0% found this document useful (0 votes)

241 views

Azure Role Based Access Control

Uploaded by

daniel.sosa

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

241 views

Azure Role Based Access Control

Uploaded by

daniel.sosa

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 2558

Tell us about your PDF experience.

Azure RBAC documentation

Azure role-based access control (Azure RBAC) is a system that provides fine-grained
access management of Azure resources. Using Azure RBAC, you can segregate duties
within your team and grant only the amount of access to users that they need to
perform their jobs.

About Azure RBAC

ｅ OVERVIEW

What is Azure RBAC?

Understand the different roles

ｑ VIDEO

Microsoft Ignite: Lock down access to Azure

Get started

ｆ QUICKSTART

Check access for a user

ｇ TUTORIAL

Grant a user access - Portal

Grant a group access - PowerShell

ｄ TRAINING

Secure your Azure resources with Azure RBAC

List role assignments

ｅ OVERVIEW

Understand role assignments

ｃ HOW-TO GUIDE

List role assignments

Assign roles

ｉ REFERENCE

Azure built-in roles

ｃ HOW-TO GUIDE

Portal

Portal - Subscription admin

PowerShell

Azure CLI

REST API

Bicep

Create or update custom roles

ｅ OVERVIEW

Custom roles

ｃ HOW-TO GUIDE

Create a custom role - Portal

Add ABAC conditions

ｅ OVERVIEW

What is Azure ABAC?

ｐ CONCEPT
Delegate role assignment management overview

ｃ HOW-TO GUIDE

Delegate role assignment management

What is Azure role-based access control
(Azure RBAC)?
Article • 03/12/2024

Access management for cloud resources is a critical function for any organization that is
using the cloud. Azure role-based access control (Azure RBAC) helps you manage who
has access to Azure resources, what they can do with those resources, and what areas
they have access to.

Azure RBAC is an authorization system built on Azure Resource Manager that provides
fine-grained access management to Azure resources.

This video provides a quick overview of Azure RBAC.

https://www.youtube-nocookie.com/embed/Dzhm-garKBM

What can I do with Azure RBAC?

Here are some examples of what you can do with Azure RBAC:

Allow one user to manage virtual machines in a subscription and another user to
manage virtual networks
Allow a DBA group to manage SQL databases in a subscription
Allow a user to manage all resources in a resource group, such as virtual machines,
websites, and subnets
Allow an application to access all resources in a resource group

How Azure RBAC works

The way you control access to resources using Azure RBAC is to assign Azure roles. This
is a key concept to understand – it's how permissions are enforced. A role assignment
consists of three elements: security principal, role definition, and scope.

Security principal
A security principal is an object that represents a user, group, service principal, or
managed identity that is requesting access to Azure resources. You can assign a role to
any of these security principals.
Role definition
A role definition is a collection of permissions. It's typically just called a role. A role
definition lists the actions that can be performed, such as read, write, and delete. Roles
can be high-level, like owner, or specific, like virtual machine reader.

Azure includes several built-in roles that you can use. For example, the Virtual Machine
Contributor role allows a user to create and manage virtual machines. If the built-in
roles don't meet the specific needs of your organization, you can create your own Azure
custom roles.

This video provides a quick overview of built-in roles and custom roles.
https://www.youtube-nocookie.com/embed/I1mefHptRgo

Azure has data actions that enable you to grant access to data within an object. For
example, if a user has read data access to a storage account, then they can read the
blobs or messages within that storage account.

For more information, see Understand Azure role definitions.

Scope
Scope is the set of resources that the access applies to. When you assign a role, you can
further limit the actions allowed by defining a scope. This is helpful if you want to make
someone a Website Contributor, but only for one resource group.

In Azure, you can specify a scope at four levels: management group, subscription,
resource group, or resource. Scopes are structured in a parent-child relationship. You
can assign roles at any of these levels of scope.

For more information about scope, see Understand scope.

Role assignments
A role assignment is the process of attaching a role definition to a user, group, service
principal, or managed identity at a particular scope for the purpose of granting access.
Access is granted by creating a role assignment, and access is revoked by removing a
role assignment.

The following diagram shows an example of a role assignment. In this example, the
Marketing group has been assigned the Contributor role for the pharma-sales resource
group. This means that users in the Marketing group can create or manage any Azure
resource in the pharma-sales resource group. Marketing users don't have access to
resources outside the pharma-sales resource group, unless they're part of another role
assignment.
You can assign roles using the Azure portal, Azure CLI, Azure PowerShell, Azure SDKs, or
REST APIs.

For more information, see Steps to assign an Azure role.

Groups
Role assignments are transitive for groups, which means that if a user is a member of a
group and that group is a member of another group that has a role assignment, the
user has the permissions in the role assignment.
Multiple role assignments
So what happens if you have multiple overlapping role assignments? Azure RBAC is an
additive model, so your effective permissions are the sum of your role assignments.
Consider the following example where a user is granted the Contributor role at the
subscription scope and the Reader role on a resource group. The sum of the Contributor
permissions and the Reader permissions is effectively the Contributor role for the
subscription. Therefore, in this case, the Reader role assignment has no impact.

How Azure RBAC determines if a user has

access to a resource
The following are the high-level steps that Azure RBAC uses to determine if you have
access to a resource. These steps apply to Azure Resource Manager or data plane
services integrated with Azure RBAC. This is helpful to understand if you're trying to
troubleshoot an access issue.
1. A user (or service principal) acquires a token for Azure Resource Manager.

The token includes the user's group memberships (including transitive group
memberships).

2. The user makes a REST API call to Azure Resource Manager with the token
attached.

3. Azure Resource Manager retrieves all the role assignments and deny assignments
that apply to the resource upon which the action is being taken.

4. If a deny assignment applies, access is blocked. Otherwise, evaluation continues.

5. Azure Resource Manager narrows the role assignments that apply to this user or
their group and determines what roles the user has for this resource.

6. Azure Resource Manager determines if the action in the API call is included in the
roles the user has for this resource. If the roles include Actions that have a
wildcard ( * ), the effective permissions are computed by subtracting the
NotActions from the allowed Actions . Similarly, the same subtraction is done for

any data actions.

Actions - NotActions = Effective management permissions

DataActions - NotDataActions = Effective data permissions

7. If the user doesn't have a role with the action at the requested scope, access isn't
allowed. Otherwise, any conditions are evaluated.

8. If the role assignment includes conditions, they're evaluated. Otherwise access is

allowed.

9. If conditions are met, access is allowed. Otherwise access isn't allowed.

The following diagram is a summary of the evaluation logic.

Where is Azure RBAC data stored?
Role definitions, role assignments, and deny assignments are stored globally to ensure
that you have access to your resources regardless of the region you created the
resource.

When a role assignment or any other Azure RBAC data is deleted, the data is globally
deleted. Principals that had access to a resource via Azure RBAC data will lose their
access.

Why is Azure RBAC data global?

Azure RBAC data is global to ensure that customers can timely access resources
regardless from where they're accessing. Azure RBAC is enforced by Azure Resource
Manager, which has a global endpoint and requests are routed to the nearest region for
speed and resilience. Therefore, Azure RBAC must be enforced in all regions and the
data is replicated to all regions. For more information, see Resiliency of Azure Resource
Manager.

Consider the following example. Arina creates a virtual machine in East Asia. Bob, who is
a member of Arina's team, works in the United States. Bob needs to access the virtual
machine that was created in East Asia. To grant Bob timely access to the virtual machine,
Azure needs to globally replicate the role assignment that grants Bob access to the
virtual machine from anywhere Bob is.

License requirements
Using this feature is free and included in your Azure subscription.

Next steps
Assign Azure roles using the Azure portal
Understand the different roles
Cloud Adoption Framework: Resource access management in Azure
What is Azure attribute-based access
control (Azure ABAC)?
Article • 04/01/2024

Attribute-based access control (ABAC) is an authorization system that defines access

based on attributes associated with security principals, resources, and the environment
of an access request. With ABAC, you can grant a security principal access to a resource
based on attributes. Azure ABAC refers to the implementation of ABAC for Azure.

What are role assignment conditions?

Azure role-based access control (Azure RBAC) is an authorization system that helps you
manage who has access to Azure resources, what they can do with those resources, and
what areas they have access to. In most cases, Azure RBAC will provide the access
management you need by using role definitions and role assignments. However, in
some cases you might want to provide more fine-grained access management or
simplify the management of hundreds of role assignments.

Azure ABAC builds on Azure RBAC by adding role assignment conditions based on
attributes in the context of specific actions. A role assignment condition is an additional
check that you can optionally add to your role assignment to provide more fine-grained
access control. A condition filters down permissions granted as a part of the role
definition and role assignment. For example, you can add a condition that requires an
object to have a specific tag to read the object. You cannot explicitly deny access to
specific resources using conditions.

Why use conditions?

There are three primary benefits for using role assignment conditions:

Provide more fine-grained access control - A role assignment uses a role

definition with actions and data actions to grant security principal permissions. You
can write conditions to filter down those permissions for more fine-grained access
control. You can also add conditions to specific actions. For example, you can grant
John read access to blobs in your subscription only if the blobs are tagged as
Project=Blue.
Help reduce the number of role assignments - Each Azure subscription currently
has a role assignment limit. There are scenarios that would require thousands of
role assignments. All of those role assignments would have to be managed. In
these scenarios, you could potentially add conditions to use significantly fewer role
assignments.
Use attributes that have specific business meaning - Conditions allow you to use
attributes that have specific business meaning to you in access control. Some
examples of attributes are project name, software development stage, and
classification levels. The values of these resource attributes are dynamic and
change as users move across teams and projects.

Example scenarios for conditions

There are several scenarios where you might want to add a condition to your role
assignment. Here are some examples.

Read access to blobs with the tag Project=Cascade

New blobs must include the tag Project=Cascade
Existing blobs must be tagged with at least one Project key or Program key
Existing blobs must be tagged with a Project key and Cascade, Baker, or Skagit
values
Read, write, or delete blobs in containers named blobs-example-container
Read access to blobs in containers named blobs-example-container with a path of
readonly
Write access to blobs in containers named Contosocorp with a path of
uploads/contoso
Read access to blobs with the tag Program=Alpine and a path of logs
Read access to blobs with the tag Project=Baker and the user has a matching
attribute Project=Baker
Read access to blobs during a specific date/time range.
Write access to blobs only over a private link or from a specific subnet.

For more information about how to create these examples, see Example Azure role
assignment conditions for Blob Storage.

Where can conditions be added?

Currently, conditions can be added to built-in or custom role assignments that have
blob storage or queue storage data actions. Conditions are added at the same scope as
the role assignment. Just like role assignments, you must have
Microsoft.Authorization/roleAssignments/write permissions to add a condition.

Here are some of the blob storage attributes you can use in your conditions.
Account name
Blob index tags
Blob path
Blob prefix
Container name
Encryption scope name
Is Current Version
Is hierarchical namespace enabled
Is private link
Snapshot
UTC now (the current date and time in Coordinated Universal Time)
Version ID

What does a condition look like?

You can add conditions to new or existing role assignments. Here is the Storage Blob
Data Reader role that has been assigned to a user named Chandra at a resource group
scope. A condition has also been added that only allows read access to blobs with the
tag Project=Cascade.

If Chandra tries to read a blob without the Project=Cascade tag, access will not be
allowed.
Here is what the condition looks like in the Azure portal:

Here is what the condition looks like in code:

(
(
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'}
AND NOT
SubOperationMatches{'Blob.List'})
)
OR
(

@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/ta
gs:Project<$key_case_sensitive$>] StringEqualsIgnoreCase 'Cascade'
)
)

For more information about the format of conditions, see Azure role assignment
condition format and syntax.

Status of condition features

The following table lists the status of condition features:

ﾉ Expand table

Feature Status Date

Use environment attributes in a condition GA April 2024

Add conditions using the condition editor in the Azure portal GA October
2022

Add conditions using Azure PowerShell, Azure CLI, or REST API GA October
2022

Use resource and request attributes for specific combinations of Azure GA October
storage resources, access attribute types, and storage account 2022
performance tiers. For more information, see Status of condition features
in Azure Storage.

Use custom security attributes on a principal in a condition GA November

2023

Conditions and Microsoft Entra PIM

You can also add conditions to eligible role assignments using Microsoft Entra Privileged
Identity Management (Microsoft Entra PIM) for Azure resources. With Microsoft Entra
PIM, your end users must activate an eligible role assignment to get permission to
perform certain actions. Using conditions in Microsoft Entra PIM enables you not only to
limit a user's access to a resource using fine-grained conditions, but also to use
Microsoft Entra PIM to secure it with a time-bound setting, approval workflow, audit
trail, and so on. For more information, see Assign Azure resource roles in Privileged
Identity Management.
Terminology
To better understand Azure RBAC and Azure ABAC, you can refer back to the following
list of terms.

ﾉ Expand table

Term Definition

attribute-based An authorization system that defines access based on attributes associated

access control with security principals, resources, and environment. With ABAC, you can
(ABAC) grant a security principal access to a resource based on attributes.

Azure ABAC Refers to the implementation of ABAC for Azure.

role assignment An additional check that you can optionally add to your role assignment to
condition provide more fine-grained access control.

attribute In this context, a key-value pair such as Project=Blue, where Project is the
attribute key and Blue is the attribute value. Attributes and tags are
synonymous for access control purposes.

expression A statement in a condition that evaluates to true or false. An expression has

the format of <attribute> <operator> <value>.

Limits
Here are some of the limits for conditions.

ﾉ Expand table

Resource Limit Notes

Number of expressions per condition using 5 You can add more than five expressions
the visual editor using the code editor

Known issues
Here are the known issues with conditions:

If you are using Microsoft Entra Privileged Identity Management (PIM) and custom
security attributes, Principal does not appear in Attribute source when adding a
condition.
Next steps
FAQ for Azure role assignment conditions
Example Azure role assignment conditions for Blob Storage
Tutorial: Add a role assignment condition to restrict access to blobs using the
Azure portal
Azure roles, Microsoft Entra roles, and
classic subscription administrator roles
Article • 03/15/2024

If you're new to Azure, you may find it a little challenging to understand all the different
roles in Azure. This article helps explain the following roles and when you would use
each:

Azure roles
Microsoft Entra roles
Classic subscription administrator roles

How the roles are related

To better understand roles in Azure, it helps to know some of the history. When Azure
was initially released, access to resources was managed with just three administrator
roles: Account Administrator, Service Administrator, and Co-Administrator. Later, Azure
role-based access control (Azure RBAC) was added. Azure RBAC is a newer authorization
system that provides fine-grained access management to Azure resources. Azure RBAC
includes many built-in roles, can be assigned at different scopes, and allows you to
create your own custom roles. To manage resources in Microsoft Entra ID, such as users,
groups, and domains, there are several Microsoft Entra roles.

