsoft.Authorization/*/read •Microsoft.ClassicStorage/storageAccounts/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 985d6b00-f706-48f5-a6fe-d0ca12fb668d | Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts | Storage | False |
00002 effective control plane operations (unique) •action: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 2 •Microsoft.ClassicStorage/storageAccounts/listkeys/action •Microsoft.ClassicStorage/storageAccounts/regeneratekey/action | ||||
| d73bb868-a0df-4d4d-bd69-98a00b01fccb | Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | Compute | False |
00164 effective control plane operations (unique) •action: 35 •delete: 11 •read: 94 •write: 24 |
Actions: 017 resolved operations: 164 effective operations: 164 •action: 35 •delete: 11 •read: 94 •write: 24 •Microsoft.Authorization/*/read •Microsoft.ClassicCompute/domainNames/* •Microsoft.ClassicCompute/virtualMachines/* •Microsoft.ClassicNetwork/networkSecurityGroups/join/action •Microsoft.ClassicNetwork/reservedIps/link/action •Microsoft.ClassicNetwork/reservedIps/read •Microsoft.ClassicNetwork/virtualNetworks/join/action •Microsoft.ClassicNetwork/virtualNetworks/read •Microsoft.ClassicStorage/storageAccounts/disks/read •Microsoft.ClassicStorage/storageAccounts/images/read •Microsoft.ClassicStorage/storageAccounts/listKeys/action •Microsoft.ClassicStorage/storageAccounts/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 9106cda0-8a86-4e81-b686-29a22c54effe | ClearDB MySQL DB Contributor | Lets you manage ClearDB MySQL databases, but not access to them. | None | False |
00059 effective control plane operations (unique) •Action: 10 •Delete: 2 •read: 44 •Write: 3 |
Actions: 007 resolved operations: 59 effective operations: 59 •Action: 10 •Delete: 2 •read: 44 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •successbricks.cleardb/databases/* | ||||
| 4e9d0bd4-5aab-4f91-92df-9def33fe287c | CloudTest Contributor Role | Read, write, delete and perform actions on CloudTest Accounts, CloudTest Pools, 1ES Hosted Pools and 1ES Images. | None | False |
00063 effective control plane operations (unique) •action: 9 •delete: 6 •read: 42 •write: 6 |
Actions: 015 resolved operations: 63 effective operations: 63 •action: 9 •delete: 6 •read: 42 •write: 6 •Microsoft.Authorization/*/read •Microsoft.CloudTest/*/read •Microsoft.CloudTest/accounts/delete •Microsoft.CloudTest/accounts/write •Microsoft.CloudTest/hostedpools/delete •Microsoft.CloudTest/hostedpools/write •Microsoft.CloudTest/images/cancel/action •Microsoft.CloudTest/images/delete •Microsoft.CloudTest/images/refresh/action •Microsoft.CloudTest/images/write •Microsoft.CloudTest/pools/delete •Microsoft.CloudTest/pools/write •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read | ||||
| 7ac06ca7-21ca-47e3-a67b-cbd6e6223baf | Cognitive Search Serverless Data Contributor (Deprecated) | This role has been deprecated | None | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.CognitiveSearch/indexes/documents/* •Microsoft.CognitiveSearch/indexes/schema/* | ||||
| 79b01272-bf9f-4f4c-9517-5506269cf524 | Cognitive Search Serverless Data Reader (Deprecated) | This role has been deprecated | None | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.CognitiveSearch/indexes/documents/read •Microsoft.CognitiveSearch/indexes/schema/read | ||||
| 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 | Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. | AI + machine learning | False |
00172 effective control plane operations (unique) •action: 26 •delete: 23 •read: 97 •write: 26 |
Actions: 018 resolved operations: 172 effective operations: 172 •action: 26 •delete: 23 •read: 97 •write: 26 •Microsoft.Authorization/*/read •Microsoft.CognitiveServices/* •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Features/providers/features/register/action •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Insights/logDefinitions/read •Microsoft.Insights/metricdefinitions/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 003 •Configure Azure AI Services resources to disable local key access (disable local authentication) •Configure Azure AI Services resources to disable local key access (disable local authentication) •Configure Cognitive Services accounts with private endpoints | |||
| c1ff6cc2-c111-46fe-8896-e0ef812ad9f3 | Cognitive Services Custom Vision Contributor | Full access to the project, including the ability to view, create, edit, or delete projects. | AI + machine learning | False |
00116 effective control plane and data plane operations (unique) •action: 33 •delete: 11 •read: 65 •write: 7 |
Actions: 001 resolved operations: 42 effective operations: 42 •read: 42 •Microsoft.CognitiveServices/*/read |
DataActions: 001 resolved data operations: 74 effective data operations: 74 •action: 33 •delete: 11 •read: 23 •write: 7 •Microsoft.CognitiveServices/accounts/CustomVision/* | |||
| 5c4089e1-6d96-4d2f-b296-c1bc7137275f | Cognitive Services Custom Vision Deployment | Publish, unpublish or export models. Deployment can view the project but can't update. | AI + machine learning | False |
00079 effective control plane and data plane operations (unique) •action: 13 •delete: 2 •read: 64 |
Actions: 001 resolved operations: 42 effective operations: 42 •read: 42 •Microsoft.CognitiveServices/*/read |
DataActions: 007 resolved data operations: 38 effective data operations: 37 •action: 13 •delete: 2 •read: 22 •Microsoft.CognitiveServices/accounts/CustomVision/*/read •Microsoft.CognitiveServices/accounts/CustomVision/classify/* •Microsoft.CognitiveServices/accounts/CustomVision/detect/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/export/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publish/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/* |
NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3534 •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 88424f51-ebe7-446f-bc41-7fa16989e96c | Cognitive Services Custom Vision Labeler | View, edit training images and create, add, remove, or delete the image tags. Labelers can view the project but can't update anything other than training images and tags. | AI + machine learning | False |
00082 effective control plane and data plane operations (unique) •action: 13 •delete: 4 •read: 64 •write: 1 |
Actions: 001 resolved operations: 42 effective operations: 42 •read: 42 •Microsoft.CognitiveServices/*/read |
DataActions: 006 resolved data operations: 41 effective data operations: 40 •action: 13 •delete: 4 •read: 22 •write: 1 •Microsoft.CognitiveServices/accounts/CustomVision/*/read •Microsoft.CognitiveServices/accounts/CustomVision/projects/images/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action •Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/* •Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/suggestions/action |
NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3531 •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 93586559-c37d-4a6b-ba08-b9f0940c2d73 | Cognitive Services Custom Vision Reader | Read-only actions in the project. Readers can't create or update the project. | AI + machine learning | False |
00065 effective control plane and data plane operations (unique) •action: 1 •read: 64 |
Actions: 001 resolved operations: 42 effective operations: 42 •read: 42 •Microsoft.CognitiveServices/*/read |
DataActions: 002 resolved data operations: 24 effective data operations: 23 •action: 1 •read: 22 •Microsoft.CognitiveServices/accounts/CustomVision/*/read •Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/query/action |
NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3548 •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read | ||
| 0a5ae4ab-0d65-4eeb-be61-29fc9b54394b | Cognitive Services Custom Vision Trainer | View, edit projects and train the models, including the ability to publish, unpublish, export the models. Trainers can't create or delete the project. | AI + machine learning | False |
00112 effective control plane and data plane operations (unique) •action: 31 •delete: 10 •read: 64 •write: 7 |
Actions: 001 resolved operations: 42 effective operations: 42 •read: 42 •Microsoft.CognitiveServices/*/read |
DataActions: 001 resolved data operations: 74 effective data operations: 70 •action: 31 •delete: 10 •read: 22 •write: 7 •Microsoft.CognitiveServices/accounts/CustomVision/* |
NotDataActions: 004 resolved not data operations: 4 effective not data operations: 3501 •Microsoft.CognitiveServices/accounts/CustomVision/projects/action •Microsoft.CognitiveServices/accounts/CustomVision/projects/delete •Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read •Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action | ||
| 19c28022-e58e-450d-a464-0b2a53034789 | Cognitive Services Data Contributor (Preview) | Allows to call data plane APIs, but not any control plane APIs for Microsoft Cognitive Services. This role is in preview and subject to change. | None | False |
01536 effective data plane operations (unique) •action: 450 •delete: 220 •read: 612 •write: 254 |
DataActions: 001 resolved data operations: 1536 effective data operations: 1536 •action: 450 •delete: 220 •read: 612 •write: 254 •Microsoft.CognitiveServices/* | ||||
| b59867f0-fa02-499b-be73-45a86b5b3e1c | Cognitive Services Data Reader | Lets you read Cognitive Services data. | AI + machine learning | False |
00612 effective data plane operations (unique) •read: 612 |
DataActions: 001 resolved data operations: 612 effective data operations: 612 •read: 612 •Microsoft.CognitiveServices/*/read | ||||
| b5b0c71d-aca9-4081-aee2-9b1bb335fc1a | Cognitive Services Face Contributor | Full access to perform all Face APIs | None | False |
00118 effective control plane and data plane operations (unique) •action: 20 •delete: 16 •read: 68 •write: 14 |
Actions: 003 resolved operations: 44 effective operations: 44 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read |
DataActions: 001 resolved data operations: 74 effective data operations: 74 •action: 20 •delete: 16 •read: 24 •write: 14 •Microsoft.CognitiveServices/accounts/Face/* | |||
| 9894cab4-e18a-44aa-828b-cb588cd6f2d7 | Cognitive Services Face Recognizer | Lets you perform detect, verify, identify, group, and find similar operations on Face API. This role does not allow create or delete operations, which makes it well suited for endpoints that only need inferencing capabilities, following 'least privilege' best practices. |
AI + machine learning | False |
00016 effective data plane operations (unique) •action: 10 •delete: 2 •read: 4 |
DataActions: 012 resolved data operations: 16 effective data operations: 16 •action: 10 •delete: 2 •read: 4 •Microsoft.CognitiveServices/accounts/Face/*/sessions/action •Microsoft.CognitiveServices/accounts/Face/*/sessions/audit/read •Microsoft.CognitiveServices/accounts/Face/*/sessions/delete •Microsoft.CognitiveServices/accounts/Face/*/sessions/read •Microsoft.CognitiveServices/accounts/Face/detect/action •Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action •Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action •Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemodal/action •Microsoft.CognitiveServices/accounts/Face/findsimilars/action •Microsoft.CognitiveServices/accounts/Face/group/action •Microsoft.CognitiveServices/accounts/Face/identify/action •Microsoft.CognitiveServices/accounts/Face/verify/action | ||||
| b2de6794-95db-4659-8781-7e080d3f2b9d | Cognitive Services Immersive Reader User | Provides access to create Immersive Reader sessions and call APIs | AI + machine learning | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforreader/action | ||||
| f07febfe-79bc-46b1-8b37-790e26e6e498 | Cognitive Services Language Owner | Has access to all Read, Test, Write, Deploy and Delete functions under Language portal | AI + machine learning | False |
00240 effective control plane and data plane operations (unique) •action: 60 •delete: 12 •read: 154 •write: 14 |
Actions: 004 resolved operations: 45 effective operations: 45 •action: 1 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/listkeys/action |
DataActions: 004 resolved data operations: 212 effective data operations: 195 •action: 59 •delete: 12 •read: 110 •write: 14 •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/* •Microsoft.CognitiveServices/accounts/Language/* •Microsoft.CognitiveServices/accounts/LanguageAuthoring/* •Microsoft.CognitiveServices/accounts/TextAnalytics/* |
NotDataActions: 001 resolved not data operations: 17 effective not data operations: 3376 •Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/* | ||
| 7628b7b8-a8b2-4cdc-b46f-e9b35248918e | Cognitive Services Language Reader | Has access to Read and Test functions under Language portal | AI + machine learning | False |
00173 effective control plane and data plane operations (unique) •action: 19 •read: 154 |
Actions: 003 resolved operations: 44 effective operations: 44 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read |
DataActions: 016 resolved data operations: 146 effective data operations: 129 •action: 19 •read: 110 •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*/read •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/export/action •Microsoft.CognitiveServices/accounts/Language/*/projects/export/action •Microsoft.CognitiveServices/accounts/Language/*/read •Microsoft.CognitiveServices/accounts/Language/analyze-conversations/action •Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobs/action •Microsoft.CognitiveServices/accounts/Language/analyze-conversations/jobscancel/action •Microsoft.CognitiveServices/accounts/Language/analyze-text/action •Microsoft.CognitiveServices/accounts/Language/analyze-text/jobs/action •Microsoft.CognitiveServices/accounts/Language/analyze-text/jobscancel/action •Microsoft.CognitiveServices/accounts/Language/generate/action •Microsoft.CognitiveServices/accounts/Language/query-dataverse/action •Microsoft.CognitiveServices/accounts/Language/query-knowledgebases/action •Microsoft.CognitiveServices/accounts/Language/query-text/action •Microsoft.CognitiveServices/accounts/LanguageAuthoring/*/read •Microsoft.CognitiveServices/accounts/TextAnalytics/* |
NotDataActions: 001 resolved not data operations: 17 effective not data operations: 3442 •Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/* | ||
| f2310ca1-dc64-4889-bb49-c8e0fa3d47a8 | Cognitive Services Language Writer | Has access to all Read, Test, and Write functions under Language Portal | AI + machine learning | False |
00227 effective control plane and data plane operations (unique) •action: 56 •delete: 7 •read: 154 •write: 10 |
Actions: 003 resolved operations: 44 effective operations: 44 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read |
DataActions: 004 resolved data operations: 212 effective data operations: 183 •action: 56 •delete: 7 •read: 110 •write: 10 •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/* •Microsoft.CognitiveServices/accounts/Language/* •Microsoft.CognitiveServices/accounts/LanguageAuthoring/* •Microsoft.CognitiveServices/accounts/TextAnalytics/* |
NotDataActions: 007 resolved not data operations: 29 effective not data operations: 3388 •Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/projects/deployments/write •Microsoft.CognitiveServices/accounts/Language/*/projects/delete •Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/delete •Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/swap/action •Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/write •Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/* | ||
| f72c8140-2111-481c-87ff-72b910f6e3f8 | Cognitive Services LUIS Owner | Has access to all Read, Test, Write, Deploy and Delete functions under LUIS | AI + machine learning | False |
00266 effective control plane and data plane operations (unique) •action: 19 •delete: 40 •read: 155 •write: 52 |
Actions: 004 resolved operations: 45 effective operations: 45 •action: 1 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/listkeys/action |
DataActions: 001 resolved data operations: 221 effective data operations: 221 •action: 18 •delete: 40 •read: 111 •write: 52 •Microsoft.CognitiveServices/accounts/LUIS/* | |||
| 18e81cdc-4e98-4e29-a639-e7d10c5a6226 | Cognitive Services LUIS Reader | Has access to Read and Test functions under LUIS. | AI + machine learning | False |
00156 effective control plane and data plane operations (unique) •read: 155 •write: 1 |
Actions: 003 resolved operations: 44 effective operations: 44 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read |
DataActions: 002 resolved data operations: 112 effective data operations: 112 •read: 111 •write: 1 •Microsoft.CognitiveServices/accounts/LUIS/*/read •Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write | |||
| 6322a993-d5c9-4bed-b113-e49bbea25b27 | Cognitive Services LUIS Writer | Has access to all Read, Test, and Write functions under LUIS | AI + machine learning | False |
00259 effective control plane and data plane operations (unique) •action: 15 •delete: 38 •read: 155 •write: 51 |
Actions: 003 resolved operations: 44 effective operations: 44 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read |
DataActions: 001 resolved data operations: 221 effective data operations: 215 •action: 15 •delete: 38 •read: 111 •write: 51 •Microsoft.CognitiveServices/accounts/LUIS/* |
NotDataActions: 006 resolved not data operations: 6 effective not data operations: 3356 •Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/action •Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete •Microsoft.CognitiveServices/accounts/LUIS/apps/delete •Microsoft.CognitiveServices/accounts/LUIS/apps/move/action •Microsoft.CognitiveServices/accounts/LUIS/apps/publish/action •Microsoft.CognitiveServices/accounts/LUIS/apps/settings/write | ||
| cb43c632-a144-4ec5-977c-e80c4affc34a | Cognitive Services Metrics Advisor Administrator | Full access to the project, including the system level configuration. | AI + machine learning | False |
00096 effective control plane and data plane operations (unique) •action: 14 •delete: 8 •read: 65 •write: 9 |
Actions: 001 resolved operations: 42 effective operations: 42 •read: 42 •Microsoft.CognitiveServices/*/read |
DataActions: 001 resolved data operations: 54 effective data operations: 54 •action: 14 •delete: 8 •read: 23 •write: 9 •Microsoft.CognitiveServices/accounts/MetricsAdvisor/* | |||
| 3b20f47b-3825-43cb-8114-4bd2201156a8 | Cognitive Services Metrics Advisor User | Access to the project. | AI + machine learning | False |
00095 effective control plane and data plane operations (unique) •action: 14 •delete: 8 •read: 64 •write: 9 |
Actions: 001 resolved operations: 42 effective operations: 42 •read: 42 •Microsoft.CognitiveServices/*/read |
DataActions: 001 resolved data operations: 54 effective data operations: 53 •action: 14 •delete: 8 •read: 22 •write: 9 •Microsoft.CognitiveServices/accounts/MetricsAdvisor/* |
NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3518 •Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/* | ||
| a001fd3d-188f-4b5d-821b-7da978bf7442 | Cognitive Services OpenAI Contributor | Full access including the ability to fine-tune, deploy and generate text | AI + machine learning | False |
00134 effective control plane and data plane operations (unique) •action: 20 •delete: 20 •read: 71 •write: 23 |
Actions: 011 resolved operations: 50 effective operations: 50 •delete: 3 •read: 44 •write: 3 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/commitmentplans/delete •Microsoft.CognitiveServices/accounts/commitmentplans/read •Microsoft.CognitiveServices/accounts/commitmentplans/write •Microsoft.CognitiveServices/accounts/deployments/delete •Microsoft.CognitiveServices/accounts/deployments/write •Microsoft.CognitiveServices/accounts/raiPolicies/delete •Microsoft.CognitiveServices/accounts/raiPolicies/read •Microsoft.CognitiveServices/accounts/raiPolicies/write |
DataActions: 001 resolved data operations: 84 effective data operations: 84 •action: 20 •delete: 17 •read: 27 •write: 20 •Microsoft.CognitiveServices/accounts/OpenAI/* |
count: 002 •Configure Azure AI Services resources to disable local key access (disable local authentication) •Configure Azure AI Services resources to disable local key access (disable local authentication) | ||
| 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd | Cognitive Services OpenAI User | Ability to view files, models, deployments. Readers can't make any changes They can inference and create images | AI + machine learning | False |
00099 effective control plane and data plane operations (unique) •action: 12 •delete: 8 •read: 70 •write: 9 |
Actions: 003 resolved operations: 44 effective operations: 44 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read |
DataActions: 016 resolved data operations: 56 effective data operations: 55 •action: 12 •delete: 8 •read: 26 •write: 9 •Microsoft.CognitiveServices/accounts/OpenAI/*/read •Microsoft.CognitiveServices/accounts/OpenAI/assistants/* •Microsoft.CognitiveServices/accounts/OpenAI/deployments/audio/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/completions/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/realtime/action •Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action •Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action •Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action •Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action •Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action •Microsoft.CognitiveServices/accounts/OpenAI/responses/* •Microsoft.CognitiveServices/accounts/OpenAI/video/generations/*/action •Microsoft.CognitiveServices/accounts/OpenAI/video/generations/*/delete |
NotDataActions: 001 resolved not data operations: 1 effective not data operations: 3516 •Microsoft.CognitiveServices/accounts/OpenAI/stored-completions/read | ||
| f4cc2bf9-21be-47a1-bdf1-5c5804381025 | Cognitive Services QnA Maker Editor | Let's you create, edit, import and export a KB. You cannot publish or delete a KB. | AI + machine learning | False |
00083 effective control plane and data plane operations (unique) •action: 9 •read: 62 •write: 12 |
Actions: 003 resolved operations: 44 effective operations: 44 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read |
DataActions: 039 resolved data operations: 39 effective data operations: 39 •action: 9 •read: 18 •write: 12 •Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write •Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read •Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write •Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/action •Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write •Microsoft.CognitiveServices/accounts/QnAMaker/operations/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/refreshkeys/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/create/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/train/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/write •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read | |||
| 466ccd10-b268-4a11-b098-b4849f024126 | Cognitive Services QnA Maker Reader | Let's you read and test a KB only. | AI + machine learning | False |
00062 effective control plane and data plane operations (unique) •action: 3 •read: 59 |
Actions: 003 resolved operations: 44 effective operations: 44 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read |
DataActions: 018 resolved data operations: 18 effective data operations: 18 •action: 3 •read: 15 •Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read •Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsettings/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/download/read •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/generateanswer/action •Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/read | |||
| 0e75ca1e-0464-4b4d-8b93-68208a576181 | Cognitive Services Speech Contributor | Full access to Speech projects, including read, write and delete all entities, for real-time speech recognition and batch transcription tasks, real-time speech synthesis and long audio tasks, custom speech and custom voice. | AI + machine learning | False |
00248 effective control plane and data plane operations (unique) •action: 43 •delete: 36 •read: 125 •write: 44 |
Actions: 003 resolved operations: 44 effective operations: 44 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read |
DataActions: 007 resolved data operations: 204 effective data operations: 204 •action: 43 •delete: 36 •read: 81 •write: 44 •Microsoft.CognitiveServices/accounts/AudioContentCreation/* •Microsoft.CognitiveServices/accounts/BatchAvatar/* •Microsoft.CognitiveServices/accounts/BatchTextToSpeech/* •Microsoft.CognitiveServices/accounts/CustomAvatar/* •Microsoft.CognitiveServices/accounts/CustomVoice/* •Microsoft.CognitiveServices/accounts/SpeechServices/* •Microsoft.CognitiveServices/accounts/VideoTranslation/* | |||
| f2dc8367-1007-4938-bd23-fe263f013447 | Cognitive Services Speech User | Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. |
AI + machine learning | False |
00182 effective control plane and data plane operations (unique) •action: 28 •delete: 15 •read: 123 •write: 16 |
Actions: 003 resolved operations: 44 effective operations: 44 •read: 44 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.CognitiveServices/*/read |
DataActions: 016 resolved data operations: 140 effective data operations: 138 •action: 28 •delete: 15 •read: 79 •write: 16 •Microsoft.CognitiveServices/accounts/AudioContentCreation/* •Microsoft.CognitiveServices/accounts/BatchAvatar/* •Microsoft.CognitiveServices/accounts/BatchTextToSpeech/* •Microsoft.CognitiveServices/accounts/CustomAvatar/*/read •Microsoft.CognitiveServices/accounts/CustomVoice/*/read •Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/* •Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/* •Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action •Microsoft.CognitiveServices/accounts/SpeechServices/*/read •Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/action •Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete •Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read •Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write •Microsoft.CognitiveServices/accounts/SpeechServices/text-dependent/*/action •Microsoft.CognitiveServices/accounts/SpeechServices/text-independent/*/action •Microsoft.CognitiveServices/accounts/VideoTranslation/* |
NotDataActions: 002 resolved not data operations: 2 effective not data operations: 3433 •Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read •Microsoft.CognitiveServices/accounts/CustomVoice/datasets/utterances/read | ||
| bba48692-92b0-4667-a9ad-c31c7b334ac2 | Cognitive Services Usages Reader | Minimal permission to view Cognitive Services usages. | AI + machine learning | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.CognitiveServices/locations/usages/read | ||||
| a97b65f3-24c7-4388-baec-2e87135dc908 | Cognitive Services User | Lets you read and list keys of Cognitive Services. | AI + machine learning | False |
01599 effective control plane and data plane operations (unique) •action: 454 •delete: 220 •read: 670 •write: 255 |
Actions: 013 resolved operations: 63 effective operations: 63 •action: 4 •read: 58 •write: 1 •Microsoft.CognitiveServices/*/read •Microsoft.CognitiveServices/accounts/listkeys/action •Microsoft.Insights/alertRules/read •Microsoft.Insights/diagnosticSettings/read •Microsoft.Insights/logDefinitions/read •Microsoft.Insights/metricdefinitions/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 001 resolved data operations: 1536 effective data operations: 1536 •action: 450 •delete: 220 •read: 612 •write: 254 •Microsoft.CognitiveServices/* | |||
| daa9e50b-21df-454c-94a6-a8050adab352 | Collaborative Data Contributor | Can manage data packages of a collaborative. | None | False |
00060 effective control plane operations (unique) •action: 12 •Delete: 2 •read: 43 •Write: 3 |
Actions: 013 resolved operations: 60 effective operations: 60 •action: 12 •Delete: 2 •read: 43 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.IndustryDataLifecycle/custodianCollaboratives/*/read •Microsoft.IndustryDataLifecycle/custodianCollaboratives/auditLogs/action •Microsoft.IndustryDataLifecycle/custodianCollaboratives/dataModels/* •Microsoft.IndustryDataLifecycle/custodianCollaboratives/receivedDataPackages/* •Microsoft.IndustryDataLifecycle/custodianCollaboratives/rejectDataPackage/action •Microsoft.IndustryDataLifecycle/locations/dataPackages/* •Microsoft.IndustryDataLifecycle/memberCollaboratives/*/read •Microsoft.IndustryDataLifecycle/memberCollaboratives/sharedDataPackages/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 7a6f0e70-c033-4fb1-828c-08514e5f4102 | Collaborative Runtime Operator | Can manage resources created by AICS at runtime | None | False |
00058 effective control plane operations (unique) •Action: 10 •Delete: 2 •read: 43 •Write: 3 |
Actions: 008 resolved operations: 58 effective operations: 58 •Action: 10 •Delete: 2 •read: 43 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.IndustryDataLifecycle/derivedModels/* •Microsoft.IndustryDataLifecycle/modelMappings/* •Microsoft.IndustryDataLifecycle/pipelineSets/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 09976791-48a7-449e-bb21-39d1a415f350 | Communication and Email Service Owner | Create, read, modify, and delete Communications and Email Service resources. | None | False |
00031 effective control plane operations (unique) •action: 7 •Delete: 7 •Read: 9 •Write: 8 |
Actions: 031 resolved operations: 31 effective operations: 31 •action: 7 •Delete: 7 •Read: 9 •Write: 8 •Microsoft.Communication/CheckNameAvailability/action •Microsoft.Communication/CommunicationServices/delete •Microsoft.Communication/CommunicationServices/EventGridFilters/delete •Microsoft.Communication/CommunicationServices/EventGridFilters/read •Microsoft.Communication/CommunicationServices/EventGridFilters/write •Microsoft.Communication/CommunicationServices/LinkNotificationHub/action •Microsoft.Communication/CommunicationServices/ListKeys/action •Microsoft.Communication/CommunicationServices/read •Microsoft.Communication/CommunicationServices/RegenerateKey/action •Microsoft.Communication/CommunicationServices/write •Microsoft.Communication/EmailServices/delete •Microsoft.Communication/EmailServices/Domains/* •Microsoft.Communication/EmailServices/Domains/CancelVerification/action •Microsoft.Communication/EmailServices/Domains/delete •Microsoft.Communication/EmailServices/Domains/InitiateVerification/action •Microsoft.Communication/EmailServices/Domains/read •Microsoft.Communication/EmailServices/Domains/SenderUsernames/delete •Microsoft.Communication/EmailServices/Domains/SenderUsernames/read •Microsoft.Communication/EmailServices/Domains/SenderUsernames/write •Microsoft.Communication/EmailServices/Domains/SuppressionLists/delete •Microsoft.Communication/EmailServices/Domains/SuppressionLists/read •Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/delete •Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/read •Microsoft.Communication/EmailServices/Domains/SuppressionLists/SuppressionListAddresses/write •Microsoft.Communication/EmailServices/Domains/SuppressionLists/write •Microsoft.Communication/EmailServices/Domains/write •Microsoft.Communication/EmailServices/read •Microsoft.Communication/EmailServices/write •Microsoft.Communication/Locations/OperationStatuses/read •Microsoft.Communication/Locations/OperationStatuses/write •Microsoft.Communication/Operations/read | ||||
| 49435da6-99fe-48a5-a235-fc668b9dc04a | Community Contributor Role | Community Contributor Role to access the resources of Microsoft.Mission stored with RPSAAS. | None | False |
00062 effective control plane operations (unique) •action: 2 •read: 51 •write: 9 |
Actions: 032 resolved operations: 62 effective operations: 62 •action: 2 •read: 51 •write: 9 •Microsoft.Authorization/*/read •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Insights/alertRules/read •Microsoft.Mission/approvals/read •Microsoft.Mission/approvals/write •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/communityEndpoints/write •Microsoft.Mission/communities/read •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/communities/transitHubs/write •Microsoft.Mission/communities/write •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Locations/OperationStatuses/write •Microsoft.Mission/Operations/read •Microsoft.Mission/register/action •Microsoft.Mission/unregister/action •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read •Microsoft.Mission/virtualEnclaves/endpoints/read •Microsoft.Mission/virtualEnclaves/endpoints/write •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Mission/virtualEnclaves/workloads/write •Microsoft.Mission/virtualEnclaves/write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 5e28a61e-8040-49db-b175-bb5b88af6239 | Community Owner Role | Community Owner Role to access the resources of Microsoft.Mission stored with RPSAAS. | None | False |
00066 effective control plane operations (unique) •action: 2 •delete: 6 •read: 50 •write: 8 |
Actions: 036 resolved operations: 66 effective operations: 66 •action: 2 •delete: 6 •read: 50 •write: 8 •Microsoft.Authorization/*/read •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Insights/alertRules/read •Microsoft.Mission/approvals/delete •Microsoft.Mission/approvals/read •Microsoft.Mission/approvals/write •Microsoft.Mission/communities/communityEndpoints/delete •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/communityEndpoints/write •Microsoft.Mission/communities/delete •Microsoft.Mission/communities/read •Microsoft.Mission/communities/transitHubs/delete •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/communities/transitHubs/write •Microsoft.Mission/communities/write •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Locations/OperationStatuses/write •Microsoft.Mission/Operations/read •Microsoft.Mission/register/action •Microsoft.Mission/unregister/action •Microsoft.Mission/virtualEnclaves/delete •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/workloads/delete •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Mission/virtualEnclaves/workloads/write •Microsoft.Mission/virtualEnclaves/write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| e6aadb6b-e64f-41c0-9392-d2bba3bc3ebc | Community Reader Role | Community Reader Role to access the resources of Microsoft.Mission stored with RPSAAS. | None | False |
00065 effective control plane operations (unique) •Action: 7 •Delete: 2 •read: 54 •Write: 2 |
Actions: 021 resolved operations: 65 effective operations: 65 •Action: 7 •Delete: 2 •read: 54 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Insights/alertRules/* •Microsoft.Mission/approvals/read •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/read •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Operations/read •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read •Microsoft.Mission/virtualEnclaves/endpoints/read •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| df2711a6-406d-41cf-b366-b0250bff9ad1 | Compute Diagnostics Role | Grants permissions to execute diagnostics provided by Compute Diagnostic Service for Compute Resources. | None | False |
00033 effective control plane operations (unique) •action: 2 •read: 31 |
Actions: 003 resolved operations: 33 effective operations: 33 •action: 2 •read: 31 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/virtualmachinescalesets/disks/beginGetAccess/action | ||||
| 2bed379c-9fba-455b-99e4-6b911073bcf2 | Compute Fleet Contributor | Allows users to manage Compute Fleet resources. | Compute | False |
00052 effective control plane operations (unique) •Action: 7 •delete: 3 •read: 39 •write: 3 |
Actions: 006 resolved operations: 52 effective operations: 52 •Action: 7 •delete: 3 •read: 39 •write: 3 •Microsoft.Authorization/*/read •Microsoft.AzureFleet/fleets/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 85a2d0d9-2eba-4c9c-b355-11c2cc0788ab | Compute Gallery Artifacts Publisher | This is the role for publishing gallery artifacts. | Compute | False |
00083 effective control plane operations (unique) •action: 8 •delete: 10 •read: 53 •write: 12 |
Actions: 011 resolved operations: 84 effective operations: 83 •action: 8 •delete: 10 •read: 53 •write: 12 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/write •Microsoft.Compute/galleries/* •Microsoft.Compute/images/* •Microsoft.Compute/locations/capsOperations/read •Microsoft.Compute/locations/communityGalleries/* •Microsoft.Compute/locations/sharedGalleries/* •Microsoft.Compute/virtualMachines/write •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
NotActions: 001 resolved not operations: 1 effective not operations: 16753 •Microsoft.Compute/galleries/share/action | |||
| cf7c76d2-98a3-4358-a134-615aa78bf44d | Compute Gallery Image Reader | This is the role for reading gallery images. | Compute | False |
00002 effective control plane operations (unique) •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Compute/galleries/images/read •Microsoft.Compute/galleries/images/versions/read | ||||
| 1ef6a3be-d0ac-425d-8c01-acb62866290b | Compute Gallery Sharing Admin | This role allows user to share gallery to another subscription/tenant or share it to the public. | Compute | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.Compute/galleries/share/action | ||||
| e82342c9-ac7f-422b-af64-e426d2e12b2d | Compute Recommendations Role | Grants permissions to call Compute Recommendations APIs provided by Compute Diagnostic Resource Provider service. | None | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.Compute/locations/placementScores/generate/action | ||||
| 65a14201-8f6c-4c28-bec4-12619c5a9aaa | Connected Cluster Managed Identity CheckAccess Reader | Built-in role that allows a Connected Cluster managed identity to call the checkAccess API | Containers | False |
00031 effective control plane operations (unique) •read: 31 |
Actions: 001 resolved operations: 31 effective operations: 31 •read: 31 •Microsoft.Authorization/*/read | ||||
| 6cdbb904-5ff3-429d-8169-7d7818b91bd8 | Connector Reader | Read connectors and their associated resources, such as impacts and insights. | None | False |
00003 effective control plane operations (unique) •Read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •Read: 3 •Microsoft.Impact/Connectors/Read •Microsoft.Impact/WorkloadImpacts/Insights/Read •Microsoft.Impact/WorkloadImpacts/Read | ||||
| c459b115-f629-486b-b359-35feb5568b83 | Connector Writer | Write connectors and have basic customer permissions like reading authorizations, alert rules and resourceGroups | None | False |
00040 effective control plane operations (unique) •Action: 3 •Delete: 1 •read: 34 •Write: 2 |
Actions: 004 resolved operations: 40 effective operations: 40 •Action: 3 •Delete: 1 •read: 34 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Impact/Connectors/Write •Microsoft.Insights/alertRules/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 6f4fe6fc-f04f-4d97-8528-8bc18c848dca | Container Apps ConnectedEnvironments Contributor | Full management of Container Apps ConnectedEnvironments, including creation, deletion, and updates. | Containers | False |
00062 effective control plane operations (unique) •action: 10 •delete: 6 •read: 40 •write: 6 |
Actions: 009 resolved operations: 62 effective operations: 62 •action: 10 •delete: 6 •read: 40 •write: 6 •Microsoft.App/connectedEnvironments/* •Microsoft.App/connectedEnvironments/*/action •Microsoft.App/connectedEnvironments/*/delete •Microsoft.App/connectedEnvironments/*/read •Microsoft.App/connectedEnvironments/*/write •Microsoft.App/connectedEnvironments/daprComponents/listSecrets/action •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* | ||||
| d5adeb5b-107f-4aca-99ea-4e3f4fc008d5 | Container Apps ConnectedEnvironments Reader | Read access to Container Apps ConnectedEnvironments. | Containers | False |
00052 effective control plane operations (unique) •Action: 7 •Delete: 2 •read: 41 •Write: 2 |
Actions: 006 resolved operations: 52 effective operations: 52 •Action: 7 •Delete: 2 •read: 41 •Write: 2 •Microsoft.App/connectedEnvironments/*/read •Microsoft.App/connectedEnvironments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 358470bc-b998-42bd-ab17-a7e34c199c0f | Container Apps Contributor | Full management of Container Apps, including creation, deletion, and updates. | Containers | False |
00099 effective control plane operations (unique) •action: 19 •delete: 9 •read: 65 •write: 6 |
Actions: 014 resolved operations: 99 effective operations: 99 •action: 19 •delete: 9 •read: 65 •write: 6 •Microsoft.App/connectedEnvironments/*/read •Microsoft.App/connectedEnvironments/checknameavailability/action •Microsoft.App/connectedEnvironments/join/action •Microsoft.App/connectedEnvironments/read •Microsoft.App/containerApps/*/action •Microsoft.App/containerApps/*/delete •Microsoft.App/containerApps/*/read •Microsoft.App/containerApps/*/write •Microsoft.App/managedEnvironments/*/read •Microsoft.App/managedEnvironments/checknameavailability/action •Microsoft.App/managedEnvironments/join/action •Microsoft.App/managedEnvironments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* | ||||
| 4e3d2b60-56ae-4dc6-a233-09c8e5a82e68 | Container Apps Jobs Contributor | Full management of Container Apps jobs, including creation, deletion, and updates. | Containers | False |
00087 effective control plane operations (unique) •action: 20 •delete: 3 •read: 61 •write: 3 |
Actions: 016 resolved operations: 87 effective operations: 87 •action: 20 •delete: 3 •read: 61 •write: 3 •Microsoft.App/connectedEnvironments/*/read •Microsoft.App/connectedEnvironments/checknameavailability/action •Microsoft.App/connectedEnvironments/join/action •Microsoft.app/connectedEnvironments/read •Microsoft.App/jobs/*/action •Microsoft.App/jobs/*/read •Microsoft.App/jobs/delete •microsoft.app/jobs/read •Microsoft.App/jobs/write •Microsoft.App/managedenvironments/*/read •Microsoft.App/managedenvironments/checknameavailability/action •Microsoft.App/managedenvironments/join/action •Microsoft.app/managedenvironments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* | ||||
| b9a307c4-5aa3-4b52-ba60-2b17c136cd7b | Container Apps Jobs Operator | Read, start, and stop Container Apps jobs. | Containers | False |
00078 effective control plane and data plane operations (unique) •action: 18 •Delete: 1 •read: 58 •Write: 1 |
Actions: 013 resolved operations: 76 effective operations: 76 •action: 16 •Delete: 1 •read: 58 •Write: 1 •Microsoft.App/connectedEnvironments/*/read •Microsoft.App/connectedEnvironments/checknameavailability/action •Microsoft.App/connectedEnvironments/join/action •Microsoft.app/connectedEnvironments/read •Microsoft.App/jobs/*/action •Microsoft.App/jobs/*/read •microsoft.app/jobs/read •Microsoft.App/managedenvironments/*/read •Microsoft.App/managedenvironments/checknameavailability/action •Microsoft.App/managedenvironments/join/action •Microsoft.app/managedenvironments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.App/jobs/exec/action •Microsoft.App/jobs/logstream/action | |||
| edd66693-d32a-450b-997d-0158c03976b0 | Container Apps Jobs Reader | Read access to ContainerApps jobs | Containers | False |
00005 effective control plane operations (unique) •read: 5 |
Actions: 003 resolved operations: 5 effective operations: 5 •read: 5 •Microsoft.App/jobs/*/read •microsoft.app/jobs/read •Microsoft.App/managedenvironments/read | ||||
| 57cc5028-e6a7-4284-868d-0611c5923f8d | Container Apps ManagedEnvironments Contributor | Full management of Container Apps ManagedEnvironments, including creation, deletion, and updates. | Containers | False |
00092 effective control plane operations (unique) •action: 12 •delete: 14 •read: 52 •write: 14 |
Actions: 007 resolved operations: 92 effective operations: 92 •action: 12 •delete: 14 •read: 52 •write: 14 •Microsoft.App/managedEnvironments/*/action •Microsoft.App/managedEnvironments/*/delete •Microsoft.App/managedEnvironments/*/read •Microsoft.App/managedEnvironments/*/write •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* | ||||
| 1b32c00b-7eff-4c22-93e6-93d11d72d2d8 | Container Apps ManagedEnvironments Reader | Read access to ContainerApps managedenvironments. | Containers | False |
00054 effective control plane operations (unique) •Action: 3 •Delete: 1 •read: 49 •Write: 1 |
Actions: 003 resolved operations: 54 effective operations: 54 •Action: 3 •Delete: 1 •read: 49 •Write: 1 •Microsoft.App/managedEnvironments/*/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* | ||||
| f3bd1b5c-91fa-40e7-afe7-0c11d331232c | Container Apps Operator | Read, logstream and exec into Container Apps. | Containers | False |
00089 effective control plane and data plane operations (unique) •action: 22 •Delete: 1 •read: 65 •Write: 1 |
Actions: 012 resolved operations: 86 effective operations: 86 •action: 19 •Delete: 1 •read: 65 •Write: 1 •Microsoft.App/connectedEnvironments/*/read •Microsoft.App/connectedEnvironments/checknameavailability/action •Microsoft.App/connectedEnvironments/join/action •Microsoft.App/connectedEnvironments/read •Microsoft.App/containerApps/*/action •Microsoft.App/containerApps/*/read •Microsoft.App/managedEnvironments/*/read •Microsoft.App/managedEnvironments/checknameavailability/action •Microsoft.App/managedEnvironments/join/action •Microsoft.App/managedEnvironments/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •action: 3 •Microsoft.App/containerApps/debug/action •Microsoft.App/containerApps/exec/action •Microsoft.App/containerApps/logstream/action | |||
| f7669afb-68b2-44b4-9c5f-6d2a47fddda0 | Container Apps SessionPools Contributor | Full management of Container Apps SessionPools, including creation, deletion, and updates. | Containers | False |
00073 effective control plane operations (unique) •action: 12 •Delete: 2 •read: 57 •Write: 2 |
Actions: 015 resolved operations: 73 effective operations: 73 •action: 12 •Delete: 2 •read: 57 •Write: 2 •Microsoft.App/connectedEnvironments/*/read •Microsoft.App/connectedEnvironments/checknameavailability/action •Microsoft.App/connectedEnvironments/join/action •microsoft.App/connectedEnvironments/read •Microsoft.App/managedEnvironments/*/read •Microsoft.App/managedEnvironments/checknameavailability/action •Microsoft.App/managedEnvironments/join/action •microsoft.App/managedEnvironments/read •Microsoft.App/sessionPools/*/action •Microsoft.App/sessionPools/*/delete •Microsoft.App/sessionPools/*/read •Microsoft.App/sessionPools/*/write •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* | ||||
| af61e8fc-2633-4b95-bed3-421ad6826515 | Container Apps SessionPools Reader | Read access to ContainerApps sessionpools. | Containers | False |
00038 effective control plane operations (unique) •Action: 3 •Delete: 1 •read: 33 •Write: 1 |
Actions: 003 resolved operations: 38 effective operations: 38 •Action: 3 •Delete: 1 •read: 33 •Write: 1 •Microsoft.App/sessionPools/*/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* | ||||
| df87f177-bb12-4db1-9793-a413691eff94 | Container Registry Cache Rule Administrator | Create, Read, Update, and Delete Cache Rules in Container Registry. This role doesn't grant permissions to manage Credential Sets. | Containers | False |
00004 effective control plane operations (unique) •delete: 1 •read: 2 •write: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •delete: 1 •read: 2 •write: 1 •Microsoft.ContainerRegistry/registries/cacheRules/delete •Microsoft.ContainerRegistry/registries/cacheRules/operationStatuses/read •Microsoft.ContainerRegistry/registries/cacheRules/read •Microsoft.ContainerRegistry/registries/cacheRules/write | ||||
| c357b964-0002-4b64-a50d-7a28f02edc52 | Container Registry Cache Rule Reader | Read the configuration of Cache Rules in Container Registry. This permission doesn't grant permission to read Credential Sets. | Containers | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ContainerRegistry/registries/cacheRules/read | ||||
| 69b07be0-09bf-439a-b9a6-e73de851bd59 | Container Registry Configuration Reader and Data Access Configuration Reader | Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks. |
Containers | False |
00027 effective control plane operations (unique) •action: 6 •Delete: 1 •read: 18 •write: 2 |
Actions: 027 resolved operations: 27 effective operations: 27 •action: 6 •Delete: 1 •read: 18 •write: 2 •Microsoft.ContainerRegistry/registries/connectedRegistries/read •Microsoft.ContainerRegistry/registries/listCredentials/action •Microsoft.ContainerRegistry/registries/operationStatuses/read •Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read •Microsoft.ContainerRegistry/registries/privateEndpointConnections/read •Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read •Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write •Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read •Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.ContainerRegistry/registries/read •Microsoft.ContainerRegistry/registries/replications/operationStatuses/read •Microsoft.ContainerRegistry/registries/replications/read •Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read •Microsoft.ContainerRegistry/registries/scopeMaps/read •Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read •Microsoft.ContainerRegistry/registries/tokens/read •Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action •Microsoft.ContainerRegistry/registries/webhooks/listEvents/action •Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read •Microsoft.ContainerRegistry/registries/webhooks/read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write | ||||
| 3bc748fc-213d-45c1-8d91-9da5725539b9 | Container Registry Contributor and Data Access Configuration Administrator | Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks. |
Containers | False |
00093 effective control plane operations (unique) •action: 16 •delete: 9 •read: 56 •write: 12 |
Actions: 055 resolved operations: 93 effective operations: 93 •action: 16 •delete: 9 •read: 56 •write: 12 •Microsoft.Authorization/*/read •Microsoft.ContainerRegistry/locations/operationResults/read •Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action •Microsoft.ContainerRegistry/registries/connectedRegistries/delete •Microsoft.ContainerRegistry/registries/connectedRegistries/read •Microsoft.ContainerRegistry/registries/connectedRegistries/write •Microsoft.ContainerRegistry/registries/delete •Microsoft.ContainerRegistry/registries/generateCredentials/action •Microsoft.ContainerRegistry/registries/listCredentials/action •Microsoft.ContainerRegistry/registries/operationStatuses/read •Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete •Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read •Microsoft.ContainerRegistry/registries/privateEndpointConnections/read •Microsoft.ContainerRegistry/registries/privateEndpointConnections/write •Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action •Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read •Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write •Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read •Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.ContainerRegistry/registries/read •Microsoft.ContainerRegistry/registries/regenerateCredential/action •Microsoft.ContainerRegistry/registries/replications/delete •Microsoft.ContainerRegistry/registries/replications/operationStatuses/read •Microsoft.ContainerRegistry/registries/replications/read •Microsoft.ContainerRegistry/registries/replications/write •Microsoft.ContainerRegistry/registries/scopeMaps/delete •Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read •Microsoft.ContainerRegistry/registries/scopeMaps/read •Microsoft.ContainerRegistry/registries/scopeMaps/write •Microsoft.ContainerRegistry/registries/tokens/delete •Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read •Microsoft.ContainerRegistry/registries/tokens/read •Microsoft.ContainerRegistry/registries/tokens/write •Microsoft.ContainerRegistry/registries/webhooks/delete •Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action •Microsoft.ContainerRegistry/registries/webhooks/listEvents/action •Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read •Microsoft.ContainerRegistry/registries/webhooks/ping/action •Microsoft.ContainerRegistry/registries/webhooks/read •Microsoft.ContainerRegistry/registries/webhooks/write •Microsoft.ContainerRegistry/registries/write •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| f094fb07-0703-4400-ad6a-e16dd8000e14 | Container Registry Credential Set Administrator | Create, Read, Update, and Delete Credential Sets in Container Registry. This role doesn't affect the needed permissions for storing content inside Azure Key Vault. This role also doesn't grant permissions to manage Cache Rules. | Containers | False |