The following diagram is a high-level view of how the Azure roles, Microsoft Entra roles,
and classic subscription administrator roles are related.


Azure roles
Azure RBAC is an authorization system built on Azure Resource Manager that provides
fine-grained access management to Azure resources, such as compute and storage.
Azure RBAC includes over 100 built-in roles. There are five fundamental Azure roles. The
first three apply to all resource types:

ﾉ Expand table

Azure role Permissions Notes

Owner Grants full access to The Service Administrator and Co-

manage all resources Administrators are assigned the
Assign roles in Azure RBAC Owner role at the subscription scope
Applies to all resource types.

Contributor Grants full access to Applies to all resource types.

manage all resources
Can't assign roles in Azure
RBAC
Can't manage assignments
in Azure Blueprints or share
image galleries

Reader View Azure resources Applies to all resource types.

Azure role Permissions Notes
Role Based Access Manage user access to
Control Azure resources
Administrator Assign roles in Azure RBAC
Assign themselves or
others the Owner role
Can't manage access using
other ways, such as Azure
Policy

User Access Manage user access to

Administrator Azure resources
Assign roles in Azure RBAC
Assign themselves or
others the Owner role

The rest of the built-in roles allow management of specific Azure resources. For
example, the Virtual Machine Contributor role allows the user to create and manage
virtual machines. For a list of all the built-in roles, see Azure built-in roles.

Only the Azure portal and the Azure Resource Manager APIs support Azure RBAC. Users,
groups, and applications that are assigned Azure roles can't use the Azure classic
deployment model APIs.

In the Azure portal, role assignments using Azure RBAC appear on the Access control
(IAM) page. This page can be found throughout the portal, such as management
groups, subscriptions, resource groups, and various resources.


When you click the Roles tab, you'll see the list of built-in and custom roles.

For more information, see Assign Azure roles using the Azure portal.

Microsoft Entra roles

Microsoft Entra roles are used to manage Microsoft Entra resources in a directory such
as create or edit users, assign administrative roles to others, reset user passwords,
manage user licenses, and manage domains. The following table describes a few of the
more important Microsoft Entra roles.

ﾉ Expand table

Microsoft Permissions Notes

Entra role

Global Manage access to all administrative The person who signs up for
Administrator features in Microsoft Entra ID, as well the Microsoft Entra tenant
as services that federate to Microsoft becomes a Global
Entra ID Administrator.
Assign administrator roles to others
Reset the password for any user and all
other administrators

User Create and manage all aspects of users

Administrator and groups
Manage support tickets
Monitor service health
Change passwords for users, Helpdesk
administrators, and other User
Administrators

Billing Make purchases

Administrator Manage subscriptions
Manage support tickets
Monitors service health

In the Azure portal, you can see the list of Microsoft Entra roles on the Roles and
administrators page. For a list of all the Microsoft Entra roles, see Administrator role
permissions in Microsoft Entra ID.


Differences between Azure roles and Microsoft

Entra roles
At a high level, Azure roles control permissions to manage Azure resources, while
Microsoft Entra roles control permissions to manage Microsoft Entra resources. The
following table compares some of the differences.

ﾉ Expand table

Azure roles Microsoft Entra roles

Manage access to Azure resources Manage access to Microsoft Entra resources

Supports custom roles Supports custom roles

Scope can be specified at multiple levels Scope can be specified at the tenant level
(management group, subscription, (organization-wide), administrative unit, or on an
resource group, resource) individual object (for example, a specific application)

Role information can be accessed in Azure Role information can be accessed in the Azure
portal, Azure CLI, Azure PowerShell, Azure portal, Microsoft Entra admin center, Microsoft 365
Resource Manager templates, REST API admin center, Microsoft Graph, Microsoft Graph
PowerShell

Do Azure roles and Microsoft Entra roles overlap?

By default, Azure roles and Microsoft Entra roles don't span Azure and Microsoft Entra
ID. However, if a Global Administrator elevates their access by choosing the Access
management for Azure resources switch in the Azure portal, the Global Administrator
will be granted the User Access Administrator role (an Azure role) on all subscriptions
for a particular tenant. The User Access Administrator role enables the user to grant
other users access to Azure resources. This switch can be helpful to regain access to a
subscription. For more information, see Elevate access to manage all Azure subscriptions
and management groups.

Several Microsoft Entra roles span Microsoft Entra ID and Microsoft 365, such as the
Global Administrator and User Administrator roles. For example, if you're a member of
the Global Administrator role, you have global administrator capabilities in Microsoft
Entra ID and Microsoft 365, such as making changes to Microsoft Exchange and
Microsoft SharePoint. However, by default, the Global Administrator doesn't have access
to Azure resources.

Classic subscription administrator roles

） Important

Classic resources and classic administrators will be retired on August 31, 2024 .
Starting April 3, 2024, you won't be able to add new Co-Administrators. This date
was recently extended. Remove unnecessary Co-Administrators and use Azure
RBAC for fine-grained access control.

Account Administrator, Service Administrator, and Co-Administrator are the three classic
subscription administrator roles in Azure. Classic subscription administrators have full
access to the Azure subscription. They can manage resources using the Azure portal,
Azure Resource Manager APIs, and the classic deployment model APIs. The account that
is used to sign up for Azure is automatically set as both the Account Administrator and
Service Administrator. Then, additional Co-Administrators can be added. The Service
Administrator and the Co-Administrators have the equivalent access of users who have
been assigned the Owner role (an Azure role) at the subscription scope. The following
table describes the differences between these three classic subscription administrative
roles.

ﾉ Expand table

Classic Limit Permissions Notes

subscription
administrator

Account 1 per Azure Can access the Azure Conceptually, the billing
Administrator account portal and manage owner of the subscription.
billing
Manage billing for all
subscriptions in the
account
Create new subscriptions
Cancel subscriptions
Change the billing for a
subscription
Change the Service
Administrator
Can't cancel subscriptions
unless they have the
Service Administrator or
subscription Owner role

Service 1 per Azure Manage services in the By default, for a new

Administrator subscription Azure portal subscription, the Account
Cancel the subscription Administrator is also the
Assign users to the Co- Service Administrator.
Administrator role The Service Administrator
has the equivalent access
of a user who is assigned
the Owner role at the
subscription scope.
The Service Administrator
has full access to the
Azure portal.

Co- 200 per Same access privileges as The Co-Administrator has

Administrator subscription the Service Administrator, the equivalent access of a
but can’t change the user who is assigned the
Classic Limit Permissions Notes
subscription
administrator

association of Owner role at the

subscriptions to Microsoft subscription scope.
Entra directories
Assign users to the Co-
Administrator role, but
can't change the Service
Administrator

In the Azure portal, you can manage Co-Administrators or view the Service
Administrator by using the Classic administrators tab.

For more information, see Azure classic subscription administrators.

Azure account and Azure subscriptions

An Azure account is used to establish a billing relationship. An Azure account is a user
identity, one or more Azure subscriptions, and an associated set of Azure resources. The
person who creates the account is the Account Administrator for all subscriptions
created in that account. That person is also the default Service Administrator for the
subscription.

Azure subscriptions help you organize access to Azure resources. They also help you
control how resource usage is reported, billed, and paid for. Each subscription can have
a different billing and payment setup, so you can have different subscriptions and
different plans by office, department, project, and so on. Every service belongs to a
subscription, and the subscription ID may be required for programmatic operations.

Each subscription is associated with a Microsoft Entra directory. To find the directory the
subscription is associated with, open Subscriptions in the Azure portal and then select a
subscription to see the directory.

Accounts and subscriptions are managed in the Azure portal .

Next steps
Assign Azure roles using the Azure portal
Assign Microsoft Entra roles to users
Roles for Microsoft 365 services in Microsoft Entra ID
Quickstart: Check access for a user to a
single Azure resource
Article • 07/18/2023

Sometimes you need to check what access a user has to an Azure resource. You check
their access by listing their assignments. A quick way to check the access for a single
user is to use the Check access feature on the Access control (IAM) page.

Step 1: Open the Azure resource

To check the access for a user, you first need to open the Azure resource you want to
check access for. Azure resources are organized into levels that are typically called the
scope. In Azure, you can specify a scope at four levels from broad to narrow:
management group, subscription, resource group, and resource.

Follow these steps to open the Azure resource that you want to check access for.

1. Open the Azure portal .

2. Open the Azure resource you want to check access for, such as Management
groups, Subscriptions, Resource groups, or a particular resource.

3. Click the specific resource in that scope.

The following shows an example resource group.

Step 2: Check access for a user
Follow these steps to check the access for a single user, group, service principal, or
managed identity to the previously selected Azure resource.

1. Click Access control (IAM).

The following shows an example of the Access control (IAM) page for a resource
group.
2. On the Check access tab, click the Check access button.

3. In the Check access pane, click User, group, or service principal.

4. In the search box, enter a string to search the directory for display names, email
addresses, or object identifiers.

5. Click the user to open the assignments pane.

On this pane, you can see the access for the selected user at this scope and
inherited to this scope. Assignments at child scopes aren't listed. You see the
following assignments:

Role assignments added with Azure RBAC.

Deny assignments added using Azure Blueprints or Azure managed apps.
Classic Service Administrator or Co-Administrator assignments for classic
deployments.
Step 3: Check your access
Follow these steps to check your access to the previously selected Azure resource.

1. Click Access control (IAM).

2. On the Check access tab, click the View my access button.

An assignments pane appears that lists your access at this scope and inherited to
this scope. Assignments at child scopes aren't listed.

Next steps
List Azure role assignments using the Azure portal
Quickstart: Assign an Azure role using
Bicep
Article • 12/01/2023

Azure role-based access control (Azure RBAC) is the way that you manage access to
Azure resources. In this quickstart, you create a resource group and grant a user access
to create and manage virtual machines in the resource group. This quickstart uses Bicep
to grant the access.

Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure
resources. It provides concise syntax, reliable type safety, and support for code reuse.
Bicep offers the best authoring experience for your infrastructure-as-code solutions in
Azure.

Prerequisites
To assign Azure roles and remove role assignments, you must have:

If you don't have an Azure subscription, create a free account before you begin.
Microsoft.Authorization/roleAssignments/write and

Microsoft.Authorization/roleAssignments/delete permissions, such as Role Based

Access Control Administrator.
To assign a role, you must specify three elements: security principal, role definition,
and scope. For this quickstart, the security principal is you or another user in your
directory, the role definition is Virtual Machine Contributor, and the scope is a
resource group that you specify.

Review the Bicep file

The Bicep file used in this quickstart is from Azure Quickstart Templates . The Bicep file
has two parameters and a resources section. In the resources section, notice that it has
the three elements of a role assignment: security principal, role definition, and scope.

Bicep

@description('Specifies the role definition ID used in the role

assignment.')
param roleDefinitionID string

@description('Specifies the principal ID assigned to the role.')

param principalId string
var roleAssignmentName= guid(principalId, roleDefinitionID,
resourceGroup().id)
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-
preview' = {
name: roleAssignmentName
properties: {
roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions',
roleDefinitionID)
principalId: principalId
}
}

The resource defined in the Bicep file is:

Microsoft.Authorization/roleAssignments

Deploy the Bicep file

1. Save the Bicep file as main.bicep to your local computer.

2. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

CLI

Azure CLI

az group create --name exampleRG --location eastus

az deployment group create --resource-group exampleRG --template-
file main.bicep --parameters roleDefinitionID=9980e02c-c2be-4d73-
94e8-173b1dc7cf3c principalId=<principal-id>

７ Note

Replace <principal-id> with the principal ID assigned to the role.

When the deployment finishes, you should see a message indicating the deployment
succeeded.

Review deployed resources

Use the Azure portal, Azure CLI, or Azure PowerShell to list the deployed resources in
the resource group.
CLI

Azure CLI

az role assignment list --resource-group exampleRG

Clean up resources
When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to remove
the role assignment. For more information, see Remove Azure role assignments.

Use the Azure portal, Azure CLI, or Azure PowerShell to delete the resource group.

CLI

Azure CLI

az group delete --name exampleRG

Next steps
Tutorial: Grant a user access to Azure resources using Azure PowerShell
Quickstart: Assign an Azure role using
an ARM template
Article • 12/01/2023

A resource manager template is a JavaScript Object Notation (JSON) file that defines the
infrastructure and configuration for your project. The template uses declarative syntax.
In declarative syntax, you describe your intended deployment without writing the
sequence of programming commands to create the deployment.

If your environment meets the prerequisites and you're familiar with using ARM
templates, select the Deploy to Azure button. The template will open in the Azure
portal.

Prerequisites
To assign Azure roles and remove role assignments, you must have:

If you don't have an Azure subscription, create a free account before you begin.
Microsoft.Authorization/roleAssignments/write and

Microsoft.Authorization/roleAssignments/delete permissions, such as Role Based

Access Control Administrator

To assign a role, you must specify three elements: security principal, role definition,
and scope. For this quickstart, the security principal is you or another user in your
directory, the role definition is Virtual Machine Contributor, and the scope is a
resource group that you specify.

Review the template

The template used in this quickstart is from Azure Quickstart Templates . The template
has two parameters and a resources section. In the resources section, notice that it has
the three elements of a role assignment: security principal, role definition, and scope.
JSON

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-
01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "15014882513681156573"
}
},
"parameters": {
"roleDefinitionID": {
"type": "string",
"metadata": {
"description": "Specifies the role definition ID used in the role
assignment."
}
},
"principalId": {
"type": "string",
"metadata": {
"description": "Specifies the principal ID assigned to the role."
}
}
},
"variables": {
"roleAssignmentName": "[guid(parameters('principalId'),
parameters('roleDefinitionID'), resourceGroup().id)]"
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2021-04-01-preview",
"name": "[variables('roleAssignmentName')]",
"properties": {
"roleDefinitionId": "
[resourceId('Microsoft.Authorization/roleDefinitions',
parameters('roleDefinitionID'))]",
"principalId": "[parameters('principalId')]"
}
}
]
}

The resource defined in the template is:

Microsoft.Authorization/roleAssignments
Deploy the template
1. Sign in to the Azure portal .

2. Determine your email address that is associated with your Azure subscription. Or
determine the email address of another user in your directory.

3. Open Azure Cloud Shell for PowerShell.

4. Copy and paste the following script into Cloud Shell.

Azure PowerShell

$resourceGroupName = Read-Host -Prompt "Enter a resource group name

(i.e. ExampleGrouprg)"
$emailAddress = Read-Host -Prompt "Enter an email address for a user in
your directory"
$location = Read-Host -Prompt "Enter a location (i.e. centralus)"

$roleAssignmentName = New-Guid
$principalId = (Get-AzAdUser -Mail $emailAddress).id
$roleDefinitionId = (Get-AzRoleDefinition -name "Virtual Machine
Contributor").id
$templateUri = "https://raw.githubusercontent.com/Azure/azure-
quickstart-templates/master/quickstarts/microsoft.authorization/rbac-
builtinrole-resourcegroup/azuredeploy.json"

New-AzResourceGroup -Name $resourceGroupName -Location $location

New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -
TemplateUri $templateUri -roleDefinitionID $roleDefinitionId -
principalId $principalId

5. Enter a resource group name such as ExampleGrouprg.

6. Enter an email address for yourself or another user in your directory.

7. Enter a location for the resource group such as centralus.

8. If necessary, press Enter to run the New-AzResourceGroupDeployment command.

The New-AzResourceGroup command creates a new resource group and the New-
AzResourceGroupDeployment command deploys the template to add the role
assignment.

You should see output similar to the following:

Azure PowerShell
PS> New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName
-TemplateUri $templateUri -roleAssignmentName $roleAssignmentName -
roleDefinitionID $roleDefinitionId -principalId $principalId

DeploymentName : azuredeploy
ResourceGroupName : ExampleGrouprg
ProvisioningState : Succeeded
Timestamp : 5/22/2020 9:01:30 PM
Mode : Incremental
TemplateLink :
Uri :
https://raw.githubusercontent.com/Azure/azure-quickstart-
templates/master/quickstarts/microsoft.authorization/rbac-builtinrole-
resourcegroup/azuredeploy.json
ContentVersion : 1.0.0.0

Parameters :
Name Type
Value
====================
========================= ==========
roleDefinitionID String
9980e02c-c2be-4d73-94e8-173b1dc7cf3c
principalId String
{principalId}

Outputs :
DeploymentDebugLogLevel :

Review deployed resources

1. In the Azure portal, open the resource group you created.

2. In the left menu, click Access control (IAM).

3. Click the Role assignments tab.

4. Verify that the Virtual Machine Contributor role is assigned to the user you
specified.
Clean up resources
To remove the role assignment and resource group you created, follow these steps.

1. Copy and paste the following script into Cloud Shell.

Azure PowerShell

$emailAddress = Read-Host -Prompt "Enter the email address of the user

with the role assignment to remove"
$resourceGroupName = Read-Host -Prompt "Enter the resource group name
to remove (i.e. ExampleGrouprg)"

$principalId = (Get-AzAdUser -Mail $emailAddress).id

Remove-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName

"Virtual Machine Contributor" -ResourceGroupName $resourceGroupName
Remove-AzResourceGroup -Name $resourceGroupName

2. Enter the email address of the user with the role assignment to remove.

3. Enter the resource group name to remove such as ExampleGrouprg.

4. If necessary, press Enter to run the Remove-AzResourceGroup command.

5. Enter Y to confirm that you want to remove the resource group.

Next steps
Tutorial: Grant a user access to Azure resources using Azure PowerShell
Tutorial: Grant a user access to Azure
resources using the Azure portal
Article • 07/20/2023

Azure role-based access control (Azure RBAC) is the way that you manage access to
Azure resources. In this tutorial, you grant a user access to create and manage virtual
machines in a resource group.

In this tutorial, you learn how to:

＂ Grant access for a user at a resource group scope

＂ Remove access

If you don't have an Azure subscription, create a free account before you begin.

Create a resource group

1. In the navigation list, click Resource groups.

2. Click New to open the Create a resource group page.

3. Select a subscription.

4. For Resource group name, enter example-group or another name.

5. Click Review + create and then click Create to create the resource group.

6. Click Refresh to refresh the list of resource groups.

The new resource group appears in your resource groups list.

Grant access
In Azure RBAC, to grant access, you assign an Azure role.

1. In the list of Resource groups, open the new example-group resource group.

2. In the navigation menu, click Access control (IAM).

3. Click the Role assignments tab to see the current list of role assignments.

4. Click Add > Add role assignment.

If you don't have permissions to assign roles, the Add role assignment option will
be disabled.
5. On the Role tab, select the Virtual Machine Contributor role.

6. On the Members tab, select yourself or another user.

7. On the Review + assign tab, review the role assignment settings.

8. Click Review + assign to assign the role.

After a few moments, the user is assigned the Virtual Machine Contributor role at
the example-group resource group scope.
Remove access
In Azure RBAC, to remove access, you remove a role assignment.

1. In the list of role assignments, add a checkmark next to the user with the Virtual
Machine Contributor role.

2. Click Remove.

3. In the remove role assignment message that appears, click Yes.

Clean up
1. In the navigation list, click Resource groups.

2. Click example-group to open the resource group.

3. Click Delete resource group to delete the resource group.

4. On the Are you sure you want to delete pane, type the resource group name and
then click Delete.

Next steps
Tutorial: Grant a user access to Azure resources using Azure PowerShell
Tutorial: Grant a user access to Azure
resources using Azure PowerShell
Article • 02/14/2024

Azure role-based access control (Azure RBAC) is the way that you manage access to
Azure resources. In this tutorial, you grant a user access to view everything in a
subscription and manage everything in a resource group using Azure PowerShell.

In this tutorial, you learn how to:

＂ Grant access for a user at different scopes

＂ List access
＂ Remove access

If you don't have an Azure subscription, create a free account before you begin.

７ Note

We recommend that you use the Azure Az PowerShell module to interact with
Azure. See Install Azure PowerShell to get started. To learn how to migrate to the
Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Prerequisites
To complete this tutorial, you will need:

Permissions to create users in Microsoft Entra ID (or have an existing user)

Azure Cloud Shell
Microsoft Graph PowerShell SDK

Role assignments
In Azure RBAC, to grant access, you create a role assignment. A role assignment consists
of three elements: security principal, role definition, and scope. Here are the two role
assignments you will perform in this tutorial:

ﾉ Expand table
Security principal Role definition Scope

User Reader Subscription

(RBAC Tutorial User)

User Contributor Resource group

(RBAC Tutorial User) (rbac-tutorial-resource-group)

Create a user
To assign a role, you need a user, group, or service principal. If you don't already have a
user, you can create one.

1. In Azure Cloud Shell, create a password that complies with your password
complexity requirements.

Azure PowerShell

$PasswordProfile = @{ Password = "<Password>" }

2. Create a new user for your domain using the New-MgUser command.

Azure PowerShell

New-MgUser -DisplayName "RBAC Tutorial User" -PasswordProfile

$PasswordProfile `
-UserPrincipalName "rbacuser@example.com" -AccountEnabled:$true -
MailNickName "rbacuser"

Output

DisplayName Id Mail
UserPrincipalName
----------- -- ---- ----------
-------
RBAC Tutorial User 11111111-1111-1111-1111-111111111111
rbacuser@example.com

Create a resource group

You use a resource group to show how to assign a role at a resource group scope.

1. Get a list of region locations using the Get-AzLocation command.

Azure PowerShell

Get-AzLocation | select Location

2. Select a location near you and assign it to a variable.

Azure PowerShell

$location = "westus"

3. Create a new resource group using the New-AzResourceGroup command.

Azure PowerShell

New-AzResourceGroup -Name "rbac-tutorial-resource-group" -Location

$location

Example

ResourceGroupName : rbac-tutorial-resource-group
Location : westus
ProvisioningState : Succeeded
Tags :
ResourceId : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/rbac-tutorial-resource-group

Grant access
To grant access for the user, you use the New-AzRoleAssignment command to assign a
role. You must specify the security principal, role definition, and scope.

1. Get the ID of your subscription using the Get-AzSubscription command.

Azure PowerShell

Get-AzSubscription

Example

Name : Pay-As-You-Go
Id : 00000000-0000-0000-0000-000000000000
TenantId : 22222222-2222-2222-2222-222222222222
State : Enabled

2. Save the subscription scope in a variable.

Azure PowerShell

$subScope = "/subscriptions/00000000-0000-0000-0000-000000000000"

3. Assign the Reader role to the user at the subscription scope.

Azure PowerShell

New-AzRoleAssignment -SignInName rbacuser@example.com `

-RoleDefinitionName "Reader" `
-Scope $subScope

Example

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/providers/Microsoft.Authorization/roleAssignments/44444444
-4444-4444-4444-444444444444
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000
DisplayName : RBAC Tutorial User
SignInName : rbacuser@example.com
RoleDefinitionName : Reader
RoleDefinitionId : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId : 11111111-1111-1111-1111-111111111111
ObjectType : User
CanDelegate : False

4. Assign the Contributor role to the user at the resource group scope.

Azure PowerShell

New-AzRoleAssignment -SignInName rbacuser@example.com `

-RoleDefinitionName "Contributor" `
-ResourceGroupName "rbac-tutorial-resource-group"

Example

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/rbac-tutorial-resource-
group/providers/Microsoft.Authorization/roleAssignments/33333333-3333-
3333-3333-333333333333
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/rbac-tutorial-resource-group
DisplayName : RBAC Tutorial User
SignInName : rbacuser@example.com
RoleDefinitionName : Contributor
RoleDefinitionId : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId : 11111111-1111-1111-1111-111111111111
ObjectType : User
CanDelegate : False

List access
1. To verify the access for the subscription, use the Get-AzRoleAssignment command
to list the role assignments.

Azure PowerShell

Get-AzRoleAssignment -SignInName rbacuser@example.com -Scope $subScope

Example

In the output, you can see that the Reader role has been assigned to the RBAC
Tutorial User at the subscription scope.
2. To verify the access for the resource group, use the Get-AzRoleAssignment
command to list the role assignments.

Azure PowerShell

Get-AzRoleAssignment -SignInName rbacuser@example.com -

ResourceGroupName "rbac-tutorial-resource-group"

Example

In the output, you can see that both the Contributor and Reader roles have been
assigned to the RBAC Tutorial User. The Contributor role is at the rbac-tutorial-
resource-group scope and the Reader role is inherited at the subscription scope.

(Optional) List access using the Azure Portal

1. To see how the role assignments look in the Azure portal, view the Access control
(IAM) blade for the subscription.
2. View the Access control (IAM) blade for the resource group.

Remove access
To remove access for users, groups, and applications, use Remove-AzRoleAssignment to
remove a role assignment.

1. Use the following command to remove the Contributor role assignment for the
user at the resource group scope.

Azure PowerShell
Remove-AzRoleAssignment -SignInName rbacuser@example.com `
-RoleDefinitionName "Contributor" `
-ResourceGroupName "rbac-tutorial-resource-group"

2. Use the following command to remove the Reader role assignment for the user at
the subscription scope.

Azure PowerShell

Remove-AzRoleAssignment -SignInName rbacuser@example.com `

-RoleDefinitionName "Reader" `
-Scope $subScope

Clean up resources
To clean up the resources created by this tutorial, delete the resource group and the
user.

1. Delete the resource group using the Remove-AzResourceGroup command.

Azure PowerShell

Remove-AzResourceGroup -Name "rbac-tutorial-resource-group"

Example

Confirm
Are you sure you want to remove resource group 'rbac-tutorial-resource-
group'
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

2. When asked to confirm, type Y. It will take a few seconds to delete.

3. Delete the user using the Remove-MgUser command.

Azure PowerShell

$User = Get-MgUser -Filter "DisplayName eq 'RBAC Tutorial User'"

Remove-MgUser -UserId $User.Id

Next steps
Assign Azure roles using Azure PowerShell
Tutorial: Grant a group access to Azure
resources using Azure PowerShell
Article • 02/27/2024

Azure role-based access control (Azure RBAC) is the way that you manage access to
Azure resources. In this tutorial, you grant a group access to view everything in a
subscription and manage everything in a resource group using Azure PowerShell.

In this tutorial, you learn how to:

＂ Grant access for a group at different scopes

＂ List access
＂ Remove access

If you don't have an Azure subscription, create a free account before you begin.

７ Note

We recommend that you use the Azure Az PowerShell module to interact with
Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the
Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Prerequisites
To complete this tutorial, you will need:

Permissions to create groups in Microsoft Entra ID (or have an existing group)

Azure Cloud Shell
Microsoft Graph PowerShell SDK

ﾉ Expand table
Security principal Role definition Scope

Group Reader Subscription

(RBAC Tutorial Group)

Group Contributor Resource group

(RBAC Tutorial Group) (rbac-tutorial-resource-group)

Create a group
To assign a role, you need a user, group, or service principal. If you don't already have a
group, you can create one.

In Azure Cloud Shell, create a new group using the New-MgGroup command.

Azure PowerShell

New-MgGroup -DisplayName "RBAC Tutorial Group" -MailEnabled:$false `

-SecurityEnabled:$true -MailNickName "NotSet"

Output

DisplayName Id MailNickname
Description GroupTypes
----------- -- ------------ -
---------- ----------
RBAC Tutorial Group 11111111-1111-1111-1111-111111111111 NotSet
{}

If you don't have permissions to create groups, you can try the Tutorial: Grant a user
access to Azure resources using Azure PowerShell instead.

Create a resource group

You use a resource group to show how to assign a role at a resource group scope.

1. Get a list of region locations using the Get-AzLocation command.

Azure PowerShell

Get-AzLocation | select Location

2. Select a location near you and assign it to a variable.

Azure PowerShell

$location = "westus"

3. Create a new resource group using the New-AzResourceGroup command.

Azure PowerShell

New-AzResourceGroup -Name "rbac-tutorial-resource-group" -Location

$location

Example

Grant access
To grant access for the group, you use the New-AzRoleAssignment command to assign
a role. You must specify the security principal, role definition, and scope.