00004 effective control plane operations (unique) •delete: 1 •read: 2 •write: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •delete: 1 •read: 2 •write: 1 •Microsoft.ContainerRegistry/registries/credentialSets/delete •Microsoft.ContainerRegistry/registries/credentialSets/operationStatuses/read •Microsoft.ContainerRegistry/registries/credentialSets/read •Microsoft.ContainerRegistry/registries/credentialSets/write | ||||
| 29093635-9924-4f2c-913b-650a12949526 | Container Registry Credential Set Reader | Read the configuration of Credential Sets in Container Registry. This permission doesn't allow permission to see content inside Azure Key vault only the content inside Container Registry. This permission doesn't grant permission to read Cache Rules. |
Containers | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ContainerRegistry/registries/credentialSets/read | ||||
| 577a9874-89fd-4f24-9dbd-b5034d0ad23a | Container Registry Data Importer and Data Reader | Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules. |
Containers | False |
00006 effective control plane and data plane operations (unique) •action: 1 •read: 5 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 1 •read: 2 •Microsoft.ContainerRegistry/registries/importImage/action •Microsoft.ContainerRegistry/registries/pull/read •Microsoft.ContainerRegistry/registries/read |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •read: 3 •Microsoft.ContainerRegistry/registries/catalog/read •Microsoft.ContainerRegistry/registries/repositories/content/read •Microsoft.ContainerRegistry/registries/repositories/metadata/read | |||
| bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7 | Container Registry Repository Catalog Lister | Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change. | Containers | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.ContainerRegistry/registries/catalog/read | ||||
| 2efddaa5-3f1f-4df3-97df-af3f13818f4c | Container Registry Repository Contributor | Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change. | Containers | False |
00006 effective data plane operations (unique) •delete: 2 •read: 2 •write: 2 |
DataActions: 006 resolved data operations: 6 effective data operations: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.ContainerRegistry/registries/repositories/content/delete •Microsoft.ContainerRegistry/registries/repositories/content/read •Microsoft.ContainerRegistry/registries/repositories/content/write •Microsoft.ContainerRegistry/registries/repositories/metadata/delete •Microsoft.ContainerRegistry/registries/repositories/metadata/read •Microsoft.ContainerRegistry/registries/repositories/metadata/write | ||||
| b93aa761-3e63-49ed-ac28-beffa264f7ac | Container Registry Repository Reader | Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change. | Containers | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.ContainerRegistry/registries/repositories/content/read •Microsoft.ContainerRegistry/registries/repositories/metadata/read | ||||
| 2a1e307c-b015-4ebd-883e-5b7698a07328 | Container Registry Repository Writer | Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change. | Containers | False |
00004 effective data plane operations (unique) •read: 2 •write: 2 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •read: 2 •write: 2 •Microsoft.ContainerRegistry/registries/repositories/content/read •Microsoft.ContainerRegistry/registries/repositories/content/write •Microsoft.ContainerRegistry/registries/repositories/metadata/read •Microsoft.ContainerRegistry/registries/repositories/metadata/write | ||||
| fb382eab-e894-4461-af04-94435c366c3f | Container Registry Tasks Contributor | Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts. |
Containers | False |
00032 effective control plane operations (unique) •action: 11 •delete: 4 •read: 12 •write: 5 |
Actions: 024 resolved operations: 32 effective operations: 32 •action: 11 •delete: 4 •read: 12 •write: 5 •Microsoft.ContainerRegistry/registries/agentpools/delete •Microsoft.ContainerRegistry/registries/agentpools/listQueueStatus/action •Microsoft.ContainerRegistry/registries/agentpools/operationResults/status/read •Microsoft.ContainerRegistry/registries/agentpools/operationStatuses/read •Microsoft.ContainerRegistry/registries/agentpools/read •Microsoft.ContainerRegistry/registries/agentpools/write •Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action •Microsoft.ContainerRegistry/registries/read •Microsoft.ContainerRegistry/registries/runs/cancel/action •Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action •Microsoft.ContainerRegistry/registries/runs/read •Microsoft.ContainerRegistry/registries/runs/write •Microsoft.ContainerRegistry/registries/scheduleRun/action •Microsoft.ContainerRegistry/registries/taskruns/delete •Microsoft.ContainerRegistry/registries/taskruns/listDetails/action •Microsoft.ContainerRegistry/registries/taskruns/operationStatuses/read •Microsoft.ContainerRegistry/registries/taskruns/read •Microsoft.ContainerRegistry/registries/taskruns/write •Microsoft.ContainerRegistry/registries/tasks/delete •Microsoft.ContainerRegistry/registries/tasks/listDetails/action •Microsoft.ContainerRegistry/registries/tasks/read •Microsoft.ContainerRegistry/registries/tasks/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| bf94e731-3a51-4a7c-8c54-a1ab9971dfc1 | Container Registry Transfer Pipeline Contributor | Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments. |
Containers | False |
00010 effective control plane operations (unique) •delete: 3 •read: 4 •write: 3 |
Actions: 010 resolved operations: 10 effective operations: 10 •delete: 3 •read: 4 •write: 3 •Microsoft.ContainerRegistry/registries/exportPipelines/delete •Microsoft.ContainerRegistry/registries/exportPipelines/read •Microsoft.ContainerRegistry/registries/exportPipelines/write •Microsoft.ContainerRegistry/registries/importPipelines/delete •Microsoft.ContainerRegistry/registries/importPipelines/read •Microsoft.ContainerRegistry/registries/importPipelines/write •Microsoft.ContainerRegistry/registries/pipelineRuns/delete •Microsoft.ContainerRegistry/registries/pipelineRuns/operationStatuses/read •Microsoft.ContainerRegistry/registries/pipelineRuns/read •Microsoft.ContainerRegistry/registries/pipelineRuns/write | ||||
| ad2dd5fb-cd4b-4fd4-a9b6-4fed3630980b | ContainerApp Reader | View all containerapp resources, but does not allow you to make any changes. | None | False |
00060 effective control plane operations (unique) •Action: 7 •Delete: 2 •read: 49 •Write: 2 |
Actions: 006 resolved operations: 60 effective operations: 60 •Action: 7 •Delete: 2 •read: 49 •Write: 2 •Microsoft.App/containerApps/*/read •Microsoft.App/containerApps/read •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b24988ac-6180-42a0-ab88-20f7382dd24c | Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. | Privileged | False |
16790 effective control plane operations (unique) •action: 3835 •delete: 2562 •read: 7225 •write: 3168 |
Actions: 001 resolved operations: 16836 effective operations: 16790 •action: 3835 •delete: 2562 •read: 7225 •write: 3168 •* |
NotActions: 011 resolved not operations: 46 effective not operations: 46 •Microsoft.Authorization/*/Delete •Microsoft.Authorization/*/Write •Microsoft.Authorization/elevateAccess/Action •Microsoft.Blueprint/blueprintAssignments/delete •Microsoft.Blueprint/blueprintAssignments/write •Microsoft.Compute/galleries/share/action •Microsoft.Purview/consents/delete •Microsoft.Purview/consents/write •Microsoft.Resources/deploymentStacks/manageDenySetting/action •Microsoft.Subscription/cancel/action •Microsoft.Subscription/enable/action |
count: 207 •[Deprecated]: Configure Arc machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent •[Deprecated]: Configure Arc machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent •[Deprecated]: Configure Azure Arc-enabled Linux machines with Log Analytics agents connected to default Log Analytics workspace •[Deprecated]: Configure Azure Arc-enabled Windows machines with Log Analytics agents connected to default Log Analytics workspace •[Deprecated]: Configure machines to create the Microsoft Defender for Cloud user-defined pipeline using Azure Monitor Agent •[Deprecated]: Configure virtual machines to be onboarded to Azure Automanage •[Deprecated]: Configure virtual machines to create the default Microsoft Defender for Cloud pipeline using Azure Monitor Agent •[Deprecated]: Deploy prerequisites to audit Linux VMs that allow remote connections from accounts without passwords •[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions set to 0644 •[Deprecated]: Deploy prerequisites to audit Linux VMs that do not have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Linux VMs that have accounts without passwords •[Deprecated]: Deploy prerequisites to audit Linux VMs that have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Windows Server VMs on which Windows Serial Console is not enabled •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Control Panel' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - MSS (Legacy)' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - Network' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Administrative Templates - System' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Accounts' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Audit' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Devices' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Interactive Logon' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Client' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Microsoft Network Server' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Access' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Network Security' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Recovery console' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - Shutdown' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System objects' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - System settings' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Options - User Account Control' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Security Settings - Account Policies' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Logon' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Account Management' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Detailed Tracking' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Logon-Logoff' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Object Access' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Policy Change' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - Privilege Use' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'System Audit Policies - System' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Components' •[Deprecated]: Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall Properties' •[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group contains any of the specified members •[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain all the specified members •[Deprecated]: Deploy prerequisites to audit Windows VMs if the Administrators group doesn't contain only specified members •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the DSC configuration is not compliant •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the Log Analytics agent is not connected as expected •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the remote connection status does not match the specified one •[Deprecated]: Deploy prerequisites to audit Windows VMs on which the specified services are not installed and 'Running' •[Deprecated]: Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit Guard is not enabled •[Deprecated]: Deploy prerequisites to audit Windows VMs that allow re-use of the previous 24 passwords •[Deprecated]: Deploy prerequisites to audit Windows VMs that are not joined to the specified domain •[Deprecated]: Deploy prerequisites to audit Windows VMs that are not set to the specified time zone •[Deprecated]: Deploy prerequisites to audit Windows VMs that contain certificates expiring within the specified number of days •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not contain the specified certificates in Trusted Root •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a maximum password age of 70 days •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have a minimum password age of 1 day •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the password complexity setting enabled •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell execution policy •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not have the specified Windows PowerShell modules installed •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not restrict the minimum password length to 14 characters •[Deprecated]: Deploy prerequisites to audit Windows VMs that do not store passwords using reversible encryption •[Deprecated]: Deploy prerequisites to audit Windows VMs that have not restarted within the specified number of days •[Deprecated]: Deploy prerequisites to audit Windows VMs that have the specified applications installed •[Deprecated]: Deploy prerequisites to audit Windows VMs with a pending reboot •[Deprecated]: Deploy prerequisites to audit Windows web servers that are not using secure communication protocols •[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Linux VMs. •[Deprecated]: Deploy prerequisites to enable Guest Configuration Policy on Windows VMs. •[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines •[Preview]: Configure Azure Defender for SQL agent on virtual machine •[Preview]: Configure subscriptions to enable service health alert monitoring rule •[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux hybrid machines •[Preview]: Deploy Microsoft Defender for Endpoint agent on Linux virtual machines •[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows Azure Arc machines •[Preview]: Deploy Microsoft Defender for Endpoint agent on Windows virtual machines •[Preview]: Enable system-assigned identity to SQL VM •Add a tag to resource groups •Add a tag to resources •Add or replace a tag on resource groups •Add or replace a tag on resources •Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities •Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity •Configure Advanced Threat Protection to be enabled on Azure database for MariaDB servers •Configure Advanced Threat Protection to be enabled on Azure database for MySQL flexible servers •Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers •Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL flexible servers •Configure Advanced Threat Protection to be enabled on Azure database for PostgreSQL servers •Configure App Configuration stores to disable local authentication methods •Configure App Configuration to disable public network access •Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace •Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace •Configure Azure Automation account to disable local authentication •Configure Azure Automation accounts to disable public network access •Configure Azure Cache for Redis Enterprise with private endpoints •Configure Azure Databricks Workspaces with private endpoints •Configure Azure Device Update for IoT Hub accounts to disable public network access •Configure Azure Device Update for IoT Hub accounts to use private DNS zones •Configure Azure Device Update for IoT Hub accounts with private endpoint •Configure Azure File Sync with private endpoints •Configure Azure HDInsight clusters with private endpoints •Configure Azure IoT Hub to disable local authentication •Configure Azure Machine Learning Computes to disable local authentication methods •Configure Azure Machine Learning Workspaces to disable public network access •Configure Azure Managed Grafana workspaces to disable email settings •Configure Azure Managed Grafana workspaces to disable public network access •Configure Azure Managed Grafana workspaces to disable service account •Configure Azure Managed Grafana workspaces with private endpoints •Configure Azure Monitor Private Link Scope to block access to non private link resources •Configure Azure Monitor Private Link Scopes with private endpoints •Configure Azure Synapse Workspace Dedicated SQL minimum TLS version •Configure Azure Synapse workspaces to disable public network access •Configure Azure Synapse workspaces with private endpoints •Configure Azure Virtual Desktop hostpools with private endpoints •Configure Azure Virtual Desktop workspaces with private endpoints •Configure Batch accounts to disable local authentication •Configure Batch accounts to disable public network access •Configure Batch accounts with private endpoints •Configure Cognitive Services accounts to disable local authentication methods •Configure Cognitive Services accounts to disable public network access •Configure container registries to disable anonymous authentication. •Configure container registries to disable ARM audience token authentication. •Configure container registries to disable local admin account. •Configure Container registries to disable public network access •Configure container registries to disable repository scoped access token. •Configure Container registries with private endpoints •Configure CosmosDB accounts to disable public network access •Configure CosmosDB accounts with private endpoints •Configure disk access resources with private endpoints •Configure installation of Flux extension on Kubernetes cluster •Configure IoT Hub device provisioning instances to use private DNS zones •Configure IoT Hub device provisioning service instances to disable public network access •Configure IoT Hub device provisioning service instances with private endpoints •Configure Kubernetes clusters with Flux v2 configuration using Bucket source and secrets in KeyVault •Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS CA Certificate •Configure Kubernetes clusters with Flux v2 configuration using Git repository and HTTPS secrets •Configure Kubernetes clusters with Flux v2 configuration using Git repository and local secrets •Configure Kubernetes clusters with Flux v2 configuration using Git repository and SSH secrets •Configure Kubernetes clusters with Flux v2 configuration using public Git repository •Configure Kubernetes clusters with specified Flux v2 Bucket source using local secrets •Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets •Configure Kubernetes clusters with specified GitOps configuration using no secrets •Configure Kubernetes clusters with specified GitOps configuration using SSH secrets •Configure Log Analytics workspace and automation account to centralize logs and monitoring •Configure managed disks to disable public network access •Configure network security groups to enable traffic analytics •Configure network security groups to use specific workspace, storage account and flowlog retention policy for traffic analytics •Configure Packet Core Control Plane diagnostic access to use authentication type Microsoft EntraID •Configure periodic checking for missing system updates on azure virtual machines •Configure private endpoint connections on Azure Automation accounts •Configure private endpoints for App Configuration •Configure Private Link for Azure AD with private endpoints •Configure secure communication protocols(TLS 1.1 or TLS 1.2) on Windows machines •Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace •Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace •Configure subscriptions to set up preview features •Configure Synapse Workspaces to use only Microsoft Entra identities for authentication •Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation •Configure the Microsoft Defender for SQL Log Analytics workspace •Configure virtual machines to be onboarded to Azure Automanage •Configure virtual machines to be onboarded to Azure Automanage with Custom Configuration Profile •Configure virtual network to enable Flow Log and Traffic Analytics •Configure virtual networks to enforce workspace, storage account and retention interval for Flow logs and Traffic Analytics •Create and assign a built-in user-assigned managed identity •Deploy - Configure Azure IoT Hubs to use private DNS zones •Deploy - Configure Azure IoT Hubs with private endpoints •Deploy - Configure diagnostic settings to an Event Hub to be enabled on Azure Key Vault Managed HSM •Deploy - Configure IoT Central to use private DNS zones •Deploy - Configure IoT Central with private endpoints •Deploy a flow log resource with target network security group •Deploy a Flow Log resource with target virtual network •Deploy associations for a custom provider •Deploy associations for a managed application •Deploy Diagnostic Settings for Azure SQL Database to Event Hub •Deploy Diagnostic Settings for Batch Account to Event Hub •Deploy Diagnostic Settings for Data Lake Analytics to Event Hub •Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub •Deploy Diagnostic Settings for Event Hub to Event Hub •Deploy Diagnostic Settings for Key Vault to Event Hub •Deploy Diagnostic Settings for Logic Apps to Event Hub •Deploy Diagnostic Settings for Search Services to Event Hub •Deploy Diagnostic Settings for Service Bus to Event Hub •Deploy Diagnostic Settings for Stream Analytics to Event Hub •Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data •Deploy export to Event Hub for Microsoft Defender for Cloud data •Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data •Deploy Planned Maintenance to schedule and control upgrades for your Azure Kubernetes Service (AKS) cluster •Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs •Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs •Deploy Workflow Automation for Microsoft Defender for Cloud alerts •Deploy Workflow Automation for Microsoft Defender for Cloud recommendations •Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance •Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. •Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. •Inherit a tag from the resource group •Inherit a tag from the resource group if missing •Inherit a tag from the subscription •Inherit a tag from the subscription if missing •Modify - Configure Azure File Sync to disable public network access •Modify - Configure Azure IoT Hubs to disable public network access •Modify - Configure IoT Central to disable public network access •Modify API Management to disable username and password authentication •Protect your data with authentication requirements when exporting or uploading to a disk or snapshot. •Schedule recurring updates using Azure Update Manager •Set prerequisite for Scheduling recurring updates on Azure virtual machines. | ||
| 6cd4ddd5-44f4-45bf-853e-a23e79738ce8 | Copilot in Azure User | Enables users access to Copilot in Azure. | None | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.PortalServices/copilotSettings/conversations/action | |||
| fbdf93bf-df7d-467e-a4d2-9458aa1360c8 | Cosmos DB Account Reader Role | Can read Azure Cosmos DB Accounts data | Databases | False |
00206 effective control plane operations (unique) •action: 4 •read: 201 •write: 1 |
Actions: 007 resolved operations: 206 effective operations: 206 •action: 4 •read: 201 •write: 1 •Microsoft.Authorization/*/read •Microsoft.DocumentDB/*/read •Microsoft.DocumentDB/databaseAccounts/readonlykeys/action •Microsoft.Insights/MetricDefinitions/read •Microsoft.Insights/Metrics/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 230815da-be43-4aae-9cb4-875f7bd000aa | Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. | Databases | False |
00313 effective control plane operations (unique) •action: 54 •delete: 28 •read: 183 •write: 48 |
Actions: 008 resolved operations: 338 effective operations: 313 •action: 54 •delete: 28 •read: 183 •write: 48 •Microsoft.Authorization/*/read •Microsoft.DocumentDb/databaseAccounts/* •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
NotActions: 014 resolved not operations: 25 effective not operations: 16523 •Microsoft.DocumentDB/databaseAccounts/copyJobs/* •Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/* •Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* •Microsoft.DocumentDB/databaseAccounts/listKeys/* •Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete •Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write •Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete •Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write •Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* •Microsoft.DocumentDB/databaseAccounts/regenerateKey/* •Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete •Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write •Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete •Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write | |||
| db7b14f2-5adf-42da-9f96-f2ee17bab5cb | CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account | Databases | False |
00002 effective control plane operations (unique) •action: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 2 •Microsoft.DocumentDB/databaseAccounts/backup/action •Microsoft.DocumentDB/databaseAccounts/restore/action | ||||
| 35ffec73-9cb8-4593-8718-40d5bc4b7f6f | CosmosDB Fleet Operator Role | Lets you manage Azure CosmosDB Fleets and related child resources | None | False |
00003 effective control plane operations (unique) •delete: 1 •read: 1 •write: 1 |
Actions: 001 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.DocumentDB/fleets/* | ||||
| 5432c526-bc82-444a-b7ba-57c5b0b5b34f | CosmosRestoreOperator | Can perform restore action for Cosmos DB database account with continuous backup mode | Databases | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 003 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read •Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read •Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action | ||||
| 434105ed-43f6-45c7-a02f-909b2ba83430 | Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) | Management and governance | False |
00099 effective control plane operations (unique) •action: 23 •delete: 5 •read: 63 •write: 8 |
Actions: 010 resolved operations: 99 effective operations: 99 •action: 23 •delete: 5 •read: 63 •write: 8 •Microsoft.Advisor/configurations/read •Microsoft.Advisor/recommendations/read •Microsoft.Billing/billingPeriods/read •Microsoft.Billing/billingProperty/read •Microsoft.Consumption/* •Microsoft.CostManagement/* •Microsoft.Management/managementGroups/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 72fafb9e-0641-4937-9268-a91bfd8191a3 | Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) | Management and governance | False |
00067 effective control plane operations (unique) •action: 3 •read: 63 •write: 1 |
Actions: 010 resolved operations: 67 effective operations: 67 •action: 3 •read: 63 •write: 1 •Microsoft.Advisor/configurations/read •Microsoft.Advisor/recommendations/read •Microsoft.Billing/billingPeriods/read •Microsoft.Billing/billingProperty/read •Microsoft.Consumption/*/read •Microsoft.CostManagement/*/read •Microsoft.Management/managementGroups/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 399c3b2b-64c2-4ff1-af34-571db925b068 | CrossConnectionManager | Allows for read, write access to ExpressRoute CrossConnections | None | False |
00018 effective control plane operations (unique) •action: 2 •delete: 2 •read: 10 •write: 4 |
Actions: 003 resolved operations: 19 effective operations: 18 •action: 2 •delete: 2 •read: 10 •write: 4 •Microsoft.ClassicNetwork/expressRouteCrossConnections/* •Microsoft.Features/providers/features/read •Microsoft.Network/expressRouteCrossConnections/* |
NotActions: 001 resolved not operations: 1 effective not operations: 16818 •Microsoft.Network/expressRouteCrossConnections/delete | |||
| b6ee44de-fe58-4ddc-b5c2-ab174eb23f05 | CrossConnectionReader | Allows for read access to ExpressRoute CrossConnections | None | False |
00008 effective control plane operations (unique) •read: 8 |
Actions: 003 resolved operations: 8 effective operations: 8 •read: 8 •Microsoft.ClassicNetwork/expressRouteCrossConnections/*/read •Microsoft.Features/providers/features/read •Microsoft.Network/expressRouteCrossConnections/*/read | ||||
| d1a38570-4b05-4d70-b8e4-1100bcf76d12 | Data Boundary Tenant Administrator | Allows tenant level administration for data boundaries. | None | False |
00042 effective control plane operations (unique) •action: 4 •delete: 1 •read: 35 •write: 2 |
Actions: 004 resolved operations: 42 effective operations: 42 •action: 4 •delete: 1 •read: 35 •write: 2 •Microsoft.Authorization/*/read •Microsoft.Resources/dataBoundaries/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| add466c9-e687-43fc-8d98-dfcf8d720be5 | Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. | Storage | False |
00075 effective control plane operations (unique) •action: 21 •delete: 3 •read: 47 •write: 4 |
Actions: 006 resolved operations: 75 effective operations: 75 •action: 21 •delete: 3 •read: 47 •write: 4 •Microsoft.Authorization/*/read •Microsoft.Databox/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 | Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. | Storage | False |
00053 effective control plane operations (unique) •action: 9 •read: 43 •write: 1 |
Actions: 010 resolved operations: 53 effective operations: 53 •action: 9 •read: 43 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Databox/*/read •Microsoft.Databox/jobs/listcredentials/action •Microsoft.Databox/jobs/listsecrets/action •Microsoft.Databox/locations/availableSkus/action •Microsoft.Databox/locations/regionConfiguration/action •Microsoft.Databox/locations/validateAddress/action •Microsoft.Databox/locations/validateInputs/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Support/* | ||||
| 673868aa-7521-48a0-acc6-0f60742d39f5 | Data Factory Contributor | Create and manage data factories, as well as child resources within them. | Analytics | False |
00221 effective control plane operations (unique) •action: 66 •delete: 24 •read: 100 •write: 31 |
Actions: 009 resolved operations: 221 effective operations: 221 •action: 66 •delete: 24 •read: 100 •write: 31 •Microsoft.Authorization/*/read •Microsoft.DataFactory/dataFactories/* •Microsoft.DataFactory/factories/* •Microsoft.EventGrid/eventSubscriptions/write •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 002 •Configure Data Factories to disable public network access •Configure private endpoints for Data factories | |||
| c6decf44-fd0a-444c-a844-d653c394e7ab | Data Labeling - Labeler | Can label data in Labeling. | None | False |
00006 effective control plane operations (unique) •read: 5 •write: 1 |
Actions: 006 resolved operations: 6 effective operations: 6 •read: 5 •write: 1 •Microsoft.MachineLearningServices/workspaces/experiments/runs/read •Microsoft.MachineLearningServices/workspaces/labeling/labels/read •Microsoft.MachineLearningServices/workspaces/labeling/labels/write •Microsoft.MachineLearningServices/workspaces/labeling/projects/read •Microsoft.MachineLearningServices/workspaces/labeling/projects/summary/read •Microsoft.MachineLearningServices/workspaces/read | ||||
| 47b7735b-770e-4598-a7da-8b91488b4c88 | Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. | Storage | False |
00079 effective control plane operations (unique) •action: 13 •delete: 4 •read: 56 •write: 6 |
Actions: 008 resolved operations: 93 effective operations: 79 •action: 13 •delete: 4 •read: 56 •write: 6 •Microsoft.Authorization/*/read •Microsoft.BigAnalytics/accounts/* •Microsoft.DataLakeAnalytics/accounts/* •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
NotActions: 014 resolved not operations: 14 effective not operations: 16757 •Microsoft.BigAnalytics/accounts/Delete •Microsoft.BigAnalytics/accounts/TakeOwnership/action •Microsoft.BigAnalytics/accounts/Write •Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete •Microsoft.DataLakeAnalytics/accounts/computePolicies/Write •Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete •Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write •Microsoft.DataLakeAnalytics/accounts/Delete •Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete •Microsoft.DataLakeAnalytics/accounts/firewallRules/Write •Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete •Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write •Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action •Microsoft.DataLakeAnalytics/accounts/Write | |||
| 959f8984-c045-4866-89c7-12bf9737be2e | Data Operator for Managed Disks | Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. | Compute | False |
00004 effective data plane operations (unique) •action: 4 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 4 •Microsoft.Compute/disks/download/action •Microsoft.Compute/disks/upload/action •Microsoft.Compute/snapshots/download/action •Microsoft.Compute/snapshots/upload/action | ||||
| 150f5e0c-0603-4f03-8c7f-cf70034c4e90 | Data Purger | Can purge analytics data | Monitor | False |
00881 effective control plane operations (unique) •Action: 2 •Read: 879 |
Actions: 004 resolved operations: 881 effective operations: 881 •Action: 2 •Read: 879 •Microsoft.Insights/components/*/read •Microsoft.Insights/components/purge/action •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/purge/action | ||||
| 96ebd254-ecc7-4590-aff5-e9af3ff5f3b3 | Dedicated Host Contributor Role | This is the role created for DedicatedHosts Contributor | None | False |
00006 effective control plane operations (unique) •delete: 2 •read: 2 •write: 2 |
Actions: 006 resolved operations: 6 effective operations: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.Compute/hostGroups/delete •Microsoft.Compute/hostGroups/hosts/delete •Microsoft.Compute/hostGroups/hosts/read •Microsoft.Compute/hostGroups/hosts/write •Microsoft.Compute/hostGroups/read •Microsoft.Compute/hostGroups/write | ||||
| 0b6ca2e8-2cdc-4bd6-b896-aa3d8c21fc35 | Defender CSPM Storage Data Scanner | Grants access to read blobs and files. This role is used by the data scanner of Dfender CSPM. | None | False |
00004 effective control plane and data plane operations (unique) •read: 4 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/fileServices/shares/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | |||
| 8480c0f0-4509-4229-9339-7c10018cb8c4 | Defender CSPM Storage Scanner Operator | Lets you enable and configure Microsoft Defender CSPM's sensitive data discovery feature on your storage accounts. Includes an ABAC condition to limit role assignments. | None | True |
00060 effective control plane operations (unique) •action: 7 •delete: 3 •read: 45 •write: 5 |
Actions: 013 resolved operations: 60 effective operations: 60 •action: 7 •delete: 3 •read: 45 •write: 5 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete •Microsoft.Authorization/roleAssignments/write •Microsoft.Management/managementGroups/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/dataScanners/delete •Microsoft.Security/datascanners/read •Microsoft.Security/datascanners/write •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write •Microsoft.Support/* | ||||
| 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 | Defender for Storage Data Scanner | Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage. | Storage | False |
00004 effective control plane and data plane operations (unique) •read: 3 •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/read |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •read: 2 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | |||
| 0f641de8-0b88-4198-bdef-bd8b45ceba96 | Defender for Storage Scanner Operator | Lets you enable and configure Microsoft Defender for Storage's malware scanning and sensitive data discovery features on your storage accounts. Includes an ABAC condition to limit role assignments. | None | True |
00068 effective control plane operations (unique) •action: 7 •delete: 4 •read: 49 •write: 8 |
Actions: 022 resolved operations: 68 effective operations: 68 •action: 7 •delete: 4 •read: 49 •write: 8 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.EventGrid/eventSubscriptions/delete •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/eventSubscriptions/write •Microsoft.EventGrid/topics/read •Microsoft.Management/managementGroups/read •Microsoft.Resources/deployments/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/advancedThreatProtectionSettings/read •Microsoft.Security/advancedThreatProtectionSettings/write •Microsoft.Security/dataScanners/delete •Microsoft.Security/datascanners/read •Microsoft.Security/datascanners/write •Microsoft.Security/defenderforstoragesettings/read •Microsoft.Security/defenderforstoragesettings/write •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write •Microsoft.Support/* | ||||
| 8bb6f106-b146-4ee6-a3f9-b9c5a96e0ae5 | Defender Kubernetes Agent Operator | Grants Microsoft Defender for Cloud permissions to provision the Kubernetes defender security agent | None | False |
00063 effective control plane operations (unique) •Action: 11 •Delete: 3 •read: 43 •Write: 6 |
Actions: 019 resolved operations: 63 effective operations: 63 •Action: 11 •Delete: 3 •read: 43 •Write: 6 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Kubernetes/connectedClusters/read •Microsoft.Kubernetes/connectedClusters/Write •Microsoft.Kubernetes/register/action •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.KubernetesConfiguration/register/action •Microsoft.OperationalInsights/workspaces/listKeys/action •Microsoft.OperationalInsights/workspaces/read •Microsoft.OperationalInsights/workspaces/sharedkeys/action •Microsoft.OperationalInsights/workspaces/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/write |
count: 002 •[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension •Configure Azure Kubernetes Service clusters to enable Defender profile | |||
| 8a90fa6b-6997-4a07-8a95-30633a7c97b9 | DeID Batch Data Owner | Create and manage DeID batch jobs. This role is in preview and subject to change. | Integration | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.HealthDataAIServices/DeidServices/Batch/delete •Microsoft.HealthDataAIServices/DeidServices/Batch/read •Microsoft.HealthDataAIServices/DeidServices/Batch/write | ||||
| b73a14ee-91f5-41b7-bd81-920e12466be9 | DeID Batch Data Reader | Read DeID batch jobs. This role is in preview and subject to change. | Integration | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.HealthDataAIServices/DeidServices/Batch/read |
NotDataActions: 002 resolved not data operations: 2 effective not data operations: 3570 •Microsoft.HealthDataAIServices/DeidServices/Batch/delete •Microsoft.HealthDataAIServices/DeidServices/Batch/write | |||
| 78e4b983-1a0b-472e-8b7d-8d770f7c5890 | DeID Data Owner | Full access to DeID data. This role is in preview and subject to change | Integration | False |
00012 effective data plane operations (unique) •action: 2 •delete: 3 •read: 4 •write: 3 |
DataActions: 001 resolved data operations: 12 effective data operations: 12 •action: 2 •delete: 3 •read: 4 •write: 3 •Microsoft.HealthDataAIServices/DeidServices/* | ||||
| bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e | DeID Realtime Data User | Execute requests against DeID realtime endpoint. This role is in preview and subject to change. | Integration | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.HealthDataAIServices/DeidServices/Realtime/action | ||||
| eb960402-bf75-4cc3-8d68-35b34f960f72 | Deployment Environments Reader | Provides read access to environment resources. | DevOps | False |
00046 effective control plane and data plane operations (unique) •action: 3 •read: 43 |
Actions: 004 resolved operations: 45 effective operations: 43 •read: 43 •Microsoft.Authorization/*/read •Microsoft.DevCenter/projects/*/read •Microsoft.DevCenter/projects/read •Microsoft.Resources/subscriptions/resourceGroups/read |
NotActions: 002 resolved not operations: 2 effective not operations: 16793 •Microsoft.DevCenter/projects/pools/read •Microsoft.DevCenter/projects/pools/schedules/read |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •action: 3 •Microsoft.DevCenter/projects/users/environments/adminActionRead/action •Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action •Microsoft.DevCenter/projects/users/environments/adminRead/action | ||
| 18e40d4e-8d2e-438d-97e1-9528336e149c | Deployment Environments User | Provides access to manage environment resources. | DevOps | False |
00048 effective control plane and data plane operations (unique) •action: 5 •read: 43 |
Actions: 004 resolved operations: 45 effective operations: 43 •read: 43 •Microsoft.Authorization/*/read •Microsoft.DevCenter/projects/*/read •Microsoft.DevCenter/projects/read •Microsoft.Resources/subscriptions/resourceGroups/read |
NotActions: 002 resolved not operations: 2 effective not operations: 16793 •Microsoft.DevCenter/projects/pools/read •Microsoft.DevCenter/projects/pools/schedules/read |
DataActions: 005 resolved data operations: 5 effective data operations: 5 •action: 5 •Microsoft.DevCenter/projects/users/environments/userActionManage/action •Microsoft.DevCenter/projects/users/environments/userDelete/action •Microsoft.DevCenter/projects/users/environments/userOutputsRead/action •Microsoft.DevCenter/projects/users/environments/userRead/action •Microsoft.DevCenter/projects/users/environments/userWrite/action | ||
| 97dfb3ce-e936-462c-9425-9cdb67e66d45 | Desktop Virtualization App Attach Contributor | Provide permission to manage app attach resources | None | False |
00053 effective control plane operations (unique) •Action: 7 •delete: 3 •read: 40 •write: 3 |
Actions: 009 resolved operations: 53 effective operations: 53 •Action: 7 •delete: 3 •read: 40 •write: 3 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/appattachpackages/delete •Microsoft.DesktopVirtualization/appattachpackages/read •Microsoft.DesktopVirtualization/appattachpackages/write •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 86240b0e-9422-4c43-887b-b61143f32ba8 | Desktop Virtualization Application Group Contributor | Contributor of the Desktop Virtualization Application Group. | Compute | False |
00076 effective control plane operations (unique) •action: 11 •delete: 5 •read: 52 •write: 8 |
Actions: 008 resolved operations: 76 effective operations: 76 •action: 11 •delete: 5 •read: 52 •write: 8 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/applicationgroups/* •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 | Desktop Virtualization Application Group Reader | Reader of the Desktop Virtualization Application Group. | Compute | False |
00053 effective control plane operations (unique) •action: 3 •read: 49 •write: 1 |
Actions: 009 resolved operations: 53 effective operations: 53 •action: 3 •read: 49 •write: 1 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/applicationgroups/*/read •Microsoft.DesktopVirtualization/applicationgroups/read •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.Insights/alertRules/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 082f0a83-3be5-4ba1-904c-961cca79b387 | Desktop Virtualization Contributor | Contributor of Desktop Virtualization. | Compute | False |
00177 effective control plane operations (unique) •action: 32 •delete: 22 •read: 93 •write: 30 |
Actions: 006 resolved operations: 177 effective operations: 177 •action: 32 •delete: 22 •read: 93 •write: 30 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| e307426c-f9b6-4e81-87de-d99efb3c32bc | Desktop Virtualization Host Pool Contributor | Contributor of the Desktop Virtualization Host Pool. | Compute | False |
00110 effective control plane operations (unique) •action: 24 •delete: 9 •read: 65 •write: 12 |
Actions: 006 resolved operations: 110 effective operations: 110 •action: 24 •delete: 9 •read: 65 •write: 12 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/hostpools/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 002 •Configure Azure Virtual Desktop hostpools to disable public network access •Configure Azure Virtual Desktop hostpools to disable public network access only for session hosts | |||
| ceadfde2-b300-400a-ab7b-6143895aa822 | Desktop Virtualization Host Pool Reader | Reader of the Desktop Virtualization Host Pool. | Compute | False |
00066 effective control plane operations (unique) •action: 3 •read: 62 •write: 1 |
Actions: 007 resolved operations: 66 effective operations: 66 •action: 3 •read: 62 •write: 1 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/hostpools/*/read •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.Insights/alertRules/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 489581de-a3bd-480d-9518-53dea7416b33 | Desktop Virtualization Power On Contributor | Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines. | Compute | False |
00058 effective control plane operations (unique) •Action: 9 •Delete: 2 •read: 45 •Write: 2 |
Actions: 014 resolved operations: 58 effective operations: 58 •Action: 9 •Delete: 2 •read: 45 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.AzureStackHCI/operations/read •Microsoft.AzureStackHCI/virtualMachineInstances/read •Microsoft.AzureStackHCI/virtualMachineInstances/start/action •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/start/action •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/operations/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 40c5ff49-9181-41f8-ae61-143b0e78555e | Desktop Virtualization Power On Off Contributor | Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines. | Compute | False |
00081 effective control plane operations (unique) •Action: 25 •delete: 3 •read: 49 •write: 4 |
Actions: 037 resolved operations: 81 effective operations: 81 •Action: 25 •delete: 3 •read: 49 •write: 4 •Microsoft.Authorization/*/read •Microsoft.AzureStackHCI/operations/read •Microsoft.AzureStackHCI/virtualMachineInstances/read •Microsoft.AzureStackHCI/virtualMachineInstances/restart/action •Microsoft.AzureStackHCI/virtualMachineInstances/start/action •Microsoft.AzureStackHCI/virtualMachineInstances/stop/action •Microsoft.Compute/virtualMachines/deallocate/action •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/powerOff/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/restart/action •Microsoft.Compute/virtualMachines/start/action •Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action •Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action •Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action •Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action •Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationErrors/action •Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/action •Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action •Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action •Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action •Microsoft.ComputeSchedule/register/action •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action •Microsoft.DesktopVirtualization/hostpools/sessionhosts/write •Microsoft.DesktopVirtualization/hostpools/write •Microsoft.HybridCompute/locations/operationresults/read •Microsoft.HybridCompute/locations/operationstatus/read •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/operations/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/eventtypes/values/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 49a72310-ab8d-41df-bbb0-79b649203868 | Desktop Virtualization Reader | Reader of Desktop Virtualization. | Compute | False |
00094 effective control plane operations (unique) •action: 3 •read: 90 •write: 1 |
Actions: 006 resolved operations: 94 effective operations: 94 •action: 3 •read: 90 •write: 1 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 2ad6aaab-ead9-4eaa-8ac5-da422f562408 | Desktop Virtualization Session Host Operator | Operator of the Desktop Virtualization Session Host. | Compute | False |
00068 effective control plane operations (unique) •action: 13 •delete: 4 •read: 46 •write: 5 |
Actions: 007 resolved operations: 68 effective operations: 68 •action: 13 •delete: 4 •read: 46 •write: 5 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63 | Desktop Virtualization User | Allows user to use the applications in an application group. | Compute | False |
00002 effective data plane operations (unique) •action: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action •Microsoft.DesktopVirtualization/applicationGroups/useApplications/action | ||||
| ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6 | Desktop Virtualization User Session Operator | Operator of the Desktop Virtualization User Session. | Compute | False |
00065 effective control plane operations (unique) •action: 12 •delete: 3 •read: 46 •write: 4 |
Actions: 008 resolved operations: 65 effective operations: 65 •action: 12 •delete: 3 •read: 46 •write: 4 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| a959dbd1-f747-45e3-8ba6-dd80f235f97c | Desktop Virtualization Virtual Machine Contributor | This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines. | Compute | False |
00102 effective control plane operations (unique) •action: 20 •delete: 7 •read: 64 •write: 11 |
Actions: 059 resolved operations: 102 effective operations: 102 •action: 20 •delete: 7 •read: 64 •write: 11 •Microsoft.Authorization/*/read •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/availabilitySets/vmSizes/read •Microsoft.Compute/availabilitySets/write •Microsoft.Compute/disks/delete •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/galleries/images/read •Microsoft.Compute/galleries/images/versions/read •Microsoft.Compute/galleries/read •Microsoft.Compute/images/read •Microsoft.Compute/locations/usages/read •Microsoft.Compute/locations/vmSizes/read •Microsoft.Compute/operations/read •Microsoft.Compute/skus/read •Microsoft.Compute/virtualMachines/deallocate/action •Microsoft.Compute/virtualMachines/delete •Microsoft.Compute/virtualMachines/extensions/delete •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/extensions/write •Microsoft.Compute/virtualMachines/powerOff/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/restart/action •Microsoft.Compute/virtualMachines/runCommand/action •Microsoft.Compute/virtualMachines/runCommands/read •Microsoft.Compute/virtualMachines/runCommands/write •Microsoft.Compute/virtualMachines/start/action •Microsoft.Compute/virtualMachines/vmSizes/read •Microsoft.Compute/virtualMachines/write •Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action •Microsoft.DesktopVirtualization/hostpools/read •Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action •Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete •Microsoft.DesktopVirtualization/hostpools/sessionhosts/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/action •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read •Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action •Microsoft.DesktopVirtualization/hostpools/sessionhosts/write •Microsoft.DesktopVirtualization/hostpools/write •Microsoft.DesktopVirtualization/scalingPlans/read •Microsoft.DesktopVirtualization/scalingPlans/write •Microsoft.Insights/alertRules/* •Microsoft.KeyVault/vaults/deploy/action •Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/usages/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read | ||||
| 21efdde3-836f-432b-bf3d-3e8e734d4b2b | Desktop Virtualization Workspace Contributor | Contributor of the Desktop Virtualization Workspace. | Compute | False |
00075 effective control plane operations (unique) •action: 12 •delete: 5 •read: 51 •write: 7 |
Actions: 007 resolved operations: 75 effective operations: 75 •action: 12 •delete: 5 •read: 51 •write: 7 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/applicationgroups/read •Microsoft.DesktopVirtualization/workspaces/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 001 •Configure Azure Virtual Desktop workspaces to disable public network access | |||
| 0fa44ee9-7a7d-466b-9bb2-2bf446b1204d | Desktop Virtualization Workspace Reader | Reader of the Desktop Virtualization Workspace. | Compute | False |
00046 effective control plane operations (unique) •action: 3 •read: 42 •write: 1 |
Actions: 007 resolved operations: 46 effective operations: 46 •action: 3 •read: 42 •write: 1 •Microsoft.Authorization/*/read •Microsoft.DesktopVirtualization/applicationgroups/read •Microsoft.DesktopVirtualization/workspaces/read •Microsoft.Insights/alertRules/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 45d50f46-0b78-4001-a660-4198cbe8cd05 | DevCenter Dev Box User | Provides access to create and manage dev boxes. | DevOps | False |
00056 effective control plane and data plane operations (unique) •action: 11 •read: 45 |
Actions: 004 resolved operations: 45 effective operations: 45 •read: 45 •Microsoft.Authorization/*/read •Microsoft.DevCenter/projects/*/read •Microsoft.DevCenter/projects/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 011 resolved data operations: 11 effective data operations: 11 •action: 11 •Microsoft.DevCenter/projects/users/devboxes/userActionManage/action •Microsoft.DevCenter/projects/users/devboxes/userActionRead/action •Microsoft.DevCenter/projects/users/devboxes/userCustomize/action •Microsoft.DevCenter/projects/users/devboxes/userDelete/action •Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action •Microsoft.DevCenter/projects/users/devboxes/userRead/action •Microsoft.DevCenter/projects/users/devboxes/userStart/action •Microsoft.DevCenter/projects/users/devboxes/userStop/action •Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionManage/action •Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionRead/action •Microsoft.DevCenter/projects/users/devboxes/userWrite/action | |||
| 4c6569b6-f23e-4295-9b90-bd4cc4ff3292 | DevCenter Owner | Provides access to manage all Microsoft.DevCenter resources, and to manage access to Microsoft.DevCenter resources by adding or removing role assignments for the DevCenter Project Admin and DevCenter Dev Box roles. | None | True |
00124 effective control plane operations (unique) •action: 26 •delete: 15 •read: 67 •write: 16 |
Actions: 006 resolved operations: 124 effective operations: 124 •action: 26 •delete: 15 •read: 67 •write: 16 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.DevCenter/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 331c37c6-af14-46d9-b9f4-e1909e1b95a0 | DevCenter Project Admin | Provides access to manage project resources. | DevOps | False |
00097 effective control plane and data plane operations (unique) •action: 39 •delete: 5 •read: 48 •write: 5 |
Actions: 004 resolved operations: 75 effective operations: 73 •action: 15 •delete: 5 •read: 48 •write: 5 •Microsoft.Authorization/*/read •Microsoft.DevCenter/projects/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
NotActions: 002 resolved not operations: 2 effective not operations: 16763 •Microsoft.DevCenter/projects/delete •Microsoft.DevCenter/projects/write |
DataActions: 024 resolved data operations: 24 effective data operations: 24 •action: 24 •Microsoft.DevCenter/projects/users/devboxes/adminAlign/action •Microsoft.DevCenter/projects/users/devboxes/adminDelete/action •Microsoft.DevCenter/projects/users/devboxes/adminRead/action •Microsoft.DevCenter/projects/users/devboxes/adminStart/action •Microsoft.DevCenter/projects/users/devboxes/adminStop/action •Microsoft.DevCenter/projects/users/devboxes/adminWrite/action •Microsoft.DevCenter/projects/users/devboxes/userActionManage/action •Microsoft.DevCenter/projects/users/devboxes/userActionRead/action •Microsoft.DevCenter/projects/users/devboxes/userCustomize/action •Microsoft.DevCenter/projects/users/devboxes/userDelete/action •Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action •Microsoft.DevCenter/projects/users/devboxes/userRead/action •Microsoft.DevCenter/projects/users/devboxes/userStart/action •Microsoft.DevCenter/projects/users/devboxes/userStop/action •Microsoft.DevCenter/projects/users/devboxes/userWrite/action •Microsoft.DevCenter/projects/users/environments/adminAction/action •Microsoft.DevCenter/projects/users/environments/adminActionManage/action •Microsoft.DevCenter/projects/users/environments/adminActionRead/action •Microsoft.DevCenter/projects/users/environments/adminDelete/action •Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action •Microsoft.DevCenter/projects/users/environments/adminRead/action •Microsoft.DevCenter/projects/users/environments/adminWrite/action •Microsoft.DevCenter/projects/users/environments/userDelete/action •Microsoft.DevCenter/projects/users/environments/userWrite/action | ||
| dfce44e4-17b7-4bd1-a6d1-04996ec95633 | Device Provisioning Service Data Contributor | Allows for full access to Device Provisioning Service data-plane operations. | Internet of Things | False |
00009 effective data plane operations (unique) •action: 1 •delete: 3 •read: 3 •write: 2 |
DataActions: 001 resolved data operations: 9 effective data operations: 9 •action: 1 •delete: 3 •read: 3 •write: 2 •Microsoft.Devices/provisioningServices/* | ||||
| 10745317-c249-44a1-a5ce-3a4353c0bbd8 | Device Provisioning Service Data Reader | Allows for full read access to Device Provisioning Service data-plane properties. | Internet of Things | False |
00003 effective data plane operations (unique) •read: 3 |
DataActions: 001 resolved data operations: 3 effective data operations: 3 •read: 3 •Microsoft.Devices/provisioningServices/*/read | ||||
| 02ca0879-e8e4-47a5-a61e-5c618b76e64a | Device Update Administrator | Gives you full access to management and content operations | Internet of Things | False |
00064 effective control plane and data plane operations (unique) •Action: 10 •delete: 4 •read: 45 •write: 5 |
Actions: 005 resolved operations: 58 effective operations: 58 •Action: 10 •Delete: 2 •read: 43 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 006 resolved data operations: 6 effective data operations: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.DeviceUpdate/accounts/instances/management/delete •Microsoft.DeviceUpdate/accounts/instances/management/read •Microsoft.DeviceUpdate/accounts/instances/management/write •Microsoft.DeviceUpdate/accounts/instances/updates/delete •Microsoft.DeviceUpdate/accounts/instances/updates/read •Microsoft.DeviceUpdate/accounts/instances/updates/write | |||
| 0378884a-3af5-44ab-8323-f5b22f9f3c98 | Device Update Content Administrator | Gives you full access to content operations | Internet of Things | False |
00061 effective control plane and data plane operations (unique) •Action: 10 •delete: 3 •read: 44 •write: 4 |
Actions: 005 resolved operations: 58 effective operations: 58 •Action: 10 •Delete: 2 •read: 43 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.DeviceUpdate/accounts/instances/updates/delete •Microsoft.DeviceUpdate/accounts/instances/updates/read •Microsoft.DeviceUpdate/accounts/instances/updates/write | |||
| d1ee9a80-8b14-47f0-bdc2-f4a351625a7b | Device Update Content Reader | Gives you read access to content operations, but does not allow making changes | Internet of Things | False |
00059 effective control plane and data plane operations (unique) •Action: 10 •Delete: 2 •read: 44 •Write: 3 |
Actions: 005 resolved operations: 58 effective operations: 58 •Action: 10 •Delete: 2 •read: 43 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| e4237640-0e3d-4a46-8fda-70bc94856432 | Device Update Deployments Administrator | Gives you full access to management operations | Internet of Things | False |
00062 effective control plane and data plane operations (unique) •Action: 10 •delete: 3 •read: 45 •write: 4 |
Actions: 005 resolved operations: 58 effective operations: 58 •Action: 10 •Delete: 2 •read: 43 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •delete: 1 •read: 2 •write: 1 •Microsoft.DeviceUpdate/accounts/instances/management/delete •Microsoft.DeviceUpdate/accounts/instances/management/read •Microsoft.DeviceUpdate/accounts/instances/management/write •Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| 49e2f5d2-7741-4835-8efa-19e1fe35e47f | Device Update Deployments Reader | Gives you read access to management operations, but does not allow making changes | Internet of Things | False |
00060 effective control plane and data plane operations (unique) •Action: 10 •Delete: 2 •read: 45 •Write: 3 |
Actions: 005 resolved operations: 58 effective operations: 58 •Action: 10 •Delete: 2 •read: 43 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.DeviceUpdate/accounts/instances/management/read •Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f | Device Update Reader | Gives you read access to management and content operations, but does not allow making changes | Internet of Things | False |
00060 effective control plane and data plane operations (unique) •Action: 10 •Delete: 2 •read: 45 •Write: 3 |
Actions: 005 resolved operations: 58 effective operations: 58 •Action: 10 •Delete: 2 •read: 43 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.DeviceUpdate/accounts/instances/management/read •Microsoft.DeviceUpdate/accounts/instances/updates/read | |||
| 76153a9e-0edb-49bc-8e01-93c47e6b5180 | DevOps Infrastructure Contributor | Read, write, delete and perform actions on Managed DevOps Pools | DevOps | False |
00060 effective control plane operations (unique) •action: 9 •delete: 3 •read: 44 •write: 4 |
Actions: 010 resolved operations: 60 effective operations: 60 •action: 9 •delete: 3 •read: 44 •write: 4 •Microsoft.Authorization/*/read •Microsoft.DevOpsInfrastructure/*/read •Microsoft.DevOpsInfrastructure/Locations/OperationStatuses/write •Microsoft.DevOpsInfrastructure/pools/delete •Microsoft.DevOpsInfrastructure/pools/write •Microsoft.DevOpsInfrastructure/register/action •Microsoft.DevOpsInfrastructure/unregister/action •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 76283e04-6283-4c54-8f91-bcf1374a3c64 | DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. | DevOps | False |
00105 effective control plane operations (unique) •action: 16 •delete: 1 •read: 86 •write: 2 |
Actions: 032 resolved operations: 106 effective operations: 105 •action: 16 •delete: 1 •read: 86 •write: 2 •Microsoft.Authorization/*/read •Microsoft.Compute/availabilitySets/read •Microsoft.Compute/virtualMachines/*/read •Microsoft.Compute/virtualMachines/deallocate/action •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/restart/action •Microsoft.Compute/virtualMachines/start/action •Microsoft.DevTestLab/*/read •Microsoft.DevTestLab/labs/claimAnyVm/action •Microsoft.DevTestLab/labs/createEnvironment/action •Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action •Microsoft.DevTestLab/labs/formulas/delete •Microsoft.DevTestLab/labs/formulas/read •Microsoft.DevTestLab/labs/formulas/write •Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action •Microsoft.DevTestLab/labs/virtualMachines/claim/action •Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action •Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/inboundNatRules/join/action •Microsoft.Network/networkInterfaces/*/read •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/publicIPAddresses/*/read •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/listKeys/action |
NotActions: 001 resolved not operations: 1 effective not operations: 16731 •Microsoft.Compute/virtualMachines/vmSizes/read | |||
| 58a3b984-7adf-4c20-983a-32417c86fbc8 | DICOM Data Owner | Full access to DICOM data. | Integration | False |
00005 effective data plane operations (unique) •action: 2 •delete: 1 •read: 1 •write: 1 |
DataActions: 001 resolved data operations: 5 effective data operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.HealthcareApis/workspaces/dicomservices/resources/* | ||||
| e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a | DICOM Data Reader | Read and search DICOM data. | Integration | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.HealthcareApis/workspaces/dicomservices/resources/read | ||||
| 3e5e47e6-65f7-47ef-90b5-e5dd4d455f24 | Disk Backup Reader | Provides permission to backup vault to perform disk backup. | Compute | False |
00033 effective control plane operations (unique) •action: 1 •read: 32 |
Actions: 003 resolved operations: 33 effective operations: 33 •action: 1 •read: 32 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/disks/read | ||||
| 136d308c-0937-4a49-9bd7-edfb42adbffc | Disk Encryption Set Operator for Managed Disks | Provides permissions to read, write or delete disk encryption sets which are used for encrypting managed disks with customer managed keys | None | False |
00003 effective control plane operations (unique) •delete: 1 •read: 1 •write: 1 |
Actions: 001 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Compute/diskEncryptionSets/* | ||||
| 60fc6e62-5479-42d4-8bf4-67625fcc2840 | Disk Pool Operator | Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool. | Compute | False |
00050 effective control plane operations (unique) •Action: 7 •Delete: 2 •read: 38 •write: 3 |
Actions: 006 resolved operations: 50 effective operations: 50 •Action: 7 •Delete: 2 •read: 38 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b50d9833-a0cb-478e-945f-707fcc997c13 | Disk Restore Operator | Provides permission to backup vault to perform disk restore. | Compute | False |
00034 effective control plane operations (unique) •read: 33 •write: 1 |
Actions: 004 resolved operations: 34 effective operations: 34 •read: 33 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 7efff54f-a5b4-42b5-a1c5-5411624893ce | Disk Snapshot Contributor | Provides permission to backup vault to manage disk snapshots. | Compute | False |
00042 effective control plane operations (unique) •action: 4 •delete: 2 •read: 34 •write: 2 |
Actions: 012 resolved operations: 42 effective operations: 42 •action: 4 •delete: 2 •read: 34 •write: 2 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/snapshots/beginGetAccess/action •Microsoft.Compute/snapshots/delete •Microsoft.Compute/snapshots/endGetAccess/action •Microsoft.Compute/snapshots/read •Microsoft.Compute/snapshots/write •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/delete •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write | ||||
| 0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d | DNS Resolver Contributor | Lets you manage DNS resolver resources. | None | False |
00083 effective control plane operations (unique) •Action: 19 •Delete: 8 •read: 47 •Write: 9 |
Actions: 041 resolved operations: 83 effective operations: 83 •Action: 19 •Delete: 8 •read: 47 •Write: 9 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/dnsForwardingRulesets/delete •Microsoft.Network/dnsForwardingRulesets/forwardingRules/delete •Microsoft.Network/dnsForwardingRulesets/forwardingRules/read •Microsoft.Network/dnsForwardingRulesets/forwardingRules/write •Microsoft.Network/dnsForwardingRulesets/join/action •Microsoft.Network/dnsForwardingRulesets/read •Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/delete •Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/read •Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks/write •Microsoft.Network/dnsForwardingRulesets/write •Microsoft.Network/dnsResolvers/delete •Microsoft.Network/dnsResolvers/inboundEndpoints/delete •Microsoft.Network/dnsResolvers/inboundEndpoints/join/action •Microsoft.Network/dnsResolvers/inboundEndpoints/read •Microsoft.Network/dnsResolvers/inboundEndpoints/write •Microsoft.Network/dnsResolvers/join/action •Microsoft.Network/dnsResolvers/outboundEndpoints/delete •Microsoft.Network/dnsResolvers/outboundEndpoints/join/action •Microsoft.Network/dnsResolvers/outboundEndpoints/read •Microsoft.Network/dnsResolvers/outboundEndpoints/write •Microsoft.Network/dnsResolvers/read •Microsoft.Network/dnsResolvers/write •Microsoft.Network/locations/dnsResolverOperationResults/read •Microsoft.Network/locations/dnsResolverOperationStatuses/read •Microsoft.Network/natGateways/join/action •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/routeTables/join/action •Microsoft.Network/serviceEndpointPolicies/join/action •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/joinLoadBalancer/action •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| befefa01-2a29-4197-83a8-272ff33ce314 | DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. | Networking | False |
00105 effective control plane operations (unique) •Action: 10 •Delete: 15 •read: 62 •Write: 18 |
Actions: 007 resolved operations: 105 effective operations: 105 •Action: 10 •Delete: 15 •read: 62 •Write: 18 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/dnsZones/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 5bd9cd88-fe45-4216-938b-f97437e15450 | DocumentDB Account Contributor | Lets you manage DocumentDB accounts, but not access to them. | Databases | False |
00338 effective control plane operations (unique) •action: 66 •delete: 32 •read: 186 •write: 54 |
Actions: 008 resolved operations: 338 effective operations: 338 •action: 66 •delete: 32 •read: 186 •write: 54 •Microsoft.Authorization/*/read •Microsoft.DocumentDb/databaseAccounts/* •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 003 •Configure Cosmos DB database accounts to disable local authentication •Configure CosmosDB accounts to disable public network access •Configure CosmosDB accounts with private endpoints | |||
| eeaeda52-9324-47f6-8069-5d5bade478b2 | Domain Services Contributor | Can manage Azure AD Domain Services and related network configurations | Identity | False |
00124 effective control plane operations (unique) •action: 21 •delete: 14 •read: 75 •write: 14 |
Actions: 069 resolved operations: 124 effective operations: 124 •action: 21 •delete: 14 •read: 75 •write: 14 •Microsoft.AAD/domainServices/* •Microsoft.AAD/register/action •Microsoft.AAD/unregister/action •Microsoft.Authorization/*/read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/DiagnosticSettingsCategories/Read •Microsoft.Insights/Logs/Read •Microsoft.Insights/Metrics/Read •Microsoft.Network/azureFirewalls/read •Microsoft.Network/ddosProtectionPlans/join/action •Microsoft.Network/ddosProtectionPlans/read •Microsoft.Network/loadBalancers/*/read •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/delete •Microsoft.Network/loadBalancers/inboundNatRules/join/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/natGateways/join/action •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read •Microsoft.Network/networkSecurityGroups/delete •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/securityRules/delete •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/networkSecurityGroups/securityRules/write •Microsoft.Network/networkSecurityGroups/write •Microsoft.Network/register/action •Microsoft.Network/routeTables/delete •Microsoft.Network/routeTables/join/action •Microsoft.Network/routeTables/read •Microsoft.Network/routeTables/routes/delete •Microsoft.Network/routeTables/routes/read •Microsoft.Network/routeTables/routes/write •Microsoft.Network/routeTables/write •Microsoft.Network/unregister/action •Microsoft.Network/virtualNetworks/delete •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/peer/action •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/delete •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write •Microsoft.Network/virtualNetworks/write •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 361898ef-9ed1-48c2-849c-a832951106bb | Domain Services Reader | Can view Azure AD Domain Services and related network configurations | Identity | False |
00075 effective control plane operations (unique) •read: 75 |
Actions: 028 resolved operations: 75 effective operations: 75 •read: 75 •Microsoft.AAD/domainServices/*/read •Microsoft.Authorization/*/read •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/DiagnosticSettings/read •Microsoft.Insights/DiagnosticSettingsCategories/Read •Microsoft.Insights/Logs/Read •Microsoft.Insights/Metrics/read •Microsoft.Network/azureFirewalls/read •Microsoft.Network/ddosProtectionPlans/read •Microsoft.Network/loadBalancers/*/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/natGateways/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/routeTables/read •Microsoft.Network/routeTables/routes/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSettings/read •Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefinitions/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 0ad04412-c4d5-4796-b79c-f76d14c8d402 | Durable Task Data Contributor | Durable Task role for all data access operations. | Integration | False |
00010 effective data plane operations (unique) •action: 6 •read: 4 |
DataActions: 001 resolved data operations: 10 effective data operations: 10 •action: 6 •read: 4 •Microsoft.DurableTask/* | ||||
| d6a5505f-6ebb-45a4-896e-ac8274cfc0ac | Durable Task Data Reader | Read all Durable Task Scheduler data. | Integration | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.DurableTask/schedulers/taskhubs/orchestrations/metadata/read •Microsoft.DurableTask/schedulers/taskhubs/orchestrations/read | ||||
| 80d0d6b0-f522-40a4-8886-a5a11720c375 | Durable Task Worker | Used by worker applications to interact with the Durable Task service | Integration | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.DurableTask/schedulers/taskhubs/orchestrations/execute/action | ||||
| 53e48117-a530-4075-bcbe-d91913e3bdb8 | Edge Management Copilot User | Enables users access to Edge Management Copilot. | None | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.EdgeManagement/locations/chat/action | ||||
| fa6cecf6-5db3-4c43-8470-c540bcb4eafa | Elastic SAN Network Admin | Allows access to create Private Endpoints on SAN resources, and to read SAN resources | Storage | False |
00009 effective control plane operations (unique) •action: 1 •delete: 1 •read: 6 •write: 1 |
Actions: 005 resolved operations: 9 effective operations: 9 •action: 1 •delete: 1 •read: 6 •write: 1 •Microsoft.ElasticSan/elasticSans/*/read •Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete •Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write •Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action •Microsoft.ElasticSan/locations/asyncoperations/read | ||||
| 80dcbedb-47ef-405d-95bd-188a1b4ac406 | Elastic SAN Owner | Allows for full access to all resources under Azure Elastic SAN including changing network security policies to unblock data path access | Storage | False |
00067 effective control plane operations (unique) •action: 10 •delete: 7 •read: 43 •write: 7 |
Actions: 006 resolved operations: 67 effective operations: 67 •action: 10 •delete: 7 •read: 43 •write: 7 •Microsoft.Authorization/*/read •Microsoft.ElasticSan/elasticSans/* •Microsoft.ElasticSan/locations/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| af6a70f8-3c9f-4105-acf1-d719e9fca4ca | Elastic SAN Reader | Allows for control path read access to Azure Elastic SAN | Storage | False |
00009 effective control plane operations (unique) •read: 9 |
Actions: 005 resolved operations: 9 effective operations: 9 •read: 9 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.ElasticSan/elasticSans/*/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 1c4770c0-34f7-4110-a1ea-a5855cc7a939 | Elastic SAN Snapshot Exporter | Allows for creating and exporting Snapshot of Elastic San Volume | None | False |
00085 effective control plane operations (unique) •action: 8 •delete: 3 •read: 71 •write: 3 |
Actions: 015 resolved operations: 85 effective operations: 85 •action: 8 •delete: 3 •read: 71 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/delete •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/locations/* •Microsoft.Compute/snapshots/delete •Microsoft.Compute/snapshots/read •Microsoft.Compute/snapshots/write •Microsoft.ElasticSan/elasticSans/*/read •Microsoft.ElasticSan/elasticSans/volumeGroups/preBackup/action •Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/beginGetAccess/action •Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/delete •Microsoft.ElasticSan/elasticSans/volumeGroups/snapshots/write •Microsoft.ElasticSan/locations/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a8281131-f312-4f34-8d98-ae12be9f0d23 | Elastic SAN Volume Group Owner | Allows for full access to a volume group in Azure Elastic SAN including changing network security policies to unblock data path access | Storage | False |
00015 effective control plane operations (unique) •action: 3 •delete: 3 •read: 6 •write: 3 |
Actions: 004 resolved operations: 15 effective operations: 15 •action: 3 •delete: 3 •read: 6 •write: 3 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.ElasticSan/elasticSans/volumeGroups/* •Microsoft.ElasticSan/locations/asyncoperations/read | ||||
| 90e8b822-3e73-47b5-868a-787dc80c008f | Elastic SAN Volume Importer | Allows for Importing Elastic San Volume | None | False |
00081 effective control plane operations (unique) •action: 11 •delete: 1 •read: 68 •write: 1 |
Actions: 014 resolved operations: 81 effective operations: 81 •action: 11 •delete: 1 •read: 68 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/disks/endGetAccess/action •Microsoft.Compute/disks/read •Microsoft.Compute/locations/* •Microsoft.Compute/snapshots/beginGetAccess/action •Microsoft.Compute/snapshots/endGetAccess/action •Microsoft.Compute/snapshots/read •Microsoft.ElasticSan/elasticSans/volumeGroups/*/read •Microsoft.ElasticSan/elasticSans/volumeGroups/preRestore/action •Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/delete •Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/write •Microsoft.ElasticSan/locations/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 2142ea27-02ad-4094-bfea-2dbac6d24934 | Enclave Approver Role | Read all resources in Azure Virtual Enclaves and Approve approval requests within the Enclave | None | False |
00070 effective control plane operations (unique) •Action: 12 •Delete: 2 •read: 53 •Write: 3 |
Actions: 026 resolved operations: 70 effective operations: 70 •Action: 12 •Delete: 2 •read: 53 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Insights/alertRules/* •Microsoft.Mission/approvals/initiatorCallback/action •Microsoft.Mission/approvals/read •Microsoft.Mission/approvals/write •Microsoft.Mission/communities/communityEndpoints/approvalCallback/action •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/read •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/enclaveConnections/approvalCallback/action •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/Operations/read •Microsoft.Mission/virtualEnclaves/approvalCallback/action •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/approvalCallback/action •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read •Microsoft.Mission/virtualEnclaves/endpoints/read •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 19feefae-eacc-4106-81fd-ac34c0671f14 | Enclave Contributor Role | Enclave Contributor Role to access the resources of Microsoft.Mission stored with RPSAAS. | None | False |
00061 effective control plane operations (unique) •action: 2 •read: 51 •write: 8 |
Actions: 031 resolved operations: 61 effective operations: 61 •action: 2 •read: 51 •write: 8 •Microsoft.Authorization/*/read •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Insights/alertRules/read •Microsoft.Mission/approvals/read •Microsoft.Mission/approvals/write •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/read •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/enclaveConnections/write •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Locations/OperationStatuses/write •Microsoft.Mission/Operations/read •Microsoft.Mission/register/action •Microsoft.Mission/unregister/action •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/write •Microsoft.Mission/virtualEnclaves/endpoints/read •Microsoft.Mission/virtualEnclaves/endpoints/write •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Mission/virtualEnclaves/workloads/write •Microsoft.Mission/virtualEnclaves/write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 3d5f3eff-eb94-473d-91e3-7aac74d6c0bb | Enclave Owner Role | Enclave Owner Role to access the resources of Microsoft.Mission stored with RPSAAS. | None | False |
00062 effective control plane operations (unique) •delete: 5 •read: 50 •write: 7 |
Actions: 032 resolved operations: 62 effective operations: 62 •delete: 5 •read: 50 •write: 7 •Microsoft.Authorization/*/read •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Insights/alertRules/read •Microsoft.Mission/approvals/delete •Microsoft.Mission/approvals/read •Microsoft.Mission/approvals/write •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/read •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/enclaveConnections/delete •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/enclaveConnections/write •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Locations/OperationStatuses/write •Microsoft.Mission/Operations/read •Microsoft.Mission/virtualEnclaves/delete •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/delete •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/write •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/workloads/delete •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Mission/virtualEnclaves/workloads/write •Microsoft.Mission/virtualEnclaves/write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 86fede04-b259-4277-8c3e-e26b9865abd8 | Enclave Reader Role | Enclave Reader Role to access the resources of Microsoft.Mission stored with RPSAAS. | None | False |
00064 effective control plane operations (unique) •Action: 7 •Delete: 2 •read: 53 •Write: 2 |
Actions: 020 resolved operations: 64 effective operations: 64 •Action: 7 •Delete: 2 •read: 53 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Insights/alertRules/* •Microsoft.Mission/approvals/read •Microsoft.Mission/communities/communityEndpoints/read •Microsoft.Mission/communities/read •Microsoft.Mission/communities/transitHubs/read •Microsoft.Mission/enclaveConnections/read •Microsoft.Mission/Operations/read •Microsoft.Mission/virtualEnclaves/enclaveEndpoints/read •Microsoft.Mission/virtualEnclaves/endpoints/read •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 93629c8c-5d36-4533-85cd-f5bb3338710e | Entra Connect Health Service Admin | Can set up and manage Microsoft Entra Connect Health. Includes agent set up and managing services on the Azure portal | None | False |
00056 effective control plane operations (unique) •action: 6 •delete: 4 •read: 40 •write: 6 |
Actions: 056 resolved operations: 56 effective operations: 56 •action: 6 •delete: 4 •read: 40 •write: 6 •Microsoft.ADHybridHealthService/addsservices/action •Microsoft.ADHybridHealthService/addsservices/addomainservicemembers/read •Microsoft.ADHybridHealthService/addsservices/alerts/read •Microsoft.ADHybridHealthService/addsservices/configuration/read •Microsoft.ADHybridHealthService/addsservices/delete •Microsoft.ADHybridHealthService/addsservices/dimensions/read •Microsoft.ADHybridHealthService/addsservices/features/userpreference/read •Microsoft.ADHybridHealthService/addsservices/forestsummary/read •Microsoft.ADHybridHealthService/addsservices/metricmetadata/read •Microsoft.ADHybridHealthService/addsservices/metrics/groups/read •Microsoft.ADHybridHealthService/addsservices/premiumcheck/read •Microsoft.ADHybridHealthService/addsservices/read •Microsoft.ADHybridHealthService/addsservices/replicationdetails/read •Microsoft.ADHybridHealthService/addsservices/replicationstatus/read •Microsoft.ADHybridHealthService/addsservices/replicationsummary/read •Microsoft.ADHybridHealthService/addsservices/servicemembers/action •Microsoft.ADHybridHealthService/addsservices/servicemembers/credentials/read •Microsoft.ADHybridHealthService/addsservices/servicemembers/delete •Microsoft.ADHybridHealthService/addsservices/write •Microsoft.ADHybridHealthService/configuration/action •Microsoft.ADHybridHealthService/configuration/read •Microsoft.ADHybridHealthService/configuration/write •Microsoft.ADHybridHealthService/services/action •Microsoft.ADHybridHealthService/services/alerts/read •Microsoft.ADHybridHealthService/services/checkservicefeatureavailibility/read •Microsoft.ADHybridHealthService/services/delete •Microsoft.ADHybridHealthService/services/exporterrors/read •Microsoft.ADHybridHealthService/services/exportstatus/read •Microsoft.ADHybridHealthService/services/feedbacktype/feedback/read •Microsoft.ADHybridHealthService/services/ipAddressAggregates/read •Microsoft.ADHybridHealthService/services/ipAddressAggregateSettings/read •Microsoft.ADHybridHealthService/services/ipAddressAggregateSettings/write •Microsoft.ADHybridHealthService/services/metricmetadata/read •Microsoft.ADHybridHealthService/services/metrics/groups/average/read •Microsoft.ADHybridHealthService/services/metrics/groups/read •Microsoft.ADHybridHealthService/services/metrics/groups/sum/read •Microsoft.ADHybridHealthService/services/monitoringconfiguration/write •Microsoft.ADHybridHealthService/services/monitoringconfigurations/read •Microsoft.ADHybridHealthService/services/monitoringconfigurations/write •Microsoft.ADHybridHealthService/services/premiumcheck/read •Microsoft.ADHybridHealthService/services/read •Microsoft.ADHybridHealthService/services/reports/blobUris/read •Microsoft.ADHybridHealthService/services/reports/details/read •Microsoft.ADHybridHealthService/services/reports/generateBlobUri/action •Microsoft.ADHybridHealthService/services/servicemembers/action •Microsoft.ADHybridHealthService/services/servicemembers/alerts/read •Microsoft.ADHybridHealthService/services/servicemembers/credentials/read •Microsoft.ADHybridHealthService/services/servicemembers/datafreshness/read •Microsoft.ADHybridHealthService/services/servicemembers/delete •Microsoft.ADHybridHealthService/services/servicemembers/exportstatus/read •Microsoft.ADHybridHealthService/services/servicemembers/metrics/groups/read •Microsoft.ADHybridHealthService/services/servicemembers/metrics/read •Microsoft.ADHybridHealthService/services/servicemembers/read •Microsoft.ADHybridHealthService/services/servicemembers/serviceconfiguration/read •Microsoft.ADHybridHealthService/services/tenantwhitelisting/read •Microsoft.ADHybridHealthService/services/write | ||||
| 1e241071-0855-49ea-94dc-649edcd759de | EventGrid Contributor | Lets you manage EventGrid operations. | Integration | False |
00254 effective control plane operations (unique) •action: 57 •delete: 37 •read: 116 •write: 44 |
Actions: 006 resolved operations: 254 effective operations: 254 •action: 57 •delete: 37 •read: 116 •write: 44 •Microsoft.Authorization/*/read •Microsoft.EventGrid/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 009 •Configure Azure Event Grid domains to disable local authentication •Configure Azure Event Grid namespace MQTT broker with private endpoints •Configure Azure Event Grid namespaces with private endpoints •Configure Azure Event Grid partner namespaces to disable local authentication •Configure Azure Event Grid topics to disable local authentication •Deploy - Configure Azure Event Grid domains with private endpoints •Deploy - Configure Azure Event Grid topics with private endpoints •Modify - Configure Azure Event Grid domains to disable public network access •Modify - Configure Azure Event Grid topics to disable public network access | |||
| 1d8c3fe3-8864-474b-8749-01e3783e8157 | EventGrid Data Contributor | Allows send and receive access to event grid events. | None | False |
00042 effective control plane and data plane operations (unique) •action: 2 •read: 40 |
Actions: 010 resolved operations: 40 effective operations: 40 •read: 40 •Microsoft.Authorization/*/read •Microsoft.EventGrid/domains/read •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/locations/eventSubscriptions/read •Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read •Microsoft.EventGrid/namespaces/read •Microsoft.EventGrid/partnerNamespaces/read •Microsoft.EventGrid/topics/read •Microsoft.EventGrid/topicTypes/eventSubscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.EventGrid/events/receive/action •Microsoft.EventGrid/events/send/action | |||
| 78cbd9e7-9798-4e2e-9b5a-547d9ebb31fb | EventGrid Data Receiver | Allows receive access to event grid events. | None | False |
00038 effective control plane and data plane operations (unique) •action: 1 •read: 37 |
Actions: 007 resolved operations: 37 effective operations: 37 •read: 37 •Microsoft.Authorization/*/read •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/locations/eventSubscriptions/read •Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read •Microsoft.EventGrid/namespaces/read •Microsoft.EventGrid/topicTypes/eventSubscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventGrid/events/receive/action | |||
| d5a91429-5739-47e2-a06b-3470a27159e7 | EventGrid Data Sender | Allows send access to event grid events. | Integration | False |
00037 effective control plane and data plane operations (unique) •action: 1 •read: 36 |
Actions: 006 resolved operations: 36 effective operations: 36 •read: 36 •Microsoft.Authorization/*/read •Microsoft.EventGrid/domains/read •Microsoft.EventGrid/namespaces/read •Microsoft.EventGrid/partnerNamespaces/read •Microsoft.EventGrid/topics/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventGrid/events/send/action | |||
| 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 | EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. | Integration | False |
00069 effective control plane operations (unique) •action: 12 •delete: 3 •read: 49 •write: 5 |
Actions: 009 resolved operations: 69 effective operations: 69 •action: 12 •delete: 3 •read: 49 •write: 5 •Microsoft.Authorization/*/read •Microsoft.EventGrid/eventSubscriptions/* •Microsoft.EventGrid/locations/eventSubscriptions/read •Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read •Microsoft.EventGrid/topicTypes/eventSubscriptions/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 2414bbcf-6497-4faf-8c65-045460748405 | EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. | Integration | False |
00036 effective control plane operations (unique) •read: 36 |
Actions: 006 resolved operations: 36 effective operations: 36 •read: 36 •Microsoft.Authorization/*/read •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/locations/eventSubscriptions/read •Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read •Microsoft.EventGrid/topicTypes/eventSubscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a12b0b94-b317-4dcd-84a8-502ce99884c6 | EventGrid TopicSpaces Publisher | Lets you publish messages on topicspaces. | Integration | False |
00122 effective control plane and data plane operations (unique) •action: 8 •Delete: 2 •read: 110 •Write: 2 |
Actions: 005 resolved operations: 121 effective operations: 121 •Action: 7 •Delete: 2 •read: 110 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.EventGrid/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventGrid/topicSpaces/publish/action | |||
| 4b0f2fd7-60b4-4eca-896f-4435034f8bf5 | EventGrid TopicSpaces Subscriber | Lets you subscribe messages on topicspaces. | Integration | False |
00122 effective control plane and data plane operations (unique) •action: 8 •Delete: 2 •read: 110 •Write: 2 |
Actions: 005 resolved operations: 121 effective operations: 121 •Action: 7 •Delete: 2 •read: 110 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.EventGrid/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.EventGrid/topicSpaces/subscribe/action | |||
| 7f646f1b-fa08-80eb-a33b-edd6ce5c915c | Experimentation Administrator | Experimentation Administrator | None | False |
00014 effective control plane and data plane operations (unique) •action: 7 •delete: 2 •read: 3 •write: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Experimentation/experimentWorkspaces/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 013 resolved data operations: 13 effective data operations: 13 •action: 7 •delete: 2 •read: 2 •write: 2 •Microsoft.Experimentation/experimentWorkspaces/admin/action •Microsoft.Experimentation/experimentWorkspaces/delete •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/admin/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experimentadmin/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write •Microsoft.Experimentation/experimentWorkspaces/metricwrite/action •Microsoft.Experimentation/experimentWorkspaces/read •Microsoft.Experimentation/experimentWorkspaces/write | |||
| 7f646f1b-fa08-80eb-a22b-edd6ce5c915c | Experimentation Contributor | Experimentation Contributor | None | False |
00009 effective control plane and data plane operations (unique) •action: 2 •delete: 2 •read: 3 •write: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Experimentation/experimentWorkspaces/read •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 008 resolved data operations: 8 effective data operations: 8 •action: 2 •delete: 2 •read: 2 •write: 2 •Microsoft.Experimentation/experimentWorkspaces/delete •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/delete •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/emergencystop/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/experiment/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/write •Microsoft.Experimentation/experimentWorkspaces/read •Microsoft.Experimentation/experimentWorkspaces/write | |||
| 6188b7c9-7d01-4f99-a59f-c88b630326c0 | Experimentation Metric Contributor | Allows for creation, writes and reads to the metric set via the metrics service APIs. | None | False |
00004 effective control plane and data plane operations (unique) •action: 2 •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Experimentation/experimentWorkspaces/read |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 2 •read: 2 •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/metricwrite/action •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read •Microsoft.Experimentation/experimentWorkspaces/metricwrite/action •Microsoft.Experimentation/experimentWorkspaces/read | |||
| 49632ef5-d9ac-41f4-b8e7-bbe587fa74a1 | Experimentation Reader | Experimentation Reader | None | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Experimentation/experimentWorkspaces/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.Experimentation/experimentWorkspaces/experimentationGroups/read •Microsoft.Experimentation/experimentWorkspaces/read | |||
| 548d7e7c-65ee-412b-ae37-2dbb419d4207 | Experimentation Resource Admin | Experimentation Resource Admin | None | False |
00007 effective control plane operations (unique) •delete: 1 •read: 4 •write: 2 |
Actions: 001 resolved operations: 7 effective operations: 7 •delete: 1 •read: 4 •write: 2 •Microsoft.Experimentation/* | ||||
| 804db8d3-32c7-4ad4-a975-3f6f90d5f5f5 | FHIR Data Bulk Operator | Role allows user or principal to perform bulk operations | None | False |
00016 effective data plane operations (unique) •action: 10 •delete: 2 •read: 2 •write: 2 |
DataActions: 016 resolved data operations: 16 effective data operations: 16 •action: 10 •delete: 2 •read: 2 •write: 2 •Microsoft.HealthcareApis/services/fhir/resources/bulkOperator/action •Microsoft.HealthcareApis/services/fhir/resources/delete •Microsoft.HealthcareApis/services/fhir/resources/export/action •Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action •Microsoft.HealthcareApis/services/fhir/resources/import/action •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/services/fhir/resources/reindex/action •Microsoft.HealthcareApis/services/fhir/resources/write •Microsoft.HealthcareApis/workspaces/fhirservices/resources/bulkOperator/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete •Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/write | ||||
| 5a1fc7df-4bf1-4951-a576-89034ee01acd | FHIR Data Contributor | Role allows user or principal full access to FHIR Data | Integration | False |
00024 effective data plane operations (unique) •action: 18 •delete: 2 •read: 2 •write: 2 |
DataActions: 002 resolved data operations: 26 effective data operations: 24 •action: 18 •delete: 2 •read: 2 •write: 2 •Microsoft.HealthcareApis/services/fhir/resources/* •Microsoft.HealthcareApis/workspaces/fhirservices/resources/* |
NotDataActions: 002 resolved not data operations: 2 effective not data operations: 3547 •Microsoft.HealthcareApis/services/fhir/resources/smart/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action | |||
| a1705bd2-3a8f-45a5-8683-466fcfd5cc24 | FHIR Data Converter | Role allows user or principal to convert data from legacy format to FHIR | Integration | False |
00002 effective data plane operations (unique) •action: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.HealthcareApis/services/fhir/resources/convertData/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action | ||||
| 3db33094-8700-4567-8da5-1501d4e7e843 | FHIR Data Exporter | Role allows user or principal to read and export FHIR Data | Integration | False |
00004 effective data plane operations (unique) •action: 2 •read: 2 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 2 •read: 2 •Microsoft.HealthcareApis/services/fhir/resources/export/action •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | ||||
| 4465e953-8ced-4406-a58e-0f6e3f3b530b | FHIR Data Importer | Role allows user or principal to read and import FHIR Data | Integration | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | ||||
| 4c8d0bbc-75d3-4935-991f-5f3c56d81508 | FHIR Data Reader | Role allows user or principal to read FHIR Data | Integration | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read | ||||
| 3f88fce4-5892-4214-ae73-ba5294559913 | FHIR Data Writer | Role allows user or principal to read and write FHIR Data | Integration | False |
00018 effective data plane operations (unique) •action: 12 •delete: 2 •read: 2 •write: 2 |
DataActions: 018 resolved data operations: 18 effective data operations: 18 •action: 12 •delete: 2 •read: 2 •write: 2 •Microsoft.HealthcareApis/services/fhir/resources/convertData/action •Microsoft.HealthcareApis/services/fhir/resources/delete •Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action •Microsoft.HealthcareApis/services/fhir/resources/export/action •Microsoft.HealthcareApis/services/fhir/resources/import/action •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/services/fhir/resources/reindex/action •Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action •Microsoft.HealthcareApis/services/fhir/resources/write •Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete •Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/write | ||||
| 4ba50f17-9666-485c-a643-ff00808643f0 | FHIR SMART User | Role allows user to access FHIR Service according to SMART on FHIR specification | Integration | False |
00004 effective data plane operations (unique) •action: 2 •read: 2 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 2 •read: 2 •Microsoft.HealthcareApis/services/fhir/resources/read •Microsoft.HealthcareApis/services/fhir/resources/smart/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action | ||||
| 9c1607d1-791d-4c68-885d-c7b7aaff7c8a | Firmware Analysis Admin | Upload and analyze firmware images in Defender for IoT | Internet of Things | False |
00096 effective control plane operations (unique) •action: 35 •delete: 5 •read: 50 •write: 6 |
Actions: 004 resolved operations: 96 effective operations: 96 •action: 35 •delete: 5 •read: 50 •write: 6 •Microsoft.Authorization/*/read •Microsoft.IoTFirmwareDefense/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 61eb6405-5f4a-440b-ad03-fe06c5c85e44 | Flux Configurations Contributor | Can create, update, get, list and delete Flux Configurations | None | False |
00052 effective control plane operations (unique) •Action: 7 •Delete: 3 •read: 39 •Write: 3 |
Actions: 008 resolved operations: 52 effective operations: 52 •Action: 7 •Delete: 3 •read: 39 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KubernetesConfiguration/fluxConfigurations/delete •Microsoft.KubernetesConfiguration/fluxConfigurations/operations/read •Microsoft.KubernetesConfiguration/fluxConfigurations/read •Microsoft.KubernetesConfiguration/fluxConfigurations/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| c9c97b9c-105d-4bb5-a2a7-7d15666c2484 | GeoCatalog Administrator | Grants full access to manage GeoCatalogs, but does not allow you to assign roles in Azure RBAC. | None | False |
00052 effective control plane operations (unique) •Action: 7 •Delete: 3 •read: 39 •Write: 3 |
Actions: 006 resolved operations: 52 effective operations: 52 •Action: 7 •Delete: 3 •read: 39 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Orbital/geoCatalogs/* •Microsoft.Orbital/operations/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b7b8f583-43d0-40ae-b147-6b46f53661c1 | GeoCatalog Reader | View GeoCatalogs, but does not allow you to make any changes. | None | False |
00050 effective control plane operations (unique) •Action: 7 •Delete: 2 •read: 39 •Write: 2 |
Actions: 006 resolved operations: 50 effective operations: 50 •Action: 7 •Delete: 2 •read: 39 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Orbital/geoCatalogs/read •Microsoft.Orbital/operations/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 22926164-76b3-42b3-bc55-97df8dab3e41 | Grafana Admin | Manage server-wide settings and manage access to resources such as organizations, users, and licenses. | Monitor | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action | ||||
| a79a5197-3a5c-4973-a920-486035ffd60f | Grafana Editor | Create, edit, delete, or view dashboards; create, edit, or delete folders; and edit or view playlists. | Monitor | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action | ||||
| 41e04612-9dac-4699-a02b-c82ff2cc3fb5 | Grafana Limited Viewer | View home page. | Monitor | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Dashboard/grafana/ActAsGrafanaLimitedViewer/action | ||||
| 60921a7e-fef1-4a43-9b16-a26c52ad4769 | Grafana Viewer | View dashboards, playlists, and query data sources. | Monitor | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action | ||||