1. Get the object ID of the group using the Get-MgGroup command.

Azure PowerShell

Get-MgGroup -Filter "DisplayName eq 'RBAC Tutorial Group'"

Output
DisplayName Id MailNickname
Description GroupTypes
----------- -- ------------ -
---------- ----------
RBAC Tutorial Group 11111111-1111-1111-1111-111111111111 NotSet
{}

2. Save the group object ID in a variable.

Azure PowerShell

$groupId = "11111111-1111-1111-1111-111111111111"

3. Get the ID of your subscription using the Get-AzSubscription command.

Azure PowerShell

Get-AzSubscription

Example

Name : Pay-As-You-Go
Id : 00000000-0000-0000-0000-000000000000
TenantId : 22222222-2222-2222-2222-222222222222
State : Enabled

4. Save the subscription scope in a variable.

Azure PowerShell

$subScope = "/subscriptions/00000000-0000-0000-0000-000000000000"

5. Assign the Reader role to the group at the subscription scope.

Azure PowerShell

New-AzRoleAssignment -ObjectId $groupId `

-RoleDefinitionName "Reader" `
-Scope $subScope

Example

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/providers/Microsoft.Authorization/roleAssignments/44444444
-4444-4444-4444-444444444444
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000
DisplayName : RBAC Tutorial Group
SignInName :
RoleDefinitionName : Reader
RoleDefinitionId : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId : 11111111-1111-1111-1111-111111111111
ObjectType : Group
CanDelegate : False

6. Assign the Contributor role to the group at the resource group scope.

Azure PowerShell

New-AzRoleAssignment -ObjectId $groupId `

-RoleDefinitionName "Contributor" `
-ResourceGroupName "rbac-tutorial-resource-group"

Example

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/rbac-tutorial-resource-
group/providers/Microsoft.Authorization/roleAssignments/33333333-3333-
3333-3333-333333333333
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/rbac-tutorial-resource-group
DisplayName : RBAC Tutorial Group
SignInName :
RoleDefinitionName : Contributor
RoleDefinitionId : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId : 11111111-1111-1111-1111-111111111111
ObjectType : Group
CanDelegate : False

List access
1. To verify the access for the subscription, use the Get-AzRoleAssignment command
to list the role assignments.

Azure PowerShell

Get-AzRoleAssignment -ObjectId $groupId -Scope $subScope

Example

In the output, you can see that the Reader role has been assigned to the RBAC
Tutorial Group at the subscription scope.

2. To verify the access for the resource group, use the Get-AzRoleAssignment
command to list the role assignments.

Azure PowerShell

Get-AzRoleAssignment -ObjectId $groupId -ResourceGroupName "rbac-

tutorial-resource-group"

Example

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/rbac-tutorial-resource-
group/providers/Microsoft.Authorization/roleAssignments/33333333-3333-
3333-3333-333333333333
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/rbac-tutorial-resource-group
DisplayName : RBAC Tutorial Group
SignInName :
RoleDefinitionName : Contributor
RoleDefinitionId : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId : 11111111-1111-1111-1111-111111111111
ObjectType : Group
CanDelegate : False

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/providers/Microsoft.Authorization/roleAssignments/22222222
-2222-2222-2222-222222222222
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000
DisplayName : RBAC Tutorial Group
SignInName :
RoleDefinitionName : Reader
RoleDefinitionId : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId : 11111111-1111-1111-1111-111111111111
ObjectType : Group
CanDelegate : False
In the output, you can see that both the Contributor and Reader roles have been
assigned to the RBAC Tutorial Group. The Contributor role is at the rbac-tutorial-
resource-group scope and the Reader role is inherited at the subscription scope.

(Optional) List access using the Azure Portal

1. To see how the role assignments look in the Azure portal, view the Access control
(IAM) blade for the subscription.

2. View the Access control (IAM) blade for the resource group.
Remove access
To remove access for users, groups, and applications, use Remove-AzRoleAssignment to
remove a role assignment.

1. Use the following command to remove the Contributor role assignment for the
group at the resource group scope.

Azure PowerShell

Remove-AzRoleAssignment -ObjectId $groupId `

-RoleDefinitionName "Contributor" `
-ResourceGroupName "rbac-tutorial-resource-group"

2. Use the following command to remove the Reader role assignment for the group
at the subscription scope.

Azure PowerShell

Remove-AzRoleAssignment -ObjectId $groupId `

-RoleDefinitionName "Reader" `
-Scope $subScope

Clean up resources
To clean up the resources created by this tutorial, delete the resource group and the
group.

1. Delete the resource group using the Remove-AzResourceGroup command.

Azure PowerShell

Remove-AzResourceGroup -Name "rbac-tutorial-resource-group"

Example

Confirm
Are you sure you want to remove resource group 'rbac-tutorial-resource-
group'
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

2. When asked to confirm, type Y. It will take a few seconds to delete.

3. Delete the group using the Remove-MgGroup command.

Azure PowerShell

Remove-MgGroup -GroupID $groupId

If you receive an error when you try to delete the group, you can also delete the
group in the portal.

Next steps
Assign Azure roles using Azure PowerShell
Tutorial: Create an Azure custom role
using Azure PowerShell
Article • 12/01/2023

If the Azure built-in roles don't meet the specific needs of your organization, you can
create your own custom roles. For this tutorial, you create a custom role named Reader
Support Tickets using Azure PowerShell. The custom role allows the user to view
everything in the control plane of a subscription and also open support tickets.

In this tutorial, you learn how to:

＂ Create a custom role

＂ List custom roles
＂ Update a custom role
＂ Delete a custom role

If you don't have an Azure subscription, create a free account before you begin.

７ Note

Prerequisites
To complete this tutorial, you will need:

Permissions to create custom roles, such as User Access Administrator

Azure Cloud Shell or Azure PowerShell

Sign in to Azure PowerShell

Create a custom role

The easiest way to create a custom role is to start with a built-in role, edit it, and then
create a new role.
1. In PowerShell, use the Get-AzProviderOperation command to get the list of
operations for the Microsoft.Support resource provider. It's helpful to know the
operations that are available to create your permissions. You can also see a list of
all the operations at Azure resource provider operations.

Azure PowerShell

Get-AzProviderOperation "Microsoft.Support/*" | FT Operation,

Description -AutoSize

Output

Operation Description
--------- -----------
Microsoft.Support/register/action Registers to Support Resource
Provider
Microsoft.Support/supportTickets/read Gets Support Ticket details
(including status, severity, contact ...
Microsoft.Support/supportTickets/write Creates or Updates a Support
Ticket. You can create a Support Tic...

2. Use the Get-AzRoleDefinition command to output the Reader role in JSON format.

Azure PowerShell

Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json | Out-File

C:\CustomRoles\ReaderSupportRole.json

3. Open the ReaderSupportRole.json file in an editor.

The following shows the JSON output. For information about the different
properties, see Azure custom roles.

JSON

{
"Name": "Reader",
"Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"IsCustom": false,
"Description": "Lets you view everything, but not make any changes.",
"Actions": [
"*/read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/"
]
}

4. Edit the JSON file to add the "Microsoft.Support/*" action to the Actions
property. Be sure to include a comma after the read action. This action will allow
the user to create support tickets.

5. Get the ID of your subscription using the Get-AzSubscription command.

Azure PowerShell

Get-AzSubscription

6. In AssignableScopes , add your subscription ID with the following format:

"/subscriptions/00000000-0000-0000-0000-000000000000"

You must add explicit subscription IDs, otherwise you won't be allowed to import
the role into your subscription.

7. Delete the Id property line and change the IsCustom property to true .

8. Change the Name and Description properties to "Reader Support Tickets" and
"View everything in the subscription and also open support tickets."

Your JSON file should look like the following:

JSON

{
"Name": "Reader Support Tickets",
"IsCustom": true,
"Description": "View everything in the subscription and also open
support tickets.",
"Actions": [
"*/read",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000"
]
}

9. To create the new custom role, use the New-AzRoleDefinition command and
specify the JSON role definition file.
Azure PowerShell

New-AzRoleDefinition -InputFile "C:\CustomRoles\ReaderSupportRole.json"

Output

Name : Reader Support Tickets

Id : 22222222-2222-2222-2222-222222222222
IsCustom : True
Description : View everything in the subscription and also open
support tickets.
Actions : {*/read, Microsoft.Support/*}
NotActions : {}
DataActions : {}
NotDataActions : {}
AssignableScopes : {/subscriptions/00000000-0000-0000-0000-
000000000000}

The new custom role is now available in the Azure portal and can be assigned to
users, groups, or service principals just like built-in roles.

List custom roles

To list all your custom roles, use the Get-AzRoleDefinition command.

Azure PowerShell

Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

Output

Name IsCustom
---- --------
Reader Support Tickets True

You can also see the custom role in the Azure portal.
Update a custom role
To update the custom role, you can update the JSON file or use the PSRoleDefinition
object.

1. To update the JSON file, use the Get-AzRoleDefinition command to output the
custom role in JSON format.

Azure PowerShell

Get-AzRoleDefinition -Name "Reader Support Tickets" | ConvertTo-Json |

Out-File C:\CustomRoles\ReaderSupportRole2.json

2. Open the file in an editor.

3. In Actions , add the action to create and manage resource group deployments
"Microsoft.Resources/deployments/*" .

Your updated JSON file should look like the following:

JSON

{
"Name": "Reader Support Tickets",
"Id": "22222222-2222-2222-2222-222222222222",
"IsCustom": true,
"Description": "View everything in the subscription and also open
support tickets.",
"Actions": [
"*/read",
"Microsoft.Support/*",
"Microsoft.Resources/deployments/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000"
]
}

4. To update the custom role, use the Set-AzRoleDefinition command and specify the
updated JSON file.

Azure PowerShell

Set-AzRoleDefinition -InputFile
"C:\CustomRoles\ReaderSupportRole2.json"

Output

Name : Reader Support Tickets

Id : 22222222-2222-2222-2222-222222222222
IsCustom : True
Description : View everything in the subscription and also open
support tickets.
Actions : {*/read, Microsoft.Support/*,
Microsoft.Resources/deployments/*}
NotActions : {}
DataActions : {}
NotDataActions : {}
AssignableScopes : {/subscriptions/00000000-0000-0000-0000-
000000000000}

5. To use the PSRoleDefintion object to update your custom role, first use the Get-
AzRoleDefinition command to get the role.

Azure PowerShell

$role = Get-AzRoleDefinition "Reader Support Tickets"

6. Call the Add method to add the action to read diagnostic settings.

Azure PowerShell
$role.Actions.Add("Microsoft.Insights/diagnosticSettings/*/read")

7. Use the Set-AzRoleDefinition to update the role.

Azure PowerShell

Set-AzRoleDefinition -Role $role

Output

Name : Reader Support Tickets

Id : 22222222-2222-2222-2222-222222222222
IsCustom : True
Description : View everything in the subscription and also open
support tickets.
Actions : {*/read, Microsoft.Support/*,
Microsoft.Resources/deployments/*,
Microsoft.Insights/diagnosticSettings/*/read}
NotActions : {}
DataActions : {}
NotDataActions : {}
AssignableScopes : {/subscriptions/00000000-0000-0000-0000-
000000000000}

Delete a custom role

1. Use the Get-AzRoleDefinition command to get the ID of the custom role.

Azure PowerShell

Get-AzRoleDefinition "Reader Support Tickets"

2. Use the Remove-AzRoleDefinition command and specify the role ID to delete the
custom role.

Azure PowerShell

Remove-AzRoleDefinition -Id "22222222-2222-2222-2222-222222222222"

Output

Confirm
Are you sure you want to remove role definition with id '22222222-2222-
2222-2222-222222222222'.
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):

3. When asked to confirm, type Y.

Next steps
Create or update Azure custom roles using Azure PowerShell
Tutorial: Create an Azure custom role
using Azure CLI
Article • 12/01/2023

If the Azure built-in roles don't meet the specific needs of your organization, you can
create your own custom roles. For this tutorial, you create a custom role named Reader
Support Tickets using Azure CLI. The custom role allows the user to view everything in
the control plane of a subscription and also open support tickets.

In this tutorial, you learn how to:

＂ Create a custom role

＂ List custom roles
＂ Update a custom role
＂ Delete a custom role

If you don't have an Azure subscription, create a free account before you begin.

Prerequisites
To complete this tutorial, you will need:

Permissions to create custom roles, such as User Access Administrator

Azure Cloud Shell or Azure CLI

Sign in to Azure CLI

Create a custom role

The easiest way to create a custom role is to start with a JSON template, add your
changes, and then create a new role.

1. Review the list of actions for the Microsoft.Support resource provider. It's helpful to
know the actions that are available to create your permissions.

ﾉ Expand table
Action Description

Microsoft.Support/register/action Registers to Support Resource Provider

Microsoft.Support/supportTickets/read Gets Support Ticket details (including status,

severity, contact details and communications) or
gets the list of Support Tickets across
subscriptions.

Microsoft.Support/supportTickets/write Creates or Updates a Support Ticket. You can

create a Support Ticket for Technical, Billing,
Quotas or Subscription Management related
issues. You can update severity, contact details
and communications for existing support tickets.

2. Create a new file named ReaderSupportRole.json.

3. Open ReaderSupportRole.json in an editor and add the following JSON.

For information about the different properties, see Azure custom roles.

JSON

{
"Name": "",
"IsCustom": true,
"Description": "",
"Actions": [],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}"
]
}

4. Add the following actions to the Actions property. These actions allow the user to
view everything in the subscription and create support tickets.

"*/read",
"Microsoft.Support/*"

5. Get the ID of your subscription using the az account list command.

Azure CLI
az account list --output table

6. In AssignableScopes , replace {subscriptionId1} with your subscription ID.

You must add explicit subscription IDs, otherwise you won't be allowed to import
the role into your subscription.

7. Change the Name and Description properties to "Reader Support Tickets" and
"View everything in the subscription and also open support tickets."

Your JSON file should look like the following:

JSON

8. To create the new custom role, use the az role definition create command and
specify the JSON role definition file.

Azure CLI

az role definition create --role-definition

"~/CustomRoles/ReaderSupportRole.json"

Output

{
"additionalProperties": {},
"assignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000"
],
"description": "View everything in the subscription and also open
support tickets.",
"id": "/subscriptions/00000000-0000-0000-0000-
000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222
-2222-2222-2222-222222222222",
"name": "22222222-2222-2222-2222-222222222222",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Support/*"
],
"additionalProperties": {},
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "Reader Support Tickets",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

The new custom role is now available and can be assigned to users, groups, or
service principals just like built-in roles.

List custom roles

To list all your custom roles, use the az role definition list command with the --
custom-role-only parameter.

Azure CLI

az role definition list --custom-role-only true

Output

[
{
"additionalProperties": {},
"assignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000"
],
"description": "View everything in the subscription and also open
support tickets.",
"id": "/subscriptions/00000000-0000-0000-0000-
000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222
-2222-2222-2222-222222222222",
"name": "22222222-2222-2222-2222-222222222222",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Support/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Insights/diagnosticSettings/*/read"
],
"additionalProperties": {},
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "Reader Support Tickets",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
]

You can also see the custom role in the Azure portal.

Update a custom role

To update the custom role, update the JSON file and then update the custom role.

1. Open the ReaderSupportRole.json file.

2. In Actions , add the action to create and manage resource group deployments
"Microsoft.Resources/deployments/*" . Be sure to include a comma after the

previous action.