| b60367af-1334-4454-b71e-769d9a4f83d9 | Graph Owner | Create and manage all aspects of the Enterprise Graph - Ontology, Schema mapping, Conflation and Conversational AI and Ingestions | None | False |
00014 effective control plane operations (unique) •delete: 1 •read: 7 •write: 6 |
Actions: 014 resolved operations: 14 effective operations: 14 •delete: 1 •read: 7 •write: 6 •Microsoft.EnterpriseKnowledgeGraph/operations/read •Microsoft.EnterpriseKnowledgeGraph/services/conflation/read •Microsoft.EnterpriseKnowledgeGraph/services/conflation/write •Microsoft.EnterpriseKnowledgeGraph/services/delete •Microsoft.EnterpriseKnowledgeGraph/services/ingestion/read •Microsoft.EnterpriseKnowledgeGraph/services/ingestion/write •Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/read •Microsoft.EnterpriseKnowledgeGraph/services/intentclassification/write •Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read •Microsoft.EnterpriseKnowledgeGraph/services/knowledge/write •Microsoft.EnterpriseKnowledgeGraph/services/ontology/read •Microsoft.EnterpriseKnowledgeGraph/services/ontology/write •Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/read •Microsoft.EnterpriseKnowledgeGraph/services/sourceschema/write | ||||
| 2016c9ed-c18d-4120-93d7-178e583efe92 | Grounding with Bing User | Enable Approved Microsoft Applications to connect to Bing to retrieve and ground responses using real-time data | None | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Bing/accounts/useGrounding/action | ||||
| d0f495dc-44ef-4140-aeb0-b89110e6a7c1 | GroupQuota Reader | Read GroupQuota requests, get GroupQuota request status, and get groupQuotaLimits. | None | False |
00040 effective control plane operations (unique) •action: 1 •read: 39 |
Actions: 010 resolved operations: 40 effective operations: 40 •action: 1 •read: 39 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Quota/GROUPQUOTAS/groupQuotaLimits/READ •Microsoft.Quota/GROUPQUOTAS/quotaAllocations/READ •Microsoft.Quota/GROUPQUOTAS/READ •Microsoft.Quota/GROUPQUOTAS/subscriptions/READ •MICROSOFT.QUOTA/QUOTAREQUESTS/READ •MICROSOFT.QUOTA/QUOTAS/READ •MICROSOFT.QUOTA/REGISTER/ACTION •MICROSOFT.QUOTA/USAGES/READ | ||||
| e2217c0e-04bb-4724-9580-91cf9871bc01 | GroupQuota Request Operator | Read and create GroupQuota requests, get GroupQuota request status, and get groupQuotaLimits. | None | False |
00046 effective control plane operations (unique) •action: 1 •delete: 1 •read: 40 •write: 4 |
Actions: 010 resolved operations: 46 effective operations: 46 •action: 1 •delete: 1 •read: 40 •write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.Quota/GROUPQUOTAS/*/DELETE •Microsoft.Quota/GROUPQUOTAS/*/READ •Microsoft.Quota/GROUPQUOTAS/*/WRITE •MICROSOFT.QUOTA/QUOTAREQUESTS/READ •MICROSOFT.QUOTA/QUOTAS/READ •MICROSOFT.QUOTA/QUOTAS/WRITE •MICROSOFT.QUOTA/REGISTER/ACTION •MICROSOFT.QUOTA/USAGES/READ | ||||
| ed2561a6-b260-4d25-9d88-54ee1b8e8b37 | Guest configuration deploy policy role | Lets you deploy guest configuration policy on to machines under a subscription or resource group. | None | False |
00002 effective control plane operations (unique) •read: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/write | ||||
| 088ab73d-1256-47ae-bea9-9de8e7131f31 | Guest Configuration Resource Contributor | Lets you read, write Guest Configuration Resource. | None | False |
00012 effective control plane operations (unique) •action: 4 •delete: 1 •read: 5 •write: 2 |
Actions: 004 resolved operations: 12 effective operations: 12 •action: 4 •delete: 1 •read: 5 •write: 2 •Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/read •Microsoft.GuestConfiguration/guestConfigurationAssignments/write •Microsoft.Resources/deployments/* |
count: 007 •[Preview]: Configure SSH security posture for Windows •[Preview]: Configure Windows Server to disable local users. •[Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended. •Configure Linux Server to disable local users. •Configure SSH security posture for Linux (powered by OSConfig) •Configure time zone on Windows machines. •Local authentication methods should be disabled on Linux machines | |||
| 0847e196-2fd2-4c2f-a48c-fca6fd030f44 | HDInsight Cluster Admin | Can read, create, modify and delete HDInsight clusters, configuration, extensions, etc. | None | False |
00048 effective control plane operations (unique) •action: 14 •delete: 4 •read: 26 •write: 4 |
Actions: 048 resolved operations: 48 effective operations: 48 •action: 14 •delete: 4 •read: 26 •write: 4 •MICROSOFT.HDINSIGHT/CLUSTERS/APPLICATIONS/DELETE •MICROSOFT.HDINSIGHT/CLUSTERS/APPLICATIONS/READ •MICROSOFT.HDINSIGHT/CLUSTERS/APPLICATIONS/WRITE •MICROSOFT.HDINSIGHT/CLUSTERS/AZUREASYNCOPERATIONS/READ •MICROSOFT.HDINSIGHT/CLUSTERS/CONFIGURATIONS/ACTION •MICROSOFT.HDINSIGHT/CLUSTERS/CONFIGURATIONS/READ •MICROSOFT.HDINSIGHT/CLUSTERS/DELETE •MICROSOFT.HDINSIGHT/CLUSTERS/EXECUTESCRIPTACTIONS/ACTION •MICROSOFT.HDINSIGHT/CLUSTERS/EXTENSIONS/DELETE •MICROSOFT.HDINSIGHT/CLUSTERS/EXTENSIONS/READ •MICROSOFT.HDINSIGHT/CLUSTERS/EXTENSIONS/WRITE •MICROSOFT.HDINSIGHT/CLUSTERS/GETGATEWAYSETTINGS/ACTION •MICROSOFT.HDINSIGHT/CLUSTERS/LISTHOSTS/ACTION •MICROSOFT.HDINSIGHT/CLUSTERS/OPERATIONRESULTS/READ •MICROSOFT.HDINSIGHT/CLUSTERS/PRIVATEENDPOINTCONNECTIONS/READ •MICROSOFT.HDINSIGHT/CLUSTERS/PRIVATELINKRESOURCES/READ •MICROSOFT.HDINSIGHT/CLUSTERS/READ •MICROSOFT.HDINSIGHT/CLUSTERS/RESOLVEPRIVATELINKSERVICEID/ACTION •MICROSOFT.HDINSIGHT/CLUSTERS/RESTARTHOSTS/ACTION •MICROSOFT.HDINSIGHT/CLUSTERS/ROLES/AUTOSCALE/ACTION •MICROSOFT.HDINSIGHT/CLUSTERS/ROLES/RESIZE/ACTION •MICROSOFT.HDINSIGHT/CLUSTERS/SCRIPTACTIONS/DELETE •MICROSOFT.HDINSIGHT/CLUSTERS/SCRIPTACTIONS/READ •MICROSOFT.HDINSIGHT/CLUSTERS/SCRIPTEXECUTIONHISTORY/PROMOTE/ACTION •MICROSOFT.HDINSIGHT/CLUSTERS/SCRIPTEXECUTIONHISTORY/READ •MICROSOFT.HDINSIGHT/CLUSTERS/UPDATEGATEWAYSETTINGS/ACTION •MICROSOFT.HDINSIGHT/CLUSTERS/WRITE •MICROSOFT.HDINSIGHT/LOCATIONS/AVAILABLECLUSTERVERSIONS/READ •MICROSOFT.HDINSIGHT/LOCATIONS/AZUREASYNCOPERATIONS/READ •MICROSOFT.HDINSIGHT/LOCATIONS/BILLINGSPECS/READ •MICROSOFT.HDINSIGHT/LOCATIONS/CAPABILITIES/READ •MICROSOFT.HDINSIGHT/LOCATIONS/CHECKNAMEAVAILABILITY/ACTION •MICROSOFT.HDINSIGHT/LOCATIONS/OPERATIONRESULTS/READ •MICROSOFT.HDINSIGHT/LOCATIONS/OPERATIONSTATUSES/READ •MICROSOFT.HDINSIGHT/LOCATIONS/OPERATIONSTATUSES/WRITE •MICROSOFT.HDINSIGHT/LOCATIONS/USAGES/READ •MICROSOFT.HDINSIGHT/LOCATIONS/VALIDATECREATEREQUEST/ACTION •MICROSOFT.HDINSIGHT/OPERATIONS/READ •MICROSOFT.HDINSIGHT/REGISTER/ACTION •MICROSOFT.HDINSIGHT/RESOURCETYPES/READ •MICROSOFT.HDINSIGHT/UNREGISTER/ACTION •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 61ed4efc-fab3-44fd-b111-e24485cc132a | HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. | Analytics | False |
00091 effective control plane operations (unique) •action: 9 •Delete: 1 •read: 79 •Write: 2 |
Actions: 009 resolved operations: 91 effective operations: 91 •action: 9 •Delete: 1 •read: 79 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.HDInsight/*/read •Microsoft.HDInsight/clusters/configurations/* •Microsoft.HDInsight/clusters/getGatewaySettings/action •Microsoft.HDInsight/clusters/updateGatewaySettings/action •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 8d8d5a11-05d3-4bda-a417-a08778121c7c | HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package | Analytics | False |
00010 effective control plane operations (unique) •delete: 1 •read: 8 •write: 1 |
Actions: 003 resolved operations: 10 effective operations: 10 •delete: 1 •read: 8 •write: 1 •Microsoft.AAD/*/read •Microsoft.AAD/domainServices/*/read •Microsoft.AAD/domainServices/oucontainer/* | ||||
| fd036e6b-1266-47a0-b0bb-a05d04831731 | HDInsight on AKS Cluster Admin | Grants a user/group the ability to create, delete and manage clusters within a given cluster pool. Cluster Admin can also run workloads, monitor, and manage all user activity on these clusters. | Analytics | False |
00065 effective control plane operations (unique) •action: 10 •delete: 2 •read: 50 •write: 3 |
Actions: 035 resolved operations: 65 effective operations: 65 •action: 10 •delete: 2 •read: 50 •write: 3 •Microsoft.Authorization/*/read •Microsoft.HDInsight/clusterPools/clusters/availableupgrades/read •Microsoft.HDInsight/clusterPools/clusters/delete •Microsoft.HDInsight/clusterpools/clusters/instanceviews/read •Microsoft.HDInsight/clusterPools/clusters/jobs/read •Microsoft.HDInsight/clusterPools/clusters/libraries/read •Microsoft.HDInsight/clusterPools/clusters/managelibraries/action •Microsoft.HDInsight/clusterPools/clusters/read •Microsoft.HDInsight/clusterPools/clusters/resize/action •Microsoft.HDInsight/clusterPools/clusters/rollback/action •Microsoft.HDInsight/clusterPools/clusters/runjob/action •Microsoft.HDInsight/clusterpools/clusters/serviceconfigs/read •Microsoft.HDInsight/clusterPools/clusters/upgrade/action •Microsoft.HDInsight/clusterPools/clusters/upgradehistories/read •Microsoft.HDInsight/clusterPools/clusters/write •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/logs/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/*/read •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| bcf28286-af25-4c81-bb6f-351fcab5dbe9 | HDInsight on AKS Cluster Operator | Grants a user/group the ability to read cluster configurations, resize clusters and run jobs | None | False |
00028 effective control plane operations (unique) •action: 6 •Delete: 1 •read: 20 •Write: 1 |
Actions: 028 resolved operations: 28 effective operations: 28 •action: 6 •Delete: 1 •read: 20 •Write: 1 •Microsoft.HDInsight/clusterPools/clusters/availableupgrades/read •Microsoft.HDInsight/clusterpools/clusters/instanceviews/read •Microsoft.HDInsight/clusterPools/clusters/jobs/read •Microsoft.HDInsight/clusterPools/clusters/libraries/read •Microsoft.HDInsight/clusterPools/clusters/managelibraries/action •Microsoft.Hdinsight/clusterpools/clusters/read •Microsoft.HDInsight/clusterPools/clusters/resize/action •Microsoft.HDInsight/clusterPools/clusters/runjob/action •Microsoft.HDInsight/clusterpools/clusters/serviceconfigs/read •Microsoft.HDInsight/clusterPools/clusters/upgradehistories/read •Microsoft.HDInsight/clusterPools/read •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/diagnosticSettings/read •Microsoft.Insights/logs/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 7656b436-37d4-490a-a4ab-d39f838f0042 | HDInsight on AKS Cluster Pool Admin | Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters | Analytics | False |
00059 effective control plane operations (unique) •action: 6 •delete: 2 •read: 47 •write: 4 |
Actions: 030 resolved operations: 59 effective operations: 59 •action: 6 •delete: 2 •read: 47 •write: 4 •Microsoft.Authorization/*/read •Microsoft.HDInsight/clusterpools/availableupgrades/read •Microsoft.HDInsight/clusterPools/clusters/read •Microsoft.HDInsight/clusterPools/clusters/write •Microsoft.HDInsight/clusterPools/delete •Microsoft.HDInsight/clusterPools/read •Microsoft.HDInsight/clusterpools/upgrade/action •Microsoft.HDInsight/clusterPools/upgradehistories/read •Microsoft.HDInsight/clusterPools/write •Microsoft.Insights/AlertRules/Activated/Action •Microsoft.Insights/AlertRules/Delete •Microsoft.Insights/AlertRules/Incidents/Read •Microsoft.Insights/AlertRules/Read •Microsoft.Insights/AlertRules/Resolved/Action •Microsoft.Insights/AlertRules/Throttled/Action •Microsoft.Insights/AlertRules/Write •Microsoft.Insights/logs/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/*/read •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read •Microsoft.Resources/subscriptions/resourcegroups/deployments/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 566f0da3-e2a5-4393-9089-763f8bab8fb6 | Health Safeguards Data User | Allows processing of health data in all available Health Safeguards | None | False |
00008 effective data plane operations (unique) •Action: 8 |
DataActions: 008 resolved data operations: 8 effective data operations: 8 •Action: 8 •Microsoft.HealthBot/healthBots/HealthSafeguards/ClinicalAnchoring/Process/Action •Microsoft.HealthBot/healthBots/HealthSafeguards/ClinicalCodesValidation/Process/Action •Microsoft.HealthBot/healthBots/HealthSafeguards/ClinicalConflictDetection/Process/Action •Microsoft.HealthBot/healthBots/HealthSafeguards/ClinicalEvidenceVerification/Process/Action •Microsoft.HealthBot/healthBots/HealthSafeguards/ClinicalProvenance/Process/Action •Microsoft.HealthBot/healthBots/HealthSafeguards/ClinicalSemanticValidation/Process/Action •Microsoft.HealthBot/healthBots/HealthSafeguards/DetectHallucinationsAndOmissions/Process/Action •Microsoft.HealthBot/healthBots/HealthSafeguards/HealthAdaptedFiltering/Process/Action | ||||
| f1082fec-a70f-419f-9230-885d2550fb38 | Healthcare Agent Admin | Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets. | AI + machine learning | False |
00067 effective data plane operations (unique) •Action: 17 •Delete: 13 •Read: 24 •Write: 13 |
DataActions: 001 resolved data operations: 75 effective data operations: 67 •Action: 17 •Delete: 13 •Read: 24 •Write: 13 •Microsoft.HealthBot/healthBots/* |
NotDataActions: 001 resolved not data operations: 8 effective not data operations: 3504 •Microsoft.HealthBot/healthBots/HealthSafeguards/* | |||
| af854a69-80ce-4ff7-8447-f1118a2e0ca8 | Healthcare Agent Editor | Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels. |
AI + machine learning | False |
00042 effective data plane operations (unique) •Action: 7 •Delete: 8 •Read: 18 •Write: 9 |
DataActions: 001 resolved data operations: 75 effective data operations: 42 •Action: 7 •Delete: 8 •Read: 18 •Write: 9 •Microsoft.HealthBot/healthBots/* |
NotDataActions: 002 resolved not data operations: 33 effective not data operations: 3529 •Microsoft.HealthBot/healthBots/Admin/* •Microsoft.HealthBot/healthBots/HealthSafeguards/* | |||
| eb5a76d5-50e7-4c33-a449-070e7c9c4cf2 | Healthcare Agent Reader | Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). |
AI + machine learning | False |
00019 effective data plane operations (unique) •Action: 1 •Read: 18 |
DataActions: 002 resolved data operations: 25 effective data operations: 19 •Action: 1 •Read: 18 •Microsoft.HealthBot/healthBots/*/Read •Microsoft.HealthBot/healthBots/Reader/Action |
NotDataActions: 002 resolved not data operations: 33 effective not data operations: 3552 •Microsoft.HealthBot/healthBots/Admin/* •Microsoft.HealthBot/healthBots/HealthSafeguards/* | |||
| 29f61507-bdfb-4987-b629-20033be2d6c3 | Healthcare Apis contributor | Allows all actions on healthcareapis provider resources | None | False |
00104 effective control plane operations (unique) •action: 9 •delete: 14 •read: 63 •write: 18 |
Actions: 006 resolved operations: 104 effective operations: 104 •action: 9 •delete: 14 •read: 63 •write: 18 •Microsoft.Authorization/*/read •Microsoft.HealthcareApis/services/* •Microsoft.HealthcareApis/workspaces/* •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 350f8d15-c687-4448-8ae1-157740a3936d | Hierarchy Settings Administrator | Allows users to edit and delete Hierarchy Settings | Management and governance | False |
00002 effective control plane operations (unique) •delete: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •delete: 1 •write: 1 •Microsoft.Management/managementGroups/settings/delete •Microsoft.Management/managementGroups/settings/write | ||||
| 5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb | Hybrid Server Onboarding | Can onboard new Hybrid servers to the Hybrid Resource Provider. | None | False |
00002 effective control plane operations (unique) •read: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.HybridCompute/machines/read •Microsoft.HybridCompute/machines/write | ||||
| 48b40c6e-82e0-4eb3-90d5-19e40f49b624 | Hybrid Server Resource Administrator | Can read, write, delete, and re-onboard Hybrid servers to the Hybrid Resource Provider. | Hybrid + multicloud | False |
00038 effective control plane operations (unique) •action: 5 •delete: 4 •read: 25 •write: 4 |
Actions: 002 resolved operations: 38 effective operations: 38 •action: 5 •delete: 4 •read: 25 •write: 4 •Microsoft.HybridCompute/*/read •Microsoft.HybridCompute/machines/* |
count: 001 •[Preview]: Enable Extended Security Updates (ESUs) license to keep Windows 2012 machines protected after their support lifecycle has ended. | |||
| e9701b4d-e6e7-4657-91cd-360a0881d224 | HybridCompute Machine ListAccessDetails Action In-Built Role | In-Built Role definition that grants permissions to execute the listAccessDetails action on HybridCompute Machines | None | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.HybridCompute/machines/listAccessDetails/action | ||||
| 68ff5d27-c7f5-4fa9-a21c-785d0df7bd9e | Impact Reader | Allows read-only access to reported impacts and impact categories | None | False |
00002 effective control plane operations (unique) •Read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •Read: 2 •Microsoft.Impact/ImpactCategories/read •Microsoft.Impact/WorkloadImpacts/read | ||||
| 36e80216-a7e8-4f42-a7e1-f12c98cbaf8a | Impact Reporter | Allows access to create/report, read and delete impacts | None | False |
00004 effective control plane operations (unique) •Read: 3 •Write: 1 |
Actions: 002 resolved operations: 4 effective operations: 4 •Read: 3 •Write: 1 •Microsoft.Impact/ImpactCategories/read •Microsoft.Impact/WorkloadImpacts/* | ||||
| a41e2c5b-bd99-4a07-88f4-9bf657a760b8 | Integration Service Environment Contributor | Lets you manage integration service environments, but not access to them. | Integration | False |
00053 effective control plane operations (unique) •action: 5 •delete: 1 •read: 44 •write: 3 |
Actions: 003 resolved operations: 53 effective operations: 53 •action: 5 •delete: 1 •read: 44 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Logic/integrationServiceEnvironments/* •Microsoft.Support/* | ||||
| c7aa55d3-1abb-444a-a5ca-5e51e485d6ec | Integration Service Environment Developer | Allows developers to create and update workflows, integration accounts and API connections in integration service environments. | Integration | False |
00043 effective control plane operations (unique) •action: 4 •read: 38 •write: 1 |
Actions: 004 resolved operations: 43 effective operations: 43 •action: 4 •read: 38 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Logic/integrationServiceEnvironments/*/join/action •Microsoft.Logic/integrationServiceEnvironments/read •Microsoft.Support/* | ||||
| 03a6d094-3444-4b3d-88af-7477090a9e5e | Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. | Integration | False |
00059 effective control plane operations (unique) •Action: 10 •Delete: 2 •read: 44 •Write: 3 |
Actions: 007 resolved operations: 59 effective operations: 59 •Action: 10 •Delete: 2 •read: 44 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.IntelligentSystems/accounts/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 4fc6c259-987e-4a07-842e-c321cc9d413f | IoT Hub Data Contributor | Allows for full access to IoT Hub data plane operations. | Internet of Things | False |
00019 effective data plane operations (unique) •action: 7 •delete: 3 •read: 5 •write: 4 |
DataActions: 001 resolved data operations: 19 effective data operations: 19 •action: 7 •delete: 3 •read: 5 •write: 4 •Microsoft.Devices/IotHubs/* | ||||
| b447c946-2db7-41ec-983d-d8bf3b1c77e3 | IoT Hub Data Reader | Allows for full read access to IoT Hub data-plane properties | Internet of Things | False |
00006 effective data plane operations (unique) •action: 1 •read: 5 |
DataActions: 002 resolved data operations: 6 effective data operations: 6 •action: 1 •read: 5 •Microsoft.Devices/IotHubs/*/read •Microsoft.Devices/IotHubs/fileUpload/notifications/action | ||||
| 4ea46cd5-c1b2-4a8e-910b-273211f9ce47 | IoT Hub Registry Contributor | Allows for full access to IoT Hub device registry. | Internet of Things | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 001 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Devices/IotHubs/devices/* | ||||
| 494bdba2-168f-4f31-a0a1-191d2f7c028c | IoT Hub Twin Contributor | Allows for read and write access to all IoT Hub device and module twins. | Internet of Things | False |
00002 effective data plane operations (unique) •read: 1 •write: 1 |
DataActions: 001 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.Devices/IotHubs/twins/* | ||||
| 7b3e853f-ad5d-4fb5-a7b8-56a3581c7037 | IPAM Pool User | Read IPAM Pools and child resources. Create and remove associations. This role is in preview and subject to change. | None | False |
00006 effective control plane operations (unique) •action: 6 |
Actions: 003 resolved operations: 6 effective operations: 6 •action: 6 •Microsoft.Network/networkManagers/ipamPools/*/action •Microsoft.Network/networkManagers/ipamPools/*/read •Microsoft.Network/networkManagers/ipamPools/*/write | ||||
| 8d7ecc5c-f27b-43cf-883f-46409d445502 | Issue Contributor | Can read all issues data and update issues settings. | None | False |
00112 effective control plane operations (unique) •action: 18 •delete: 11 •read: 68 •write: 15 |
Actions: 005 resolved operations: 112 effective operations: 112 •action: 18 •delete: 11 •read: 68 •write: 15 •Microsoft.AlertsManagement/Issues/* •Microsoft.Authorization/*/read •Microsoft.Insights/components/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 00482a5a-887f-4fb3-b363-3b7fe8e74483 | Key Vault Administrator | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. |
Security | False |
00128 effective control plane and data plane operations (unique) •Action: 47 •Delete: 8 •read: 67 •Write: 6 |
Actions: 010 resolved operations: 77 effective operations: 77 •Action: 10 •Delete: 2 •read: 62 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/operations/read •Microsoft.KeyVault/vaults/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 001 resolved data operations: 52 effective data operations: 52 •action: 37 •delete: 6 •read: 6 •write: 3 •Microsoft.KeyVault/vaults/* | |||
| db79e9a7-68ee-4b58-9aeb-b90e7c24fcba | Key Vault Certificate User | Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | Security | False |
00004 effective data plane operations (unique) •action: 2 •read: 2 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 2 •read: 2 •Microsoft.KeyVault/vaults/certificates/read •Microsoft.KeyVault/vaults/keys/read •Microsoft.KeyVault/vaults/secrets/getSecret/action •Microsoft.KeyVault/vaults/secrets/readMetadata/action | ||||
| a4417e6f-fecd-4de8-b567-7b0420556985 | Key Vault Certificates Officer | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | Security | False |
00090 effective control plane and data plane operations (unique) •Action: 17 •Delete: 4 •read: 64 •Write: 5 |
Actions: 010 resolved operations: 77 effective operations: 77 •Action: 10 •Delete: 2 •read: 62 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/operations/read •Microsoft.KeyVault/vaults/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 003 resolved data operations: 13 effective data operations: 13 •action: 7 •delete: 2 •read: 2 •write: 2 •Microsoft.KeyVault/vaults/certificatecas/* •Microsoft.KeyVault/vaults/certificatecontacts/write •Microsoft.KeyVault/vaults/certificates/* | |||
| f25e0fa2-a7c8-4377-a976-54943a77a395 | Key Vault Contributor | Lets you manage key vaults, but not access to them. | Security | False |
00104 effective control plane operations (unique) •Action: 20 •Delete: 8 •read: 64 •Write: 12 |
Actions: 006 resolved operations: 128 effective operations: 104 •Action: 20 •Delete: 8 •read: 64 •Write: 12 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KeyVault/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
NotActions: 003 resolved not operations: 24 effective not operations: 16732 •Microsoft.KeyVault/hsmPools/* •Microsoft.KeyVault/locations/deletedVaults/purge/action •Microsoft.KeyVault/managedHsms/* |
count: 002 •Configure Azure Key Vaults with private endpoints •Configure key vaults to enable firewall | ||
| 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 | Key Vault Crypto Officer | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | Security | False |
00095 effective control plane and data plane operations (unique) •Action: 25 •Delete: 3 •read: 63 •Write: 4 |
Actions: 010 resolved operations: 77 effective operations: 77 •Action: 10 •Delete: 2 •read: 62 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/operations/read •Microsoft.KeyVault/vaults/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 002 resolved data operations: 19 effective data operations: 19 •action: 15 •delete: 1 •read: 2 •write: 1 •Microsoft.KeyVault/vaults/keyrotationpolicies/* •Microsoft.KeyVault/vaults/keys/* | |||
| e147488a-f6f5-4113-8e2d-b22465e65bf6 | Key Vault Crypto Service Encryption User | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | Security | False |
00006 effective control plane and data plane operations (unique) •action: 2 •delete: 1 •read: 2 •write: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.EventGrid/eventSubscriptions/delete •Microsoft.EventGrid/eventSubscriptions/read •Microsoft.EventGrid/eventSubscriptions/write |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •action: 2 •read: 1 •Microsoft.KeyVault/vaults/keys/read •Microsoft.KeyVault/vaults/keys/unwrap/action •Microsoft.KeyVault/vaults/keys/wrap/action | |||
| 08bbd89e-9f13-488c-ac41-acfcb10c90ab | Key Vault Crypto Service Release User | Release keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | Security | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.KeyVault/vaults/keys/release/action | ||||
| 12338af0-0e69-4776-bea7-57ae8d297424 | Key Vault Crypto User | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | Security | False |
00009 effective data plane operations (unique) •action: 8 •read: 1 |
DataActions: 009 resolved data operations: 9 effective data operations: 9 •action: 8 •read: 1 •Microsoft.KeyVault/vaults/keys/backup/action •Microsoft.KeyVault/vaults/keys/decrypt/action •Microsoft.KeyVault/vaults/keys/encrypt/action •Microsoft.KeyVault/vaults/keys/read •Microsoft.KeyVault/vaults/keys/sign/action •Microsoft.KeyVault/vaults/keys/unwrap/action •Microsoft.KeyVault/vaults/keys/update/action •Microsoft.KeyVault/vaults/keys/verify/action •Microsoft.KeyVault/vaults/keys/wrap/action | ||||
| 8b54135c-b56d-4d72-a534-26097cfdc8d8 | Key Vault Data Access Administrator | Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments. |
Security | True |
00067 effective control plane operations (unique) •action: 7 •delete: 2 •read: 55 •write: 3 |
Actions: 010 resolved operations: 67 effective operations: 67 •action: 7 •delete: 2 •read: 55 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.KeyVault/vaults/*/read •Microsoft.Management/managementGroups/read •Microsoft.Resources/deployments/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| a68e7c17-0ab2-4c09-9a58-125dae29748c | Key Vault Purge Operator | Allows permanent deletion of soft-deleted vaults. | None | False |
00052 effective control plane operations (unique) •Action: 8 •Delete: 2 •read: 40 •Write: 2 |
Actions: 008 resolved operations: 52 effective operations: 52 •Action: 8 •Delete: 2 •read: 40 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/deletedVaults/purge/action •Microsoft.KeyVault/locations/deletedVaults/read •Microsoft.KeyVault/locations/operationResults/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 21090545-7ca7-4776-b22c-e363652d74d2 | Key Vault Reader | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | Security | False |
00083 effective control plane and data plane operations (unique) •Action: 11 •Delete: 2 •read: 67 •Write: 3 |
Actions: 010 resolved operations: 77 effective operations: 77 •Action: 10 •Delete: 2 •read: 62 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/operations/read •Microsoft.KeyVault/vaults/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 002 resolved data operations: 7 effective data operations: 7 •action: 1 •read: 6 •Microsoft.KeyVault/vaults/*/read •Microsoft.KeyVault/vaults/secrets/readMetadata/action | |||
| b86a8fe4-44ce-4948-aee5-eccb2c155cd7 | Key Vault Secrets Officer | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | Security | False |
00086 effective control plane and data plane operations (unique) •Action: 18 •Delete: 3 •read: 62 •Write: 3 |
Actions: 010 resolved operations: 77 effective operations: 77 •Action: 10 •Delete: 2 •read: 62 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KeyVault/checkNameAvailability/read •Microsoft.KeyVault/deletedVaults/read •Microsoft.KeyVault/locations/*/read •Microsoft.KeyVault/operations/read •Microsoft.KeyVault/vaults/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 001 resolved data operations: 9 effective data operations: 9 •action: 8 •delete: 1 •Microsoft.KeyVault/vaults/secrets/* | |||
| 4633458b-17de-408a-b874-0445c86b69e6 | Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | Security | False |
00002 effective data plane operations (unique) •action: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.KeyVault/vaults/secrets/getSecret/action •Microsoft.KeyVault/vaults/secrets/readMetadata/action | ||||
| ee361c5d-f7b5-4119-b4b6-892157c8f64c | Knowledge Consumer | Knowledge Read permission to consume Enterprise Graph Knowledge using entity search and graph query | None | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.EnterpriseKnowledgeGraph/services/knowledge/read | ||||
| 5e93ba01-8f92-4c7a-b12a-801e3df23824 | Kubernetes Agent Operator | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | None | False |
00062 effective control plane operations (unique) •Action: 9 •delete: 3 •read: 44 •write: 6 |
Actions: 018 resolved operations: 62 effective operations: 62 •Action: 9 •delete: 3 •read: 44 •write: 6 •Microsoft.Authorization/*/read •Microsoft.ContainerService/managedClusters/read •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write •Microsoft.ContainerService/managedClusters/write •Microsoft.Insights/alertRules/* •Microsoft.OperationalInsights/workspaces/listKeys/action •Microsoft.OperationalInsights/workspaces/read •Microsoft.OperationalInsights/workspaces/sharedkeys/action •Microsoft.OperationalInsights/workspaces/sharedkeys/read •Microsoft.OperationalInsights/workspaces/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/write •Microsoft.Security/pricings/securityoperators/read |
count: 002 •[Preview]: Configure Azure Arc enabled Kubernetes clusters to install Microsoft Defender for Cloud extension •Configure Azure Kubernetes Service clusters to enable Defender profile | |||
| ada52afe-776a-4b4d-a8f2-55670d3d8178 | Kubernetes Agent Subscription Level Operator | Grants Microsoft Defender for Cloud subscription level permissions needed to activate Containers plan | None | False |
00056 effective control plane operations (unique) •Action: 9 •Delete: 2 •read: 41 •Write: 4 |
Actions: 012 resolved operations: 56 effective operations: 56 •Action: 9 •Delete: 2 •read: 41 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.OperationalInsights/workspaces/listKeys/action •Microsoft.OperationalInsights/workspaces/read •Microsoft.OperationalInsights/workspaces/sharedkeys/action •Microsoft.OperationalInsights/workspaces/sharedkeys/read •Microsoft.OperationalInsights/workspaces/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/write | ||||
| d5a2ae44-610b-4500-93be-660a0c5f5ca6 | Kubernetes Agentless Operator | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | Containers | False |
00008 effective control plane operations (unique) •action: 1 •delete: 1 •read: 5 •write: 1 |
Actions: 008 resolved operations: 8 effective operations: 8 •action: 1 •delete: 1 •read: 5 •write: 1 •Microsoft.ContainerService/managedClusters/read •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read •Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Features/providers/features/register/action •Microsoft.Security/pricings/securityoperators/read | ||||
| 34e09817-6cbe-4d01-b1a2-e0eac5743d41 | Kubernetes Cluster - Azure Arc Onboarding | Role definition to authorize any user/service to create connectedClusters resource | Containers | False |
00058 effective control plane operations (unique) •Action: 6 •Delete: 2 •read: 45 •Write: 5 |
Actions: 013 resolved operations: 58 effective operations: 58 •Action: 6 •Delete: 2 •read: 45 •Write: 5 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Kubernetes/connectedClusters/read •Microsoft.Kubernetes/connectedClusters/Write •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 002 •Configure Azure Arc Private Link Scopes with private endpoints •Configure Azure Arc-enabled Kubernetes clusters to use an Azure Arc Private Link Scope | |||
| 85cb6faf-e071-4c9b-8136-154b5a04f717 | Kubernetes Extension Contributor | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | Containers | False |
00052 effective control plane operations (unique) •Action: 7 •Delete: 3 •read: 39 •Write: 3 |
Actions: 008 resolved operations: 52 effective operations: 52 •Action: 7 •Delete: 3 •read: 39 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KubernetesConfiguration/extensions/delete •Microsoft.KubernetesConfiguration/extensions/operations/read •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.KubernetesConfiguration/extensions/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
count: 001 •Configure Azure Arc enabled Kubernetes clusters to install the Azure Policy extension | |||
| ba79058c-0414-4a34-9e42-c3399d80cd5a | Kubernetes Namespace User | Allows a user to read namespace resources and retrieve kubeconfig for the cluster | None | False |
00002 effective control plane operations (unique) •action: 1 •read: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.KubernetesConfiguration/namespaces/listUserCredential/action •Microsoft.KubernetesConfiguration/namespaces/read | ||||
| 0cd9749a-3aaf-4ae5-8803-bd217705bf3b | Kubernetes Runtime Storage Class Contributor Role | Read, write, and delete Kubernetes Runtime storage classes in an Arc connected Kubernetes cluster | None | False |
00051 effective control plane operations (unique) •Action: 7 •Delete: 3 •read: 38 •Write: 3 |
Actions: 007 resolved operations: 51 effective operations: 51 •Action: 7 •Delete: 3 •read: 38 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KubernetesRuntime/storageClasses/delete •Microsoft.KubernetesRuntime/storageClasses/read •Microsoft.KubernetesRuntime/storageClasses/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 1a5682fc-4f12-4b25-927e-e8cfed0c539e | KubernetesRuntime Load Balancer Contributor Role | Read, write, and delete load balancers in an Arc connected Kubernetes cluster | None | False |
00059 effective control plane operations (unique) •Action: 7 •Delete: 6 •read: 39 •Write: 7 |
Actions: 015 resolved operations: 59 effective operations: 59 •Action: 7 •Delete: 6 •read: 39 •Write: 7 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.KubernetesRuntime/bfdProfiles/delete •Microsoft.KubernetesRuntime/bfdProfiles/write •Microsoft.KubernetesRuntime/bgpPeers/delete •Microsoft.KubernetesRuntime/bgpPeers/read •Microsoft.KubernetesRuntime/bgpPeers/write •Microsoft.KubernetesRuntime/loadBalancers/delete •Microsoft.KubernetesRuntime/loadBalancers/read •Microsoft.KubernetesRuntime/loadBalancers/write •Microsoft.KubernetesRuntime/locations/operationStatuses/write •Microsoft.KubernetesRuntime/services/delete •Microsoft.KubernetesRuntime/services/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| ce40b423-cede-4313-a93f-9b28290b72e1 | Lab Assistant | The lab assistant role | DevOps | False |
00061 effective control plane operations (unique) •Action: 12 •Delete: 2 •read: 45 •Write: 2 |
Actions: 017 resolved operations: 61 effective operations: 61 •Action: 12 •Delete: 2 •read: 45 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/users/invite/action •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/labs/virtualMachines/redeploy/action •Microsoft.LabServices/labs/virtualMachines/reimage/action •Microsoft.LabServices/labs/virtualMachines/start/action •Microsoft.LabServices/labs/virtualMachines/stop/action •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 5daaa2af-1fe8-407c-9122-bba179798270 | Lab Contributor | The lab contributor role | DevOps | False |
00072 effective control plane and data plane operations (unique) •Action: 17 •Delete: 5 •read: 45 •Write: 5 |
Actions: 027 resolved operations: 71 effective operations: 71 •Action: 16 •Delete: 5 •read: 45 •Write: 5 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labPlans/saveImage/action •Microsoft.LabServices/labs/delete •Microsoft.LabServices/labs/publish/action •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/schedules/delete •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/schedules/write •Microsoft.LabServices/labs/syncGroup/action •Microsoft.LabServices/labs/users/delete •Microsoft.LabServices/labs/users/invite/action •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/users/write •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/labs/virtualMachines/redeploy/action •Microsoft.LabServices/labs/virtualMachines/reimage/action •Microsoft.LabServices/labs/virtualMachines/resetPassword/action •Microsoft.LabServices/labs/virtualMachines/start/action •Microsoft.LabServices/labs/virtualMachines/stop/action •Microsoft.LabServices/labs/write •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.LabServices/labPlans/createLab/action | |||
| b97fb8bc-a8b2-4522-a38b-dd33c7e65ead | Lab Creator | Lets you create new labs under your Azure Lab Accounts. | DevOps | False |
00079 effective control plane and data plane operations (unique) •Action: 15 •Delete: 2 •read: 59 •Write: 3 |
Actions: 018 resolved operations: 78 effective operations: 78 •Action: 14 •Delete: 2 •read: 59 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labAccounts/*/read •Microsoft.LabServices/labAccounts/createLab/action •Microsoft.LabServices/labAccounts/getPricingAndAvailability/action •Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labPlans/saveImage/action •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.LabServices/labPlans/createLab/action | |||
| a36e6959-b6be-4b12-8e9f-ef4b474d304d | Lab Operator | The lab operator role | DevOps | False |
00068 effective control plane operations (unique) •Action: 15 •Delete: 4 •read: 45 •Write: 4 |
Actions: 024 resolved operations: 68 effective operations: 68 •Action: 15 •Delete: 4 •read: 45 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/labPlans/images/read •Microsoft.LabServices/labPlans/read •Microsoft.LabServices/labPlans/saveImage/action •Microsoft.LabServices/labs/publish/action •Microsoft.LabServices/labs/read •Microsoft.LabServices/labs/schedules/delete •Microsoft.LabServices/labs/schedules/read •Microsoft.LabServices/labs/schedules/write •Microsoft.LabServices/labs/users/delete •Microsoft.LabServices/labs/users/invite/action •Microsoft.LabServices/labs/users/read •Microsoft.LabServices/labs/users/write •Microsoft.LabServices/labs/virtualMachines/read •Microsoft.LabServices/labs/virtualMachines/redeploy/action •Microsoft.LabServices/labs/virtualMachines/reimage/action •Microsoft.LabServices/labs/virtualMachines/resetPassword/action •Microsoft.LabServices/labs/virtualMachines/start/action •Microsoft.LabServices/labs/virtualMachines/stop/action •Microsoft.LabServices/locations/usages/read •Microsoft.LabServices/skus/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| f69b8690-cc87-41d6-b77a-a4bc3c0a966f | Lab Services Contributor | The lab services contributor role | DevOps | False |
00127 effective control plane and data plane operations (unique) •Action: 41 •Delete: 15 •read: 56 •Write: 15 |
Actions: 005 resolved operations: 126 effective operations: 126 •Action: 40 •Delete: 15 •read: 56 •Write: 15 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LabServices/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.LabServices/labPlans/createLab/action | |||
| 2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc | Lab Services Reader | The lab services reader role | DevOps | False |
00060 effective control plane operations (unique) •action: 4 •delete: 1 •read: 54 •write: 1 |
Actions: 004 resolved operations: 60 effective operations: 60 •action: 4 •delete: 1 •read: 54 •write: 1 •Microsoft.Authorization/*/read •Microsoft.LabServices/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| bf2b6809-e9a5-4aea-a6e1-40a9dc8c43a7 | Landing Zone Account Owner | Microsoft.Sovereign Landing Zone Account Owner allowing to review and modify Landing Zone Account, Landing Zone Configurations, as well as reading and adding Landing Zone Registrations. Also enables read-access to policies and management groups for enabling the full user experience of the Sovereign Services RP in the Azure Portal (as otherwise some elements might not be accessible to end users). |
None | False |
00052 effective control plane operations (unique) •action: 7 •delete: 4 •read: 37 •write: 4 |
Actions: 003 resolved operations: 52 effective operations: 52 •action: 7 •delete: 4 •read: 37 •write: 4 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Sovereign/landingZoneAccounts/* | ||||
| 2718b1f7-eb07-424e-8868-0137541392a1 | Landing Zone Account Reader | Microsoft.Sovereign Landing Zone Account Reader allowing to read Landing Zone Account, Landing Zone Configurations and Landing Zone Registrations. Also enables read-access to policies and management groups for enabling the full user experience of the Sovereign Services RP in the Azure Portal (as otherwise some elements might not be accessible to end users). |
None | False |
00002 effective control plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Sovereign/landingZoneAccounts/*/read | ||||
| 38863829-c2a4-4f8d-b1d2-2e325973ebc7 | Landing Zone Management Owner | Microsoft.Sovereign Landing Zone Management Owner allowing to review and modify Landing Zone Configurations as well as reading and adding Landing Zone Registrations. Also enables read-access to policies and management groups for enabling the full user experience of the Sovereign Services RP in the Azure Portal (as otherwise some elements might not be accessible to end users). |
None | False |
00049 effective control plane operations (unique) •action: 7 •delete: 3 •read: 36 •write: 3 |
Actions: 004 resolved operations: 49 effective operations: 49 •action: 7 •delete: 3 •read: 36 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Sovereign/landingZoneConfigurations/* •Microsoft.Sovereign/landingZoneRegistrations/* | ||||
| 8fe6e843-6d9e-417b-9073-106b048f50bb | Landing Zone Management Reader | Microsoft.Sovereign Landing Zone Management Reader allowing to review Landing Zone Configurations and corresponding Registrations without the ability to modify. Also enables read-access to policies and management groups for enabling the full user experience of the Sovereign Services RP in the Azure Portal (as otherwise some elements might not be accessible to end users). |
None | False |
00002 effective control plane operations (unique) •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 2 •Microsoft.Sovereign/landingZoneConfigurations/read •Microsoft.Sovereign/landingZoneRegistrations/read | ||||
| 225efd4d-4ca0-42a1-ae53-5f233ba23c73 | Liftr Elastic Owner | Grants full access to manage Elastic resources | None | False |
00079 effective control plane operations (unique) •action: 27 •delete: 2 •read: 44 •write: 6 |
Actions: 004 resolved operations: 79 effective operations: 79 •action: 27 •delete: 2 •read: 44 •write: 6 •Microsoft.Authorization/*/read •Microsoft.Elastic/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 749a398d-560b-491b-bb21-08924219302e | Load Test Contributor | View, create, update, delete and execute load tests. View and list load test resources but can not make any changes. | DevOps | False |
00068 effective control plane and data plane operations (unique) •Action: 13 •Delete: 4 •read: 47 •Write: 4 |
Actions: 005 resolved operations: 56 effective operations: 56 •Action: 7 •Delete: 2 •read: 45 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LoadTestService/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 003 resolved data operations: 12 effective data operations: 12 •action: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.LoadTestService/loadtests/* •Microsoft.LoadTestService/testProfileRuns/* •Microsoft.LoadTestService/testProfiles/* | |||
| 45bb0b16-2f0c-4e78-afaa-a07599b003f6 | Load Test Owner | Execute all operations on load test resources and load tests | DevOps | False |
00081 effective control plane and data plane operations (unique) •Action: 17 •Delete: 7 •read: 48 •Write: 9 |
Actions: 005 resolved operations: 67 effective operations: 67 •Action: 11 •Delete: 5 •read: 45 •Write: 6 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LoadTestService/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 14 effective data operations: 14 •action: 6 •delete: 2 •Read: 3 •Write: 3 •Microsoft.LoadTestService/* | |||
| 3ae3fb29-0000-4ccd-bf80-542e7b26e081 | Load Test Reader | View and list all load tests and load test resources but can not make any changes | DevOps | False |
00059 effective control plane and data plane operations (unique) •Action: 8 •Delete: 2 •read: 47 •Write: 2 |
Actions: 005 resolved operations: 56 effective operations: 56 •Action: 7 •Delete: 2 •read: 45 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.LoadTestService/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •action: 1 •read: 2 •Microsoft.LoadTestService/loadtests/readTest/action •Microsoft.LoadTestService/testProfileRuns/read •Microsoft.LoadTestService/testProfiles/read | |||
| a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2 | LocalNGFirewallAdministrator role | Allows user to create, modify, describe, or delete NGFirewalls. | None | False |
00088 effective control plane operations (unique) •Action: 17 •Delete: 4 •read: 60 •Write: 7 |
Actions: 028 resolved operations: 88 effective operations: 88 •Action: 17 •Delete: 4 •read: 60 •Write: 7 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metricDefinitions/read •Microsoft.Insights/metrics/read •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkVirtualAppliances/delete •Microsoft.Network/networkVirtualAppliances/read •Microsoft.Network/networkVirtualAppliances/write •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/publicIPAddresses/write •Microsoft.Network/virtualHubs/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualWans/read •Microsoft.Network/virtualWans/virtualHubs/read •Microsoft.OperationalInsights/workspaces/read •Microsoft.OperationalInsights/workspaces/sharedKeys/read •Microsoft.OperationalInsights/workspaces/write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •PaloAltoNetworks.Cloudngfw/firewalls/* •PaloAltoNetworks.Cloudngfw/globalRulestacks/read •PaloAltoNetworks.Cloudngfw/localRulestacks/read •PaloAltoNetworks.Cloudngfw/Locations/operationStatuses/read | ||||
| bfc3b73d-c6ff-45eb-9a5f-40298295bf20 | LocalRulestacksAdministrator role | Allows users to create, modify, describe, or delete Rulestacks. | None | False |
00087 effective control plane operations (unique) •Action: 23 •Delete: 7 •read: 49 •Write: 8 |
Actions: 007 resolved operations: 87 effective operations: 87 •Action: 23 •Delete: 7 •read: 49 •Write: 8 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •PaloAltoNetworks.Cloudngfw/localRulestacks/* | ||||
| 28bf596f-4eb7-45ce-b5bc-6cf482fec137 | Locks Contributor | Can Manage Locks Operations. | Security | False |
00003 effective control plane operations (unique) •delete: 1 •read: 1 •write: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Authorization/locks/delete •Microsoft.Authorization/locks/read •Microsoft.Authorization/locks/write | ||||
| 92aaf0da-9dab-42b6-94a3-d43ce8d16293 | Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources. |
Monitor | False |
07322 effective control plane operations (unique) •action: 35 •delete: 28 •read: 7225 •write: 34 |
Actions: 013 resolved operations: 7322 effective operations: 7322 •action: 35 •delete: 28 •read: 7225 •write: 34 •*/read •Microsoft.ClassicCompute/virtualMachines/extensions/* •Microsoft.ClassicStorage/storageAccounts/listKeys/action •Microsoft.Compute/virtualMachines/extensions/* •Microsoft.HybridCompute/machines/extensions/write •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.OperationalInsights/* •Microsoft.OperationsManagement/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourcegroups/deployments/* •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Support/* |