Your updated JSON file should look like the following:

JSON

{
"Name": "Reader Support Tickets",
"IsCustom": true,
"Description": "View everything in the subscription and also open
support tickets.",
"Actions": [
"*/read",
"Microsoft.Support/*",
"Microsoft.Resources/deployments/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000"
]
}

3. To update the custom role, use the az role definition update command and specify
the updated JSON file.

Azure CLI

az role definition update --role-definition

"~/CustomRoles/ReaderSupportRole.json"

Output

{
"additionalProperties": {},
"assignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000"
],
"description": "View everything in the subscription and also open
support tickets.",
"id": "/subscriptions/00000000-0000-0000-0000-
000000000000/providers/Microsoft.Authorization/roleDefinitions/22222222
-2222-2222-2222-222222222222",
"name": "22222222-2222-2222-2222-222222222222",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Support/*",
"Microsoft.Resources/deployments/*"
],
"additionalProperties": {},
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "Reader Support Tickets",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Delete a custom role

Use the az role definition delete command and specify the role name or role ID to
delete the custom role.

Azure CLI

az role definition delete --name "Reader Support Tickets"

Next steps
Create or update Azure custom roles using Azure CLI
Understand Azure role definitions
Article • 02/12/2024

If you are trying to understand how an Azure role works or if you are creating your own
Azure custom role, it's helpful to understand how roles are defined. This article describes
the details of role definitions and provides some examples.

Role definition
A role definition is a collection of permissions. It's sometimes just called a role. A role
definition lists the actions that can be performed, such as read, write, and delete. It can
also list the actions that are excluded from allowed actions or actions related to
underlying data.

The following shows an example of the properties in a role definition when displayed
using Azure PowerShell:

Name
Id
IsCustom
Description
Actions []
NotActions []
DataActions []
NotDataActions []
AssignableScopes []
Condition
ConditionVersion

The following shows an example of the properties in a role definition when displayed
using the Azure CLI or REST API:

roleName
name
id
roleType
type
description
actions []
notActions []
dataActions []
notDataActions []
assignableScopes []
condition
conditionVersion
createdOn
updatedOn
createdBy
updatedBy

The following table describes what the role properties mean.

ﾉ Expand table

Property Description

Name Display name of the role.

roleName

Id Unique ID of the role. Built-in roles have the same role ID across clouds.
name

id Fully qualified unique ID of the role.

IsCustom Indicates whether this role is a custom role. Set to true or CustomRole for
roleType custom roles. Set to false or BuiltInRole for built-in roles.

type Type of object. Set to Microsoft.Authorization/roleDefinitions .

Description Description of the role.

description

Actions Array of strings that specifies the control plane actions that the role allows to
actions be performed.

NotActions Array of strings that specifies the control plane actions that are excluded from
notActions the allowed Actions .

DataActions Array of strings that specifies the data plane actions that the role allows to be
dataActions performed to your data within that object.

NotDataActions Array of strings that specifies the data plane actions that are excluded from
notDataActions the allowed DataActions .

AssignableScopes Array of strings that specifies the scopes that the role is available for
assignableScopes assignment.

Condition For built-in roles, condition statement based on one or more actions in role
condition definition.

ConditionVersion Condition version number. Defaults to 2.0 and is the only supported version.
conditionVersion
Property Description

createdOn Date and time role was created.

updatedOn Date and time role was last updated.

createdBy For custom roles, principal that created role.

updatedBy For custom roles, principal that updated role.

Actions format
Actions are specified with strings that have the following format:

{Company}.{ProviderName}/{resourceType}/{action}

The {action} portion of an action string specifies the type of actions you can perform
on a resource type. For example, you will see the following substrings in {action} :

ﾉ Expand table

Action substring Description

* The wildcard character grants access to all actions that match the string.

read Enables read actions (GET).

write Enables write actions (PUT or PATCH).

action Enables custom actions like restart virtual machines (POST).

delete Enables delete actions (DELETE).

Role definition example

Here's the Contributor role definition as displayed in Azure PowerShell and Azure CLI.
The wildcard ( * ) actions under Actions indicates that the principal assigned to this role
can perform all actions, or in other words, it can manage everything. This includes
actions defined in the future, as Azure adds new resource types. The actions under
NotActions are subtracted from Actions . In the case of the Contributor role, NotActions

removes this role's ability to manage access to resources and also manage Azure
Blueprints assignments.

Contributor role as displayed in Azure PowerShell:

JSON

{
"Name": "Contributor",
"Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"IsCustom": false,
"Description": "Grants full access to manage all resources, but does not
allow you to assign roles in Azure RBAC, manage assignments in Azure
Blueprints, or share image galleries.",
"Actions": [
"*"
],
"NotActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Purview/consents/write",
"Microsoft.Purview/consents/delete"
],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/"
],
"Condition": null,
"ConditionVersion": null
}

Contributor role as displayed in Azure CLI:

JSON

[
{
"assignableScopes": [
"/"
],
"createdBy": null,
"createdOn": "2015-02-02T21:55:09.880642+00:00",
"description": "Grants full access to manage all resources, but does not
allow you to assign roles in Azure RBAC, manage assignments in Azure
Blueprints, or share image galleries.",
"id":
"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"permissions": [
{
"actions": [
"*"
],
"condition": null,
"conditionVersion": null,
"dataActions": [],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Purview/consents/write",
"Microsoft.Purview/consents/delete"
],
"notDataActions": []
}
],
"roleName": "Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions",
"updatedBy": null,
"updatedOn": "2023-07-10T15:10:53.947865+00:00"
}
]

Control and data actions

Role-based access control for control plane actions is specified in the Actions and
NotActions properties of a role definition. Here are some examples of control plane

actions in Azure:

Manage access to a storage account

Create, update, or delete a blob container
Delete a resource group and all of its resources

Control plane access is not inherited to your data plane provided that the container
authentication method is set to Azure AD User Account and not Access Key. This
separation prevents roles with wildcards ( * ) from having unrestricted access to your
data. For example, if a user has a Reader role on a subscription, then they can view the
storage account, but by default they can't view the underlying data.

Previously, role-based access control was not used for data actions. Authorization for
data actions varied across resource providers. The same role-based access control
authorization model used for control plane actions has been extended to data plane
actions.
To support data plane actions, new data properties have been added to the role
definition. Data plane actions are specified in the DataActions and NotDataActions
properties. By adding these data properties, the separation between control plane and
data plane is maintained. This prevents current role assignments with wildcards ( * ) from
suddenly having accessing to data. Here are some data plane actions that can be
specified in DataActions and NotDataActions :

Read a list of blobs in a container

Write a storage blob in a container
Delete a message in a queue

Here's the Storage Blob Data Reader role definition, which includes actions in both the
Actions and DataActions properties. This role allows you to read the blob container and

also the underlying blob data.

Storage Blob Data Reader role as displayed in Azure PowerShell:

JSON

{
"Name": "Storage Blob Data Reader",
"Id": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"IsCustom": false,
"Description": "Allows for read access to Azure Storage blob containers
and data",
"Actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",

"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/ac
tion"
],
"NotActions": [],
"DataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"NotDataActions": [],
"AssignableScopes": [
"/"
],
"Condition": null,
"ConditionVersion": null
}

Storage Blob Data Reader role as displayed in Azure CLI:

JSON
[
{
"assignableScopes": [
"/"
],
"createdBy": null,
"createdOn": "2017-12-21T00:01:24.797231+00:00",
"description": "Allows for read access to Azure Storage blob containers
and data",
"id":
"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefin
itions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",

"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/ac
tion"
],
"condition": null,
"conditionVersion": null,
"dataActions": [

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"notActions": [],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions",
"updatedBy": null,
"updatedOn": "2021-11-11T20:13:55.297507+00:00"
}
]

Only data plane actions can be added to the DataActions and NotDataActions
properties. Resource providers identify which actions are data actions, by setting the
isDataAction property to true . To see a list of the actions where isDataAction is true ,

see Resource provider operations. Roles that do not have data actions are not required
to have DataActions and NotDataActions properties within the role definition.

Authorization for all control plane API calls is handled by Azure Resource Manager.
Authorization for data plane API calls is handled by either a resource provider or Azure
Resource Manager.
Data actions example
To better understand how control plane and data plane actions work, let's consider a
specific example. Alice has been assigned the Owner role at the subscription scope. Bob
has been assigned the Storage Blob Data Contributor role at a storage account scope.
The following diagram shows this example.

The Owner role for Alice and the Storage Blob Data Contributor role for Bob have the
following actions:

Owner

Actions
*

Storage Blob Data Contributor

Actions
Microsoft.Storage/storageAccounts/blobServices/containers/delete
Microsoft.Storage/storageAccounts/blobServices/containers/read

Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action

DataActions
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

Since Alice has a wildcard ( * ) action at a subscription scope, their permissions inherit
down to enable them to perform all control plane actions. Alice can read, write, and
delete containers. However, Alice cannot perform data plane actions without taking
additional steps. For example, by default, Alice cannot read the blobs inside a container.
To read the blobs, Alice would have to retrieve the storage access keys and use them to
access the blobs.

Bob's permissions are restricted to just the Actions and DataActions specified in the
Storage Blob Data Contributor role. Based on the role, Bob can perform both control
plane and data plane actions. For example, Bob can read, write, and delete containers in
the specified storage account and can also read, write, and delete the blobs.

For more information about control and data plane security for storage, see the Azure
Storage security guide.

What tools support using Azure roles for data actions?

To view and work with data actions, you must have the correct versions of the tools or
SDKs:

ﾉ Expand table

Tool Version

Azure PowerShell 1.1.0 or later

Azure CLI 2.0.30 or later

Azure for .NET 2.8.0-preview or later

Azure SDK for Go 15.0.0 or later

Azure for Java 1.9.0 or later

Azure for Python 0.40.0 or later

Azure SDK for Ruby 0.17.1 or later

To view and use the data actions in the REST API, you must set the api-version
parameter to the following version or later:

2018-07-01

Actions
The Actions permission specifies the control plane actions that the role allows to be
performed. It is a collection of strings that identify securable actions of Azure resource
providers. Here are some examples of control plane actions that can be used in Actions .

ﾉ Expand table

Action string Description

*/read Grants access to read actions for all resource

types of all Azure resource providers.

Microsoft.Compute/* Grants access to all actions for all resource

types in the Microsoft.Compute resource
provider.

Microsoft.Network/*/read Grants access to read actions for all resource

types in the Microsoft.Network resource
provider.

Microsoft.Compute/virtualMachines/* Grants access to all actions of virtual machines

and its child resource types.

microsoft.web/sites/restart/Action Grants access to restart a web app.

NotActions
The NotActions permission specifies the control plane actions that are subtracted or
excluded from the allowed Actions that have a wildcard ( * ). Use the NotActions
permission if the set of actions that you want to allow is more easily defined by
subtracting from Actions that have a wildcard ( * ). The access granted by a role
(effective permissions) is computed by subtracting the NotActions actions from the
Actions actions.

Actions - NotActions = Effective control plane permissions

The following table shows two examples of the effective control plane permissions for a
Microsoft.CostManagement wildcard action:
ﾉ Expand table

Actions NotActions Effective control plane

permissions

Microsoft.CostManagement/exp none Microsoft.CostManagement/exp

orts/* orts/action
Microsoft.CostManagement/exp
orts/read
Microsoft.CostManagement/exp
orts/write
Microsoft.CostManagement/exp
orts/delete
Microsoft.CostManagement/exp
orts/run/action

Microsoft.CostManagement/exp Microsoft.CostManagement/exp Microsoft.CostManagement/exp

orts/* orts/delete orts/action
Microsoft.CostManagement/exp
orts/read
Microsoft.CostManagement/exp
orts/write
Microsoft.CostManagement/exp
orts/run/action

７ Note

If a user is assigned a role that excludes an action in NotActions , and is assigned a

second role that grants access to the same action, the user is allowed to perform
that action. NotActions is not a deny rule – it is simply a convenient way to create a
set of allowed actions when specific actions need to be excluded.

Differences between NotActions and deny assignments

NotActions and deny assignments are not the same and serve different purposes.

NotActions are a convenient way to subtract specific actions from a wildcard ( * ) action.

Deny assignments block users from performing specific actions even if a role
assignment grants them access. For more information, see Understand Azure deny
assignments.

DataActions
The DataActions permission specifies the data plane actions that the role allows to be
performed to your data within that object. For example, if a user has read blob data
access to a storage account, then they can read the blobs within that storage account.
Here are some examples of data actions that can be used in DataActions .

ﾉ Expand table

Data action string Description

Microsoft.Storage/storageAccounts/blobServic Returns a blob or a list of blobs.

es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Returns the result of writing a blob.

es/containers/blobs/write

Microsoft.Storage/storageAccounts/queueServi Returns a message.

ces/queues/messages/read

Microsoft.Storage/storageAccounts/queueServi Returns a message or the result of writing or

ces/queues/messages/* deleting a message.

NotDataActions
The NotDataActions permission specifies the data plane actions that are subtracted or
excluded from the allowed DataActions that have a wildcard ( * ). Use the
NotDataActions permission if the set of actions that you want to allow is more easily

defined by subtracting from DataActions that have a wildcard ( * ). The access granted
by a role (effective permissions) is computed by subtracting the NotDataActions actions
from the DataActions actions. Each resource provider provides its respective set of APIs
to fulfill data actions.

DataActions - NotDataActions = Effective data plane permissions

The following table shows two examples of the effective date plane permissions for a
Microsoft.Storage wildcard action:

ﾉ Expand table

DataActions NotDataActions Effective data plane

permissions

Microsoft.Storage/storageAcc none Microsoft.Storage/storageAcc

ounts/queueServices/queues/me ounts/queueServices/queues/me
ssages/* ssages/read
DataActions NotDataActions Effective data plane
permissions

Microsoft.Storage/storageAcc
ounts/queueServices/queues/me
ssages/write
Microsoft.Storage/storageAcc
ounts/queueServices/queues/me
ssages/delete
Microsoft.Storage/storageAcc
ounts/queueServices/queues/me
ssages/add/action
Microsoft.Storage/storageAcc
ounts/queueServices/queues/me
ssages/process/action

Microsoft.Storage/storageAcc Microsoft.Storage/storageAcc Microsoft.Storage/storageAcc

ounts/queueServices/queues/me ounts/queueServices/queues/me ounts/queueServices/queues/me
ssages/* ssages/delete ssages/read
Microsoft.Storage/storageAcc
ounts/queueServices/queues/me
ssages/write
Microsoft.Storage/storageAcc
ounts/queueServices/queues/me
ssages/add/action
Microsoft.Storage/storageAcc
ounts/queueServices/queues/me
ssages/process/action

７ Note

If a user is assigned a role that excludes a data action in NotDataActions , and is

assigned a second role that grants access to the same data action, the user is
allowed to perform that data action. NotDataActions is not a deny rule – it is simply
a convenient way to create a set of allowed data actions when specific data actions
need to be excluded.

AssignableScopes
The AssignableScopes property specifies the scopes (root, management group,
subscriptions, or resource groups) where a role definition can be assigned. You can
make a custom role available for assignment in only the management group,
subscriptions, or resource groups that require it. You must use at least one management
group, subscription, or resource group.

For example, if AssignableScopes is set to a subscription, that means that the custom
role is available for assignment at subscription scope for the specified subscription,
resource group scope for any resource group in the subscription, or resource scope for
any resource in the subscription.

Built-in roles have AssignableScopes set to the root scope ( "/" ). The root scope
indicates that the role is available for assignment in all scopes.

Examples of valid assignable scopes include:

ﾉ Expand table

Role is available for assignment Example

One subscription "/subscriptions/{subscriptionId1}"

Two subscriptions "/subscriptions/{subscriptionId1}", "/subscr

iptions/{subscriptionId2}"

Network resource group "/subscriptions/{subscriptionId1}/resourceGr

oups/Network"

One management group "/providers/Microsoft.Management/managementG

roups/{groupId1}"

Management group and a subscription "/providers/Microsoft.Management/managementG

roups/{groupId1}", "/subscriptions/{subscript
ionId1}",

All scopes (applies only to built-in roles) "/"

You can define only one management group in AssignableScopes of a custom role.

Although it's possible to create a custom role with a resource instance in

AssignableScopes using the command line, it's not recommended. Each tenant supports

a maximum of 5,000 custom roles. Using this strategy could potentially exhaust your
available custom roles. Ultimately, the level of access is determined by the custom role
assignment (scope + role permissions + security principal) and not the
AssignableScopes listed in the custom role. So, create your custom roles with
AssignableScopes of management group, subscription, or resource group, but assign

the custom roles with narrow scope, such as resource or resource group.

For more information about AssignableScopes for custom roles, see Azure custom roles.
Privileged administrator role definition
Privileged administrator roles are roles that grant privileged administrator access, such
as the ability to manage Azure resources or assign roles to other users. If a built-in or
custom role includes any of the following actions, it is considered privileged. For more
information, see List or manage privileged administrator role assignments.

ﾉ Expand table

Action string Description

* Create and manage resources of all types.

*/delete Delete resources of all types.

*/write Write resources of all types.

Microsoft.Authorization/denyAssignments/dele Delete a deny assignment at the specified

te scope.

Microsoft.Authorization/denyAssignments/writ Create a deny assignment at the specified

e scope.

Microsoft.Authorization/roleAssignments/dele Delete a role assignment at the specified scope.

Microsoft.Authorization/roleAssignments/writ Create a role assignment at the specified scope.

Microsoft.Authorization/roleDefinitions/dele Delete the specified custom role definition.

Microsoft.Authorization/roleDefinitions/writ Create or update a custom role definition with

e specified permissions and assignable scopes.

Next steps
Understand role assignments
Azure built-in roles
Azure custom roles
Azure resource provider operations
Understand Azure role assignments
Article • 08/30/2024

Role assignments enable you to grant a principal (such as a user, a group, a managed
identity, or a service principal) access to a specific Azure resource. This article describes
the details of role assignments.

Role assignment
Access to Azure resources is granted by creating a role assignment, and access is
revoked by removing a role assignment.

A role assignment has several components, including:

The principal, or who is assigned the role.

The role that they're assigned.
The scope at which the role is assigned.
The name of the role assignment, and a description that helps you to explain why
the role has been assigned.

For example, you can use Azure RBAC to assign roles like:

User Sally has owner access to the storage account contoso123 in the resource
group ContosoStorage.
Everybody in the Cloud Administrators group in Microsoft Entra ID has reader
access to all resources in the resource group ContosoStorage.
The managed identity associated with an application is allowed to restart virtual
machines within Contoso's subscription.

The following shows an example of the properties in a role assignment when displayed
using Azure PowerShell:

JSON

{
"RoleAssignmentName": "00000000-0000-0000-0000-000000000000",
"RoleAssignmentId": "/subscriptions/11111111-1111-1111-1111-
111111111111/providers/Microsoft.Authorization/roleAssignments/00000000-
0000-0000-0000-000000000000",
"Scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
"DisplayName": "User Name",
"SignInName": "user@contoso.com",
"RoleDefinitionName": "Contributor",
"RoleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"ObjectId": "22222222-2222-2222-2222-222222222222",
"ObjectType": "User",
"CanDelegate": false,
"Description": null,
"ConditionVersion": null,
"Condition": null
}

The following shows an example of the properties in a role assignment when displayed
using the Azure CLI, or the REST API:

JSON

{
"canDelegate": null,
"condition": null,
"conditionVersion": null,
"description": null,
"id": "/subscriptions/11111111-1111-1111-1111-
111111111111/providers/Microsoft.Authorization/roleAssignments/00000000-
0000-0000-0000-000000000000",
"name": "00000000-0000-0000-0000-000000000000",
"principalId": "22222222-2222-2222-2222-222222222222",
"principalName": "user@contoso.com",
"principalType": "User",
"roleDefinitionId": "/subscriptions/11111111-1111-1111-1111-
111111111111/providers/Microsoft.Authorization/roleDefinitions/b24988ac-
6180-42a0-ab88-20f7382dd24c",
"roleDefinitionName": "Contributor",
"scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
"type": "Microsoft.Authorization/roleAssignments"
}

The following table describes what the role assignment properties mean.

ﾉ Expand table

Property Description

RoleAssignmentName The name of the role assignment, which is a globally unique identifier
name (GUID).

RoleAssignmentId The unique ID of the role assignment, which includes the name.
id

Scope The Azure resource identifier that the role assignment is scoped to.
scope

RoleDefinitionId The unique ID of the role.

roleDefinitionId
Property Description

RoleDefinitionName The name of the role.

roleDefinitionName

ObjectId The Microsoft Entra object identifier for the principal who has the role
principalId assigned.

ObjectType The type of Microsoft Entra object that the principal represents. Valid values
principalType include User , Group , and ServicePrincipal .

DisplayName For role assignments for users, the display name of the user.

SignInName The unique principal name (UPN) of the user, or the name of the
principalName application associated with the service principal.

Description The description of the role assignment.

description

Condition Condition statement built using one or more actions from role definition
condition and attributes.

ConditionVersion The condition version number. Defaults to 2.0 and is the only supported
conditionVersion version.

CanDelegate Not implemented.

canDelegate

Scope
When you create a role assignment, you need to specify the scope at which it's applied.
The scope represents the resource, or set of resources, that the principal is allowed to
access. You can scope a role assignment to a single resource, a resource group, a
subscription, or a management group.

 Tip

Use the smallest scope that you need to meet your requirements.

For example, if you need to grant a managed identity access to a single storage
account, it's good security practice to create the role assignment at the scope of
the storage account, not at the resource group or subscription scope.

For more information about scope, see Understand scope.

Role to assign
A role assignment is associated with a role definition. The role definition specifies the
permissions that the principal should have within the role assignment's scope.

You can assign a built-in role definition or a custom role definition. When you create a
role assignment, some tooling requires that you use the role definition ID while other
tooling allows you to provide the name of the role.

For more information about role definitions, see Understand role definitions.

Principal
Principals include users, security groups, managed identities, workload identities, and
service principals. Principals are created and managed in your Microsoft Entra tenant.
You can assign a role to any principal. Use the Microsoft Entra ID object ID to identify the
principal that you want to assign the role to.

When you create a role assignment by using Azure PowerShell, the Azure CLI, Bicep, or
another infrastructure as code (IaC) technology, you specify the principal type. Principal
types include User, Group, and ServicePrincipal. It's important to specify the correct
principal type. Otherwise, you might get intermittent deployment errors, especially when
you work with service principals and managed identities.

Name
A role assignment's resource name must be a globally unique identifier (GUID).

Role assignment resource names must be unique within the Microsoft Entra tenant, even
if the scope of the role assignment is narrower.

 Tip

When you create a role assignment by using the Azure portal, Azure PowerShell, or
the Azure CLI, the creation process gives the role assignment a unique name for
you automatically.

If you create a role assignment by using Bicep or another infrastructure as code

(IaC) technology, you need to carefully plan how you name your role assignments.
For more information, see Create Azure RBAC resources by using Bicep.
Resource deletion behavior
When you delete a user, group, service principal, or managed identity from Microsoft
Entra ID, it's a good practice to delete any role assignments. They aren't deleted
automatically. Any role assignments that refer to a deleted principal ID become invalid.

If you try to reuse a role assignment's name for another role assignment, the
deployment will fail. This issue is more likely to occur when you use Bicep or an Azure
Resource Manager template (ARM template) to deploy your role assignments, because
you have to explicitly set the role assignment name when you use these tools. To work
around this behavior, you should either remove the old role assignment before you
recreate it, or ensure that you use a unique name when you deploy a new role
assignment.

Description
You can add a text description to a role assignment. While descriptions are optional, it's
a good practice to add them to your role assignments. Provide a short justification for
why the principal needs the assigned role. When somebody audits the role assignments,
descriptions can help to understand why they've been created and whether they're still
applicable.

Conditions
Some roles support role assignment conditions based on attributes in the context of
specific actions. A role assignment condition is an additional check that you can
optionally add to your role assignment to provide more fine-grained access control.

For example, you can add a condition that requires an object to have a specific tag for
the user to read the object.

You typically build conditions using a visual condition editor, but here's what an example
condition looks like in code:

((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR
(@resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/t
ags:Project<$key_case_sensitive$>] StringEqualsIgnoreCase 'Cascade'))
The preceding condition allows users to read blobs with a blob index tag key of Project
and a value of Cascade.

For more information about conditions, see What is Azure attribute-based access
control (Azure ABAC)?

Integration with Privileged Identity

Management (Preview)

） Important

Azure role assignment integration with Privileged Identity Management is currently

in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews
for legal terms that apply to Azure features that are in beta, preview, or otherwise
not yet released into general availability.

If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, Microsoft

Entra Privileged Identity Management (PIM) is integrated into role assignment steps. For
example, you can assign roles to users for a limited period of time. You can also make
users eligible for role assignments so that they must activate to use the role, such as
request approval. Eligible role assignments provide just-in-time access to a role for a
limited period of time. You can't create eligible role assignments for applications, service
principals, or managed identities because they can't perform the activation steps. You
can create eligible role assignments at management group, subscription, and resource
group scope, but not at resource scope. This capability is being deployed in stages, so it
might not be available yet in your tenant or your interface might look different.

The assignment type options available to you might vary depending or your PIM policy.
For example, PIM policy defines whether permanent assignments can be created,
maximum duration for time-bound assignments, roles activations requirements
(approval, multifactor authentication, or Conditional Access authentication context), and
other settings. For more information, see Configure Azure resource role settings in
Privileged Identity Management.

If you don't want to use the PIM functionality, select the Active assignment type and
Permanent assignment duration options. These settings create a role assignment where
the principal always has permissions in the role.


To better understand PIM, you should review the following terms.

ﾉ Expand table

Term or Role Description

concept assignment
category

eligible Type A role assignment that requires a user to perform one or more
actions to use the role. If a user has been made eligible for a
role, that means they can activate the role when they need to
perform privileged tasks. There's no difference in the access
given to someone with a permanent versus an eligible role
assignment. The only difference is that some people don't need
that access all the time.

active Type A role assignment that doesn't require a user to perform any
action to use the role. Users assigned as active have the
privileges assigned to the role.

activate The process of performing one or more actions to use a role that
a user is eligible for. Actions might include performing a
multifactor authentication (MFA) check, providing a business
justification, or requesting approval from designated approvers.
Term or Role Description
concept assignment
category

permanent Duration A role assignment where a user is always eligible to activate the
eligible role.

permanent Duration A role assignment where a user can always use the role without
active performing any actions.

time-bound Duration A role assignment where a user is eligible to activate the role
eligible only within start and end dates.

time-bound Duration A role assignment where a user can use the role only within start
active and end dates.

just-in-time A model in which users receive temporary permissions to

(JIT) access perform privileged tasks, which prevents malicious or
unauthorized users from gaining access after the permissions
have expired. Access is granted only when users need it.

principle of A recommended security practice in which every user is provided

least privilege with only the minimum privileges needed to accomplish the
access tasks they're authorized to perform. This practice minimizes the
number of Global Administrators and instead uses specific
administrator roles for certain scenarios.

For more information, see What is Microsoft Entra Privileged Identity Management?.

Next steps
Delegate Azure access management to others
Steps to assign an Azure role

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Understand scope for Azure RBAC
Article • 06/02/2023

Scope is the set of resources that access applies to. When you assign a role, it's
important to understand scope so that you can grant a security principal just the access
that it really needs. By limiting the scope, you limit what resources are at risk if the
security principal is ever compromised.

Scope levels
In Azure, you can specify a scope at four levels: management group, subscription,
resource group, and resource. Scopes are structured in a parent-child relationship. Each
level of hierarchy makes the scope more specific. You can assign roles at any of these
levels of scope. The level you select determines how widely the role is applied. Lower
levels inherit role permissions from higher levels.

Management groups are a level of scope above subscriptions, but management groups
support more complex hierarchies. The following diagram shows an example of a
hierarchy of management groups and subscriptions that you can define. For more
information about management groups, see What are Azure management groups?.
Scope format
If you assign roles using the command line, you'll need to specify the scope. For
command-line tools, scope is a potentially long string that identifies the exact scope of
the role assignment. In the Azure portal, this scope is typically listed as the resource ID.

The scope consists of a series of identifiers separated by the slash (/) character. You can
think of this string as expressing the following hierarchy, where text without
placeholders ( {} ) are fixed identifiers:

/subscriptions
/{subscriptionId}
/resourcegroups
/{resourceGroupName}
/providers
/{providerName}
/{resourceType}
/{resourceSubType1}
/{resourceSubType2}
/{resourceName}

{subscriptionId} is the ID of the subscription to use (a GUID).

{resourcesGroupName} is the name of the containing resource group.