count: 504 •[Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace •[Deprecated]: Configure supported Linux Arc machines to automatically install the Azure Security agent •[Deprecated]: Configure supported Windows Arc machines to automatically install the Azure Security agent •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group •[Deprecated]: Deploy default Log Analytics Extension for Ubuntu VMs •[Deprecated]: Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below •[Deprecated]: Deploy Log Analytics extension for Linux VMs. See deprecation notice below •Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. •Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL •Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR •Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR •Configure Azure Activity logs to stream to specified Log Analytics workspace •Configure Azure Log Analytics workspaces to disable public network access for log ingestion and querying •Configure Azure SQL database servers diagnostic settings to Log Analytics workspace •Configure Dependency agent on Azure Arc enabled Linux servers •Configure Dependency agent on Azure Arc enabled Linux servers with Azure Monitoring Agent settings •Configure Dependency agent on Azure Arc enabled Windows servers •Configure Dependency agent on Azure Arc enabled Windows servers with Azure Monitoring Agent settings •Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace •Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace •Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace •Configure diagnostic settings for Blob Services to Log Analytics workspace •Configure diagnostic settings for container groups to Log Analytics workspace •Configure diagnostic settings for File Services to Log Analytics workspace •Configure diagnostic settings for Queue Services to Log Analytics workspace •Configure diagnostic settings for Storage Accounts to Log Analytics workspace •Configure diagnostic settings for Table Services to Log Analytics workspace •Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Log Analytics extension on Azure Arc enabled Linux servers. See deprecation notice below •Configure Log Analytics extension on Azure Arc enabled Windows servers •Configure SQL servers to have auditing enabled to Log Analytics workspace •Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL •Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL extension •Configure Synapse workspaces to have auditing enabled to Log Analytics workspace •Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory •Deploy - Configure Dependency agent to be enabled on Windows virtual machines •Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace •Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace •Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace •Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM •Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets •Deploy - Configure Log Analytics extension to be enabled on Windows virtual machines •Deploy Dependency agent for Linux virtual machines •Deploy Dependency agent for Linux virtual machines with Azure Monitoring Agent settings •Deploy Dependency agent to be enabled on Windows virtual machines with Azure Monitoring Agent settings •Deploy Diagnostic Settings for Batch Account to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace •Deploy Diagnostic Settings for Event Hub to Log Analytics workspace •Deploy Diagnostic Settings for Key Vault to Log Analytics workspace •Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace •Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace •Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. •Deploy Diagnostic Settings for Search Services to Log Analytics workspace •Deploy Diagnostic Settings for Service Bus to Log Analytics workspace •Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace •Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Event Hub •Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Log Analytics •Enable logging by category group for 1ES Hosted Pools (microsoft.cloudtest/hostedpools) to Storage •Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Event Hub •Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Log Analytics •Enable logging by category group for Analysis Services (microsoft.analysisservices/servers) to Storage •Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Event Hub •Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Log Analytics •Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Storage •Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub •Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics •Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage •Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Event Hub •Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics •Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Storage •Enable logging by category group for App Service (microsoft.web/sites) to Log Analytics •Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Event Hub •Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Log Analytics •Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Storage •Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Event Hub •Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics •Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Storage •Enable logging by category group for Application group (microsoft.desktopvirtualization/applicationgroups) to Log Analytics •Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Event Hub •Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Log Analytics •Enable logging by category group for Application groups (microsoft.desktopvirtualization/applicationgroups) to Storage •Enable logging by category group for Application Insights (microsoft.insights/components) to Event Hub •Enable logging by category group for Application Insights (microsoft.insights/components) to Log Analytics •Enable logging by category group for Application Insights (Microsoft.Insights/components) to Log Analytics (Virtual Enclaves) •Enable logging by category group for Application Insights (microsoft.insights/components) to Storage •Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Event Hub •Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics •Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Storage •Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Event Hub •Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics •Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Storage •Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Event Hub •Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics •Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Storage •Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Event Hub •Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Log Analytics •Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Storage •Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Event Hub •Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Log Analytics •Enable logging by category group for Azure API for FHIR (microsoft.healthcareapis/services) to Storage •Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Event Hub •Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics •Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Storage •Enable logging by category group for Azure Cosmos DB (microsoft.documentdb/databaseaccounts) to Log Analytics •Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Event Hub •Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Log Analytics •Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Storage •Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Event Hub •Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Log Analytics •Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Storage •Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Event Hub •Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Log Analytics •Enable logging by category group for Azure Database for MariaDB servers (microsoft.dbformariadb/servers) to Storage •Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Event Hub •Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Log Analytics •Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Storage •Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Event Hub •Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Log Analytics •Enable logging by category group for Azure Databricks Services (microsoft.databricks/workspaces) to Storage •Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Event Hub •Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Log Analytics •Enable logging by category group for Azure Digital Twins (microsoft.digitaltwins/digitaltwinsinstances) to Storage •Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Event Hub •Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics •Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Storage •Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Event Hub •Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Log Analytics •Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Storage •Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Event Hub •Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics •Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Storage •Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Event Hub •Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Log Analytics •Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Storage •Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Event Hub •Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Log Analytics •Enable logging by category group for Azure Spring Apps (microsoft.appplatform/spring) to Storage •Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Event Hub •Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Log Analytics •Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Storage •Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Event Hub •Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Log Analytics •Enable logging by category group for Azure Video Indexer (microsoft.videoindexer/accounts) to Storage •Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Event Hub •Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Log Analytics •Enable logging by category group for Backup vaults (microsoft.dataprotection/backupvaults) to Storage •Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Event Hub •Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics •Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Storage •Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Event Hub •Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Log Analytics •Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Storage •Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Event Hub •Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Log Analytics •Enable logging by category group for Bot Services (microsoft.botservice/botservices) to Storage •Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Event Hub •Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Log Analytics •Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Storage •Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Event Hub •Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Log Analytics •Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Storage •Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Event Hub •Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Log Analytics •Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Storage •Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Event Hub •Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics •Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Storage •Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Event Hub •Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Log Analytics •Enable logging by category group for Communication Services (microsoft.communication/communicationservices) to Storage •Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Event Hub •Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Log Analytics •Enable logging by category group for Connected Cache Resources (microsoft.connectedcache/ispcustomers) to Storage •Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Event Hub •Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Log Analytics •Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Storage •Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Event Hub •Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Log Analytics •Enable logging by category group for Container instances (microsoft.containerinstance/containergroups) to Storage •Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Event Hub •Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics •Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Storage •Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Event Hub •Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Log Analytics •Enable logging by category group for Data collection rules (microsoft.insights/datacollectionrules) to Storage •Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Event Hub •Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Log Analytics •Enable logging by category group for Data factories (V2) (microsoft.datafactory/factories) to Storage •Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Event Hub •Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Log Analytics •Enable logging by category group for Data Lake Analytics (microsoft.datalakeanalytics/accounts) to Storage •Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Event Hub •Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Log Analytics •Enable logging by category group for Data Lake Storage Gen1 (microsoft.datalakestore/accounts) to Storage •Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Event Hub •Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Log Analytics •Enable logging by category group for Data Shares (microsoft.datashare/accounts) to Storage •Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Event Hub •Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Log Analytics •Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Storage •Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Event Hub •Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Log Analytics •Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Storage •Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Event Hub •Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Log Analytics •Enable logging by category group for DICOM service (microsoft.healthcareapis/workspaces/dicomservices) to Storage •Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Event Hub •Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Log Analytics •Enable logging by category group for Endpoints (microsoft.cdn/profiles/endpoints) to Storage •Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Event Hub •Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics •Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Storage •Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Event Hub •Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics •Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Storage •Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Event Hub •Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Log Analytics •Enable logging by category group for Event Grid Partner Topics (microsoft.eventgrid/partnertopics) to Storage •Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Event Hub •Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Log Analytics •Enable logging by category group for Event Grid System Topics (microsoft.eventgrid/systemtopics) to Storage •Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Event Hub •Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics •Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Storage •Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Event Hub •Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics •Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Storage •Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Event Hub •Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Log Analytics •Enable logging by category group for Experiment Workspaces (microsoft.experimentation/experimentworkspaces) to Storage •Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Event Hub •Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Log Analytics •Enable logging by category group for ExpressRoute circuits (microsoft.network/expressroutecircuits) to Storage •Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Event Hub •Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Log Analytics •Enable logging by category group for FHIR service (microsoft.healthcareapis/workspaces/fhirservices) to Storage •Enable logging by category group for Firewall (microsoft.network/azurefirewalls) to Log Analytics •Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Event Hub •Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Log Analytics •Enable logging by category group for Firewalls (microsoft.network/azurefirewalls) to Storage •Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Event Hub •Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics •Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Storage •Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Event Hub •Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics •Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Storage •Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics •Enable logging by category group for Host pool (microsoft.desktopvirtualization/hostpools) to Log Analytics •Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Event Hub •Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Log Analytics •Enable logging by category group for Host pools (microsoft.desktopvirtualization/hostpools) to Storage •Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Event Hub •Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Log Analytics •Enable logging by category group for HPC caches (microsoft.storagecache/caches) to Storage •Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Event Hub •Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Log Analytics •Enable logging by category group for Integration accounts (microsoft.logic/integrationaccounts) to Storage •Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Event Hub •Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics •Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Storage •Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Event Hub •Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics •Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Storage •Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Event Hub •Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Log Analytics •Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Storage •Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Event Hub •Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Log Analytics •Enable logging by category group for Load balancers (microsoft.network/loadbalancers) to Storage •Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Event Hub •Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics •Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Storage •Enable logging by category group for Logic apps (microsoft.logic/workflows) to Event Hub •Enable logging by category group for Logic apps (microsoft.logic/workflows) to Log Analytics •Enable logging by category group for Logic apps (microsoft.logic/workflows) to Storage •Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Event Hub •Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Log Analytics •Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Storage •Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Event Hub •Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Log Analytics •Enable logging by category group for Managed databases (microsoft.sql/managedinstances/databases) to Storage •Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Event Hub •Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics •Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Storage •Enable logging by category group for Media Services (microsoft.media/mediaservices) to Event Hub •Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics •Enable logging by category group for Media Services (microsoft.media/mediaservices) to Storage •Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Event Hub •Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Log Analytics •Enable logging by category group for MedTech service (microsoft.healthcareapis/workspaces/iotconnectors) to Storage •Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Event Hub •Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics •Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Storage •Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Event Hub •Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Log Analytics •Enable logging by category group for microsoft.autonomousdevelopmentplatform/workspaces to Storage •Enable logging by category group for microsoft.azuresphere/catalogs to Event Hub •Enable logging by category group for microsoft.azuresphere/catalogs to Log Analytics •Enable logging by category group for microsoft.azuresphere/catalogs to Storage •Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Event Hub •Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Log Analytics •Enable logging by category group for microsoft.cdn/cdnwebapplicationfirewallpolicies to Storage •Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Event Hub •Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Log Analytics •Enable logging by category group for microsoft.classicnetwork/networksecuritygroups to Storage •Enable logging by category group for microsoft.community/communitytrainings to Event Hub •Enable logging by category group for microsoft.community/communitytrainings to Log Analytics •Enable logging by category group for microsoft.community/communitytrainings to Storage •Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Event Hub •Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Log Analytics •Enable logging by category group for microsoft.connectedcache/enterprisemcccustomers to Storage •Enable logging by category group for microsoft.customproviders/resourceproviders to Event Hub •Enable logging by category group for microsoft.customproviders/resourceproviders to Log Analytics •Enable logging by category group for microsoft.customproviders/resourceproviders to Storage •Enable logging by category group for microsoft.d365customerinsights/instances to Event Hub •Enable logging by category group for microsoft.d365customerinsights/instances to Log Analytics •Enable logging by category group for microsoft.d365customerinsights/instances to Storage •Enable logging by category group for microsoft.dbformysql/flexibleservers to Event Hub •Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics •Enable logging by category group for microsoft.dbformysql/flexibleservers to Storage •Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Event Hub •Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics •Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Storage •Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Event Hub •Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Log Analytics •Enable logging by category group for microsoft.dbforpostgresql/servergroupsv2 to Storage •Enable logging by category group for microsoft.dbforpostgresql/servers to Event Hub •Enable logging by category group for microsoft.dbforpostgresql/servers to Log Analytics •Enable logging by category group for microsoft.dbforpostgresql/servers to Storage •Enable logging by category group for microsoft.devices/provisioningservices to Event Hub •Enable logging by category group for microsoft.devices/provisioningservices to Log Analytics •Enable logging by category group for microsoft.devices/provisioningservices to Storage •Enable logging by category group for microsoft.documentdb/cassandraclusters to Event Hub •Enable logging by category group for microsoft.documentdb/cassandraclusters to Log Analytics •Enable logging by category group for microsoft.documentdb/cassandraclusters to Storage •Enable logging by category group for microsoft.documentdb/mongoclusters to Event Hub •Enable logging by category group for microsoft.documentdb/mongoclusters to Log Analytics •Enable logging by category group for microsoft.documentdb/mongoclusters to Storage •Enable logging by category group for microsoft.insights/autoscalesettings to Event Hub •Enable logging by category group for microsoft.insights/autoscalesettings to Log Analytics •Enable logging by category group for microsoft.insights/autoscalesettings to Storage •Enable logging by category group for microsoft.machinelearningservices/registries to Event Hub •Enable logging by category group for microsoft.machinelearningservices/registries to Log Analytics •Enable logging by category group for microsoft.machinelearningservices/registries to Storage •Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Event Hub •Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Log Analytics •Enable logging by category group for microsoft.machinelearningservices/workspaces/onlineendpoints to Storage •Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Event Hub •Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Log Analytics •Enable logging by category group for microsoft.managednetworkfabric/networkdevices to Storage •Enable logging by category group for microsoft.network/dnsresolverpolicies to Event Hub •Enable logging by category group for microsoft.network/dnsresolverpolicies to Log Analytics •Enable logging by category group for microsoft.network/dnsresolverpolicies to Storage •Enable logging by category group for microsoft.network/networkmanagers/ipampools to Event Hub •Enable logging by category group for microsoft.network/networkmanagers/ipampools to Log Analytics •Enable logging by category group for microsoft.network/networkmanagers/ipampools to Storage •Enable logging by category group for microsoft.network/networksecurityperimeters to Event Hub •Enable logging by category group for microsoft.network/networksecurityperimeters to Log Analytics •Enable logging by category group for microsoft.network/networksecurityperimeters to Storage •Enable logging by category group for microsoft.network/p2svpngateways to Event Hub •Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics •Enable logging by category group for microsoft.network/p2svpngateways to Storage •Enable logging by category group for microsoft.network/vpngateways to Event Hub •Enable logging by category group for microsoft.network/vpngateways to Log Analytics •Enable logging by category group for microsoft.network/vpngateways to Storage •Enable logging by category group for microsoft.networkanalytics/dataproducts to Event Hub •Enable logging by category group for microsoft.networkanalytics/dataproducts to Log Analytics •Enable logging by category group for microsoft.networkanalytics/dataproducts to Storage •Enable logging by category group for microsoft.networkcloud/baremetalmachines to Event Hub •Enable logging by category group for microsoft.networkcloud/baremetalmachines to Log Analytics •Enable logging by category group for microsoft.networkcloud/baremetalmachines to Storage •Enable logging by category group for microsoft.networkcloud/clusters to Event Hub •Enable logging by category group for microsoft.networkcloud/clusters to Log Analytics •Enable logging by category group for microsoft.networkcloud/clusters to Storage •Enable logging by category group for microsoft.networkcloud/storageappliances to Event Hub •Enable logging by category group for microsoft.networkcloud/storageappliances to Log Analytics •Enable logging by category group for microsoft.networkcloud/storageappliances to Storage •Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Event Hub •Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Log Analytics •Enable logging by category group for microsoft.networkfunction/azuretrafficcollectors to Storage •Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Event Hub •Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Log Analytics •Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Storage •Enable logging by category group for microsoft.openenergyplatform/energyservices to Event Hub •Enable logging by category group for microsoft.openenergyplatform/energyservices to Log Analytics •Enable logging by category group for microsoft.openenergyplatform/energyservices to Storage •Enable logging by category group for microsoft.powerbi/tenants/workspaces to Event Hub •Enable logging by category group for microsoft.powerbi/tenants/workspaces to Log Analytics •Enable logging by category group for microsoft.powerbi/tenants/workspaces to Storage •Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Event Hub •Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Log Analytics •Enable logging by category group for microsoft.servicenetworking/trafficcontrollers to Storage •Enable logging by category group for microsoft.synapse/workspaces/kustopools to Event Hub •Enable logging by category group for microsoft.synapse/workspaces/kustopools to Log Analytics •Enable logging by category group for microsoft.synapse/workspaces/kustopools to Storage •Enable logging by category group for microsoft.timeseriesinsights/environments to Event Hub •Enable logging by category group for microsoft.timeseriesinsights/environments to Log Analytics •Enable logging by category group for microsoft.timeseriesinsights/environments to Storage •Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Event Hub •Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Log Analytics •Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Storage •Enable logging by category group for microsoft.workloads/sapvirtualinstances to Event Hub •Enable logging by category group for microsoft.workloads/sapvirtualinstances to Log Analytics •Enable logging by category group for microsoft.workloads/sapvirtualinstances to Storage •Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Event Hub •Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Log Analytics •Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Storage •Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Event Hub •Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Log Analytics •Enable logging by category group for Network security groups (microsoft.network/networksecuritygroups) to Storage •Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Event Hub •Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Log Analytics •Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Storage •Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Event Hub •Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Log Analytics •Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Storage •Enable logging by category group for PostgreSQL flexible server (microsoft.dbforpostgresql/flexibleservers) to Log Analytics •Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Event Hub •Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Log Analytics •Enable logging by category group for Power BI Embedded (microsoft.powerbidedicated/capacities) to Storage •Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Event Hub •Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics •Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Storage •Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Event Hub •Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Log Analytics •Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Storage •Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Event Hub •Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Log Analytics •Enable logging by category group for Recovery Services vaults (microsoft.recoveryservices/vaults) to Storage •Enable logging by category group for Relays (microsoft.relay/namespaces) to Event Hub •Enable logging by category group for Relays (microsoft.relay/namespaces) to Log Analytics •Enable logging by category group for Relays (microsoft.relay/namespaces) to Storage •Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Event Hub •Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Log Analytics •Enable logging by category group for Scaling plans (microsoft.desktopvirtualization/scalingplans) to Storage •Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Event Hub •Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Log Analytics •Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Storage •Enable logging by category group for Search services (microsoft.search/searchservices) to Event Hub •Enable logging by category group for Search services (microsoft.search/searchservices) to Log Analytics •Enable logging by category group for Search services (microsoft.search/searchservices) to Storage •Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Event Hub •Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics •Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Storage •Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Event Hub •Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics •Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Storage •Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Event Hub •Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics •Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Storage •Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Event Hub •Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics •Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Storage •Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Event Hub •Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Log Analytics •Enable logging by category group for Storage movers (microsoft.storagemover/storagemovers) to Storage •Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Event Hub •Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Log Analytics •Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Storage •Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Event Hub •Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Log Analytics •Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Storage •Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Event Hub •Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Log Analytics •Enable logging by category group for Traffic Manager profiles (microsoft.network/trafficmanagerprofiles) to Storage •Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Event Hub •Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics •Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Storage •Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Event Hub •Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics •Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Storage •Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Event Hub •Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Log Analytics •Enable logging by category group for Virtual networks (microsoft.network/virtualnetworks) to Storage •Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Event Hub •Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics •Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Storage •Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Event Hub •Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics •Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Storage •Enable logging by category group for Workspace (microsoft.desktopvirtualization/workspaces) to Log Analytics •Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Event Hub •Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Log Analytics •Enable logging by category group for Workspaces (microsoft.desktopvirtualization/workspaces) to Storage •Public IP addresses should have resource logs enabled for Azure DDoS Protection | |||
| 73c42c96-874c-492b-b04d-ab87d138a893 | Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. | Monitor | False |
07230 effective control plane operations (unique) •action: 5 •read: 7224 •write: 1 |
Actions: 004 resolved operations: 7231 effective operations: 7230 •action: 5 •read: 7224 •write: 1 •*/read •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/search/action •Microsoft.Support/* |
NotActions: 001 resolved not operations: 1 effective not operations: 9606 •Microsoft.OperationalInsights/workspaces/sharedKeys/read | |||
| 87a39d53-fc1b-424a-814c-f7e04687dc9e | Logic App Contributor | Lets you manage logic app, but not access to them. | Integration | False |
00226 effective control plane operations (unique) •action: 67 •Delete: 27 •read: 102 •Write: 30 |
Actions: 021 resolved operations: 226 effective operations: 226 •action: 67 •Delete: 27 •read: 102 •Write: 30 •Microsoft.Authorization/*/read •Microsoft.ClassicStorage/storageAccounts/listKeys/action •Microsoft.ClassicStorage/storageAccounts/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Insights/logdefinitions/* •Microsoft.Insights/metricAlerts/* •Microsoft.Insights/metricDefinitions/* •Microsoft.Logic/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* •Microsoft.Web/connectionGateways/* •Microsoft.Web/connections/* •Microsoft.Web/customApis/* •Microsoft.Web/serverFarms/join/action •Microsoft.Web/serverFarms/read •Microsoft.Web/sites/functions/listSecrets/action | ||||
| 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe | Logic App Operator | Lets you read, enable and disable logic app. | Integration | False |
00097 effective control plane operations (unique) •action: 6 •read: 90 •write: 1 |
Actions: 017 resolved operations: 97 effective operations: 97 •action: 6 •read: 90 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/*/read •Microsoft.Insights/diagnosticSettings/*/read •Microsoft.Insights/metricAlerts/*/read •Microsoft.Insights/metricDefinitions/*/read •Microsoft.Logic/*/read •Microsoft.Logic/workflows/disable/action •Microsoft.Logic/workflows/enable/action •Microsoft.Logic/workflows/validate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/connectionGateways/*/read •Microsoft.Web/connections/*/read •Microsoft.Web/customApis/*/read •Microsoft.Web/serverFarms/read | ||||
| ad710c24-b039-4e85-a019-deb4a06e8570 | Logic Apps Standard Contributor (Preview) | You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership. | Integration | False |
00591 effective control plane operations (unique) •Action: 121 •Delete: 63 •read: 338 •Write: 69 |
Actions: 013 resolved operations: 591 effective operations: 591 •Action: 121 •Delete: 63 •read: 338 •Write: 69 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/*/read •Microsoft.Web/certificates/* •Microsoft.Web/connectionGateways/* •Microsoft.Web/connections/* •Microsoft.Web/customApis/* •Microsoft.Web/serverFarms/* •Microsoft.Web/sites/* | ||||
| 523776ba-4eb2-4600-a3c8-f2dc93da4bdb | Logic Apps Standard Developer (Preview) | You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope. | Integration | False |
00378 effective control plane operations (unique) •Action: 28 •Delete: 5 •read: 338 •Write: 7 |
Actions: 025 resolved operations: 378 effective operations: 378 •Action: 28 •Delete: 5 •read: 338 •Write: 7 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/*/read •Microsoft.Web/connections/* •Microsoft.Web/customApis/* •Microsoft.Web/sites/config/list/Action •microsoft.web/sites/config/web/appsettings/delete •microsoft.web/sites/config/web/appsettings/write •microsoft.web/sites/config/Write •microsoft.web/sites/deployWorkflowArtifacts/action •microsoft.web/sites/hostruntime/* •microsoft.web/sites/listworkflowsconnections/action •Microsoft.Web/sites/publish/Action •microsoft.web/sites/slots/config/appsettings/write •Microsoft.Web/sites/slots/config/list/Action •microsoft.web/sites/slots/config/web/appsettings/delete •microsoft.web/sites/slots/deployWorkflowArtifacts/action •microsoft.web/sites/slots/listworkflowsconnections/action •Microsoft.Web/sites/slots/publish/Action •microsoft.web/sites/workflows/* •microsoft.web/sites/workflowsconfiguration/* | ||||
| b70c96e9-66fe-4c09-b6e7-c98e69c98555 | Logic Apps Standard Operator (Preview) | You can enable and disable the logic app, resubmit workflow runs, as well as create connections. You can't edit workflows or settings. | Integration | False |
00361 effective control plane operations (unique) •Action: 19 •Delete: 1 •read: 338 •Write: 3 |
Actions: 019 resolved operations: 361 effective operations: 361 •Action: 19 •Delete: 1 •read: 338 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/*/read •Microsoft.Web/sites/applySlotConfig/Action •microsoft.web/sites/hostruntime/* •Microsoft.Web/sites/restart/Action •Microsoft.Web/sites/slots/restart/Action •Microsoft.Web/sites/slots/slotsswap/Action •Microsoft.Web/sites/slots/start/Action •Microsoft.Web/sites/slots/stop/Action •Microsoft.Web/sites/slotsdiffs/Action •Microsoft.Web/sites/slotsswap/Action •Microsoft.Web/sites/start/Action •Microsoft.Web/sites/stop/Action •Microsoft.Web/sites/write | ||||
| 4accf36b-2c05-432f-91c8-5c532dff4c73 | Logic Apps Standard Reader (Preview) | You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history. | Integration | False |
00347 effective control plane operations (unique) •Action: 6 •Delete: 1 •read: 338 •Write: 2 |
Actions: 007 resolved operations: 347 effective operations: 347 •Action: 6 •Delete: 1 •read: 338 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/*/read | ||||
| 641177b8-a67a-45b9-a033-47bc880bb21e | Managed Application Contributor Role | Allows for creating managed application resources. | Management and governance | False |
07243 effective control plane operations (unique) •action: 11 •delete: 3 •read: 7225 •write: 4 |
Actions: 005 resolved operations: 7243 effective operations: 7243 •action: 11 •delete: 3 •read: 7225 •write: 4 •*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/* •Microsoft.Solutions/applications/* •Microsoft.Solutions/register/action | ||||
| c7393b34-138c-406f-901b-d8cf2b17e6ae | Managed Application Operator Role | Lets you read and perform actions on Managed Application resources | Management and governance | False |
07232 effective control plane operations (unique) •action: 7 •read: 7225 |
Actions: 003 resolved operations: 7232 effective operations: 7232 •action: 7 •read: 7225 •*/read •Microsoft.Solutions/*/action •Microsoft.Solutions/applications/read | ||||
| b9331d33-8a36-4f8c-b097-4f54124fdb44 | Managed Application Publisher Operator | Allows the publisher to read resources in the managed resource group for Managed Application and request JIT access for additional operations. This role is only used by the Managed Application service to provide access to publishers. | Management and governance | False |
07233 effective control plane operations (unique) •action: 4 •delete: 2 •read: 7225 •write: 2 |
Actions: 003 resolved operations: 7233 effective operations: 7233 •action: 4 •delete: 2 •read: 7225 •write: 2 •*/read •Microsoft.Resources/deployments/* •Microsoft.Solutions/jitRequests/* | ||||
| 18500a29-7fe2-46b2-a342-b16a415e101d | Managed HSM contributor | Lets you manage managed HSM pools, but not access to them. | Security | False |
00023 effective control plane operations (unique) •action: 3 •delete: 3 •read: 12 •write: 5 |
Actions: 005 resolved operations: 23 effective operations: 23 •action: 3 •delete: 3 •read: 12 •write: 5 •Microsoft.KeyVault/deletedManagedHsms/read •Microsoft.KeyVault/locations/deletedManagedHsms/purge/action •Microsoft.KeyVault/locations/deletedManagedHsms/read •Microsoft.KeyVault/locations/managedHsmOperationResults/read •Microsoft.KeyVault/managedHSMs/* |
count: 002 •[Preview]: Configure Azure Key Vault Managed HSM to disable public network access •[Preview]: Configure Azure Key Vault Managed HSM with private endpoints | |||
| e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 | Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity | Identity | False |
00065 effective control plane operations (unique) •Action: 11 •Delete: 4 •read: 45 •Write: 5 |
Actions: 012 resolved operations: 65 effective operations: 65 •Action: 11 •Delete: 4 •read: 45 •Write: 5 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ManagedIdentity/userAssignedIdentities/delete •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write •Microsoft.ManagedIdentity/userAssignedIdentities/read •Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action •Microsoft.ManagedIdentity/userAssignedIdentities/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 001 •[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs | |||
| 7e559ce2-48d7-4b27-9128-fa1b247f1308 | Managed Identity Federated Identity Credential Contributor | Create, Read, Update, and Delete User Assigned Identity Federated Identity Credentials(FIC) | None | False |
00052 effective control plane operations (unique) •Action: 7 •Delete: 3 •read: 39 •Write: 3 |
Actions: 008 resolved operations: 52 effective operations: 52 •Action: 7 •Delete: 3 •read: 39 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read •Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write •Microsoft.ManagedIdentity/userAssignedIdentities/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| f1a07417-d97a-45cb-824c-7a7467783830 | Managed Identity Operator | Read and Assign User Assigned Identity | Identity | False |
00059 effective control plane operations (unique) •Action: 10 •Delete: 2 •read: 44 •Write: 3 |
Actions: 007 resolved operations: 59 effective operations: 59 •Action: 10 •Delete: 2 •read: 44 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action •Microsoft.ManagedIdentity/userAssignedIdentities/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 006 •[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs •Assign System Assigned identity to SQL Virtual Machines •Configure App Service app slots to disable public network access •Configure App Service apps to disable public network access •Configure Function app slots to disable public network access •Configure Function apps to disable public network access | |||
| 91c1777a-f3dc-4fae-b103-61d183457e46 | Managed Services Registration assignment Delete Role | Managed Services Registration Assignment Delete Role allows the managing tenant users to delete the registration assignment assigned to their tenant. | Management and governance | False |
00003 effective control plane operations (unique) •delete: 1 •read: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 2 •Microsoft.ManagedServices/operationStatuses/read •Microsoft.ManagedServices/registrationAssignments/delete •Microsoft.ManagedServices/registrationAssignments/read | ||||
| 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c | Management Group Contributor | Management Group Contributor Role | Management and governance | False |
00037 effective control plane operations (unique) •delete: 2 •read: 33 •write: 2 |
Actions: 007 resolved operations: 37 effective operations: 37 •delete: 2 •read: 33 •write: 2 •Microsoft.Authorization/*/read •Microsoft.Management/managementGroups/delete •Microsoft.Management/managementGroups/read •Microsoft.Management/managementGroups/subscriptions/delete •Microsoft.Management/managementGroups/subscriptions/read •Microsoft.Management/managementGroups/subscriptions/write •Microsoft.Management/managementGroups/write | ||||
| ac63b705-f282-497d-ac71-919bf39d939d | Management Group Reader | Management Group Reader Role | Management and governance | False |
00033 effective control plane operations (unique) •read: 33 |
Actions: 003 resolved operations: 33 effective operations: 33 •read: 33 •Microsoft.Authorization/*/read •Microsoft.Management/managementGroups/read •Microsoft.Management/managementGroups/subscriptions/read | ||||
| dd920d6d-f481-47f1-b461-f338c46b2d9f | Marketplace Admin | Marketplace Admin grants full access to manage Private Azure Marketplace, including read and take action for private marketplace notifications, but does not allow to assign Marketplace Admin role to others | None | False |
00060 effective control plane operations (unique) •action: 17 •delete: 2 •read: 35 •write: 6 |
Actions: 008 resolved operations: 60 effective operations: 60 •action: 17 •delete: 2 •read: 35 •write: 6 •Microsoft.Authorization/*/read •Microsoft.Marketplace/privateStores/*/action •Microsoft.Marketplace/privateStores/*/delete •Microsoft.Marketplace/privateStores/*/read •Microsoft.Marketplace/privateStores/*/write •Microsoft.Marketplace/privateStores/action •Microsoft.Marketplace/privateStores/delete •Microsoft.Marketplace/privateStores/write | ||||
| 7a2b6e6c-472e-4b39-8878-a26eb63d75c6 | Microsoft Discovery Platform Administrator (Preview) | Grants full access to manage Microsoft.Discovery resources. This role in preview and subjet to change. | None | True |
00118 effective control plane and data plane operations (unique) •action: 17 •delete: 18 •read: 65 •write: 18 |
Actions: 011 resolved operations: 103 effective operations: 103 •action: 14 •delete: 14 •read: 59 •write: 16 •Microsoft.Authorization/*/read •Microsoft.Discovery/* •Microsoft.Discovery/checkNameAvailability/action •Microsoft.Discovery/locations/operationStatuses/read •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 001 resolved data operations: 15 effective data operations: 15 •action: 3 •delete: 4 •read: 6 •write: 2 •Microsoft.Discovery/* | |||
| 01288891-85ee-45a7-b367-9db3b752fc65 | Microsoft Discovery Platform Contributor (Preview) | Grants permissions to view and operate on most Discovery platform resources, including workspaces, supercomputers, storages, agents, bookshelves, data containers, models, tools, workflows, and investigations, as well as perform data plane actions, but does not allow creating, updating, or deleting core resources such as workspaces, supercomputers, storages, bookshelves, node pools, or projects. This role is in preview and subject to change. |
None | False |
00099 effective control plane and data plane operations (unique) •action: 13 •delete: 12 •read: 63 •write: 11 |
Actions: 020 resolved operations: 84 effective operations: 84 •Action: 10 •delete: 8 •read: 57 •write: 9 •Microsoft.Authorization/*/read •Microsoft.Discovery/agents/* •Microsoft.Discovery/bookshelves/read •Microsoft.Discovery/dataContainers/* •Microsoft.Discovery/dataContainers/dataAssets/* •Microsoft.Discovery/locations/operationStatuses/read •Microsoft.Discovery/models/* •Microsoft.Discovery/operations/read •Microsoft.Discovery/operations/read •Microsoft.Discovery/storages/read •Microsoft.Discovery/supercomputers/nodePools/read •Microsoft.Discovery/supercomputers/read •Microsoft.Discovery/tools/* •Microsoft.Discovery/workflows/* •Microsoft.Discovery/workspaces/projects/read •Microsoft.Discovery/workspaces/read •Microsoft.Insights/AlertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
NotActions: 012 resolved not operations: 12 effective not operations: 16752 •Microsoft.Discovery/bookshelves/delete •Microsoft.Discovery/bookshelves/write •Microsoft.Discovery/storages/delete •Microsoft.Discovery/storages/write •Microsoft.Discovery/supercomputers/delete •Microsoft.Discovery/supercomputers/nodePools/delete •Microsoft.Discovery/supercomputers/nodePools/write •Microsoft.Discovery/supercomputers/write •Microsoft.Discovery/workspaces/delete •Microsoft.Discovery/workspaces/projects/delete •Microsoft.Discovery/workspaces/projects/write •Microsoft.Discovery/workspaces/write |
DataActions: 001 resolved data operations: 15 effective data operations: 15 •action: 3 •delete: 4 •read: 6 •write: 2 •Microsoft.Discovery/* | ||
| 3bb7c424-af4e-436b-bfcc-8779c8934c31 | Microsoft Discovery Platform Reader (Preview) | Grants readonly permissions to view Microsoft.Discovery resources. This role in preview and subjet to change. | None | False |
00030 effective control plane and data plane operations (unique) •action: 4 •delete: 1 •read: 24 •write: 1 |
Actions: 003 resolved operations: 24 effective operations: 24 •action: 4 •delete: 1 •read: 18 •write: 1 •Microsoft.Discovery/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 6 effective data operations: 6 •read: 6 •Microsoft.Discovery/*/read | |||
| 8c87871d-6201-42da-abb1-1c0c985ff71c | Microsoft PowerBI Tenant Operations Role | Allows management of tenant operations | None | False |
00006 effective control plane operations (unique) •delete: 2 •read: 2 •write: 2 |
Actions: 006 resolved operations: 6 effective operations: 6 •delete: 2 •read: 2 •write: 2 •Microsoft.PowerBI/tenants/delete •Microsoft.PowerBI/tenants/read •Microsoft.PowerBI/tenants/workspaces/delete •Microsoft.PowerBI/tenants/workspaces/read •Microsoft.PowerBI/tenants/workspaces/write •Microsoft.PowerBI/tenants/write | ||||
| f4c81013-99ee-4d62-a7ee-b3f1f648599a | Microsoft Sentinel Automation Contributor | Microsoft Sentinel Automation Contributor | Security | False |
00037 effective control plane operations (unique) •action: 2 •read: 35 |
Actions: 007 resolved operations: 37 effective operations: 37 •action: 2 •read: 35 •Microsoft.Authorization/*/read •Microsoft.Logic/workflows/runs/read •Microsoft.Logic/workflows/triggers/listCallbackUrl/action •Microsoft.Logic/workflows/triggers/read •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read | ||||
| c18f9900-27b8-47c7-a8f0-5b3b3d4c2bc2 | Microsoft Sentinel Business Applications Agent Operator | List and update actions on a business applications system. This role is in preview and subject to change. | None | False |
00007 effective control plane operations (unique) •action: 2 •read: 3 •write: 2 |
Actions: 007 resolved operations: 7 effective operations: 7 •action: 2 •read: 3 •write: 2 •Microsoft.Authorization/roleAssignments/read •Microsoft.SecurityInsights/businessApplicationAgents/read •Microsoft.SecurityInsights/businessApplicationAgents/systems/listActions/action •Microsoft.SecurityInsights/businessApplicationAgents/systems/read •Microsoft.SecurityInsights/businessApplicationAgents/systems/reportActionStatus/action •Microsoft.SecurityInsights/businessApplicationAgents/systems/write •Microsoft.SecurityInsights/businessApplicationAgents/write | ||||
| ab8e14d6-4a74-4a29-9ba8-549422addade | Microsoft Sentinel Contributor | Microsoft Sentinel Contributor | Security | False |
01077 effective control plane operations (unique) •Action: 39 •Delete: 44 •read: 947 •Write: 47 |
Actions: 016 resolved operations: 1081 effective operations: 1077 •Action: 39 •Delete: 44 •read: 947 •Write: 47 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/myworkbooks/read •Microsoft.Insights/workbooks/* •Microsoft.OperationalInsights/querypacks/*/read •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.OperationalInsights/workspaces/query/*/read •Microsoft.OperationalInsights/workspaces/query/read •Microsoft.OperationalInsights/workspaces/savedSearches/* •Microsoft.OperationsManagement/solutions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SecurityInsights/* •Microsoft.Support/* |