{providerName} is the name of the resource provider that handles the resource,
then {resourceType} and {resourceSubType*} identify further levels within that
resource provider.
{resourceName} is the last part of the string that identifies a specific resource.
Management groups are a level above subscriptions and have the broadest (least
specific) scope. Role assignments at this level apply to subscriptions within the
management group. The scope for a management group has the following format:

/providers
/Microsoft.Management
/managementGroups
/{managmentGroupName}

Scope examples
Scope Example

Management group /providers/Microsoft.Management/managementGr

oups/marketing-group

Subscription /subscriptions/00000000-0000-0000-0000-00000
0000000

Resource group /subscriptions/00000000-0000-0000-0000-00000

0000000/resourceGroups/Example-Storage-rg

/subscriptions/00000000-0000-0000-0000-00000
0000000/resourceGroups/pharma-sales

Resource /subscriptions/00000000-0000-0000-0000-00000
0000000/resourceGroups/Example-Storage-rg/pro
viders/Microsoft.Storage/storageAccounts/azur
estorage12345/blobServices/default/container
s/blob-container-01

/subscriptions/00000000-0000-0000-0000-00000
0000000/resourceGroups/MyVirtualNetworkResour
ceGroup/providers/Microsoft.Network/virtualNe
tworks/MyVirtualNetwork12345

How to determine the scope for a resource

It's fairly simple to determine the scope for a management group, subscription, or
resource group. You just need to know the name and the subscription ID. However,
determining the scope for a resource takes a little more work. Here are a couple ways
that you can determine the scope for a resource.
In the Azure portal, open the resource and then look at the properties. The
resource should list the Resource ID where you can determine the scope. For
example, here are the resource IDs for a storage account.

Another way is to use the Azure portal to assign a role temporarily at the resource
scope and then use Azure PowerShell or Azure CLI to list the role assignment. In
the output, the scope will be listed as a property.

Azure PowerShell

RoleAssignmentId :
/subscriptions/<subscriptionId>/resourceGroups/test-
rg/providers/Microsoft.Storage/storageAccounts/azurestorage12345/blobSe
rvices/default/containers/blob-container-01/pro

viders/Microsoft.Authorization/roleAssignments/<roleAssignmentId>
Scope :
/subscriptions/<subscriptionId>/resourceGroups/test-
rg/providers/Microsoft.Storage/storageAccounts/azurestorage12345/blobSe
rvices/default/containers/blob-container-01
DisplayName : User
SignInName : user@contoso.com
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId : <principalId>
ObjectType : User
CanDelegate : False
Description :
ConditionVersion :
Condition :

Azure CLI
{
"canDelegate": null,
"condition": null,
"conditionVersion": null,
"description": null,
"id": "/subscriptions/{subscriptionId}/resourceGroups/Example-
Storage-
rg/providers/Microsoft.Storage/storageAccounts/azurestorage12345/blobSe
rvices/default/containers/blob-container-
01/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}
",
"name": "{roleAssignmentId}",
"principalId": "{principalId}",
"principalName": "user@contoso.com",
"principalType": "User",
"resourceGroup": "test-rg",
"roleDefinitionId":
"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/role
Definitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"roleDefinitionName": "Storage Blob Data Reader",
"scope": "/subscriptions/{subscriptionId}/resourceGroups/Example-
Storage-
rg/providers/Microsoft.Storage/storageAccounts/azurestorage12345/blobSe
rvices/default/containers/blob-container-01",
"type": "Microsoft.Authorization/roleAssignments"
}

Scope and ARM templates

A role assignment is a special type in Azure Resource Manager called an extension
resource. An extension resource is a resource that adds to another resource's
capabilities. They always exist as an extension (like a child) of another resource. For
example, a role assignment at subscription scope is an extension resource of the
subscription. The name of a role assignment is always the name of the resource you are
extending plus /Microsoft.Authorization/roleAssignments/{roleAssignmentId} . When
assigning roles using Azure Resource Manager template (ARM template), you typically
don't need to provide the scope. The reason is that the scope field ends up always being
the ID of the resource you are extending. The scope can be determined from the ID of
the role assignment itself. The following table shows examples of a role assignment ID
and the corresponding scope:

Role assignment ID Scope

/subscriptions/{subscriptionId}/providers/Mi /subscriptions/{subscriptionId}
crosoft.Authorization/roleAssignments/{roleA
ssignmentId}
Role assignment ID Scope

/subscriptions/{subscriptionId}/resourceGrou /subscriptions/{subscriptionId}/resourceGrou
ps/Example-Storage-rg/providers/Microsoft.Au ps/Example-Storage-rg
thorization/roleAssignments/{roleAssignmentI
d}

For more information about scope and ARM templates, see Assign Azure roles using
Azure Resource Manager templates. For a full list of extension resource types, see
Resource types that extend capabilities of other resources.

Next steps
Steps to assign an Azure role
Resource providers for Azure services
What are Azure management groups?
Best practices for Azure RBAC
Article • 01/30/2024

This article describes some best practices for using Azure role-based access control
(Azure RBAC). These best practices are derived from our experience with Azure RBAC
and the experiences of customers like yourself.

Only grant the access users need

Using Azure RBAC, you can segregate duties within your team and grant only the
amount of access to users that they need to perform their jobs. Instead of giving
everybody unrestricted permissions in your Azure subscription or resources, you can
allow only certain actions at a particular scope.

When planning your access control strategy, it's a best practice to grant users the least
privilege to get their work done. Avoid assigning broader roles at broader scopes even if
it initially seems more convenient to do so. When creating custom roles, only include
the permissions users need. By limiting roles and scopes, you limit what resources are at
risk if the security principal is ever compromised.

The following diagram shows a suggested pattern for using Azure RBAC.

For information about how to assign roles, see Assign Azure roles using the Azure
portal.
Limit the number of subscription owners
You should have a maximum of 3 subscription owners to reduce the potential for breach
by a compromised owner. This recommendation can be monitored in Microsoft
Defender for Cloud. For other identity and access recommendations in Defender for
Cloud, see Security recommendations - a reference guide.

Limit privileged administrator role assignments

Some roles are identified as privileged administrator roles. Consider taking the following
actions to improve your security posture:

Remove unnecessary privileged role assignments.

Avoid assigning a privileged administrator role when a job function role can be
used instead.
If you must assign a privileged administrator role, use a narrow scope, such as
resource group or resource, instead of a broader scope, such as management
group or subscription.
If you are assigning a role with permission to create role assignments, consider
adding a condition to constrain the role assignment. For more information, see
Delegate Azure role assignment management to others with conditions.

For more information, see List or manage privileged administrator role assignments.

Use Microsoft Entra Privileged Identity

Management
To protect privileged accounts from malicious cyber-attacks, you can use Microsoft Entra
Privileged Identity Management (PIM) to lower the exposure time of privileges and
increase your visibility into their use through reports and alerts. PIM helps protect
privileged accounts by providing just-in-time privileged access to Microsoft Entra ID and
Azure resources. Access can be time bound after which privileges are revoked
automatically.

For more information, see What is Microsoft Entra Privileged Identity Management?.

Assign roles to groups, not users

To make role assignments more manageable, avoid assigning roles directly to users.
Instead, assign roles to groups. Assigning roles to groups instead of users also helps
minimize the number of role assignments, which has a limit of role assignments per
subscription.

Assign roles using the unique role ID instead of

the role name
There are a couple of times when a role name might change, for example:

You are using your own custom role and you decide to change the name.
You are using a preview role that has (Preview) in the name. When the role is
released, the role is renamed.

Even if a role is renamed, the role ID does not change. If you are using scripts or
automation to create your role assignments, it's a best practice to use the unique role ID
instead of the role name. Therefore, if a role is renamed, your scripts are more likely to
work.

For more information, see Assign a role using the unique role ID and Azure PowerShell
and Assign a role using the unique role ID and Azure CLI.

Avoid using a wildcard when creating custom

roles
When creating custom roles, you can use the wildcard ( * ) character to define
permissions. It's recommended that you specify Actions and DataActions explicitly
instead of using the wildcard ( * ) character. The additional access and permissions
granted through future Actions or DataActions might be unwanted behavior using the
wildcard. For more information, see Azure custom roles.

Next steps
Troubleshoot Azure RBAC
Delegate Azure access management to
others
Article • 08/29/2024

In Azure role-based access control (Azure RBAC), to grant access to Azure resources, you
assign Azure roles. For example, if a user needs to create and manage websites in a
subscription, you assign the Website Contributor role.

Assigning Azure roles to grant access to Azure resources is a common task. As an

administrator, you might get several requests to grant access that you want to delegate
to someone else. However, you want to make sure the delegate has just the permissions
they need to do their job. This article describes a more secure way to delegate role
assignment management to other users in your organization.

Why delegate role assignment management?

Here are some reasons why you might want to delegate role assignment management
to others:

You get several requests to assign roles in your organization.

Users are blocked waiting for the role assignment they need.
Users within their respective departments, teams, or projects have more
knowledge about who needs access.
Users have permissions to create Azure resources, but need an additional role
assignment to fully use that resource. For example:
Users with permission to create virtual machines can't immediately sign in to
the virtual machine without the Virtual Machine Administrator Login or Virtual
Machine User Login role. Instead of tracking down an administrator to assign
them a login role, it's more efficient if the user can assign the login role to
themselves.
A developer has permissions to create an Azure Kubernetes Service (AKS) cluster
and an Azure Container Registry (ACR), but needs to assign the AcrPull role to a
managed identity so that it can pull images from the ACR. Instead of tracking
down an administrator to assign the AcrPull role, it's more efficient if the
developer can assign the role themselves.

How you currently can delegate role

assignment management
The Owner and User Access Administrator roles are built-in roles that allow users to
create role assignments. Members of these roles can decide who can have write, read,
and delete permissions for any resource in a subscription. To delegate role assignment
management to another user, you can assign the Owner or User Access Administrator
role to a user.

The following diagram shows how Alice can delegate role assignment responsibilities to
Dara. For specific steps, see Assign a user as an administrator of an Azure subscription.

1. Alice assigns the User Access Administrator role to Dara.

2. Dara can now assign any role to any user, group, or service principal at the same
scope.

What are the issues with the current delegation

method?
Here are the primary issues with the current method of delegating role assignment
management to others in your organization.

Delegate has unrestricted access at the role assignment scope. This violates the
principle of least privilege, which exposes you to a wider attack surface.
Delegate can assign any role to any user within their scope, including themselves.
Delegate can assign the Owner or User Access Administrator roles to another user,
who can then assign roles to other users.

Instead of assigning the Owner or User Access Administrator roles, a more secure
method is to constrain a delegate's ability to create role assignments.

A more secure method: Delegate role

assignment management with conditions
Delegating role assignment management with conditions is a way to restrict the role
assignments a user can create. In the preceding example, Alice can allow Dara to create
some role assignments on her behalf, but not all role assignments. For example, Alice
can constrain the roles that Dara can assign and constrain the principals that Dara can
assign roles to. This delegation with conditions is sometimes referred to as constrained
delegation and is implemented using Azure attribute-based access control (Azure ABAC)
conditions.

This video provides an overview of delegating role assignment management with

conditions.
https://www.youtube-nocookie.com/embed/3eDf2thqeO4

Why delegate role assignment management

with conditions?
Here are some reasons why delegating role assignment management to others with
conditions is more secure:

You can restrict the role assignments the delegate is allowed to create.
You can prevent a delegate from allowing another user to assign roles.
You can enforce compliance of your organization's policies of least privilege.
You can automate the management of Azure resources without having to grant full
permissions to a service account.

Conditions example
Consider an example where Alice is an administrator with the User Access Administrator
role for a subscription. Alice wants to grant Dara the ability to assign specific roles for
specific groups. Alice doesn't want Dara to have any other role assignment permissions.
The following diagram shows how Alice can delegate role assignment responsibilities to
Dara with conditions.

1. Alice assigns the Role Based Access Control Administrator role to Dara. Alice adds
conditions so that Dara can only assign the Backup Contributor or Backup Reader
roles to the Marketing and Sales groups.
2. Dara can now assign the Backup Contributor or Backup Reader roles to the
Marketing and Sales groups.
3. If Dara attempts to assign other roles or assign any roles to different principals
(such as a user or managed identity), the role assignment fails.


Role Based Access Control Administrator role

The Role Based Access Control Administrator role is a built-in role that has been
designed for delegating role assignment management to others. It has fewer
permissions than User Access Administrator, which follows least privilege best practices.
The Role Based Access Control Administrator role has following permissions:

Create a role assignment at the specified scope

Delete a role assignment at the specified scope
Read resources of all types, except secrets
Create and update a support ticket

Ways to constrain role assignments

Here are the ways that role assignments can be constrained with conditions. You can
also combine these conditions to fit your scenario.

Constrain the roles that can be assigned



Constrain the roles and types of principals (users, groups, or service principals)
that can be assigned roles

Constrain the roles and specific principals that can be assigned roles


Specify different conditions for the add and remove role assignment actions

How to delegate role assignment management

with conditions
To delegate role assignment management with conditions, you assign roles as you
currently do, but you also add a condition to the role assignment.

1. Determine the permissions the delegate needs

What roles can the delegate assign?
What types of principals can the delegate assign roles to?
Which principals can the delegate assign roles to?
Can delegate remove any role assignments?

2. Start a new role assignment

3. Select the Role Based Access Control Administrator role

You can select any role that includes the

Microsoft.Authorization/roleAssignments/write action, but Role Based Access

Control Administrator has fewer permissions.

4. Select the delegate

Select the user that you want to delegate role assignment management to.

5. Add a condition

There are multiple ways that you can add a condition. For example, you can use a
condition template in the Azure portal, the advanced condition editor in the Azure
portal, Azure PowerShell, Azure CLI, Bicep, or REST API.

Template

Choose from a list of condition templates. Select Configure to specify the

roles, principal types, or principals.

For more information, see Delegate Azure role assignment management to

others with conditions.


6. Assign role with condition to delegate

Once you have specified your condition, complete the role assignment.

7. Contact the delegate

Let the delegate know that they can now assign roles with conditions.

Built-in roles with conditions

The Key Vault Data Access Administrator and Virtual Machine Data Access Administrator
(preview) roles already have a built-in condition to constrain role assignments.

The Key Vault Data Access Administrator role enables you to manage access to Key Vault
secrets, certificates, and keys. It's exclusively focused on access control without the
ability to assign privileged roles such as Owner or User Access Administrator roles. It
allows better separation of duties for scenarios like managing encryption at rest across
data services to further comply with least privilege principle. The condition constrains
role assignments to the following Azure Key Vault roles:

Key Vault Administrator

Key Vault Certificates Officer
Key Vault Crypto Officer
Key Vault Crypto Service Encryption User
Key Vault Crypto User
Key Vault Reader
Key Vault Secrets Officer
Key Vault Secrets User

If you want to further constrain the Key Vault Data Access Administrator role
assignment, you can add your own condition to constrain the types of principals (users,
groups, or service principals) or specific principals that can be assigned the Key Vault
roles.