NotActions: 002 resolved not operations: 4 effective not operations: 15759 •Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* •Microsoft.SecurityInsights/ConfidentialWatchlists/* | |||
| 51d6186e-6489-4900-b93f-92e23144cca5 | Microsoft Sentinel Playbook Operator | Microsoft Sentinel Playbook Operator | Security | False |
00004 effective control plane operations (unique) •action: 2 •read: 2 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 2 •read: 2 •Microsoft.Logic/workflows/read •Microsoft.Logic/workflows/triggers/listCallbackUrl/action •Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbackUrl/action •Microsoft.Web/sites/read | ||||
| 8d289c81-5878-46d4-8554-54e1e3d8b5cb | Microsoft Sentinel Reader | Microsoft Sentinel Reader | Security | False |
00966 effective control plane operations (unique) •Action: 14 •Delete: 2 •read: 947 •Write: 3 |
Actions: 021 resolved operations: 968 effective operations: 966 •Action: 14 •Delete: 2 •read: 947 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/myworkbooks/read •Microsoft.Insights/workbooks/read •Microsoft.OperationalInsights/querypacks/*/read •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.OperationalInsights/workspaces/LinkedServices/read •Microsoft.OperationalInsights/workspaces/query/*/read •Microsoft.OperationalInsights/workspaces/query/read •Microsoft.OperationalInsights/workspaces/savedSearches/read •Microsoft.OperationsManagement/solutions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/templateSpecs/*/read •Microsoft.SecurityInsights/*/read •Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action •Microsoft.SecurityInsights/threatIntelligence/indicators/query/action •Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action •Microsoft.Support/* |
NotActions: 002 resolved not operations: 4 effective not operations: 15870 •Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* •Microsoft.SecurityInsights/ConfidentialWatchlists/* | |||
| 3e150937-b8fe-4cfb-8069-0eaf05ecd056 | Microsoft Sentinel Responder | Microsoft Sentinel Responder | Security | False |
00983 effective control plane operations (unique) •Action: 21 •Delete: 5 •read: 946 •Write: 11 |
Actions: 029 resolved operations: 988 effective operations: 983 •Action: 21 •Delete: 5 •read: 946 •Write: 11 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/myworkbooks/read •Microsoft.Insights/workbooks/read •Microsoft.OperationalInsights/querypacks/*/read •Microsoft.OperationalInsights/workspaces/*/read •Microsoft.OperationalInsights/workspaces/analytics/query/action •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.OperationalInsights/workspaces/dataSources/read •Microsoft.OperationalInsights/workspaces/query/*/read •Microsoft.OperationalInsights/workspaces/query/read •Microsoft.OperationalInsights/workspaces/savedSearches/read •Microsoft.OperationsManagement/solutions/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SecurityInsights/*/read •Microsoft.SecurityInsights/automationRules/* •Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/action •Microsoft.SecurityInsights/cases/* •Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action •Microsoft.SecurityInsights/entities/runPlaybook/action •Microsoft.SecurityInsights/incidents/* •Microsoft.SecurityInsights/threatIntelligence/bulkTag/action •Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action •Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action •Microsoft.SecurityInsights/threatIntelligence/indicators/query/action •Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action •Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action •Microsoft.Support/* |
NotActions: 004 resolved not operations: 7 effective not operations: 15853 •Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/* •Microsoft.SecurityInsights/cases/*/Delete •Microsoft.SecurityInsights/ConfidentialWatchlists/* •Microsoft.SecurityInsights/incidents/*/Delete | |||
| b6d9c0f6-d69f-472b-91b4-7a6838c6d1cb | Microsoft.AzureStackHCI Device Pool Machine Manager | Microsoft.AzureStackHCI Device Pool Machine Manager | None | False |
00007 effective control plane operations (unique) •action: 1 •delete: 2 •read: 2 •write: 2 |
Actions: 007 resolved operations: 7 effective operations: 7 •action: 1 •delete: 2 •read: 2 •write: 2 •Microsoft.HybridConnectivity/endpoints/delete •Microsoft.HybridConnectivity/endpoints/listCredentials/action •Microsoft.HybridConnectivity/endpoints/read •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/delete •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write •Microsoft.HybridConnectivity/endpoints/write | ||||
| adc3c795-c41e-4a89-a478-0b321783324c | Microsoft.AzureStackHCI Device Pool Manager | Microsoft.AzureStackHCI Device Pool Manager | None | False |
00003 effective control plane operations (unique) •Action: 2 •Read: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •Action: 2 •Read: 1 •Microsoft.AzureStackHCI/DevicePools/ClaimDevices/action •Microsoft.AzureStackHCI/DevicePools/read •Microsoft.AzureStackHCI/DevicePools/ReleaseDevices/action | ||||
| 5f569efd-4da5-4123-99cd-d42fbb2a836e | Microsoft.AzureStackHCI EdgeMachine Reader | Microsoft.AzureStackHCI EdgeMachine Reader | None | False | n/a |
Actions: 002 resolved operations: n/a effective operations: n/a •Microsoft.AzureStackHCI/EdgeMachines/Jobs/Read/* •Microsoft.AzureStackHCI/EdgeMachines/Read/* | ||||
| 83ee7727-862c-4213-8ed8-2ce6c5d69a40 | Microsoft.Edge Winfields federated subscription read access role | Microsoft.Edge Winfields role for read access on federated subscriptions | None | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Resources/subscriptions/read | ||||
| 5548b2cf-c94c-4228-90ba-30851930a12f | Microsoft.Kubernetes connected cluster role | Microsoft.Kubernetes connected cluster role. | None | False |
00004 effective control plane operations (unique) •Delete: 1 •Read: 2 •Write: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •Delete: 1 •Read: 2 •Write: 1 •Microsoft.Kubernetes/connectedClusters/delete •Microsoft.Kubernetes/connectedClusters/read •Microsoft.Kubernetes/connectedClusters/write •Microsoft.Kubernetes/registeredSubscriptions/read | ||||
| 79732128-7761-4733-aebf-35590da9f29b | Microsoft.OffAzureSpringBoot Service Owner | Full access to Azure Microsoft.OffAzureSpringBoot Service REST APIs | None | False |
00016 effective control plane operations (unique) •action: 1 •delete: 5 •read: 5 •write: 5 |
Actions: 001 resolved operations: 16 effective operations: 16 •action: 1 •delete: 5 •read: 5 •write: 5 •Microsoft.OffAzureSpringBoot/springbootsites/* | ||||
| 21bffb94-04c0-4ed0-b676-68bb926e832b | Microsoft.Windows365.CloudPcDelegatedMsis Writer User | Built in role to perform Write operations on CloudPcDelegatedMsis resources. | None | False |
00006 effective control plane operations (unique) •action: 2 •delete: 1 •read: 2 •write: 1 |
Actions: 001 resolved operations: 6 effective operations: 6 •action: 2 •delete: 1 •read: 2 •write: 1 •Microsoft.Windows365/* | ||||
| 56be40e2-4db1-4ccf-93c3-7e44c597135b | Monitored Objects Contributor | Can read and update Monitored Objects and associated Data Collection Rules. | None | False |
00006 effective control plane operations (unique) •Delete: 2 •Read: 2 •Write: 2 |
Actions: 006 resolved operations: 6 effective operations: 6 •Delete: 2 •Read: 2 •Write: 2 •Microsoft.Insights/dataCollectionRuleAssociations/delete •Microsoft.Insights/dataCollectionRuleAssociations/read •Microsoft.Insights/dataCollectionRuleAssociations/write •Microsoft.Insights/monitoredObjects/delete •Microsoft.Insights/monitoredObjects/read •Microsoft.Insights/monitoredObjects/write | ||||
| 749f88d5-cbae-40b8-bcfc-e573ddc772fa | Monitoring Contributor | Can read all monitoring data and update monitoring settings. | Monitor | False |
07359 effective control plane operations (unique) •action: 41 •delete: 43 •read: 7225 •write: 50 |
Actions: 044 resolved operations: 7359 effective operations: 7359 •action: 41 •delete: 43 •read: 7225 •write: 50 •*/read •Microsoft.AlertsManagement/actionRules/* •Microsoft.AlertsManagement/alerts/* •Microsoft.AlertsManagement/alertsSummary/* •Microsoft.AlertsManagement/investigations/* •Microsoft.AlertsManagement/issues/* •Microsoft.AlertsManagement/migrateFromSmartDetection/* •Microsoft.AlertsManagement/prometheusRuleGroups/* •Microsoft.AlertsManagement/smartDetectorAlertRules/* •Microsoft.AlertsManagement/smartGroups/* •Microsoft.Insights/actiongroups/* •Microsoft.Insights/activityLogAlerts/* •Microsoft.Insights/AlertRules/* •Microsoft.Insights/components/* •Microsoft.Insights/createNotifications/* •Microsoft.Insights/dataCollectionEndpoints/* •Microsoft.Insights/dataCollectionRuleAssociations/* •Microsoft.Insights/dataCollectionRules/* •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/eventtypes/* •Microsoft.Insights/LogDefinitions/* •Microsoft.Insights/metricalerts/* •Microsoft.Insights/MetricDefinitions/* •Microsoft.Insights/Metrics/* •Microsoft.Insights/notificationStatus/* •Microsoft.Insights/privateLinkScopeOperationStatuses/* •Microsoft.Insights/privateLinkScopes/* •Microsoft.Insights/Register/Action •Microsoft.Insights/scheduledqueryrules/* •Microsoft.Insights/webtests/* •Microsoft.Insights/workbooks/* •Microsoft.Insights/workbooktemplates/* •Microsoft.Monitor/accounts/* •Microsoft.Monitor/investigations/* •Microsoft.OperationalInsights/locations/workspaces/failover/action •Microsoft.OperationalInsights/workspaces/failback/action •Microsoft.OperationalInsights/workspaces/intelligencepacks/* •Microsoft.OperationalInsights/workspaces/savedSearches/* •Microsoft.OperationalInsights/workspaces/search/action •Microsoft.OperationalInsights/workspaces/sharedKeys/action •Microsoft.OperationalInsights/workspaces/sharedKeys/read •Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* •Microsoft.OperationalInsights/workspaces/write •Microsoft.Support/* |
count: 052 •[Deprecated]: Configure Association to link Arc machines to default Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link Arc machines to user-defined Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link virtual machines to default Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure Association to link virtual machines to user-defined Microsoft Defender for Cloud Data Collection Rule •[Deprecated]: Configure diagnostic settings for storage accounts to Log Analytics workspace •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMs in the Resource Group •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for all the VMSS in the Resource Group •[Deprecated]: Deploy a VMInsights Data Collection Rule and Data Collection Rule Association for Arc Machines in the Resource Group •Configure Arc-enabled Servers with SQL Server extension installed to enable or disable SQL best practices assessment. •Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR •Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR •Configure Azure Activity logs to stream to specified Log Analytics workspace •Configure diagnostic settings for Azure Databricks Workspaces to Log Analytics workspace •Configure diagnostic settings for Azure Machine Learning Workspaces to Log Analytics workspace •Configure diagnostic settings for Azure Network Security Groups to Log Analytics workspace •Configure diagnostic settings for Blob Services to Log Analytics workspace •Configure diagnostic settings for container groups to Log Analytics workspace •Configure diagnostic settings for File Services to Log Analytics workspace •Configure diagnostic settings for Queue Services to Log Analytics workspace •Configure diagnostic settings for Storage Accounts to Log Analytics workspace •Configure diagnostic settings for Table Services to Log Analytics workspace •Configure Linux Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Linux Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Linux Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Linux VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL •Configure Windows Arc Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Arc-enabled machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Virtual Machine Scale Sets to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows Virtual Machines to be associated with a Data Collection Rule for ChangeTracking and Inventory •Configure Windows Virtual Machines to be associated with a Data Collection Rule or a Data Collection Endpoint •Configure Windows VMSS to be associated with a Data Collection Rule for ChangeTracking and Inventory •Deploy - Configure diagnostic settings for Azure Key Vault to Log Analytics workspace •Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace •Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace •Deploy - Configure diagnostic settings to a Log Analytics workspace to be enabled on Azure Key Vault Managed HSM •Deploy Diagnostic Settings for Batch Account to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace •Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace •Deploy Diagnostic Settings for Event Hub to Log Analytics workspace •Deploy Diagnostic Settings for Key Vault to Log Analytics workspace •Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace •Deploy Diagnostic Settings for Network Security Groups •Deploy Diagnostic Settings for PostgreSQL flexible servers to Log Analytics workspace •Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. •Deploy Diagnostic Settings for Search Services to Log Analytics workspace •Deploy Diagnostic Settings for Service Bus to Log Analytics workspace •Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | |||
| b0d8363b-8ddd-447d-831f-62ca05bff136 | Monitoring Data Reader | Can access the data in an Azure Monitor Workspace. | None | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Monitor/accounts/data/metrics/read | ||||
| 3913510d-42f4-4e42-8a64-420c390055eb | Monitoring Metrics Publisher | Enables publishing metrics against Azure resources | Monitor | False |
00014 effective control plane and data plane operations (unique) •Action: 4 •read: 7 •Write: 3 |
Actions: 003 resolved operations: 12 effective operations: 12 •Action: 4 •read: 7 •write: 1 •Microsoft.Insights/Register/Action •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •Write: 2 •Microsoft.Insights/Metrics/Write •Microsoft.Insights/Telemetry/Write | |||
| 47be4a87-7950-4631-9daf-b664a405f074 | Monitoring Policy Contributor | Allows read access to all monitoring data, update permissions for monitoring settings and permissions to deploy and remediate Azure Monitor alert policies. | None | False |
07373 effective control plane operations (unique) •action: 48 •delete: 46 •read: 7225 •write: 54 |
Actions: 047 resolved operations: 7373 effective operations: 7373 •action: 48 •delete: 46 •read: 7225 •write: 54 •*/read •Microsoft.AlertsManagement/actionRules/* •Microsoft.AlertsManagement/alerts/* •Microsoft.AlertsManagement/alertsSummary/* •Microsoft.AlertsManagement/investigations/* •Microsoft.AlertsManagement/issues/* •Microsoft.AlertsManagement/migrateFromSmartDetection/* •Microsoft.AlertsManagement/prometheusRuleGroups/* •Microsoft.AlertsManagement/smartDetectorAlertRules/* •Microsoft.AlertsManagement/smartGroups/* •Microsoft.Insights/actiongroups/* •Microsoft.Insights/activityLogAlerts/* •Microsoft.Insights/AlertRules/* •Microsoft.Insights/components/* •Microsoft.Insights/createNotifications/* •Microsoft.Insights/dataCollectionEndpoints/* •Microsoft.Insights/dataCollectionRuleAssociations/* •Microsoft.Insights/dataCollectionRules/* •Microsoft.Insights/DiagnosticSettings/* •Microsoft.Insights/eventtypes/* •Microsoft.Insights/LogDefinitions/* •Microsoft.Insights/metricalerts/* •Microsoft.Insights/MetricDefinitions/* •Microsoft.Insights/Metrics/* •Microsoft.Insights/notificationStatus/* •Microsoft.Insights/privateLinkScopeOperationStatuses/* •Microsoft.Insights/privateLinkScopes/* •Microsoft.Insights/Register/Action •Microsoft.Insights/scheduledqueryrules/* •Microsoft.Insights/webtests/* •Microsoft.Insights/workbooks/* •Microsoft.Insights/workbooktemplates/* •Microsoft.Monitor/accounts/* •Microsoft.Monitor/investigations/* •Microsoft.OperationalInsights/locations/workspaces/failover/action •Microsoft.OperationalInsights/workspaces/failback/action •Microsoft.OperationalInsights/workspaces/intelligencepacks/* •Microsoft.OperationalInsights/workspaces/savedSearches/* •Microsoft.OperationalInsights/workspaces/search/action •Microsoft.OperationalInsights/workspaces/sharedKeys/action •Microsoft.OperationalInsights/workspaces/sharedKeys/read •Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* •Microsoft.OperationalInsights/workspaces/write •Microsoft.PolicyInsights/remediations/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/* •Microsoft.Support/* | ||||
| 43d0d8ad-25c7-4714-9337-8ba259a9fe05 | Monitoring Reader | Can read all monitoring data. | Monitor | False |
07230 effective control plane operations (unique) •action: 4 •read: 7225 •write: 1 |
Actions: 003 resolved operations: 7230 effective operations: 7230 •action: 4 •read: 7225 •write: 1 •*/read •Microsoft.OperationalInsights/workspaces/search/action •Microsoft.Support/* | ||||
| d18ad5f3-1baf-4119-b49b-d944edb1f9d0 | MySQL Backup And Export Operator | Grants full access to manage backup and export resources | None | False |
00006 effective control plane operations (unique) •action: 2 •read: 4 |
Actions: 006 resolved operations: 6 effective operations: 6 •action: 2 •read: 4 •Microsoft.DBforMySQL/flexibleServers/backupAndExport/action •Microsoft.DBforMySQL/flexibleServers/validateBackup/action •Microsoft.DBforMySQL/locations/azureAsyncOperation/read •Microsoft.DBforMySQL/locations/operationResults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 4d97b98b-1d4f-4787-a291-c67834d212e7 | Network Contributor | Lets you manage networks, but not access to them. | Networking | False |
01091 effective control plane operations (unique) •Action: 289 •Delete: 186 •read: 407 •Write: 209 |
Actions: 007 resolved operations: 1091 effective operations: 1091 •Action: 289 •Delete: 186 •read: 407 •Write: 209 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 082 •[Deprecated]: Configure Azure Media Services to use private DNS zones •[Deprecated]: Configure Azure Media Services with private endpoints •[Preview]: Configure Azure Key Vault Managed HSM with private endpoints •[Preview]: Configure Azure Recovery Services vaults to use private DNS zones •[Preview]: Configure private endpoints on Azure Recovery Services vaults •[Preview]: Configure Recovery Services vaults to use private DNS zones for backup •[Preview]: Configure Recovery Services vaults to use private endpoints for backup •Configure a private DNS Zone ID for blob groupID •Configure a private DNS Zone ID for blob_secondary groupID •Configure a private DNS Zone ID for dfs groupID •Configure a private DNS Zone ID for dfs_secondary groupID •Configure a private DNS Zone ID for file groupID •Configure a private DNS Zone ID for queue groupID •Configure a private DNS Zone ID for queue_secondary groupID •Configure a private DNS Zone ID for table groupID •Configure a private DNS Zone ID for table_secondary groupID •Configure a private DNS Zone ID for web groupID •Configure a private DNS Zone ID for web_secondary groupID •Configure App Service app slots to disable public network access •Configure App Service apps to disable public network access •Configure App Service apps to use private DNS zones •Configure Azure AI Search services to disable public network access •Configure Azure AI Search services to use private DNS zones •Configure Azure AI Search services with private endpoints •Configure Azure Arc Private Link Scopes to use private DNS zones •Configure Azure Arc Private Link Scopes with private endpoints •Configure Azure Automation accounts with private DNS zones •Configure Azure Cache for Redis Enterprise to use private DNS zones •Configure Azure Cache for Redis to use private DNS zones •Configure Azure Data Explorer clusters with private endpoints •Configure Azure Databricks workspace to use private DNS zones •Configure Azure Device Update for IoT Hub accounts to use private DNS zones •Configure Azure Device Update for IoT Hub accounts with private endpoint •Configure Azure Event Grid namespace MQTT broker with private endpoints •Configure Azure Event Grid namespaces with private endpoints •Configure Azure File Sync to use private DNS zones •Configure Azure HDInsight clusters to use private DNS zones •Configure Azure Key Vaults to use private DNS zones •Configure Azure Key Vaults with private endpoints •Configure Azure Machine Learning workspace to use private DNS zones •Configure Azure Machine Learning workspaces with private endpoints •Configure Azure Managed Grafana workspaces to use private DNS zones •Configure Azure Migrate resources to use private DNS zones •Configure Azure Monitor Private Link Scope to use private DNS zones •Configure Azure SQL Server to enable private endpoint connections •Configure Azure Synapse workspaces to use private DNS zones •Configure Azure Virtual Desktop hostpool resources to use private DNS zones •Configure Azure Virtual Desktop workspace resources to use private DNS zones •Configure Azure Web PubSub Service to use private DNS zones •Configure Azure Web PubSub Service with private endpoints •Configure BotService resources to use private DNS zones •Configure BotService resources with private endpoints •Configure Cognitive Services accounts to use private DNS zones •Configure Cognitive Services accounts with private endpoints •Configure Container registries to use private DNS zones •Configure CosmosDB accounts to use private DNS zones •Configure disk access resources to use private DNS zones •Configure Event Hub namespaces to use private DNS zones •Configure Event Hub namespaces with private endpoints •Configure Function app slots to disable public network access •Configure Function apps to disable public network access •Configure private DNS zones for private endpoints connected to App Configuration •Configure private DNS zones for private endpoints that connect to Azure Data Factory •Configure private endpoint connections on Azure Automation accounts •Configure private endpoints for Data factories •Configure private endpoints to Azure SignalR Service •Configure Private Link for Azure AD to use private DNS zones •Configure Service Bus namespaces to use private DNS zones •Configure Service Bus namespaces with private endpoints •Configure Storage account to use a private link connection •Deploy - Configure Azure Event Grid domains to use private DNS zones •Deploy - Configure Azure Event Grid domains with private endpoints •Deploy - Configure Azure Event Grid topics to use private DNS zones •Deploy - Configure Azure Event Grid topics with private endpoints •Deploy - Configure Azure IoT Hubs to use private DNS zones •Deploy - Configure Azure IoT Hubs with private endpoints •Deploy - Configure IoT Central to use private DNS zones •Deploy - Configure IoT Central with private endpoints •Deploy - Configure private DNS zones for private endpoints connect to Azure SignalR Service •Deploy - Configure private DNS zones for private endpoints that connect to Batch accounts •Deploy network watcher when virtual networks are created •Virtual networks should be protected by Azure DDoS Protection | |||
| 5d28c62d-5b37-4476-8438-e587778df237 | New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. | Management and governance | False |
00059 effective control plane operations (unique) •Action: 10 •Delete: 2 •read: 44 •Write: 3 |
Actions: 007 resolved operations: 59 effective operations: 59 •Action: 10 •Delete: 2 •read: 44 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •NewRelic.APM/accounts/* | ||||
| 05fdd44c-adc6-4aff-981c-61041f0c929a | Nexus Network Fabric Service Reader | Read-only access to Nexus Network Fabric Service | None | False |
00100 effective control plane operations (unique) •Action: 7 •Delete: 2 •read: 89 •Write: 2 |
Actions: 005 resolved operations: 100 effective operations: 100 •Action: 7 •Delete: 2 •read: 89 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ManagedNetworkFabric/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a5eb8433-97a5-4a06-80b2-a877e1622c31 | Nexus Network Fabric Service Writer | Read-write access to Nexus Network Fabric Service | None | False |
00147 effective control plane operations (unique) •Action: 7 •Delete: 2 •read: 89 •Write: 49 |
Actions: 006 resolved operations: 147 effective operations: 147 •Action: 7 •Delete: 2 •read: 89 •Write: 49 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ManagedNetworkFabric/*/read •Microsoft.ManagedNetworkFabric/*/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| ca0835dd-bacc-42dd-8ed2-ed5e7230d15b | Object Anchors Account Owner | Provides user with ingestion capabilities for an object anchors account. | None | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/action •Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read | ||||
| 4a167cdf-cb95-4554-9203-2347fe489bd9 | Object Anchors Account Reader | Lets you read ingestion jobs for an object anchors account. | None | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.MixedReality/ObjectAnchorsAccounts/ingest/read | ||||
| 4dd61c23-6743-42fe-a388-d8bdd41cb745 | Object Understanding Account Owner | Provides user with ingestion capabilities for Azure Object Understanding. | None | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/action •Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read | ||||
| d18777c0-1514-4662-8490-608db7d334b6 | Object Understanding Account Reader | Lets you read ingestion jobs for an object understanding account. | None | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.MixedReality/ObjectUnderstandingAccounts/ingest/read | ||||
| 2c7a01fe-5518-4a42-93c2-658e45441691 | Online Experimentation Contributor | Grants permissions for all management operations to Online Experimentation resources. | None | False |
00017 effective control plane operations (unique) •action: 4 •delete: 3 •read: 6 •write: 4 |
Actions: 001 resolved operations: 17 effective operations: 17 •action: 4 •delete: 3 •read: 6 •write: 4 •Microsoft.OnlineExperimentation/* | ||||
| 53747cdd-e97c-477a-948c-b587d0e514b2 | Online Experimentation Data Owner | Allows full access to Online Experimentation data. | None | False |
00004 effective data plane operations (unique) •action: 1 •delete: 1 •read: 1 •write: 1 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 1 •delete: 1 •read: 1 •write: 1 •Microsoft.OnlineExperimentation/workspaces/action •Microsoft.OnlineExperimentation/workspaces/delete •Microsoft.OnlineExperimentation/workspaces/read •Microsoft.OnlineExperimentation/workspaces/write | ||||
| 1363e94d-546f-4fe9-8434-b0eefb292d59 | Online Experimentation Data Reader | Allows read access to Online Experimentation data. | None | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.OnlineExperimentation/workspaces/read | ||||
| 58b80de8-4b34-424c-9e47-23faf0f7cfe2 | Online Experimentation Reader | Grants permission for read operations to Online Experimentation resources. | None | False |
00006 effective control plane operations (unique) •read: 6 |
Actions: 001 resolved operations: 6 effective operations: 6 •read: 6 •Microsoft.OnlineExperimentation/*/read | ||||
| 4aa368ec-fba9-4e93-81ed-396b3d461cc5 | Operator Nexus Compute Contributor Role (Preview) | (Preview) Manage and configure Azure Operator Nexus infrastructure resources. This role is in preview and subject to change. | None | False |
00091 effective control plane operations (unique) •action: 27 •Delete: 7 •read: 50 •Write: 7 |
Actions: 091 resolved operations: 91 effective operations: 91 •action: 27 •Delete: 7 •read: 50 •Write: 7 •Microsoft.Authorization/classicAdministrators/operationstatuses/read •Microsoft.Authorization/classicAdministrators/read •Microsoft.Authorization/denyAssignments/read •Microsoft.Authorization/diagnosticSettings/read •Microsoft.Authorization/diagnosticSettingsCategories/read •Microsoft.Authorization/locks/read •Microsoft.Authorization/operations/read •Microsoft.Authorization/permissions/read •Microsoft.Authorization/policyAssignments/privateLinkAssociations/read •Microsoft.Authorization/policyAssignments/read •Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/read •Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/read •Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/read •Microsoft.Authorization/policyDefinitions/read •Microsoft.Authorization/policyExemptions/read •Microsoft.Authorization/policySetDefinitions/read •Microsoft.Authorization/providerOperations/read •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleAssignmentScheduleInstances/read •Microsoft.Authorization/roleAssignmentScheduleRequests/read •Microsoft.Authorization/roleAssignmentSchedules/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.Authorization/roleEligibilityScheduleInstances/read •Microsoft.Authorization/roleEligibilityScheduleRequests/read •Microsoft.Authorization/roleEligibilitySchedules/read •Microsoft.Authorization/roleManagementPolicies/read •Microsoft.Authorization/roleManagementPolicyAssignments/read •Microsoft.ExtendedLocation/customLocations/deploy/action •Microsoft.ExtendedLocation/customLocations/read •Microsoft.HybridCompute/machines/extensions/read •Microsoft.HybridCompute/machines/read •Microsoft.Insights/alertRules/activated/action •Microsoft.Insights/alertRules/delete •Microsoft.Insights/alertRules/incidents/read •Microsoft.Insights/alertRules/read •Microsoft.Insights/alertRules/resolved/action •Microsoft.Insights/alertRules/throttled/action •Microsoft.Insights/alertRules/write •Microsoft.Kubernetes/connectedClusters/read •Microsoft.KubernetesConfiguration/extensions/read •Microsoft.ManagedNetworkFabric/networkFabricControllers/join/action •Microsoft.ManagedNetworkFabric/networkFabrics/join/action •Microsoft.ManagedNetworkFabric/networkRacks/join/action •Microsoft.NetworkCloud/bareMetalMachines/cordon/action •Microsoft.NetworkCloud/bareMetalMachines/delete •Microsoft.NetworkCloud/bareMetalMachines/powerOff/action •Microsoft.NetworkCloud/bareMetalMachines/read •Microsoft.NetworkCloud/bareMetalMachines/reimage/action •Microsoft.NetworkCloud/bareMetalMachines/replace/action •Microsoft.NetworkCloud/bareMetalMachines/restart/action •Microsoft.NetworkCloud/bareMetalMachines/runDataExtracts/action •Microsoft.NetworkCloud/bareMetalMachines/runReadCommands/action •Microsoft.NetworkCloud/bareMetalMachines/start/action •Microsoft.NetworkCloud/bareMetalMachines/uncordon/action •Microsoft.NetworkCloud/bareMetalMachines/write •Microsoft.NetworkCloud/clusterManagers/delete •Microsoft.NetworkCloud/clusterManagers/read •Microsoft.NetworkCloud/clusterManagers/write •Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets/read •Microsoft.NetworkCloud/clusters/bmcKeySets/read •Microsoft.NetworkCloud/clusters/continueUpdateVersion/action •Microsoft.NetworkCloud/clusters/delete •Microsoft.NetworkCloud/clusters/deploy/action •Microsoft.NetworkCloud/clusters/metricsConfigurations/delete •Microsoft.NetworkCloud/clusters/metricsConfigurations/read •Microsoft.NetworkCloud/clusters/metricsConfigurations/write •Microsoft.NetworkCloud/clusters/read •Microsoft.NetworkCloud/clusters/scanRuntime/action •Microsoft.NetworkCloud/clusters/updateVersion/action •Microsoft.NetworkCloud/clusters/write •Microsoft.NetworkCloud/locations/operationStatuses/read •Microsoft.NetworkCloud/operations/read •Microsoft.NetworkCloud/racks/delete •Microsoft.NetworkCloud/racks/join/action •Microsoft.NetworkCloud/racks/read •Microsoft.NetworkCloud/racks/write •Microsoft.NetworkCloud/rackSkus/read •Microsoft.NetworkCloud/register/action •Microsoft.NetworkCloud/registeredSubscriptions/read •Microsoft.NetworkCloud/storageAppliances/read •Microsoft.NetworkCloud/unregister/action •Microsoft.Resources/deployments/cancel/action •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/exportTemplate/action •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/validate/action •Microsoft.Resources/deployments/whatIf/action •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 44f0a1a8-6fea-4b35-980a-8ff50c487c97 | Operator Nexus Key Vault Writer Service Role (Preview) | (Preview) Provides Azure Operator Nexus services the ability to write to a Key Vault. This role is in preview and subject to change. | None | False |
00002 effective control plane and data plane operations (unique) •action: 1 •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.KeyVault/vaults/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.KeyVault/vaults/secrets/setSecret/action | |||
| 77be276d-fb44-4f3b-beb5-9bf03c4cd2d3 | Operator Nexus Owner (Preview) | (Preview) This role allows full access to Azure Operator Nexus Network Cloud resources. This role is in preview and subject to change. | None | False |
00091 effective control plane operations (unique) •action: 32 •delete: 18 •read: 22 •write: 19 |
Actions: 001 resolved operations: 91 effective operations: 91 •action: 32 •delete: 18 •read: 22 •write: 19 •Microsoft.NetworkCloud/* | ||||
| 4caf51ec-f9f5-413f-8a94-b9f5fddba66b | Oracle Subscriptions Manager Built-in Role | Grants full access to manage all Oracle Subscriptions resources | None | False |
00027 effective control plane operations (unique) •action: 8 •delete: 1 •read: 16 •write: 2 |
Actions: 009 resolved operations: 27 effective operations: 27 •action: 8 •delete: 1 •read: 16 •write: 2 •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Oracle.Database/Locations/*/read •Oracle.Database/Locations/*/write •Oracle.Database/Operations/read •Oracle.Database/oracleSubscriptions/*/action •Oracle.Database/oracleSubscriptions/*/delete •Oracle.Database/oracleSubscriptions/*/read •Oracle.Database/oracleSubscriptions/*/write | ||||
| 59c05558-2358-462d-ba19-afbd7118936d | Oracle.Database Autonomous Database Administrator | Grants full access to manage all Autonomous Database resources | None | False |
00046 effective control plane operations (unique) •action: 14 •delete: 4 •read: 22 •write: 6 |
Actions: 017 resolved operations: 46 effective operations: 46 •action: 14 •delete: 4 •read: 22 •write: 6 •Microsoft.Network/locations/operations/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Oracle.Database/autonomousDatabases/*/action •Oracle.Database/autonomousDatabases/*/delete •Oracle.Database/autonomousDatabases/*/read •Oracle.Database/autonomousDatabases/*/write •Oracle.Database/Locations/*/read •Oracle.Database/Locations/*/write •Oracle.Database/networkAnchors/* •Oracle.Database/Operations/read •Oracle.Database/oracleSubscriptions/*/action •Oracle.Database/oracleSubscriptions/*/read •Oracle.Database/resourceAnchors/* | ||||
| 4cfdd23b-aece-4fd1-b614-ad3a06c53453 | Oracle.Database Exadata Infrastructure Administrator Built-in Role | Grants full access to manage all Exadata Infrastructure resources | None | False |
00046 effective control plane operations (unique) •action: 10 •delete: 4 •read: 25 •write: 7 |
Actions: 023 resolved operations: 46 effective operations: 46 •action: 10 •delete: 4 •read: 25 •write: 7 •Microsoft.Compute/sshPublicKeys/generateKeyPair/action •Microsoft.Compute/sshPublicKeys/read •Microsoft.Compute/sshPublicKeys/write •Microsoft.Network/locations/operations/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Oracle.Database/cloudExadataInfrastructures/*/delete •Oracle.Database/cloudExadataInfrastructures/*/read •Oracle.Database/cloudExadataInfrastructures/*/write •Oracle.Database/cloudVmClusters/*/action •Oracle.Database/cloudVmClusters/*/delete •Oracle.Database/cloudVmClusters/*/read •Oracle.Database/cloudVmClusters/*/write •Oracle.Database/Locations/*/read •Oracle.Database/Locations/*/write •Oracle.Database/networkAnchors/* •Oracle.Database/Operations/read •Oracle.Database/oracleSubscriptions/*/read •Oracle.Database/oracleSubscriptions/listCloudAccountDetails/action •Oracle.Database/resourceAnchors/* | ||||
| a00ed373-f085-4b75-a950-53eacdc52ac0 | Oracle.Database Exascale Storage Vault Administrator | Grants full access to manage Exascale Storage Vaults | None | False |
00032 effective control plane operations (unique) •action: 4 •delete: 4 •read: 19 •write: 5 |
Actions: 011 resolved operations: 32 effective operations: 32 •action: 4 •delete: 4 •read: 19 •write: 5 •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Oracle.Database/exascaleDbStorageVaults/delete •Oracle.Database/exascaleDbStorageVaults/read •Oracle.Database/exascaleDbStorageVaults/write •Oracle.Database/Locations/*/read •Oracle.Database/Locations/*/write •Oracle.Database/networkAnchors/* •Oracle.Database/Operations/read •Oracle.Database/oracleSubscriptions/*/read •Oracle.Database/resourceAnchors/* | ||||
| 0869d06d-e3d1-4472-8764-1bb71b2bdaf7 | Oracle.Database Exascale VmCluster Administrator | Grants full access to manage Exascale VmClusters | None | False |
00040 effective control plane operations (unique) •action: 7 •delete: 3 •read: 24 •write: 6 |
Actions: 020 resolved operations: 40 effective operations: 40 •action: 7 •delete: 3 •read: 24 •write: 6 •Microsoft.Compute/sshPublicKeys/generateKeyPair/action •Microsoft.Compute/sshPublicKeys/read •Microsoft.Compute/sshPublicKeys/write •Microsoft.Network/locations/operations/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Oracle.Database/exadbVmClusters/*/action •Oracle.Database/exadbVmClusters/*/delete •Oracle.Database/exadbVmClusters/*/read •Oracle.Database/exadbVmClusters/*/write •Oracle.Database/exascaleDbStorageVaults/read •Oracle.Database/Locations/*/read •Oracle.Database/Locations/*/write •Oracle.Database/networkAnchors/* •Oracle.Database/Operations/read •Oracle.Database/oracleSubscriptions/*/read •Oracle.Database/resourceAnchors/* | ||||
| 4562aac9-b209-4bd7-a144-6d7f3bb516f4 | Oracle.Database Owner Built-in Role | Grants full access to manage all Oracle.Database resources | None | False |
00082 effective control plane operations (unique) •action: 24 •delete: 11 •read: 33 •write: 14 |
Actions: 010 resolved operations: 82 effective operations: 82 •action: 24 •delete: 11 •read: 33 •write: 14 •Microsoft.Compute/sshPublicKeys/generateKeyPair/action •Microsoft.Compute/sshPublicKeys/read •Microsoft.Compute/sshPublicKeys/write •Microsoft.Network/locations/operations/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Oracle.Database/* | ||||
| d623d097-b882-4e1e-a26f-ac60e31065a1 | Oracle.Database Reader Built-in Role | Grants read access to all Oracle.Database resources | None | False |
00034 effective control plane operations (unique) •action: 6 •delete: 1 •read: 26 •write: 1 |
Actions: 017 resolved operations: 34 effective operations: 34 •action: 6 •delete: 1 •read: 26 •write: 1 •Microsoft.Network/locations/operations/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Resources/deployments/* •Microsoft.Resources/deployments/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Oracle.Database/cloudExadataInfrastructures/*/read •Oracle.Database/cloudVmClusters/*/read •Oracle.Database/cloudVmClusters/listPrivateIpAddresses/action •Oracle.Database/exadbVmClusters/*/read •Oracle.Database/exascaleDbStorageVaults/read •Oracle.Database/Locations/*/read •Oracle.Database/networkAnchors/read •Oracle.Database/Operations/read •Oracle.Database/oracleSubscriptions/*/read •Oracle.Database/oracleSubscriptions/listCloudAccountDetails/action •Oracle.Database/resourceAnchors/read | ||||
| e9ce8739-6fa2-4123-a0a2-0ef41a67806f | Oracle.Database VmCluster Administrator Built-in Role | Grants full access to manage all VmCluster resources | None | False |
00042 effective control plane operations (unique) •action: 5 •delete: 4 •read: 25 •write: 8 |
Actions: 020 resolved operations: 42 effective operations: 42 •action: 5 •delete: 4 •read: 25 •write: 8 •Microsoft.Compute/sshPublicKeys/generateKeyPair/action •Microsoft.Compute/sshPublicKeys/read •Microsoft.Compute/sshPublicKeys/write •Microsoft.Network/locations/operations/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/subnets/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Oracle.Database/cloudExadataInfrastructures/*/read •Oracle.Database/cloudExadataInfrastructures/write •Oracle.Database/cloudVmClusters/*/delete •Oracle.Database/cloudVmClusters/*/read •Oracle.Database/cloudVmClusters/*/write •Oracle.Database/Locations/*/read •Oracle.Database/Locations/*/write •Oracle.Database/networkAnchors/* •Oracle.Database/Operations/read •Oracle.Database/oracleSubscriptions/*/read •Oracle.Database/resourceAnchors/* | ||||
| 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 | Owner | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. | Privileged | False |
16836 effective control plane operations (unique) •action: 3840 •delete: 2581 •read: 7225 •write: 3190 |
Actions: 001 resolved operations: 16836 effective operations: 16836 •action: 3840 •delete: 2581 •read: 7225 •write: 3190 •* |
count: 012 •[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) with a given tag. •[Preview]: Install Azure Backup Extension in AKS clusters (Managed Cluster) without a given tag. •Azure Arc-enabled Kubernetes clusters should have the Open Service Mesh extension installed •Azure Arc-enabled Kubernetes clusters should have the Strimzi Kafka extension installed •Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery •Configure Microsoft Defender CSPM plan •Configure Microsoft Defender CSPM to be enabled •Configure Microsoft Defender for Containers plan •Configure Microsoft Defender for Servers plan •Configure Microsoft Defender for Storage to be enabled •Configure Microsoft Defender threat protection for AI Services •Configure Synapse workspaces to have auditing enabled to Log Analytics workspace | |||
| 0c8b84dc-067c-4039-9615-fa1a4b77c726 | PlayFab Contributor | Provides contributor access to PlayFab resources | None | False |
00041 effective control plane operations (unique) •action: 4 •delete: 1 •read: 35 •write: 1 |
Actions: 006 resolved operations: 41 effective operations: 41 •action: 4 •delete: 1 •read: 35 •write: 1 •Microsoft.Authorization/*/read •Microsoft.PlayFab/*/delete •Microsoft.PlayFab/*/read •Microsoft.PlayFab/*/write •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| a9a19cc5-31f4-447c-901f-56c0bb18fcaf | PlayFab Reader | Provides read access to PlayFab resources | None | False |
00032 effective control plane operations (unique) •read: 32 |
Actions: 003 resolved operations: 32 effective operations: 32 •read: 32 •Microsoft.Authorization/*/read •Microsoft.PlayFab/*/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 285ce6d6-fa11-43bd-94ef-42a9b3740bfd | Policy Enrollments Contributor | Allows the creation and modification of policy enrollments | None | False |
00068 effective control plane operations (unique) •action: 11 •delete: 5 •read: 47 •write: 5 |
Actions: 004 resolved operations: 68 effective operations: 68 •action: 11 •delete: 5 •read: 47 •write: 5 •Microsoft.Authorization/*/read •Microsoft.Authorization/policyenrollments/* •Microsoft.PolicyInsights/* •Microsoft.Resources/deployments/* | ||||
| 66bb4e9e-b016-4a94-8249-4c0511c2be84 | Policy Insights Data Writer (Preview) | Allows read access to resource policies and write access to resource component policy events. | Management and governance | False |
00006 effective control plane and data plane operations (unique) •action: 2 •read: 4 |
Actions: 004 resolved operations: 4 effective operations: 4 •read: 4 •Microsoft.Authorization/policyassignments/read •Microsoft.Authorization/policydefinitions/read •Microsoft.Authorization/policyexemptions/read •Microsoft.Authorization/policysetdefinitions/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.PolicyInsights/checkDataPolicyCompliance/action •Microsoft.PolicyInsights/policyEvents/logDataEvents/action | |||
| 78eacb5e-e318-4560-85a9-e6a724ca60c9 | Portal Dashboard Writer Service Role | Can write an Azure Portal Dashboard | None | True |
00002 effective control plane operations (unique) •read: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.Portal/dashboards/read •Microsoft.Portal/dashboards/write | ||||
| c088a766-074b-43ba-90d4-1fb21feae531 | PostgreSQL Flexible Server Long Term Retention Backup Role | Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup. | Databases | False |
00007 effective control plane operations (unique) •action: 2 •read: 5 |
Actions: 007 resolved operations: 7 effective operations: 7 •action: 2 •read: 5 •Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read •Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action •Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action •Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read •Microsoft.DBforPostgreSQL/locations/operationResults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 2593f4c7-8bf4-4fff-9804-2ee069b41902 | Power Platform Account Contributor | Create, Read, Update, and Delete Power Platform Account resources | None | False |
00051 effective control plane operations (unique) •Action: 7 •Delete: 3 •read: 38 •Write: 3 |
Actions: 005 resolved operations: 51 effective operations: 51 •Action: 7 •Delete: 3 •read: 38 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.PowerPlatform/accounts/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| babe7770-cdbc-4f46-9bd7-b90b34842946 | Power Platform Enterprise Policy Contributor | Create, Read, Update, and Delete Power Platform Enterprise Policy resources | None | False |
00057 effective control plane operations (unique) •Action: 7 •Delete: 4 •read: 42 •Write: 4 |
Actions: 005 resolved operations: 57 effective operations: 57 •Action: 7 •Delete: 4 •read: 42 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.PowerPlatform/enterprisePolicies/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 53be45b2-ad40-43ab-bc1f-2c962ac99ded | PowerApps Administrator | The user has access to perform administrative actions on all PowerApps resources within the tenant. | None | False | n/a |
Actions: 001 resolved operations: n/a effective operations: n/a •Microsoft.PowerApps/actions/admin/* | ||||
| 6877c72c-edd3-4048-9b4b-cf8e514477b0 | PowerAppsReaderWithReshare | PowerAppsReadersWithReshare can use the resource and re-share it with other users, but cannot edit the resource or re-share it with edit permissions. | None | False | n/a |
Actions: 002 resolved operations: n/a effective operations: n/a •Microsoft.PowerApps/*/permissions/write •Microsoft.PowerApps/*/read |
NotActions: 002 resolved not operations: n/a effective not operations: 16836 •Microsoft.PowerApps/*/delete •Microsoft.PowerApps/*/write | |||
| b12aa53e-6015-4669-85d0-8515ebb3ae7f | Private DNS Zone Contributor | Lets you manage private DNS zone resources, but not the virtual networks they are linked to. | Networking | False |
00097 effective control plane operations (unique) •Action: 12 •Delete: 11 •read: 60 •Write: 14 |
Actions: 010 resolved operations: 97 effective operations: 97 •Action: 12 •Delete: 11 •read: 60 •Write: 14 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/privateDnsOperationResults/* •Microsoft.Network/privateDnsOperationStatuses/* •Microsoft.Network/privateDnsZones/* •Microsoft.Network/virtualNetworks/join/action •Microsoft.Network/virtualNetworks/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 001 •Configure Azure File Sync to use private DNS zones | |||
| be1a1ac2-09d3-4261-9e57-a73a6e227f53 | Procurement Contributor | Lets you manage the procurement of products and services. | None | False |
00035 effective control plane operations (unique) •action: 10 •delete: 7 •read: 10 •write: 8 |
Actions: 036 resolved operations: 35 effective operations: 35 •action: 10 •delete: 7 •read: 10 •write: 8 •Microsoft.BillingBenefits/credits/cancel/action •Microsoft.BillingBenefits/credits/read •Microsoft.BillingBenefits/credits/sources/delete •Microsoft.BillingBenefits/credits/sources/read •Microsoft.BillingBenefits/credits/sources/write •Microsoft.BillingBenefits/credits/write •Microsoft.BillingBenefits/maccs/cancel/action •Microsoft.BillingBenefits/maccs/chargeShortfall/action •Microsoft.BillingBenefits/maccs/contributors/read •Microsoft.BillingBenefits/maccs/delete •Microsoft.BillingBenefits/maccs/read •Microsoft.BillingBenefits/maccs/write •Microsoft.BillingBenefits/register/action •Microsoft.EnterpriseSupport/enterpriseSupports/delete •Microsoft.EnterpriseSupport/enterpriseSupports/read •Microsoft.EnterpriseSupport/enterpriseSupports/write •Microsoft.EnterpriseSupport/register/action •Microsoft.ProfessionalService/register/action •Microsoft.ProfessionalService/resources/delete •Microsoft.ProfessionalService/resources/read •Microsoft.ProfessionalService/resources/write •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SaaS/register/action •Microsoft.SaaS/resources/delete •Microsoft.SaaS/resources/read •Microsoft.SaaS/resources/write •Microsoft.SaaSHub/cloudservices/delete •Microsoft.SaaSHub/cloudservices/read •Microsoft.SaaSHub/cloudservices/write •Microsoft.SaaSHub/register/action •Microsoft.SoftwarePlan/register/action •Microsoft.SoftwarePlan/softwareSubscriptions/cancel/action •Microsoft.SoftwarePlan/softwareSubscriptions/delete •Microsoft.SoftwarePlan/softwareSubscriptions/listKeys/action •Microsoft.SoftwarePlan/softwareSubscriptions/read •Microsoft.SoftwarePlan/softwareSubscriptions/write | ||||
| 9ef4ef9c-a049-46b0-82ab-dd8ac094c889 | Project Babylon Data Curator | The Microsoft.ProjectBabylon data curator can create, read, modify and delete catalog data objects and establish relationships between objects. This role is in preview and subject to change. | None | False |
00003 effective control plane and data plane operations (unique) •read: 2 •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ProjectBabylon/accounts/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.ProjectBabylon/accounts/data/read •Microsoft.ProjectBabylon/accounts/data/write | |||
| c8d896ba-346d-4f50-bc1d-7d1c84130446 | Project Babylon Data Reader | The Microsoft.ProjectBabylon data reader can read catalog data objects. This role is in preview and subject to change. | None | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ProjectBabylon/accounts/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.ProjectBabylon/accounts/data/read | |||
| 05b7651b-dc44-475e-b74d-df3db49fae0f | Project Babylon Data Source Administrator | The Microsoft.ProjectBabylon data source administrator can manage data sources and data scans. This role is in preview and subject to change. | None | False |
00003 effective control plane and data plane operations (unique) •read: 2 •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.ProjectBabylon/accounts/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.ProjectBabylon/accounts/scan/read •Microsoft.ProjectBabylon/accounts/scan/write | |||
| a3ab03bc-5350-42ff-b0d5-00207672db55 | ProviderHub Contributor | Allows you to create and manage Microsoft.ProviderHub resources through the Resource Provider Platform. Does not allow you to assign roles in Azure RBAC. | None | False |
00063 effective control plane operations (unique) •Action: 10 •Delete: 5 •read: 41 •Write: 7 |
Actions: 006 resolved operations: 63 effective operations: 63 •Action: 10 •Delete: 5 •read: 41 •Write: 7 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ProviderHub/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 4d8c6f2e-3fd6-4d40-826e-93e3dc4c3fc1 | ProviderHub Reader | Allows you to view all Microsoft.ProviderHub resources created through the Resource Provider Platform, but does not allow you to make any changes to the resources. | None | False |
00036 effective control plane operations (unique) •read: 36 |
Actions: 004 resolved operations: 36 effective operations: 36 •read: 36 •Microsoft.Authorization/*/read •Microsoft.ProviderHub/*/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 8a3c2885-9b38-4fd2-9d99-91af537c1347 | Purview role 1 (Deprecated) | Deprecated role. | None | False |
00003 effective control plane and data plane operations (unique) •read: 2 •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Purview/accounts/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.Purview/accounts/data/read •Microsoft.Purview/accounts/data/write | |||
| 200bba9e-f0c8-430f-892b-6f0794863803 | Purview role 2 (Deprecated) | Deprecated role. | None | False |
00003 effective control plane and data plane operations (unique) •read: 2 •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Purview/accounts/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.Purview/accounts/scan/read •Microsoft.Purview/accounts/scan/write | |||
| ff100721-1b9d-43d8-af52-42b69c1272db | Purview role 3 (Deprecated) | Deprecated role. | None | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Purview/accounts/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Purview/accounts/data/read | |||
| c1410b24-3e69-4857-8f86-4d0a2e603250 | Quantum Workspace Data Contributor | Create, read, and modify jobs and other Workspace data. This role is in preview and subject to change. | Compute | False |
00052 effective control plane and data plane operations (unique) •Action: 7 •Delete: 2 •read: 40 •Write: 3 |
Actions: 006 resolved operations: 50 effective operations: 50 •Action: 7 •Delete: 2 •read: 39 •Write: 2 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Quantum/locations/offerings/read •Microsoft.Quantum/Workspaces/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 1 •write: 1 •Microsoft.Quantum/Workspaces/jobs/read •Microsoft.Quantum/Workspaces/jobs/write | |||
| 0e5f05e5-9ab9-446b-b98d-1e2157c94125 | Quota Request Operator | Read and create quota requests, get quota request status, and create support tickets. | Management and governance | False |
00067 effective control plane operations (unique) •action: 12 •Delete: 2 •read: 48 •write: 5 |
Actions: 014 resolved operations: 67 effective operations: 67 •action: 12 •Delete: 2 •read: 48 •write: 5 •Microsoft.Authorization/*/read •Microsoft.Capacity/register/action •Microsoft.Capacity/resourceProviders/locations/serviceLimits/read •Microsoft.Capacity/resourceProviders/locations/serviceLimits/write •Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read •Microsoft.Insights/alertRules/* •Microsoft.Quota/quotaRequests/read •Microsoft.Quota/quotas/read •Microsoft.Quota/quotas/write •Microsoft.Quota/register/action •Microsoft.Quota/usages/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| acdd72a7-3385-48ef-bd42-f606fba81ae7 | Reader | View all resources, but does not allow you to make any changes. | General | False |
07225 effective control plane operations (unique) •read: 7225 |
Actions: 001 resolved operations: 7225 effective operations: 7225 •read: 7225 •*/read |
count: 003 •[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension •[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension •Subscribe eligible Arc-enabled SQL Servers instances to Extended Security Updates. | |||
| c12c1c16-33a1-487b-954d-41c89c60f349 | Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. | Storage | False |
00003 effective control plane operations (unique) •action: 2 •read: 1 |
Actions: 003 resolved operations: 3 effective operations: 3 •action: 2 •read: 1 •Microsoft.Storage/storageAccounts/ListAccountSas/action •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read | ||||
| e0f68234-74aa-48ed-b826-c38b57376e17 | Redis Cache Contributor | Lets you manage Redis caches, but not access to them. | Databases | False |
00100 effective control plane operations (unique) •action: 21 •delete: 11 •read: 56 •write: 12 |
Actions: 008 resolved operations: 100 effective operations: 100 •action: 21 •delete: 11 •read: 56 •write: 12 •Microsoft.Authorization/*/read •Microsoft.Cache/redis/* •Microsoft.Cache/register/action •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* |
count: 003 •Configure Azure Cache for Redis to disable non SSL ports •Configure Azure Cache for Redis to disable public network access •Configure Azure Cache for Redis with private endpoints | |||
| 3df8b902-2a6f-47c7-8cc5-360e9b272a7e | Remote Rendering Administrator | Provides user with conversion, manage session, rendering and diagnostics capabilities for Azure Remote Rendering | Mixed reality | False |
00008 effective data plane operations (unique) •action: 2 •delete: 2 •read: 4 |
DataActions: 008 resolved data operations: 8 effective data operations: 8 •action: 2 •delete: 2 •read: 4 •Microsoft.MixedReality/RemoteRenderingAccounts/convert/action •Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete •Microsoft.MixedReality/RemoteRenderingAccounts/convert/read •Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read •Microsoft.MixedReality/RemoteRenderingAccounts/render/read | ||||
| d39065c4-c120-43c9-ab0a-63eed9795f0a | Remote Rendering Client | Provides user with manage session, rendering and diagnostics capabilities for Azure Remote Rendering. | Mixed reality | False |
00005 effective data plane operations (unique) •action: 1 •delete: 1 •read: 3 |
DataActions: 005 resolved data operations: 5 effective data operations: 5 •action: 1 •delete: 1 •read: 3 •Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete •Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read •Microsoft.MixedReality/RemoteRenderingAccounts/render/read | ||||
| f7b75c60-3036-4b75-91c3-6b41c27c1689 | Reservation Purchaser | Lets you purchase reservations | Management and governance | False |
00011 effective control plane operations (unique) •action: 4 •read: 6 •write: 1 |
Actions: 011 resolved operations: 11 effective operations: 11 •action: 4 •read: 6 •write: 1 •Microsoft.Authorization/roleAssignments/read •Microsoft.Capacity/catalogs/read •Microsoft.Capacity/register/action •Microsoft.Compute/register/action •Microsoft.Consumption/register/action •Microsoft.Consumption/reservationRecommendationDetails/read •Microsoft.Consumption/reservationRecommendations/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SQL/register/action •Microsoft.Support/supporttickets/write | ||||
| a8889054-8d42-49c9-bc1c-52486c10e7cd | Reservations Administrator | Lets one read and manage all the reservations in a tenant | Privileged | False |
00042 effective control plane operations (unique) •action: 23 •delete: 1 •read: 14 •write: 4 |
Actions: 007 resolved operations: 42 effective operations: 42 •action: 23 •delete: 1 •read: 14 •write: 4 •Microsoft.Authorization/roleAssignments/delete •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleAssignments/write •Microsoft.Authorization/roleDefinitions/read •Microsoft.Capacity/*/action •Microsoft.Capacity/*/read •Microsoft.Capacity/*/write | ||||
| b4ebc951-a0c2-41f7-a3cd-a57fe27c8e3a | Reservations Contributor | Lets you read and manage reservations but cannot delegate reservation-related roles | None | False |
00040 effective control plane operations (unique) •action: 23 •read: 14 •write: 3 |
Actions: 005 resolved operations: 40 effective operations: 40 •action: 23 •read: 14 •write: 3 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.Capacity/*/action •Microsoft.Capacity/*/read •Microsoft.Capacity/*/write | ||||
| 582fc458-8989-419f-a480-75249bc5db7e | Reservations Reader | Lets one read all the reservations in a tenant | Management and governance | False |
00013 effective control plane operations (unique) •read: 13 |
Actions: 002 resolved operations: 13 effective operations: 13 •read: 13 •Microsoft.Authorization/roleAssignments/read •Microsoft.Capacity/*/read | ||||
| 36243c78-bf99-498c-9df9-86d9f8d28608 | Resource Policy Contributor | Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy. | Management and governance | False |
07272 effective control plane operations (unique) •action: 16 •delete: 15 •read: 7225 •write: 16 |
Actions: 009 resolved operations: 7272 effective operations: 7272 •action: 16 •delete: 15 •read: 7225 •write: 16 •*/read •Microsoft.Authorization/policyassignments/* •Microsoft.Authorization/policydefinitions/* •Microsoft.Authorization/policyenrollments/* •Microsoft.Authorization/policyexemptions/* •Microsoft.Authorization/policysetdefinitions/* •Microsoft.PolicyInsights/* •Microsoft.Resources/deployments/* •Microsoft.Support/* | ||||
| f58310d9-a9f6-439a-9e8d-f62e7b41a168 | Role Based Access Control Administrator | Manage access to Azure resources by assigning roles using Azure RBAC. This role does not allow you to manage access using other ways, such as Azure Policy. | Privileged | False |
07231 effective control plane operations (unique) •action: 3 •delete: 1 •read: 7225 •write: 2 |
Actions: 004 resolved operations: 7231 effective operations: 7231 •action: 3 •delete: 1 •read: 7225 •write: 2 •*/read •Microsoft.Authorization/roleAssignments/delete •Microsoft.Authorization/roleAssignments/write •Microsoft.Support/* | ||||
| e9b8712a-cbcf-4ea7-b0f7-e71b803401e6 | SaaS Hub Contributor | SaaS Hub contributor can manage SaaS Hub resource | None | False |
00004 effective control plane operations (unique) •delete: 1 •read: 2 •write: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •delete: 1 •read: 2 •write: 1 •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SaaSHub/cloudservices/delete •Microsoft.SaaSHub/cloudservices/read •Microsoft.SaaSHub/cloudservices/write | ||||
| 182a574c-b3c6-4acc-b019-48ae44cd4677 | Savings plan Administrator | Lets you read, manage savings plans and delegate savings plan-related roles | None | True |
00009 effective control plane operations (unique) •action: 1 •delete: 1 •read: 4 •write: 3 |
Actions: 010 resolved operations: 9 effective operations: 9 •action: 1 •delete: 1 •read: 4 •write: 3 •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.Authorization/roleDefinitions/read •Microsoft.BillingBenefits/savingsPlanOrders/*/action •Microsoft.BillingBenefits/savingsPlanOrders/action •Microsoft.BillingBenefits/savingsPlanOrders/read •Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read •Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write •Microsoft.BillingBenefits/savingsPlanOrders/write | ||||
| 28c0d4cd-558d-4de9-91a0-faa18e7b3266 | Savings plan Contributor | Lets you read and manage savings plans but cannot delegate savings plan-related roles | None | False |
00007 effective control plane operations (unique) •action: 1 •read: 4 •write: 2 |
Actions: 008 resolved operations: 7 effective operations: 7 •action: 1 •read: 4 •write: 2 •Microsoft.Authorization/roleAssignments/read •Microsoft.Authorization/roleDefinitions/read •Microsoft.BillingBenefits/savingsPlanOrders/*/action •Microsoft.BillingBenefits/savingsPlanOrders/action •Microsoft.BillingBenefits/savingsPlanOrders/read •Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read •Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/write •Microsoft.BillingBenefits/savingsPlanOrders/write | ||||
| 3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74 | Savings plan Purchaser | Lets you purchase savings plans | Management and governance | False |
00010 effective control plane operations (unique) •action: 2 •read: 6 •write: 2 |
Actions: 010 resolved operations: 10 effective operations: 10 •action: 2 •read: 6 •write: 2 •Microsoft.Authorization/roleAssignments/read •Microsoft.Billing/billingProperty/read •Microsoft.BIllingBenefits/register/action •Microsoft.BillingBenefits/savingsPlanOrders/write •Microsoft.Capacity/catalogs/read •Microsoft.Capacity/register/action •Microsoft.CostManagement/benefitRecommendations/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/supporttickets/write | ||||
| d534ad90-4ac5-4815-a178-b2e47397baab | Savings plan Reader | Lets you read savings plans | None | False |
00003 effective control plane operations (unique) •read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •read: 3 •Microsoft.Authorization/roleAssignments/read •Microsoft.BillingBenefits/savingsPlanOrders/read •Microsoft.BillingBenefits/savingsPlanOrders/savingsPlans/read | ||||
| 6fbca9a8-3561-41fd-8b20-6576043c1076 | Scheduled Actions Contributor | Allows users to use Scheduled Actions offered by Microsoft.ComputeSchedule | None | False |
00070 effective control plane operations (unique) •action: 27 •delete: 3 •read: 37 •write: 3 |
Actions: 026 resolved operations: 70 effective operations: 70 •action: 27 •delete: 3 •read: 37 •write: 3 •Microsoft.Authorization/*/read •Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action •Microsoft.ComputeSchedule/locations/virtualMachinesExecuteCreate/action •Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action •Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDelete/action •Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action •Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action •Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationErrors/action •Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/action •Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action •Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action •Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action •Microsoft.ComputeSchedule/register/action •Microsoft.ComputeSchedule/scheduledActions/attachResources/action •Microsoft.ComputeSchedule/scheduledActions/cancelNextOccurrence/action •Microsoft.ComputeSchedule/scheduledActions/delete •Microsoft.ComputeSchedule/scheduledActions/detachResources/action •Microsoft.ComputeSchedule/scheduledActions/disable/action •Microsoft.ComputeSchedule/scheduledActions/enable/action •Microsoft.ComputeSchedule/scheduledActions/listResources/action •Microsoft.ComputeSchedule/scheduledActions/patchResources/action •Microsoft.ComputeSchedule/scheduledActions/triggerManualOccurrence/action •Microsoft.ComputeSchedule/scheduledActions/write •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| b67fe603-310e-4889-b9ee-8257d09d353d | Scheduled Events Contributor | Provides access to scheduled event actions | None | False |
00004 effective control plane operations (unique) •action: 1 •read: 3 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 1 •read: 3 •Microsoft.Compute/AvailabilitySets/read •Microsoft.Compute/VirtualMachines/read •Microsoft.Compute/VirtualMachineScaleSets/read •Microsoft.Maintenance/scheduledevents/acknowledge/action | ||||
| cd08ab90-6b14-449c-ad9a-8f8e549482c6 | Scheduled Patching Contributor | Provides access to manage maintenance configurations with maintenance scope InGuestPatch and corresponding configuration assignments | Management and governance | False |
00014 effective control plane operations (unique) •delete: 4 •read: 6 •write: 4 |
Actions: 014 resolved operations: 14 effective operations: 14 •delete: 4 •read: 6 •write: 4 •Microsoft.Maintenance/applyUpdates/read •Microsoft.Maintenance/configurationAssignments/delete •Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/delete •Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/read •Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatch/write •Microsoft.Maintenance/configurationAssignments/read •Microsoft.Maintenance/configurationAssignments/write •Microsoft.Maintenance/maintenanceConfigurations/delete •Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/delete •Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/read •Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPatch/write •Microsoft.Maintenance/maintenanceConfigurations/read •Microsoft.Maintenance/maintenanceConfigurations/write •Microsoft.Maintenance/updates/read | ||||
| 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 | Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. | Integration | False |
00059 effective control plane operations (unique) •Action: 10 •Delete: 2 •read: 44 •Write: 3 |
Actions: 007 resolved operations: 59 effective operations: 59 •Action: 10 •Delete: 2 •read: 44 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Scheduler/jobcollections/* •Microsoft.Support/* | ||||
| 5dffeca3-4936-4216-b2bc-10343a5abb25 | Schema Registry Contributor | Read, write, and delete Schema Registry groups and schemas. | Analytics | False |
00006 effective control plane and data plane operations (unique) •delete: 2 •read: 2 •write: 2 |
Actions: 001 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.EventHub/namespaces/schemagroups/* |
DataActions: 001 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.EventHub/namespaces/schemas/* | |||
| 2c56ea50-c6b3-40a6-83c0-9d98858bc7d2 | Schema Registry Reader | Read and list Schema Registry groups and schemas. | Analytics | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.EventHub/namespaces/schemagroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.EventHub/namespaces/schemas/read | |||
| 8ebe5a00-799e-43f5-93ac-243d3dce84a7 | Search Index Data Contributor | Grants full access to Azure Cognitive Search index data. | AI + machine learning | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 001 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Search/searchServices/indexes/documents/* | ||||
| 1407120a-92aa-4202-b7e9-c0e197c71c8f | Search Index Data Reader | Grants read access to Azure Cognitive Search index data. | AI + machine learning | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Search/searchServices/indexes/documents/read | ||||
| a02f7c31-354d-4106-865a-deedf37fa038 | Search Parameter Manager | Role allows user or principal access to $status and $reindex to update search parameters | None | False |
00004 effective data plane operations (unique) •action: 2 •read: 1 •write: 1 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 2 •read: 1 •write: 1 •Microsoft.HealthcareApis/workspaces/fhirservices/resources/read •Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/searchparameter/action •Microsoft.HealthcareApis/workspaces/fhirservices/resources/write | ||||
| 7ca78c08-252a-4471-8644-bb5ff32d4ba0 | Search Service Contributor | Lets you manage Search services, but not access to them. | AI + machine learning | False |
00109 effective control plane operations (unique) •Action: 20 •Delete: 14 •read: 60 •Write: 15 |
Actions: 007 resolved operations: 109 effective operations: 109 •Action: 20 •Delete: 14 •read: 60 •Write: 15 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Search/searchServices/* •Microsoft.Support/* |
count: 004 •Configure Azure AI Search services to disable local authentication •Configure Azure AI Search services to disable public network access •Configure Azure AI Search services with private endpoints •Configure Azure AI Services resources to disable local key access (disable local authentication) | |||
| 5c227a58-cff3-4b51-9fa3-51bdafb6ca55 | Secrets Store Extension Owner | Read, create and modify secretsync and secretproviderclass objects. Register and deregister the provider from the subscription. | None | False |
00059 effective control plane operations (unique) •Action: 9 •Delete: 4 •read: 41 •Write: 5 |
Actions: 015 resolved operations: 59 effective operations: 59 •Action: 9 •Delete: 4 •read: 41 •Write: 5 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SecretSyncController/azureKeyVaultSecretProviderClasses/delete •Microsoft.SecretSyncController/azureKeyVaultSecretProviderClasses/read •Microsoft.SecretSyncController/azureKeyVaultSecretProviderClasses/write •Microsoft.SecretSyncController/locations/operationStatuses/read •Microsoft.SecretSyncController/locations/operationStatuses/write •Microsoft.SecretSyncController/operations/read •Microsoft.SecretSyncController/register/action •Microsoft.SecretSyncController/secretSyncs/delete •Microsoft.SecretSyncController/secretSyncs/read •Microsoft.SecretSyncController/secretSyncs/write •Microsoft.SecretSyncController/unregister/action | ||||
| fb1c8493-542b-48eb-b624-b4c8fea62acd | Security Admin | Security Admin Role | Security | False |
01222 effective control plane operations (unique) •action: 86 •delete: 61 •read: 997 •write: 78 |
Actions: 014 resolved operations: 1222 effective operations: 1222 •action: 86 •delete: 61 •read: 997 •write: 78 •Microsoft.Authorization/*/read •Microsoft.Authorization/policyAssignments/* •Microsoft.Authorization/policyDefinitions/* •Microsoft.Authorization/policyExemptions/* •Microsoft.Authorization/policySetDefinitions/* •Microsoft.Insights/alertRules/* •Microsoft.IoTFirmwareDefense/* •Microsoft.IoTSecurity/* •Microsoft.Management/managementGroups/read •Microsoft.operationalInsights/workspaces/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/* •Microsoft.Support/* |
count: 029 •[Deprecated]: Configure Azure Defender for container registries to be enabled •[Deprecated]: Configure Azure Defender for DNS to be enabled •[Deprecated]: Configure Azure Defender for Kubernetes to be enabled •[Deprecated]: Configure Microsoft Defender for APIs should be enabled •[Deprecated]: Configure Microsoft Defender for Storage (Classic) to be enabled •[Deprecated]: Deploy Defender for Storage (Classic) on storage accounts •Configure Azure Defender for App Service to be enabled •Configure Azure Defender for Azure SQL database to be enabled •Configure Azure Defender for open-source relational databases to be enabled •Configure Azure Defender for Resource Manager to be enabled •Configure Azure Defender for Servers to be disabled for all resources (resource level) •Configure Azure Defender for Servers to be disabled for resources (resource level) with the selected tag •Configure Azure Defender for servers to be enabled •Configure Azure Defender for Servers to be enabled ('P1' subplan) for all resources (resource level) with the selected tag •Configure Azure Defender for Servers to be enabled (with 'P1' subplan) for all resources (resource level) •Configure Azure Defender for SQL servers on machines to be enabled •Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) •Configure machines to receive a vulnerability assessment provider •Configure Microsoft Defender for Azure Cosmos DB to be enabled •Configure Microsoft Defender for Containers to be enabled •Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP) •Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_EXCLUDE_LINUX...) •Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_UNIFIED_SOLUTION) •Configure Microsoft Defender for Key Vault plan •Deploy - Configure suppression rules for Azure Security Center alerts •Deploy Advanced Threat Protection for Cosmos DB Accounts •Enable Microsoft Defender for Cloud on your subscription •Enable threat protection for AI workloads •Setup subscriptions to transition to an alternative vulnerability assessment solution | |||
| 612c2aa1-cb24-443b-ac28-3ab7272de6f5 | Security Assessment Contributor | Lets you push assessments to Security Center | Security | False |
00001 effective control plane operations (unique) •write: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •write: 1 •Microsoft.Security/assessments/write | ||||
| 352470b3-6a9c-4686-b503-35deb827e500 | Security Detonation Chamber Publisher | Allowed to publish and modify platforms, workflows and toolsets to Security Detonation Chamber | None | False |
00014 effective data plane operations (unique) •action: 1 •delete: 3 •read: 7 •write: 3 |
DataActions: 014 resolved data operations: 14 effective data operations: 14 •action: 1 •delete: 3 •read: 7 •write: 3 •Microsoft.SecurityDetonation/chambers/platforms/delete •Microsoft.SecurityDetonation/chambers/platforms/metadata/read •Microsoft.SecurityDetonation/chambers/platforms/read •Microsoft.SecurityDetonation/chambers/platforms/write •Microsoft.SecurityDetonation/chambers/publishRequests/cancel/action •Microsoft.SecurityDetonation/chambers/publishRequests/read •Microsoft.SecurityDetonation/chambers/toolsets/delete •Microsoft.SecurityDetonation/chambers/toolsets/metadata/read •Microsoft.SecurityDetonation/chambers/toolsets/read •Microsoft.SecurityDetonation/chambers/toolsets/write •Microsoft.SecurityDetonation/chambers/workflows/delete •Microsoft.SecurityDetonation/chambers/workflows/metadata/read •Microsoft.SecurityDetonation/chambers/workflows/read •Microsoft.SecurityDetonation/chambers/workflows/write | ||||
| 28241645-39f8-410b-ad48-87863e2951d5 | Security Detonation Chamber Reader | Allowed to query submission info and files from Security Detonation Chamber | None | False |
00002 effective data plane operations (unique) •read: 2 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •read: 2 •Microsoft.SecurityDetonation/chambers/submissions/files/read •Microsoft.SecurityDetonation/chambers/submissions/read | ||||
| a37b566d-3efa-4beb-a2f2-698963fa42ce | Security Detonation Chamber Submission Manager | Allowed to create and manage submissions to Security Detonation Chamber | None | False |
00011 effective data plane operations (unique) •delete: 1 •read: 9 •write: 1 |
DataActions: 011 resolved data operations: 11 effective data operations: 11 •delete: 1 •read: 9 •write: 1 •Microsoft.SecurityDetonation/chambers/platforms/metadata/read •Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read •Microsoft.SecurityDetonation/chambers/submissions/adminview/read •Microsoft.SecurityDetonation/chambers/submissions/analystview/read •Microsoft.SecurityDetonation/chambers/submissions/delete •Microsoft.SecurityDetonation/chambers/submissions/files/read •Microsoft.SecurityDetonation/chambers/submissions/publicview/read •Microsoft.SecurityDetonation/chambers/submissions/read •Microsoft.SecurityDetonation/chambers/submissions/write •Microsoft.SecurityDetonation/chambers/toolsets/metadata/read •Microsoft.SecurityDetonation/chambers/workflows/metadata/read | ||||
| 0b555d9b-b4a7-4f43-b330-627f0e5be8f0 | Security Detonation Chamber Submitter | Allowed to create submissions to Security Detonation Chamber | None | False |
00008 effective data plane operations (unique) •delete: 1 •read: 6 •write: 1 |
DataActions: 008 resolved data operations: 8 effective data operations: 8 •delete: 1 •read: 6 •write: 1 •Microsoft.SecurityDetonation/chambers/platforms/metadata/read •Microsoft.SecurityDetonation/chambers/submissions/accesskeyview/read •Microsoft.SecurityDetonation/chambers/submissions/delete •Microsoft.SecurityDetonation/chambers/submissions/files/read •Microsoft.SecurityDetonation/chambers/submissions/read •Microsoft.SecurityDetonation/chambers/submissions/write •Microsoft.SecurityDetonation/chambers/toolsets/metadata/read •Microsoft.SecurityDetonation/chambers/workflows/metadata/read | ||||
| e3d13bf0-dd5a-482e-ba6b-9b8433878d10 | Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead | Security | False |
00337 effective control plane operations (unique) •Action: 43 •Delete: 39 •read: 199 •write: 56 |
Actions: 010 resolved operations: 337 effective operations: 337 •Action: 43 •Delete: 39 •read: 199 •write: 56 •Microsoft.Authorization/*/read •Microsoft.ClassicCompute/*/read •Microsoft.ClassicCompute/virtualMachines/*/write •Microsoft.ClassicNetwork/*/read •Microsoft.Insights/alertRules/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/* •Microsoft.Support/* | ||||
| 39bc4728-0917-49c7-9d2c-d95423bc2eb4 | Security Reader | Security Reader Role | Security | False |
00985 effective control plane operations (unique) •action: 5 •read: 980 |
Actions: 014 resolved operations: 985 effective operations: 985 •action: 5 •read: 980 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/read •Microsoft.IoTSecurity/*/read •Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action •Microsoft.IoTSecurity/defenderSettings/packageDownloads/action •Microsoft.Management/managementGroups/read •Microsoft.operationalInsights/workspaces/*/read •Microsoft.Resources/deployments/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/*/read •Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action •Microsoft.Security/iotDefenderSettings/packageDownloads/action •Microsoft.Security/iotSensors/downloadResetPassword/action •Microsoft.Support/*/read | ||||
| db7003cd-07a9-490c-bfa5-23e40314f8d7 | Service Connector Contributor | Can Manage Service Connector. | None | False |
00015 effective control plane operations (unique) •action: 5 •delete: 4 •read: 1 •write: 5 |
Actions: 015 resolved operations: 15 effective operations: 15 •action: 5 •delete: 4 •read: 1 •write: 5 •Microsoft.ServiceLinker/dryruns/delete •Microsoft.ServiceLinker/dryruns/write •Microsoft.ServiceLinker/linkers/delete •Microsoft.ServiceLinker/linkers/generateConfigurations/action •Microsoft.ServiceLinker/linkers/listConfigurations/action •Microsoft.ServiceLinker/linkers/read •Microsoft.ServiceLinker/linkers/validateLinker/action •Microsoft.ServiceLinker/linkers/write •Microsoft.ServiceLinker/locations/connectors/delete •Microsoft.ServiceLinker/locations/connectors/generateConfigurations/action •Microsoft.ServiceLinker/locations/connectors/validate/action •Microsoft.ServiceLinker/locations/connectors/write •Microsoft.ServiceLinker/locations/dryruns/delete •Microsoft.ServiceLinker/locations/dryruns/write •Microsoft.ServiceLinker/locations/operationStatuses/write | ||||
| b6efc156-f0da-4e90-a50a-8c000140b017 | Service Fabric Cluster Contributor | Manage your Service Fabric Cluster resources. Includes clusters, application types, application type versions, applications, and services. You will need additional permissions to deploy and manage the cluster's underlying resources such as virtual machine scale sets, storage accounts, networks, etc. |
Containers | False |
00068 effective control plane operations (unique) •Action: 7 •Delete: 7 •read: 47 •Write: 7 |
Actions: 005 resolved operations: 68 effective operations: 68 •Action: 7 •Delete: 7 •read: 47 •Write: 7 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ServiceFabric/clusters/* | ||||
| 83f80186-3729-438c-ad2d-39e94d718838 | Service Fabric Managed Cluster Contributor | Deploy and manage your Service Fabric Managed Cluster resources. Includes managed clusters, node types, application types, application type versions, applications, and services. | Containers | False |
00067 effective control plane operations (unique) •Action: 7 •Delete: 8 •read: 44 •Write: 8 |
Actions: 005 resolved operations: 67 effective operations: 67 •Action: 7 •Delete: 8 •read: 44 •Write: 8 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ServiceFabric/managedclusters/* | ||||
| 4e50c84c-c78e-4e37-b47e-e60ffea0a775 | Service Group Administrator | Role Definition for administrator of a Service Group | None | True |
16834 effective control plane operations (unique) •action: 3840 •delete: 2580 •read: 7225 •write: 3189 |
Actions: 003 resolved operations: 16836 effective operations: 16834 •action: 3840 •delete: 2580 •read: 7225 •write: 3189 •* conditioned •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/write conditioned |
NotActions: 002 resolved not operations: 2 effective not operations: 2 •Microsoft.Authorization/roleAssignments/delete •Microsoft.Authorization/roleAssignments/write | |||
| 32e6a4ec-6095-4e37-b54b-12aa350ba81f | Service Group Contributor | Role Definition for contributor of a Service Group | None | False |
16834 effective control plane operations (unique) •action: 3840 •delete: 2580 •read: 7225 •write: 3189 |
Actions: 001 resolved operations: 16836 effective operations: 16834 •action: 3840 •delete: 2580 •read: 7225 •write: 3189 •* |
NotActions: 002 resolved not operations: 2 effective not operations: 2 •Microsoft.Authorization/roleAssignments/delete •Microsoft.Authorization/roleAssignments/write | |||
| de754d53-652d-4c75-a67f-1e48d8b49c97 | Service Group Reader | Role Definition for reader of a Service Group | None | False |
07225 effective control plane operations (unique) •read: 7225 |
Actions: 002 resolved operations: 7225 effective operations: 7225 •read: 7225 •*/read •Microsoft.Authorization/*/read | ||||
| 32c34659-0f83-4a4c-80f2-63a244f8ae0b | Service Health Billing Reader | Grants permissions to view billing information present in service health events | None | False |
00010 effective control plane operations (unique) •action: 2 •read: 8 |
Actions: 010 resolved operations: 10 effective operations: 10 •action: 2 •read: 8 •Microsoft.ResourceHealth/AvailabilityStatuses/current/read •Microsoft.ResourceHealth/AvailabilityStatuses/read •Microsoft.ResourceHealth/emergingissues/read •Microsoft.ResourceHealth/events/action •Microsoft.ResourceHealth/events/fetchBillingCommunicationDetails/action •Microsoft.ResourceHealth/events/impactedResources/read •Microsoft.ResourceHealth/events/read •Microsoft.ResourceHealth/metadata/read •Microsoft.ResourceHealth/Operations/read •Microsoft.ResourceHealth/potentialoutages/read |
NotActions: 002 resolved not operations: 2 effective not operations: 16826 •Microsoft.ResourceHealth/events/fetchEventDetails/action •Microsoft.ResourceHealth/events/listSecurityAdvisoryImpactedResources/action | |||
| 1a928ab0-1fee-43cf-9266-f9d8c22a8ddb | Service Health Security Reader | Grants permissions to view sensitive security information present in service health events | None | False |
00011 effective control plane operations (unique) •action: 3 •read: 8 |
Actions: 011 resolved operations: 11 effective operations: 11 •action: 3 •read: 8 •Microsoft.ResourceHealth/AvailabilityStatuses/current/read •Microsoft.ResourceHealth/AvailabilityStatuses/read •Microsoft.ResourceHealth/emergingissues/read •Microsoft.ResourceHealth/events/action •Microsoft.ResourceHealth/events/fetchEventDetails/action •Microsoft.ResourceHealth/events/impactedResources/read •Microsoft.ResourceHealth/events/listSecurityAdvisoryImpactedResources/action •Microsoft.ResourceHealth/events/read •Microsoft.ResourceHealth/metadata/read •Microsoft.ResourceHealth/Operations/read •Microsoft.ResourceHealth/potentialoutages/read |
NotActions: 001 resolved not operations: 1 effective not operations: 16825 •Microsoft.ResourceHealth/events/fetchBillingCommunicationDetails/action | |||
| 82200a5b-e217-47a5-b665-6d8765ee745b | Services Hub Operator | Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors. | Integration | False |
00047 effective control plane operations (unique) •action: 5 •delete: 2 •read: 38 •write: 2 |
Actions: 009 resolved operations: 47 effective operations: 47 •action: 5 •delete: 2 •read: 38 •write: 2 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action •Microsoft.ServicesHub/connectors/delete •Microsoft.ServicesHub/connectors/read •Microsoft.ServicesHub/connectors/write •Microsoft.ServicesHub/supportOfferingEntitlement/read •Microsoft.ServicesHub/workspaces/read | ||||
| 04165923-9d83-45d5-8227-78b77b0a687e | SignalR AccessKey Reader | Read SignalR Service Access Keys | Web and Mobile | False |
00098 effective control plane operations (unique) •action: 4 •read: 93 •write: 1 |
Actions: 005 resolved operations: 98 effective operations: 98 •action: 4 •read: 93 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SignalRService/*/read •Microsoft.SignalRService/SignalR/listkeys/action •Microsoft.Support/* | ||||
| 420fcaa2-552c-430f-98ca-3264be4806c7 | SignalR App Server | Lets your app server access SignalR Service with AAD auth options. | Web and Mobile | False |
00003 effective data plane operations (unique) •action: 1 •write: 2 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •action: 1 •write: 2 •Microsoft.SignalRService/SignalR/auth/accessKey/action •Microsoft.SignalRService/SignalR/clientConnection/write •Microsoft.SignalRService/SignalR/serverConnection/write | ||||
| fd53cd77-2268-407a-8f46-7e7863d0f521 | SignalR REST API Owner | Full access to Azure SignalR Service REST APIs | Web and Mobile | False |
00014 effective data plane operations (unique) •action: 7 •read: 3 •write: 4 |
DataActions: 005 resolved data operations: 14 effective data operations: 14 •action: 7 •read: 3 •write: 4 •Microsoft.SignalRService/SignalR/auth/clientToken/action •Microsoft.SignalRService/SignalR/clientConnection/* •Microsoft.SignalRService/SignalR/group/* •Microsoft.SignalRService/SignalR/hub/* •Microsoft.SignalRService/SignalR/user/* | ||||
| ddde6b66-c0df-4114-a159-3618637b3035 | SignalR REST API Reader | Read-only access to Azure SignalR Service REST APIs | Web and Mobile | False |
00003 effective data plane operations (unique) •read: 3 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •read: 3 •Microsoft.SignalRService/SignalR/clientConnection/read •Microsoft.SignalRService/SignalR/group/read •Microsoft.SignalRService/SignalR/user/read | ||||
| 7e4f1700-ea5a-4f59-8f37-079cfe29dce3 | SignalR Service Owner | Full access to Azure SignalR Service REST APIs | Web and Mobile | False |
00019 effective data plane operations (unique) •action: 9 •read: 4 •write: 6 |
DataActions: 001 resolved data operations: 19 effective data operations: 19 •action: 9 •read: 4 •write: 6 •Microsoft.SignalRService/SignalR/* | ||||
| 8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761 | SignalR/Web PubSub Contributor | Create, Read, Update, and Delete SignalR service resources | Web and Mobile | False |
00168 effective control plane operations (unique) •Action: 27 •Delete: 18 •read: 98 •Write: 25 |
Actions: 006 resolved operations: 168 effective operations: 168 •Action: 27 •Delete: 18 •read: 98 •Write: 25 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SignalRService/* •Microsoft.Support/* |
count: 006 •Configure Azure SignalR Service to disable local authentication •Configure Azure Web PubSub Service to disable local authentication •Configure Azure Web PubSub Service to disable public network access •Configure Azure Web PubSub Service with private endpoints •Configure private endpoints to Azure SignalR Service •Modify Azure SignalR Service resources to disable public network access | |||
| 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 | Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment | Management and governance | False |
00193 effective control plane operations (unique) •Action: 64 •Delete: 15 •read: 94 •Write: 20 |
Actions: 029 resolved operations: 193 effective operations: 193 •Action: 64 •Delete: 15 •read: 94 •Write: 20 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/locations/allocateStamp/action •Microsoft.RecoveryServices/Vaults/certificates/write •Microsoft.RecoveryServices/Vaults/extendedInformation/* •Microsoft.RecoveryServices/Vaults/monitoringAlerts/* •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/refreshContainers/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/* •Microsoft.RecoveryServices/vaults/replicationAlertSettings/* •Microsoft.RecoveryServices/vaults/replicationEvents/read •Microsoft.RecoveryServices/vaults/replicationFabrics/* •Microsoft.RecoveryServices/vaults/replicationJobs/* •Microsoft.RecoveryServices/vaults/replicationOperationStatus/read •Microsoft.RecoveryServices/vaults/replicationPolicies/* •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/* •Microsoft.RecoveryServices/vaults/replicationVaultSettings/* •Microsoft.RecoveryServices/Vaults/storageConfig/* •Microsoft.RecoveryServices/Vaults/tokenInfo/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/vaultTokens/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* |
count: 001 •[Preview]: Configure private endpoints on Azure Recovery Services vaults | |||
| 494ae006-db33-4328-bf46-533a6560a3ca | Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations | Management and governance | False |
00117 effective control plane operations (unique) •Action: 34 •Delete: 2 •read: 77 •Write: 4 |
Actions: 059 resolved operations: 117 effective operations: 117 •Action: 34 •Delete: 2 •read: 77 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/locations/allocateStamp/action •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/* •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/refreshContainers/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/vaults/replicationAlertSettings/read •Microsoft.RecoveryServices/vaults/replicationEvents/read •Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action •Microsoft.RecoveryServices/vaults/replicationFabrics/read •Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action •Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/switchprotection/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read •Microsoft.RecoveryServices/vaults/replicationJobs/* •Microsoft.RecoveryServices/vaults/replicationPolicies/read •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action •Microsoft.RecoveryServices/vaults/replicationVaultSettings/read •Microsoft.RecoveryServices/Vaults/storageConfig/read •Microsoft.RecoveryServices/Vaults/tokenInfo/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/vaultTokens/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* | ||||
| dbaa88c4-0c30-4179-9fb3-46319faa6149 | Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations | Management and governance | False |
00071 effective control plane operations (unique) •action: 3 •read: 67 •write: 1 |
Actions: 032 resolved operations: 71 effective operations: 71 •action: 3 •read: 67 •write: 1 •Microsoft.Authorization/*/read •Microsoft.RecoveryServices/locations/allocatedStamp/read •Microsoft.RecoveryServices/Vaults/extendedInformation/read •Microsoft.RecoveryServices/Vaults/monitoringAlerts/read •Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/refreshContainers/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read •Microsoft.RecoveryServices/Vaults/registeredIdentities/read •Microsoft.RecoveryServices/vaults/replicationAlertSettings/read •Microsoft.RecoveryServices/vaults/replicationEvents/read •Microsoft.RecoveryServices/vaults/replicationFabrics/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read •Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read •Microsoft.RecoveryServices/vaults/replicationJobs/read •Microsoft.RecoveryServices/vaults/replicationPolicies/read •Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read •Microsoft.RecoveryServices/vaults/replicationVaultSettings/read •Microsoft.RecoveryServices/Vaults/storageConfig/read •Microsoft.RecoveryServices/Vaults/tokenInfo/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/vaultTokens/read •Microsoft.Support/* | ||||
| 8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827 | Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them | None | False |
00006 effective data plane operations (unique) •action: 1 •read: 4 •write: 1 |
DataActions: 006 resolved data operations: 6 effective data operations: 6 •action: 1 •read: 4 •write: 1 •Microsoft.MixedReality/SpatialAnchorsAccounts/create/action •Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read •Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read •Microsoft.MixedReality/SpatialAnchorsAccounts/query/read •Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read •Microsoft.MixedReality/SpatialAnchorsAccounts/write | ||||
| 70bbe301-9835-447d-afdd-19eb3167307c | Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them | None | False |
00007 effective data plane operations (unique) •action: 1 •delete: 1 •read: 4 •write: 1 |
DataActions: 007 resolved data operations: 7 effective data operations: 7 •action: 1 •delete: 1 •read: 4 •write: 1 •Microsoft.MixedReality/SpatialAnchorsAccounts/create/action •Microsoft.MixedReality/SpatialAnchorsAccounts/delete •Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read •Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read •Microsoft.MixedReality/SpatialAnchorsAccounts/query/read •Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read •Microsoft.MixedReality/SpatialAnchorsAccounts/write | ||||
| 5d51204f-eb77-4b1c-b86a-2ec626c49413 | Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account | None | False |
00004 effective data plane operations (unique) •read: 4 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •read: 4 •Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read •Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read •Microsoft.MixedReality/SpatialAnchorsAccounts/query/read •Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read | ||||
| e9c9ed2b-2a99-4071-b2ff-5b113ebf73a1 | SpatialMapsAccounts Account Owner | Lets you manage data in your account, including deleting them | None | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.MixedReality/spatialMapsAccounts/delete •Microsoft.MixedReality/spatialMapsAccounts/read •Microsoft.MixedReality/spatialMapsAccounts/write | ||||
| 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec | SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. | Databases | False |
00293 effective control plane operations (unique) •Action: 31 •Delete: 10 •read: 228 •Write: 24 |
Actions: 011 resolved operations: 330 effective operations: 293 •Action: 31 •Delete: 10 •read: 228 •Write: 24 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metricDefinitions/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Sql/locations/*/read •Microsoft.Sql/servers/databases/* •Microsoft.Sql/servers/read •Microsoft.Support/* |
NotActions: 024 resolved not operations: 66 effective not operations: 16543 •Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* •Microsoft.Sql/managedInstances/securityAlertPolicies/* •Microsoft.Sql/managedInstances/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/auditingSettings/* •Microsoft.Sql/servers/databases/auditRecords/read •Microsoft.Sql/servers/databases/currentSensitivityLabels/* •Microsoft.Sql/servers/databases/dataMaskingPolicies/* •Microsoft.Sql/servers/databases/extendedAuditingSettings/* •Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action •Microsoft.Sql/servers/databases/ledgerDigestUploads/write •Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/servers/databases/securityAlertPolicies/* •Microsoft.Sql/servers/databases/securityMetrics/* •Microsoft.Sql/servers/databases/sensitivityLabels/* •Microsoft.Sql/servers/databases/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* •Microsoft.Sql/servers/vulnerabilityAssessments/* |
count: 001 •Deploy SQL DB transparent data encryption | ||
| 4939a1f6-9ae0-4e48-a1e0-f2cbe897382d | SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can't give access to others. | Databases | False |
00398 effective control plane operations (unique) •Action: 64 •Delete: 31 •read: 254 •Write: 49 |
Actions: 015 resolved operations: 400 effective operations: 398 •Action: 64 •Delete: 31 •read: 254 •Write: 49 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metricDefinitions/read •Microsoft.Insights/metrics/read •Microsoft.Network/networkSecurityGroups/* •Microsoft.Network/routeTables/* •Microsoft.Network/virtualNetworks/* •Microsoft.Network/virtualNetworks/subnets/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Sql/locations/*/read •Microsoft.Sql/locations/instanceFailoverGroups/* •Microsoft.Sql/managedInstances/* •Microsoft.Support/* |
NotActions: 002 resolved not operations: 2 effective not operations: 16438 •Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete •Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | |||
| 056cd41c-7e88-42e1-933e-88ba6a50c9c3 | SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. | Databases | False |
00200 effective control plane operations (unique) •Action: 24 •Delete: 18 •read: 115 •Write: 43 |
Actions: 073 resolved operations: 200 effective operations: 200 •Action: 24 •Delete: 18 •read: 115 •Write: 43 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Security/sqlVulnerabilityAssessments/* •Microsoft.Sql/locations/administratorAzureAsyncOperation/read •Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read •Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read •Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read •Microsoft.Sql/managedInstances/administrators/read •Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read •Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read •Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write •Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write •Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* •Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read •Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read •Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write •Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write •Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* •Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* •Microsoft.Sql/managedInstances/read •Microsoft.Sql/managedInstances/securityAlertPolicies/* •Microsoft.Sql/managedInstances/serverConfigurationOptions/read •Microsoft.Sql/managedInstances/serverConfigurationOptions/write •Microsoft.Sql/managedInstances/vulnerabilityAssessments/* •Microsoft.Sql/servers/administrators/read •Microsoft.Sql/servers/advancedThreatProtectionSettings/read •Microsoft.Sql/servers/advancedThreatProtectionSettings/read •Microsoft.Sql/servers/advancedThreatProtectionSettings/write •Microsoft.Sql/servers/advancedThreatProtectionSettings/write •Microsoft.Sql/servers/auditingSettings/* •Microsoft.Sql/servers/azureADOnlyAuthentications/* •Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read •Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read •Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write •Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write •Microsoft.Sql/servers/databases/auditingSettings/* •Microsoft.Sql/servers/databases/auditRecords/read •Microsoft.Sql/servers/databases/currentSensitivityLabels/* •Microsoft.Sql/servers/databases/dataMaskingPolicies/* •Microsoft.Sql/servers/databases/extendedAuditingSettings/read •Microsoft.Sql/servers/databases/ledgerDigestUploads/* •Microsoft.Sql/servers/databases/read •Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/read •Microsoft.Sql/servers/databases/schemas/tables/columns/read •Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/tables/read •Microsoft.Sql/servers/databases/securityAlertPolicies/* •Microsoft.Sql/servers/databases/securityMetrics/* •Microsoft.Sql/servers/databases/sensitivityLabels/* •Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/* •Microsoft.Sql/servers/databases/transparentDataEncryption/* •Microsoft.Sql/servers/databases/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* •Microsoft.Sql/servers/devOpsAuditingSettings/* •Microsoft.Sql/servers/extendedAuditingSettings/read •Microsoft.Sql/servers/externalPolicyBasedAuthorizations/* •Microsoft.Sql/servers/firewallRules/* •Microsoft.Sql/servers/read •Microsoft.Sql/servers/securityAlertPolicies/* •Microsoft.Sql/servers/sqlvulnerabilityAssessments/* •Microsoft.Sql/servers/vulnerabilityAssessments/* •Microsoft.Support/* |
count: 008 •Configure Azure Defender to be enabled on SQL managed instances •Configure Azure Defender to be enabled on SQL servers •Configure Azure SQL database servers diagnostic settings to Log Analytics workspace •Configure Microsoft Defender for SQL to be enabled on Synapse workspaces •Configure SQL servers to have auditing enabled •Configure SQL servers to have auditing enabled to Log Analytics workspace •Configure Synapse workspaces to have auditing enabled •Deploy Advanced Data Security on SQL servers | |||
| 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 | SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security -related policies. | Databases | False |
00444 effective control plane operations (unique) •Action: 51 •Delete: 34 •read: 298 •Write: 61 |
Actions: 010 resolved operations: 496 effective operations: 444 •Action: 51 •Delete: 34 •read: 298 •Write: 61 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/metricDefinitions/read •Microsoft.Insights/metrics/read •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Sql/locations/*/read •Microsoft.Sql/servers/* •Microsoft.Support/* |
NotActions: 030 resolved not operations: 78 effective not operations: 16392 •Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* •Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* •Microsoft.Sql/managedInstances/databases/sensitivityLabels/* •Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* •Microsoft.Sql/managedInstances/securityAlertPolicies/* •Microsoft.Sql/managedInstances/vulnerabilityAssessments/* •Microsoft.Sql/servers/auditingSettings/* •Microsoft.Sql/servers/azureADOnlyAuthentications/delete •Microsoft.Sql/servers/azureADOnlyAuthentications/write •Microsoft.Sql/servers/databases/auditingSettings/* •Microsoft.Sql/servers/databases/auditRecords/read •Microsoft.Sql/servers/databases/currentSensitivityLabels/* •Microsoft.Sql/servers/databases/dataMaskingPolicies/* •Microsoft.Sql/servers/databases/extendedAuditingSettings/* •Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* •Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* •Microsoft.Sql/servers/databases/securityAlertPolicies/* •Microsoft.Sql/servers/databases/securityMetrics/* •Microsoft.Sql/servers/databases/sensitivityLabels/* •Microsoft.Sql/servers/databases/vulnerabilityAssessments/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* •Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* •Microsoft.Sql/servers/devOpsAuditingSettings/* •Microsoft.Sql/servers/extendedAuditingSettings/* •Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete •Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write •Microsoft.Sql/servers/securityAlertPolicies/* •Microsoft.Sql/servers/vulnerabilityAssessments/* | |||
| 189207d4-bb67-4208-a635-b06afe8b2c57 | SqlDb Migration Role | Role for SqlDb migration | None | False |
00024 effective control plane operations (unique) •action: 7 •delete: 3 •read: 10 •write: 4 |
Actions: 024 resolved operations: 24 effective operations: 24 •action: 7 •delete: 3 •read: 10 •write: 4 •Microsoft.DataMigration/databaseMigrations/cancel/action •Microsoft.DataMigration/databaseMigrations/cutover/action •Microsoft.DataMigration/databaseMigrations/delete •Microsoft.DataMigration/databaseMigrations/read •Microsoft.DataMigration/databaseMigrations/write •Microsoft.DataMigration/locations/operationResults/read •Microsoft.DataMigration/locations/operationStatuses/read •Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read •Microsoft.DataMigration/operations/read •Microsoft.DataMigration/register/action •Microsoft.DataMigration/sqlMigrationServices/delete •Microsoft.DataMigration/sqlMigrationServices/deleteNode/action •Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/listMigrations/read •Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action •Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read •Microsoft.DataMigration/sqlMigrationServices/read •Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/write •Microsoft.Sql/servers/databases/delete •Microsoft.Sql/servers/databases/read •Microsoft.Sql/servers/databases/write •Microsoft.Sql/servers/read •Microsoft.Sql/servers/write | ||||
| 1d335eef-eee1-47fe-a9e0-53214eba8872 | SqlMI Migration Role | Role for SqlMI migration | None | False |
00030 effective control plane operations (unique) •action: 8 •delete: 3 •read: 14 •write: 5 |
Actions: 030 resolved operations: 30 effective operations: 30 •action: 8 •delete: 3 •read: 14 •write: 5 •Microsoft.DataMigration/databaseMigrations/cancel/action •Microsoft.DataMigration/databaseMigrations/cutover/action •Microsoft.DataMigration/databaseMigrations/delete •Microsoft.DataMigration/databaseMigrations/read •Microsoft.DataMigration/databaseMigrations/write •Microsoft.DataMigration/locations/operationResults/read •Microsoft.DataMigration/locations/operationStatuses/read •Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read •Microsoft.DataMigration/operations/read •Microsoft.DataMigration/register/action •Microsoft.DataMigration/sqlMigrationServices/delete •Microsoft.DataMigration/sqlMigrationServices/deleteNode/action •Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/listMigrations/read •Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action •Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read •Microsoft.DataMigration/sqlMigrationServices/read •Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/write •Microsoft.Sql/managedInstances/databases/delete •Microsoft.Sql/managedInstances/databases/read •Microsoft.Sql/managedInstances/databases/write •Microsoft.Sql/managedInstances/metrics/read •Microsoft.Sql/managedInstances/read •Microsoft.Sql/managedInstances/write •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/write •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/read | ||||
| ae8036db-e102-405b-a1b9-bae082ea436d | SqlVM Migration Role | Role for SqlVM migration | None | False |
00026 effective control plane operations (unique) •action: 8 •delete: 2 •read: 12 •write: 4 |
Actions: 026 resolved operations: 26 effective operations: 26 •action: 8 •delete: 2 •read: 12 •write: 4 •Microsoft.DataMigration/databaseMigrations/cancel/action •Microsoft.DataMigration/databaseMigrations/cutover/action •Microsoft.DataMigration/databaseMigrations/delete •Microsoft.DataMigration/databaseMigrations/read •Microsoft.DataMigration/databaseMigrations/write •Microsoft.DataMigration/locations/operationResults/read •Microsoft.DataMigration/locations/operationStatuses/read •Microsoft.DataMigration/locations/sqlMigrationServiceOperationResults/read •Microsoft.DataMigration/operations/read •Microsoft.DataMigration/register/action •Microsoft.DataMigration/sqlMigrationServices/delete •Microsoft.DataMigration/sqlMigrationServices/deleteNode/action •Microsoft.DataMigration/sqlMigrationServices/listAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/listMigrations/read •Microsoft.DataMigration/sqlMigrationServices/listMonitoringData/action •Microsoft.DataMigration/sqlMigrationServices/MonitoringData/read •Microsoft.DataMigration/sqlMigrationServices/read •Microsoft.DataMigration/sqlMigrationServices/regenerateAuthKeys/action •Microsoft.DataMigration/sqlMigrationServices/write •Microsoft.SqlVirtualMachine/sqlVirtualMachines/read •Microsoft.SqlVirtualMachine/sqlVirtualMachines/write •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/write •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/read | ||||
| fc6e3395-6a8c-4527-bb4c-d0abd41e8e74 | SSH PublicKeys Contributor Role | This is the role created for SSH PublicKeys Contributor | None | False |
00004 effective control plane operations (unique) •action: 1 •delete: 1 •read: 1 •write: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 1 •delete: 1 •read: 1 •write: 1 •Microsoft.Compute/sshpublickeys/delete •Microsoft.Compute/sshpublickeys/generatekeypair/action •Microsoft.Compute/sshpublickeys/read •Microsoft.Compute/sshpublickeys/write | ||||
| 31ef6312-5b0c-4ce9-8c5d-587a91344fe7 | SSH PublicKeys Reader Role | This is the role created for SSH PublicKeys Reader | None | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Compute/sshpublickeys/read | ||||
| 39fcb0de-8844-4706-b050-c28ddbe3ff83 | Standby Container Group Pool Contributor | Allows users to manage standby container group pool resources. | None | False |
00056 effective control plane operations (unique) •Action: 7 •Delete: 3 •read: 43 •Write: 3 |
Actions: 012 resolved operations: 56 effective operations: 56 •Action: 7 •Delete: 3 •read: 43 •Write: 3 •Microsoft.Authorization/*/read •Microsoft.ContainerInstance/containerGroupProfiles/read •Microsoft.ContainerInstance/containerGroupProfiles/revisions/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.StandbyPool/Locations/OperationStatuses/read •Microsoft.StandbyPool/Operations/read •Microsoft.StandbyPool/standbyContainerGroupPools/delete •Microsoft.StandbyPool/standbyContainerGroupPools/read •Microsoft.StandbyPool/standbyContainerGroupPools/runtimeViews/read •Microsoft.StandbyPool/standbyContainerGroupPools/write | ||||
| e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1 | Storage Account Backup Contributor | Lets you perform backup and restore operations using Azure Backup on the storage account. | Storage | False |
00047 effective control plane operations (unique) •action: 1 •delete: 2 •read: 39 •write: 5 |
Actions: 018 resolved operations: 47 effective operations: 47 •action: 1 •delete: 2 •read: 39 •write: 5 •Microsoft.Authorization/*/read •Microsoft.Authorization/locks/delete •Microsoft.Authorization/locks/read •Microsoft.Authorization/locks/write •Microsoft.Features/features/read •Microsoft.Features/providers/features/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/operations/read •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/blobServices/read •Microsoft.Storage/storageAccounts/blobServices/write •Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete •Microsoft.Storage/storageAccounts/objectReplicationPolicies/read •Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write •Microsoft.Storage/storageAccounts/objectReplicationPolicies/write •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/restoreBlobRanges/action | ||||
| 17d1049b-9a84-46fb-8f53-869881c3d3ab | Storage Account Contributor | Lets you manage storage accounts, including accessing storage account keys which provide full access to storage account data. | Storage | False |
00198 effective control plane operations (unique) •Action: 52 •Delete: 20 •read: 90 •Write: 36 |
Actions: 009 resolved operations: 198 effective operations: 198 •Action: 52 •Delete: 20 •read: 90 •Write: 36 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/diagnosticSettings/* •Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/storageAccounts/* •Microsoft.Support/* |
count: 014 •[Preview]: Configure backup for Azure Files Shares with a given tag to a new recovery services vault with a new policy •[Preview]: Configure backup for Azure Files Shares with a given tag to an existing recovery services vault in the same location •[Preview]: Configure backup for Azure Files Shares without a given tag to a new recovery services vault with a new policy •[Preview]: Configure backup for Azure Files Shares without a given tag to an existing recovery services vault in the same location •Configure secure transfer of data on a storage account •Configure SQL servers to have auditing enabled •Configure Storage account to use a private link connection •Configure storage accounts to disable public network access •Configure Storage Accounts to restrict network access through network ACL bypass configuration only. •Configure Synapse workspaces to have auditing enabled •Configure your Storage account public access to be disallowed •Deploy Advanced Data Security on SQL servers •Deploy Diagnostic Settings for Network Security Groups •Modify - Configure your Storage account to enable blob versioning | |||
| a316ed6d-1efe-48ac-ac08-f7995a9c26fb | Storage Account Encryption Scope Contributor Role | Allows management of Encryption Scopes on a Storage Account | None | False |
00002 effective control plane operations (unique) •read: 1 •write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/encryptionScopes/read •Microsoft.Storage/storageAccounts/encryptionScopes/write | ||||
| 81a9662b-bebf-436f-a333-f67b29880f12 | Storage Account Key Operator Service Role | Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts | Storage | False |
00002 effective control plane operations (unique) •action: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 2 •Microsoft.Storage/storageAccounts/listkeys/action •Microsoft.Storage/storageAccounts/regeneratekey/action | ||||
| ba92f5b4-2d11-453d-a403-e96b0029c9fe | Storage Blob Data Contributor | Allows for read, write and delete access to Azure Storage blob containers and data | Storage | False |
00009 effective control plane and data plane operations (unique) •action: 3 •delete: 2 •read: 2 •write: 2 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 1 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/delete •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action |
DataActions: 005 resolved data operations: 5 effective data operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| b7e6dc6d-f1e8-4753-8033-0f276bb0955b | Storage Blob Data Owner | Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control. | Storage | False |
00029 effective control plane and data plane operations (unique) •action: 18 •delete: 3 •read: 4 •write: 4 |
Actions: 002 resolved operations: 15 effective operations: 15 •action: 9 •delete: 2 •read: 2 •write: 2 •Microsoft.Storage/storageAccounts/blobServices/containers/* •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action |
DataActions: 001 resolved data operations: 14 effective data operations: 14 •action: 9 •delete: 1 •read: 2 •write: 2 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/* | |||
| 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 | Storage Blob Data Reader | Allows for read access to Azure Storage blob containers and data | Storage | False |
00003 effective control plane and data plane operations (unique) •action: 1 •read: 2 |
Actions: 002 resolved operations: 2 effective operations: 2 •action: 1 •read: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | |||
| db58b8e5-c6ad-4a2a-8342-4190687cbf4a | Storage Blob Delegator | Allows for generation of a user delegation key which can be used to sign SAS tokens | Storage | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action | ||||
| 69566ab7-960f-475b-8e7c-b3118f30c6bd | Storage File Data Privileged Contributor | Customer has read, write, delete and modify NTFS permission access on Azure Storage file shares. | Storage | False |
00006 effective data plane operations (unique) •action: 3 •delete: 1 •read: 1 •write: 1 |
DataActions: 006 resolved data operations: 6 effective data operations: 6 •action: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write •Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action •Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action | ||||
| b8eda974-7b85-4f76-af95-65846b26df6d | Storage File Data Privileged Reader | Customer has read access on Azure Storage file shares. | Storage | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read •Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/action | ||||
| 0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb | Storage File Data SMB Share Contributor | Allows for read, write, and delete access in Azure Storage file shares over SMB | Storage | False |
00003 effective data plane operations (unique) •delete: 1 •read: 1 •write: 1 |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | ||||
| a7264617-510b-434b-a828-9731dc254ea7 | Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB | Storage | False |
00004 effective data plane operations (unique) •action: 1 •delete: 1 •read: 1 •write: 1 |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 1 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write | ||||
| aba4ae5f-2193-4029-9191-0cb91df5e314 | Storage File Data SMB Share Reader | Allows for read access to Azure File Share over SMB | Storage | False |
00001 effective data plane operations (unique) •read: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read | ||||
| 765a04e0-5de8-4bb2-9bf6-b2a30bc03e91 | Storage File Delegator | Allows for generation of a user delegation key, which can then be used to create a shared access signature for a file or Azure file share that is signed with Entra ID credentials. | None | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.Storage/storageAccounts/fileServices/generateUserDelegationKey/action | ||||
| 974c5e8b-45b9-4653-ba55-5f855dd0fb88 | Storage Queue Data Contributor | Allows for read, write, and delete access to Azure Storage queues and queue messages | Storage | False |
00007 effective control plane and data plane operations (unique) •action: 1 •delete: 2 •read: 2 •write: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/delete •Microsoft.Storage/storageAccounts/queueServices/queues/read •Microsoft.Storage/storageAccounts/queueServices/queues/write |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 1 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete •Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action •Microsoft.Storage/storageAccounts/queueServices/queues/messages/read •Microsoft.Storage/storageAccounts/queueServices/queues/messages/write | |||
| 8a0f0c08-91a1-4084-bc3d-661d67233fed | Storage Queue Data Message Processor | Allows for peek, receive, and delete access to Azure Storage queue messages | Storage | False |
00002 effective data plane operations (unique) •action: 1 •read: 1 |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 1 •read: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action •Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | ||||
| c6a89b2d-59bc-44d0-9896-0f6e12d7b80a | Storage Queue Data Message Sender | Allows for sending of Azure Storage queue messages | Storage | False |
00001 effective data plane operations (unique) •action: 1 |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action | ||||
| 19e7f393-937e-4f77-808e-94535e297925 | Storage Queue Data Reader | Allows for read access to Azure Storage queues and queue messages | Storage | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/queueServices/queues/messages/read | |||
| 7ee386e9-84f0-448e-80a6-f185f6533131 | Storage Queue Delegator | Allows for generation of a user delegation key, which can then be used to create a shared access signature for an Azure Storage queue that is signed with Entra ID credentials. | None | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.Storage/storageAccounts/queueServices/generateUserDelegationKey/action | ||||
| 0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3 | Storage Table Data Contributor | Allows for read, write and delete access to Azure Storage tables and entities | Storage | False |
00008 effective control plane and data plane operations (unique) •action: 2 •delete: 2 •read: 2 •write: 2 |
Actions: 003 resolved operations: 3 effective operations: 3 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/tableServices/tables/delete •Microsoft.Storage/storageAccounts/tableServices/tables/read •Microsoft.Storage/storageAccounts/tableServices/tables/write |
DataActions: 005 resolved data operations: 5 effective data operations: 5 •action: 2 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action •Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete •Microsoft.Storage/storageAccounts/tableServices/tables/entities/read •Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action •Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | |||
| 76199698-9eea-4c19-bc75-cec21354c6b6 | Storage Table Data Reader | Allows for read access to Azure Storage tables and entities | Storage | False |
00002 effective control plane and data plane operations (unique) •read: 2 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/tableServices/tables/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •read: 1 •Microsoft.Storage/storageAccounts/tableServices/tables/entities/read | |||
| 965033a5-c8eb-4f35-b82f-fef460a3606d | Storage Table Delegator | Allows for generation of a user delegation key, which can then be used to create a shared access signature for an Azure Storage table that is signed with Entra ID credentials. | None | False |
00001 effective control plane operations (unique) •action: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •action: 1 •Microsoft.Storage/storageAccounts/tableServices/generateUserDelegationKey/action | ||||
| 6e0c8711-85a0-4490-8365-8ec13c4560b4 | Stream Analytics Contributor | Contributor access to Clusters and Streaming Jobs | None | False |
00104 effective control plane operations (unique) •Action: 27 •Delete: 9 •read: 58 •Write: 10 |
Actions: 005 resolved operations: 104 effective operations: 104 •Action: 27 •Delete: 9 •read: 58 •Write: 10 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.StreamAnalytics/* | ||||
| 1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf | Stream Analytics Query Tester | Lets you perform query testing without creating a stream analytics job first | Analytics | False |
00004 effective control plane operations (unique) •action: 3 •Read: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 3 •Read: 1 •Microsoft.StreamAnalytics/locations/CompileQuery/action •Microsoft.StreamAnalytics/locations/OperationResults/read •Microsoft.StreamAnalytics/locations/SampleInput/action •Microsoft.StreamAnalytics/locations/TestQuery/action | ||||
| 1dfc38e8-6ce7-447f-807c-029c65262c5f | Stream Analytics Reader | Read-only access to Clusters and Streaming Jobs | None | False |
00054 effective control plane operations (unique) •action: 1 •read: 53 |
Actions: 009 resolved operations: 54 effective operations: 54 •action: 1 •read: 53 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.StreamAnalytics/clusters/*/Read •Microsoft.StreamAnalytics/clusters/ListStreamingJobs/action •Microsoft.StreamAnalytics/clusters/Read •Microsoft.StreamAnalytics/locations/*/Read •Microsoft.StreamAnalytics/operations/Read •Microsoft.StreamAnalytics/streamingjobs/*/Read •Microsoft.StreamAnalytics/streamingjobs/Read | ||||
| cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e | Support Request Contributor | Lets you create and manage Support requests | Management and governance | False |
00042 effective control plane operations (unique) •action: 3 •read: 38 •write: 1 |
Actions: 003 resolved operations: 42 effective operations: 42 •action: 3 •read: 38 •write: 1 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 4a9ae827-6dc8-4573-8ac7-8239d42aa03f | Tag Contributor | Lets you manage tags on entities, without providing access to the entities themselves. | Management and governance | False |
00063 effective control plane operations (unique) •Action: 10 •Delete: 3 •read: 46 •Write: 4 |
Actions: 008 resolved operations: 63 effective operations: 63 •Action: 10 •Delete: 3 •read: 46 •Write: 4 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/subscriptions/resourceGroups/resources/read •Microsoft.Resources/subscriptions/resources/read •Microsoft.Resources/tags/* •Microsoft.Support/* |
count: 002 •Add a tag to subscriptions •Add or replace a tag on subscriptions | |||
| 1c9b6475-caf0-4164-b5a1-2142a7116f4b | Template Spec Contributor | Allows full access to Template Spec operations at the assigned scope. | Management and governance | False |
00047 effective control plane operations (unique) •action: 4 •delete: 3 •read: 37 •write: 3 |
Actions: 004 resolved operations: 47 effective operations: 47 •action: 4 •delete: 3 •read: 37 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Resources/templateSpecs/* | ||||
| 392ae280-861d-42bd-9ea5-08ee6d83b80e | Template Spec Reader | Allows read access to Template Specs at the assigned scope. | Management and governance | False |
00001 effective control plane operations (unique) •read: 1 |
Actions: 001 resolved operations: 1 effective operations: 1 •read: 1 •Microsoft.Resources/templateSpecs/*/read | ||||
| 15e0f5a1-3450-4248-8e25-e2afe88a9e85 | Test Base Reader | Let you view and download packages and test results. | None | False |
00005 effective control plane operations (unique) •action: 3 •delete: 1 •write: 1 |
Actions: 006 resolved operations: 5 effective operations: 5 •action: 3 •delete: 1 •write: 1 •Microsoft.TestBase/*/read •Microsoft.TestBase/testBaseAccounts/customerEvents/delete •Microsoft.TestBase/testBaseAccounts/customerEvents/write •Microsoft.TestBase/testBaseAccounts/packages/getDownloadUrl/action •Microsoft.TestBase/testBaseAccounts/packages/testResults/getDownloadUrl/action •Microsoft.TestBase/testBaseAccounts/packages/testResults/getVideoDownloadUrl/action | ||||
| 2ccf8795-8983-4912-8036-1c45212c95e8 | ToolchainOrchestrator Admin Role | Grant full access to manage all Toolchain orchestrator resources. | None | False |
00053 effective control plane operations (unique) •Action: 6 •Delete: 13 •Read: 19 •Write: 15 |
Actions: 006 resolved operations: 53 effective operations: 53 •Action: 6 •Delete: 13 •Read: 19 •Write: 15 •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ToolchainOrchestrator/* | ||||
| c5826735-177b-4a0d-a9a3-d0e4b4bda107 | ToolchainOrchestrator Viewer Role | Grant access to view all Toolchain orchestrator resources. | None | False |
00025 effective control plane operations (unique) •Action: 3 •Delete: 1 •Read: 19 •Write: 2 |
Actions: 006 resolved operations: 25 effective operations: 25 •Action: 3 •Delete: 1 •Read: 19 •Write: 2 •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.ToolchainOrchestrator/*/read | ||||
| a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 | Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. | Networking | False |
00076 effective control plane operations (unique) •Action: 10 •Delete: 6 •read: 52 •Write: 8 |
Actions: 007 resolved operations: 76 effective operations: 76 •Action: 10 •Delete: 6 •read: 52 •Write: 8 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Network/trafficManagerProfiles/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 8ad4d0ee-9bfb-49e8-93fc-01abb8db6240 | Transparency Logs Owner | Grants full access to manage Transparency Log resources. | None | False |
00043 effective control plane operations (unique) •action: 4 •delete: 2 •read: 35 •write: 2 |
Actions: 003 resolved operations: 43 effective operations: 43 •action: 4 •delete: 2 •read: 35 •write: 2 •Microsoft.Authorization/*/read •Microsoft.Resources/deployments/* •Microsoft.Sovereign/transparencyLogs/* | ||||
| 2837e146-70d7-4cfd-ad55-7efa6464f958 | Trusted Signing Certificate Profile Signer | Sign files with a certificate profile. This role is in preview and subject to change. | None | False |
00047 effective control plane and data plane operations (unique) •action: 5 •delete: 1 •read: 40 •write: 1 |
Actions: 004 resolved operations: 46 effective operations: 46 •action: 4 •delete: 1 •read: 40 •write: 1 •Microsoft.Authorization/*/read •Microsoft.CodeSigning/*/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read |
DataActions: 001 resolved data operations: 1 effective data operations: 1 •action: 1 •Microsoft.CodeSigning/certificateProfiles/Sign/action | |||
| 4339b7cf-9826-4e41-b4ed-c7f4505dac08 | Trusted Signing Identity Verifier | Manage identity or business verification requests. This role is in preview and subject to change. | None | False |
00008 effective control plane and data plane operations (unique) •Delete: 1 •Read: 6 •Write: 1 |
Actions: 001 resolved operations: 5 effective operations: 5 •Read: 5 •Microsoft.CodeSigning/*/read |
DataActions: 003 resolved data operations: 3 effective data operations: 3 •Delete: 1 •Read: 1 •Write: 1 •Microsoft.CodeSigning/IdentityVerification/Delete •Microsoft.CodeSigning/IdentityVerification/Read •Microsoft.CodeSigning/IdentityVerification/Write | |||
| 33cdeeac-0940-4f85-9317-7e2432c17289 | Usage Billing Contributor | Contributor access to Accounts | None | False |
00081 effective control plane operations (unique) •Action: 9 •Delete: 11 •read: 50 •Write: 11 |
Actions: 005 resolved operations: 81 effective operations: 81 •Action: 9 •Delete: 11 •read: 50 •Write: 11 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.UsageBilling/* | ||||
| 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 | User Access Administrator | Lets you manage user access to Azure resources. | Privileged | False |
07275 effective control plane operations (unique) •action: 12 •delete: 17 •read: 7225 •write: 21 |
Actions: 003 resolved operations: 7275 effective operations: 7275 •action: 12 •delete: 17 •read: 7225 •write: 21 •*/read •Microsoft.Authorization/* •Microsoft.Support/* |
count: 004 •[Preview]: Add user-assigned managed identity to enable Guest Configuration assignments on virtual machines •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets •[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines •[Preview]: Enable system-assigned identity to SQL VM | |||
| a2c4a527-7dc0-4ee3-897b-403ade70fafb | Video Indexer Restricted Viewer | Has access to view and search through all video's insights and transcription in the Video Indexer portal. No access to model customization, embedding of widget, downloading videos, or sharing the account. | None | False |
00011 effective control plane operations (unique) •action: 4 •read: 7 |
Actions: 002 resolved operations: 12 effective operations: 11 •action: 4 •read: 7 •Microsoft.VideoIndexer/*/read •Microsoft.VideoIndexer/accounts/*/action |
NotActions: 003 resolved not operations: 6 effective not operations: 16825 •Microsoft.VideoIndexer/*/delete •Microsoft.VideoIndexer/*/write •Microsoft.VideoIndexer/accounts/generateAccessToken/action | |||
| 1abf4029-2200-4343-800c-e4c4c01eddbd | Virtual Enclave Owner Role | Virtual Enclave Owner Role to access the resources of Microsoft.Mission stored with RPSAAS. | None | False |
00010 effective control plane operations (unique) •delete: 2 •read: 5 •write: 3 |
Actions: 010 resolved operations: 10 effective operations: 10 •delete: 2 •read: 5 •write: 3 •Microsoft.Mission/communities/read •Microsoft.Mission/Locations/OperationStatuses/read •Microsoft.Mission/Locations/OperationStatuses/write •Microsoft.Mission/Operations/read •Microsoft.Mission/virtualEnclaves/delete •Microsoft.Mission/virtualEnclaves/read •Microsoft.Mission/virtualEnclaves/workloads/delete •Microsoft.Mission/virtualEnclaves/workloads/read •Microsoft.Mission/virtualEnclaves/workloads/write •Microsoft.Mission/virtualEnclaves/write | ||||
| 1c0163c0-47e6-4577-8991-ea5c82e286e4 | Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator | Compute | False |
00028 effective control plane and data plane operations (unique) •action: 5 •read: 23 |
Actions: 007 resolved operations: 24 effective operations: 24 •action: 1 •read: 23 •Microsoft.Compute/virtualMachines/*/read •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridConnectivity/endpoints/listCredentials/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 4 •Microsoft.Compute/virtualMachines/login/action •Microsoft.Compute/virtualMachines/loginAsAdmin/action •Microsoft.HybridCompute/machines/login/action •Microsoft.HybridCompute/machines/loginAsAdmin/action | |||
| 9980e02c-c2be-4d73-94e8-173b1dc7cf3c | Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | Compute | False |
00376 effective control plane operations (unique) •action: 141 •delete: 22 •read: 178 •write: 35 |
Actions: 045 resolved operations: 376 effective operations: 376 •action: 141 •delete: 22 •read: 178 •write: 35 •Microsoft.Authorization/*/read •Microsoft.Compute/availabilitySets/* •Microsoft.Compute/cloudServices/* •Microsoft.Compute/disks/delete •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/hostgroups/hosts/write •Microsoft.Compute/hostgroups/write •Microsoft.Compute/locations/* •Microsoft.Compute/virtualMachines/* •Microsoft.Compute/virtualMachineScaleSets/* •Microsoft.DevTestLab/schedules/* •Microsoft.Insights/alertRules/* •Microsoft.Network/applicationGateways/backendAddressPools/join/action •Microsoft.Network/loadBalancers/backendAddressPools/join/action •Microsoft.Network/loadBalancers/inboundNatPools/join/action •Microsoft.Network/loadBalancers/inboundNatRules/join/action •Microsoft.Network/loadBalancers/probes/join/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/locations/* •Microsoft.Network/networkInterfaces/* •Microsoft.Network/networkSecurityGroups/join/action •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.RecoveryServices/locations/* •Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read •Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write •Microsoft.RecoveryServices/Vaults/backupPolicies/read •Microsoft.RecoveryServices/Vaults/backupPolicies/write •Microsoft.RecoveryServices/Vaults/read •Microsoft.RecoveryServices/Vaults/usages/read •Microsoft.RecoveryServices/Vaults/write •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.SerialConsole/serialPorts/connect/action •Microsoft.SqlVirtualMachine/* •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Support/* |
count: 043 •[Deprecated]: Configure supported Linux virtual machine scale sets to automatically install the Azure Security agent •[Deprecated]: Configure supported Linux virtual machines to automatically install the Azure Security agent •[Deprecated]: Configure supported Windows machines to automatically install the Azure Security agent •[Deprecated]: Configure supported Windows virtual machine scale sets to automatically install the Azure Security agent •[Deprecated]: Deploy Log Analytics extension for Linux virtual machine scale sets. See deprecation notice below •[Preview]: Configure supported Linux virtual machine scale sets to automatically install the Guest Attestation extension •[Preview]: Configure supported Linux virtual machines to automatically enable Secure Boot •[Preview]: Configure supported Linux virtual machines to automatically install the Guest Attestation extension •[Preview]: Configure supported virtual machines to automatically enable vTPM •[Preview]: Configure supported Windows virtual machine scale sets to automatically install the Guest Attestation extension •[Preview]: Configure supported Windows virtual machines to automatically enable Secure Boot •[Preview]: Configure supported Windows virtual machines to automatically install the Guest Attestation extension •[Preview]: Configure system-assigned managed identity to enable Azure Monitor assignments on VMs •[Preview]: Configure VMs created with Shared Image Gallery images to install the Guest Attestation extension •[Preview]: Configure VMSS created with Shared Image Gallery images to install the Guest Attestation extension •Assign System Assigned identity to SQL Virtual Machines •Configure backup on virtual machines with a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines with a given tag to an existing recovery services vault in the same location •Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy •Configure backup on virtual machines without a given tag to an existing recovery services vault in the same location •Configure ChangeTracking Extension for Linux virtual machine scale sets •Configure ChangeTracking Extension for Linux virtual machines •Configure ChangeTracking Extension for Windows virtual machine scale sets •Configure ChangeTracking Extension for Windows virtual machines •Configure Linux virtual machine scale sets to run Azure Monitor Agent with system-assigned managed identity-based authentication •Configure Linux virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication •Configure Linux virtual machines to run Azure Monitor Agent with system-assigned managed identity-based authentication •Configure Linux virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication •Configure Linux VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity •Configure Linux VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity •Configure SQL Virtual Machines to automatically install Azure Monitor Agent •Configure Windows virtual machine scale sets to run Azure Monitor Agent using system-assigned managed identity •Configure Windows virtual machine scale sets to run Azure Monitor Agent with user-assigned managed identity-based authentication •Configure Windows virtual machines to run Azure Monitor Agent using system-assigned managed identity •Configure Windows virtual machines to run Azure Monitor Agent with user-assigned managed identity-based authentication •Configure Windows VMs to install AMA for ChangeTracking and Inventory with user-assigned managed identity •Configure Windows VMSS to install AMA for ChangeTracking and Inventory with user-assigned managed identity •Deploy - Configure Dependency agent to be enabled on Windows virtual machine scale sets •Deploy - Configure Log Analytics extension to be enabled on Windows virtual machine scale sets •Deploy default Microsoft IaaSAntimalware extension for Windows Server •Deploy Dependency agent for Linux virtual machine scale sets •Deploy Dependency agent for Linux virtual machine scale sets with Azure Monitoring Agent settings •Deploy Dependency agent to be enabled on Windows virtual machine scale sets with Azure Monitoring Agent settings | |||
| 66f75aeb-eabe-4b70-9f1e-c350c4c9ad04 | Virtual Machine Data Access Administrator (preview) | Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments. | Compute | True |
00078 effective control plane operations (unique) •action: 7 •delete: 2 •read: 66 •write: 3 |
Actions: 014 resolved operations: 78 effective operations: 78 •action: 7 •delete: 2 •read: 66 •write: 3 •Microsoft.Authorization/*/read •Microsoft.Authorization/roleAssignments/delete conditioned •Microsoft.Authorization/roleAssignments/write conditioned •Microsoft.Compute/virtualMachines/*/read •Microsoft.HybridCompute/machines/*/read •Microsoft.Management/managementGroups/read •Microsoft.Network/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/read •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* | ||||
| 602da2ba-a5c2-41da-b01d-5360126ab525 | Virtual Machine Local User Login | View Virtual Machines in the portal and login as a local user configured on the arc server | Compute | False |
00009 effective control plane operations (unique) •action: 1 •read: 8 |
Actions: 002 resolved operations: 9 effective operations: 9 •action: 1 •read: 8 •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridConnectivity/endpoints/listCredentials/action | ||||
| fb879df8-f326-4884-b1cf-06f3ad86be52 | Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. | Compute | False |
00026 effective control plane and data plane operations (unique) •action: 3 •read: 23 |
Actions: 007 resolved operations: 24 effective operations: 24 •action: 1 •read: 23 •Microsoft.Compute/virtualMachines/*/read •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridConnectivity/endpoints/listCredentials/action •Microsoft.Network/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read |
DataActions: 002 resolved data operations: 2 effective data operations: 2 •action: 2 •Microsoft.Compute/virtualMachines/login/action •Microsoft.HybridCompute/machines/login/action | |||
| dfce8971-25e3-42e3-ba33-6055438e3080 | VM Restore Operator | Create and Delete resources during VM Restore. This role is in preview and subject to change. | Compute | False |
00089 effective control plane and data plane operations (unique) •action: 14 •delete: 9 •read: 56 •write: 10 |
Actions: 041 resolved operations: 85 effective operations: 85 •action: 13 •delete: 8 •read: 55 •write: 9 •Microsoft.Authorization/*/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/disks/delete •Microsoft.Compute/disks/endGetAccess/action •Microsoft.Compute/disks/read •Microsoft.Compute/disks/write •Microsoft.Compute/locations/diskOperations/read •Microsoft.Compute/virtualMachines/delete •Microsoft.Compute/virtualMachines/extensions/delete •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/extensions/write •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/write •Microsoft.Insights/alertRules/* •Microsoft.Network/locations/operationResults/read •Microsoft.Network/locations/operations/read •Microsoft.Network/locations/usages/read •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/ipconfigurations/read •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/publicIPAddresses/delete •Microsoft.Network/publicIPAddresses/join/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/publicIPAddresses/write •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Storage/checkNameAvailability/read •Microsoft.Storage/storageAccounts/blobServices/containers/delete •Microsoft.Storage/storageAccounts/blobServices/containers/read •Microsoft.Storage/storageAccounts/blobServices/containers/write •Microsoft.Storage/storageAccounts/listKeys/action •Microsoft.Storage/storageAccounts/read •Microsoft.Storage/storageAccounts/write |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •action: 1 •delete: 1 •read: 1 •write: 1 •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read •Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | |||
| d24ecba3-c1f4-40fa-a7bb-4588a071e8fd | VM Scanner Operator | Role that provides access to disk snapshot for security analysis. | None | False |
00010 effective control plane operations (unique) •action: 1 •read: 9 |
Actions: 010 resolved operations: 10 effective operations: 10 •action: 1 •read: 9 •Microsoft.Compute/diskEncryptionSets/read •Microsoft.Compute/disks/beginGetAccess/action •Microsoft.Compute/disks/read •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachineScaleSets/instanceView/read •Microsoft.Compute/virtualMachineScaleSets/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read •Microsoft.Resources/subscriptions/resourceGroups/read | ||||
| 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b | Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. | Web and Mobile | False |
00108 effective control plane operations (unique) •Action: 20 •Delete: 8 •read: 68 •Write: 12 |
Actions: 009 resolved operations: 108 effective operations: 108 •Action: 20 •Delete: 8 •read: 68 •Write: 12 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/autoscalesettings/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/hostingEnvironments/Join/Action •Microsoft.Web/serverFarms/* | ||||
| 12cf5a90-567b-43ae-8102-96cf46c7d9b4 | Web PubSub Service Owner | Full access to Azure Web PubSub Service REST APIs | Web and Mobile | False |
00014 effective data plane operations (unique) •action: 7 •read: 4 •write: 3 |
DataActions: 001 resolved data operations: 14 effective data operations: 14 •action: 7 •read: 4 •write: 3 •Microsoft.SignalRService/WebPubSub/* | ||||
| bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf | Web PubSub Service Reader | Read-only access to Azure Web PubSub Service REST APIs | Web and Mobile | False |
00004 effective data plane operations (unique) •read: 4 |
DataActions: 001 resolved data operations: 4 effective data operations: 4 •read: 4 •Microsoft.SignalRService/WebPubSub/*/read | ||||
| de139f84-1756-47ae-9be6-808fbbe84772 | Website Contributor | Lets you manage websites (not web plans), but not access to them. | Web and Mobile | False |
00507 effective control plane operations (unique) •Action: 116 •Delete: 65 •read: 253 •Write: 73 |
Actions: 013 resolved operations: 507 effective operations: 507 •Action: 116 •Delete: 65 •read: 253 •Write: 73 •Microsoft.Authorization/*/read •Microsoft.Insights/alertRules/* •Microsoft.Insights/components/* •Microsoft.ResourceHealth/availabilityStatuses/read •Microsoft.Resources/deployments/* •Microsoft.Resources/subscriptions/resourceGroups/read •Microsoft.Support/* •Microsoft.Web/certificates/* •Microsoft.Web/listSitesAssignedToHostName/read •Microsoft.Web/register/action •Microsoft.Web/serverFarms/join/action •Microsoft.Web/serverFarms/read •Microsoft.Web/sites/* |
count: 021 •[Deprecated]: Configure App Services to disable public network access •Configure App Service app slots to disable local authentication for FTP deployments •Configure App Service app slots to disable local authentication for SCM sites •Configure App Service app slots to disable public network access •Configure App Service app slots to only be accessible over HTTPS •Configure App Service app slots to turn off remote debugging •Configure App Service app slots to use the latest TLS version •Configure App Service apps to disable local authentication for FTP deployments •Configure App Service apps to disable local authentication for SCM sites •Configure App Service apps to disable public network access •Configure App Service apps to only be accessible over HTTPS •Configure App Service apps to turn off remote debugging •Configure App Service apps to use the latest TLS version •Configure Function app slots to disable public network access •Configure Function app slots to only be accessible over HTTPS •Configure Function app slots to turn off remote debugging •Configure Function app slots to use the latest TLS version •Configure Function apps to disable public network access •Configure Function apps to only be accessible over HTTPS •Configure Function apps to turn off remote debugging •Configure Function apps to use the latest TLS version | |||
| 1f135831-5bbe-4924-9016-264044c00788 | Windows 365 Network Interface Contributor | This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces. | Compute | False |
00015 effective control plane operations (unique) •action: 3 •delete: 2 •read: 8 •write: 2 |
Actions: 015 resolved operations: 15 effective operations: 15 •action: 3 •delete: 2 •read: 8 •write: 2 •Microsoft.Network/locations/operationResults/read •Microsoft.Network/locations/operations/read •Microsoft.Network/locations/usages/read •Microsoft.Network/networkInterfaces/delete •Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action •Microsoft.Network/networkInterfaces/effectiveRouteTable/action •Microsoft.Network/networkInterfaces/join/action •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkInterfaces/write •Microsoft.Resources/deployments/delete •Microsoft.Resources/deployments/operations/read •Microsoft.Resources/deployments/operationstatuses/read •Microsoft.Resources/deployments/read •Microsoft.Resources/deployments/write •Microsoft.Resources/subscriptions/resourcegroups/read | ||||
| 7eabc9a4-85f7-4f71-b8ab-75daaccc1033 | Windows 365 Network User | This role is used by Windows 365 to read virtual networks and join the designated virtual networks. | Compute | False |
00004 effective control plane operations (unique) •action: 1 •read: 3 |
Actions: 004 resolved operations: 4 effective operations: 4 •action: 1 •read: 3 •Microsoft.Network/virtualNetworks/read •Microsoft.Network/virtualNetworks/subnets/join/action •Microsoft.Network/virtualNetworks/subnets/read •Microsoft.Network/virtualNetworks/usages/read | ||||
| a6333a3e-0164-44c3-b281-7a577aff287f | Windows Admin Center Administrator Login | Let's you manage the OS of your resource via Windows Admin Center as an administrator. | Compute | False |
00053 effective control plane and data plane operations (unique) •Action: 7 •Delete: 2 •Read: 38 •Write: 6 |
Actions: 041 resolved operations: 49 effective operations: 49 •action: 3 •Delete: 2 •Read: 38 •Write: 6 •Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete •Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read •Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write •Microsoft.AzureStackHCI/Clusters/ArcSettings/Read •Microsoft.AzureStackHCI/Clusters/Read •Microsoft.AzureStackHCI/Operations/Read •Microsoft.Compute/diskAccesses/read •Microsoft.Compute/galleries/images/read •Microsoft.Compute/images/read •Microsoft.Compute/locations/publishers/artifacttypes/types/read •Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read •Microsoft.Compute/virtualMachines/extensions/read •Microsoft.Compute/virtualMachines/instanceView/read •Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read •Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read •Microsoft.Compute/virtualMachines/patchInstallationResults/read •Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read •Microsoft.Compute/virtualMachines/read •Microsoft.Compute/virtualMachines/runCommands/read •Microsoft.Compute/virtualMachines/vmSizes/read •Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read •Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write •Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read •Microsoft.HybridCompute/machines/*/read •Microsoft.HybridCompute/machines/extensions/* •Microsoft.HybridCompute/machines/upgradeExtensions/action •Microsoft.HybridCompute/operations/read •Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action •Microsoft.HybridConnectivity/endpoints/read •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read •Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write •Microsoft.HybridConnectivity/endpoints/write •Microsoft.Network/loadBalancers/read •Microsoft.Network/networkInterfaces/read •Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read •Microsoft.Network/networkSecurityGroups/read •Microsoft.Network/networkSecurityGroups/securityRules/read •Microsoft.Network/networkSecurityGroups/securityRules/write •Microsoft.Network/networkWatchers/securityGroupView/action •Microsoft.Network/publicIPAddresses/read •Microsoft.Network/virtualNetworks/read |
DataActions: 004 resolved data operations: 4 effective data operations: 4 •Action: 4 •Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action •Microsoft.Compute/virtualMachines/WACloginAsAdmin/action •Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action •Microsoft.HybridCompute/machines/WACLoginAsAdmin/action | |||
| 3d55a8f6-4133-418d-8051-facdb1735758 | Windows365SubscriptionReader | Read subscriptions, images, azure firewalls. This role is used in Windows365 scenarios. | None | False |
00033 effective control plane operations (unique) •read: 33 |
Actions: 003 resolved operations: 33 effective operations: 33 •read: 33 •Microsoft.Authorization/*/read •Microsoft.Resources/subscriptions/operationresults/read •Microsoft.Resources/subscriptions/read | ||||
| e8ddcd69-c73f-4f9f-9844-4100522f16ad | Workbook Contributor | Can save shared workbooks. | Monitor | False |
00007 effective control plane operations (unique) •Delete: 2 •Read: 3 •Write: 2 |
Actions: 007 resolved operations: 7 effective operations: 7 •Delete: 2 •Read: 3 •Write: 2 •Microsoft.Insights/workbooks/delete •Microsoft.Insights/workbooks/read •Microsoft.Insights/workbooks/revisions/read •Microsoft.Insights/workbooks/write •Microsoft.Insights/workbooktemplates/delete •Microsoft.Insights/workbooktemplates/read •Microsoft.Insights/workbooktemplates/write | ||||
| b279062a-9be3-42a0-92ae-8b3cf002ec4d | Workbook Reader | Can read workbooks. | Monitor | False |
00003 effective control plane operations (unique) •Read: 3 |
Actions: 003 resolved operations: 3 effective operations: 3 •Read: 3 •microsoft.insights/workbooks/read •microsoft.insights/workbooks/revisions/read •microsoft.insights/workbooktemplates/read | ||||
| 63304235-eaf4-4c15-8e93-46c483611231 | Workload Orchestration IT Admin | Grants you access to manage the IT Admin operations for Workload Orchestration | None | False |
00004 effective control plane operations (unique) •delete: 1 •read: 2 •write: 1 |
Actions: 004 resolved operations: 4 effective operations: 4 •delete: 1 •read: 2 •write: 1 •Microsoft.Edge/contexts/eventGridFilters/delete •Microsoft.Edge/contexts/eventGridFilters/read •Microsoft.Edge/contexts/eventGridFilters/write •Microsoft.Edge/contexts/read | ||||
| db9875ba-bd2b-4e98-934d-0daa549a07f0 | Workload Orchestration Solution External Validator | Grants you access to fetch targets, solution templates, solutions and update the external validation status | None | False |
00005 effective control plane operations (unique) •action: 1 •read: 4 |
Actions: 005 resolved operations: 5 effective operations: 5 •action: 1 •read: 4 •Microsoft.Edge/solutionTemplates/read •Microsoft.Edge/solutionTemplates/versions/read •Microsoft.Edge/targets/read •Microsoft.Edge/targets/solutions/versions/read •Microsoft.Edge/targets/updateExternalValidationStatus/action | ||||
| d17ce0a2-0697-43bc-aac5-9113337ab61c | WorkloadBuilder Migration Agent Role | WorkloadBuilder Migration Agent Role. | None | False |
00002 effective control plane operations (unique) •Read: 1 •Write: 1 |
Actions: 002 resolved operations: 2 effective operations: 2 •Read: 1 •Write: 1 •Microsoft.WorkloadBuilder/migrationAgents/Read •Microsoft.WorkloadBuilder/migrationAgents/Write |