Known issues
Here are the known issues related to delegating role assignment management with
conditions:

You can't delegate role assignment management for custom roles with conditions
using Privileged Identity Management.
You can't have a role assignment with a Microsoft.Storage data action and an
ABAC condition that uses a GUID comparison operator. For more information, see
Troubleshoot Azure RBAC.

License requirements
Using this feature is free and included in your Azure subscription.

Next steps
Delegate Azure role assignment management to others with conditions
What is Azure attribute-based access control (Azure ABAC)?
Examples to delegate Azure role assignment management with conditions

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Authorization actions and attributes
Article • 04/15/2024

Authorization actions
This section lists the supported authorization actions you can target for conditions.

Create or update role assignments

ﾉ Expand table

Property Value

Display name Create or update role assignments

Description Control plane action for creating role assignments

Action Microsoft.Authorization/roleAssignments/write

Resource attributes

Request attributes Role definition ID

Principal ID
Principal type

Examples !(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})
Example: Constrain roles

Delete a role assignment

ﾉ Expand table

Property Value

Display name Delete a role assignment

Description Control plane action for deleting role assignments

Action Microsoft.Authorization/roleAssignments/delete

Resource attributes Role definition ID

Principal ID
Principal type

Request attributes
Property Value

Examples !(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})
Example: Constrain roles

Authorization attributes
This section lists the authorization attributes you can use in your condition expressions
depending on the action you target. If you select multiple actions for a single condition,
there might be fewer attributes to choose from for your condition because the
attributes must be available across the selected actions.

Role definition ID

ﾉ Expand table

Property Value

Display name Role definition ID

Description The role definition ID used in the role assignment

Attribute Microsoft.Authorization/roleAssignments:RoleDefinitionId

Attribute Request
source Resource

Attribute GUID
type

Operators GuidEquals
GuidNotEquals
ForAnyOfAnyValues:GuidEquals
ForAnyOfAllValues:GuidNotEquals

Examples @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals {b24988ac-6180-42a0-ab88-20f7382dd24c, acdd72a7-
3385-48ef-bd42-f606fba81ae7}
Example: Constrain roles

Principal ID

ﾉ Expand table
Property Value

Display name Principal ID

Description The principal ID assigned to the role. This maps to the ID inside the Active
Directory. It can point to a user, service principal, or security group

Attribute Microsoft.Authorization/roleAssignments:PrincipalId

Attribute Request
source Resource

Attribute GUID
type

Operators GuidEquals
GuidNotEquals
ForAnyOfAnyValues:GuidEquals
ForAnyOfAllValues:GuidNotEquals

Examples @Request[Microsoft.Authorization/roleAssignments:PrincipalId]
ForAnyOfAnyValues:GuidEquals {28c35fea-2099-4cf5-8ad9-473547bc9423, 86951b8b-
723a-407b-a74a-1bca3f0c95d0}
Example: Constrain roles and specific groups

Principal type

ﾉ Expand table

Property Value

Display name Principal type

Description Principal type represents a user, group, service principal, or managed identity that
is requesting access to Azure resources. You can assign a role to any of these
security principals

Attribute Microsoft.Authorization/roleAssignments:PrincipalType

Attribute Request
source Resource

Attribute STRING
type

Values User
ServicePrincipal
Group
Property Value

Operators StringEqualsIgnoreCase
StringNotEqualsIgnoreCase
ForAnyOfAnyValues:StringEqualsIgnoreCase
ForAnyOfAllValues:StringNotEqualsIgnoreCase

Examples @Request[Microsoft.Authorization/roleAssignments:PrincipalType]
ForAnyOfAnyValues:StringEqualsIgnoreCase {'User', 'Group'}
Example: Constrain roles and principal types

Next steps
Examples to delegate Azure role assignment management with conditions
Delegate Azure role assignment management to others with conditions
Examples to delegate Azure role
assignment management with
conditions
Article • 04/15/2024

This article lists examples of how to delegate Azure role assignment management to
other users with conditions.

Prerequisites
For information about the prerequisites to add or edit role assignment conditions, see
Conditions prerequisites.

Example: Constrain roles

This condition allows a delegate to only add or remove role assignments for the Backup
Contributor or Backup Reader roles.

You must add this condition to any role assignments for the delegate that include the
following actions.

Microsoft.Authorization/roleAssignments/write

Microsoft.Authorization/roleAssignments/delete


Template

Here are the settings to add this condition using the Azure portal and a condition
template.

ﾉ Expand table

Condition Setting

Template Constrain roles

Roles Backup Contributor

Backup Reader

Example: Constrain roles and principal types

This condition allows a delegate to only add or remove role assignments for the Backup
Contributor or Backup Reader roles. Also, the delegate can only assign these roles to
principals of type user or group.

You must add this condition to any role assignments for the delegate that include the
following actions.

Microsoft.Authorization/roleAssignments/write
Microsoft.Authorization/roleAssignments/delete

Template

Here are the settings to add this condition using the Azure portal and a condition
template.

ﾉ Expand table

Condition Setting

Template Constrain roles and principal types

Roles Backup Contributor

Backup Reader

Principal types Users

Groups

Example: Constrain roles and specific groups

This condition allows a delegate to only add or remove role assignments for the Backup
Contributor or Backup Reader roles. Also, the delegate can only assign these roles to
specific groups named Marketing (28c35fea-2099-4cf5-8ad9-473547bc9423) or Sales
(86951b8b-723a-407b-a74a-1bca3f0c95d0).
You must add this condition to any role assignments for the delegate that include the
following actions.

Microsoft.Authorization/roleAssignments/write
Microsoft.Authorization/roleAssignments/delete

Template

Here are the settings to add this condition using the Azure portal and a condition
template.

ﾉ Expand table

Condition Setting

Template Constrain roles and principals

Roles Backup Contributor

Backup Reader

Principals Marketing
Sales

Example: Constrain virtual machine

management
This condition allows a delegate to only add or remove role assignments for the Virtual
Machine Administrator Login or Virtual Machine User Login roles. Also, the delegate can
only assign these roles to a specific user named Dara (ea585310-c95c-4a68-af22-
49af4363bbb1).

This condition is useful when you want to allow a delegate to assign a virtual machine
login role to themselves for a virtual machine they've just created.

You must add this condition to any role assignments for the delegate that include the
following actions.

Microsoft.Authorization/roleAssignments/write

Microsoft.Authorization/roleAssignments/delete

Template

Here are the settings to add this condition using the Azure portal and a condition
template.

ﾉ Expand table

Condition Setting

Template Constrain roles and principals

Roles Virtual Machine Administrator Login

Virtual Machine User Login

Principals Dara

Example: Constrain AKS cluster management

This condition allows a delegate to only add or remove role assignments for the Azure
Kubernetes Service RBAC Admin, Azure Kubernetes Service RBAC Cluster Admin, Azure
Kubernetes Service RBAC Reader, or Azure Kubernetes Service RBAC Writer roles. Also,
the delegate can only assign these roles to a specific user named Dara (ea585310-c95c-
4a68-af22-49af4363bbb1).

This condition is useful when you want to allow a delegate to assign Azure Kubernetes
Service (AKS) cluster data plane authorization roles to themselves for a cluster they've
just created.

You must add this condition to any role assignments for the delegate that include the
following actions.

Microsoft.Authorization/roleAssignments/write
Microsoft.Authorization/roleAssignments/delete

Template

Here are the settings to add this condition using the Azure portal and a condition
template.

ﾉ Expand table

Condition Setting

Template Constrain roles and principals

Roles Azure Kubernetes Service RBAC Admin

Azure Kubernetes Service RBAC Cluster
Admin
Condition Setting

Azure Kubernetes Service RBAC Reader

Azure Kubernetes Service RBAC Writer

Principals Dara

Example: Constrain ACR management

This condition allows a delegate to only add or remove role assignments for the AcrPull
role. Also, the delegate can only assign these roles to principals of type service principal.

This condition is useful when you want to allow a developer to assign the AcrPull role to
a managed identity themselves so that it can pull images from the Azure Container
Registry (ACR).

You must add this condition to any role assignments for the delegate that include the
following actions.

Microsoft.Authorization/roleAssignments/write
Microsoft.Authorization/roleAssignments/delete

Template

Here are the settings to add this condition using the Azure portal and a condition
template.

ﾉ Expand table
Condition Setting

Template Constrain roles and principal types

Roles AcrPull

Principal types Service principals

Example: Constrain add role assignments

This condition allows a delegate to only add role assignments for the Backup
Contributor or Backup Reader roles. The delegate can remove any role assignments.

You must add this condition to any role assignments for the delegate that include the
following action.

Microsoft.Authorization/roleAssignments/write

Template

None
Example: Allow most roles, but don't allow
others to assign roles
This condition allows a delegate to add or remove role assignments for all roles except
the Owner, Role Based Access Control Administrator, and User Access Administrator
roles.

This condition is useful when you want to allow a delegate to assign most roles, but not
allow the delegate to allow others to assign roles.

７ Note

This condition should be used with caution. If a new built-in or custom role is later
added that includes the permission to create role assignments, this condition
would not prevent the delegate from assigning roles. The condition would have to
be updated to include the new built-in or custom role.

You must add this condition to any role assignments for the delegate that include the
following actions.

Microsoft.Authorization/roleAssignments/write
Microsoft.Authorization/roleAssignments/delete


Template

Here are the settings to add this condition using the Azure portal and a condition
template.

ﾉ Expand table

Condition Setting

Template Allow all except specific roles

Exclude roles Owner

Role Based Access Control Administrator
User Access Administrator

Next steps
Authorization actions and attributes
Azure role assignment condition format and syntax
Troubleshoot Azure role assignment conditions
Azure role assignment condition format
and syntax
Article • 04/01/2024

A condition is an additional check that you can optionally add to your role assignment
to provide more fine-grained access control. For example, you can add a condition that
requires an object to have a specific tag to read the object. This article describes the
format and syntax of role assignment conditions.

Condition format
To better understand role assignment conditions, it helps to look at the format.

Simple condition
The most basic condition consists of a targeted action and an expression. An action is an
operation that a user can perform on a resource type. An expression is a statement that
evaluates to true or false, which determines whether the action is allowed to be
performed.

The following shows the format of a simple condition.

(
(
!(ActionMatches{'<action>'})
)
OR
(
<attribute> <operator> <value>
)
)
The following condition has an action of "Read a blob". The expression checks whether
the container name is blobs-example-container.

(
(
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})
)
OR
(

@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container'
)
)

How a condition is evaluated

If a user tries to perform an action in the role assignment that is not <action> , !
(ActionMatches) evaluates to true and the overall condition evaluates to true to allow

the action to be performed.

If a user tries to perform <action> in the role assignment, !(ActionMatches) evaluates

to false, so the expression is evaluated. If the expression evaluates to true, the overall
condition evaluates to true to allow <action> to be performed. Otherwise, <action> is
not allowed to be performed.

The following pseudo code shows another way that you can read this condition.

if a user tries to perform an action in the role assignment that does not
match <action>
{
Allow action to be performed
}
else
{
if <attribute> <operator> <value> is true
{
Allow <action> to be performed
}
else
{
Do not allow <action> to be performed
}
}

Suboperations
Some actions have suboperations. For example, the
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read data action

has the suboperation "List blobs". Conditions with suboperations have the following
format.

(
(
!(ActionMatches{'<action>'}
AND
SubOperationMatches{'<subOperation>'})

)
OR
(
<attribute> <operator> <value>
)
)

Multiple actions
A condition can include multiple actions that you want to allow if the condition is true. If
you select multiple actions for a single condition, there might be fewer attributes to
choose from for your condition because the attributes must be available across the
selected actions.

(
(
!(ActionMatches{'<action>'})
AND
!(ActionMatches{'<action>'})
)
OR
(
<attribute> <operator> <value>
)
)

Multiple expressions
A condition can include multiple expressions. Depending on the operator, attributes can
be checked against multiple values.
(
(
!(ActionMatches{'<action>'})
)
OR
(
<attribute> <operator> <value>
AND | OR
<attribute> <operator> {<value>, <value>, <value>}
AND | OR
<attribute> <operator> <value>
)
)

Multiple conditions
You can also combine conditions to target multiple actions.

(
(
!(ActionMatches{'<action>'})
)
OR
(
<attribute> <operator> <value>
AND | OR
<attribute> <operator> {<value>, <value>, <value>}
AND | OR
<attribute> <operator> <value>
)
)
AND
(
(
!(ActionMatches{'<action>'})
)
OR
(
<attribute> <operator> <value>
AND | OR
<attribute> <operator> <value>
)
)

Condition syntax
The following shows the syntax for a role assignment condition.

(
(
!(ActionMatches{'<action>'} AND
SubOperationMatches{'<subOperation>'})
AND
!(ActionMatches{'<action>'} AND
SubOperationMatches{'<subOperation>'})
AND
...
)
OR
(
<attribute> <operator> {<value, <value>, ...}
AND | OR
<attribute> <operator> {<value>, <value>, ...}
AND | OR
...
)
)
AND
(
(
!(ActionMatches{'<action>'} AND
SubOperationMatches{'<subOperation>'})
AND
!(ActionMatches{'<action>'} AND
SubOperationMatches{'<subOperation>'})
AND
...
)
OR
(
<attribute> <operator> {<value, <value>, ...}
AND | OR
<attribute> <operator> {<value>, <value>, ...}
AND | OR
...
)
)
AND
...

Actions
Currently, conditions can be added to built-in or custom role assignments that have
blob storage or queue storage data actions. These include the following built-in roles:

Storage Blob Data Contributor

Storage Blob Data Owner
Storage Blob Data Reader
Storage Queue Data Contributor
Storage Queue Data Message Processor
Storage Queue Data Message Sender
Storage Queue Data Reader

For a list of the storage actions you can use in conditions, see:

Actions and attributes for Azure role assignment conditions for Azure Blob Storage
Actions and attributes for Azure role assignment conditions for Azure Queue
Storage.

Attributes
Depending on the selected actions, the attribute might be found in different places. If
you select multiple actions for a single condition, there might be fewer attributes to
choose from for your condition because the attributes must be available across all of the
selected actions. To specify an attribute, you must include the source as a prefix.
ﾉ Expand table

Attribute source Description Code

Environment Attribute is associated with the @Environment

environment of the request,
such as the network origin of
the request or the current date
and time.

Principal Attribute is a custom security @Principal

attribute assigned to the
principal, such as a user or
enterprise application (service
principal).

Request Attribute is part of the action @Request

request, such as setting the
blob index tag.

Resource Attribute is a property of the @Resource

resource, such as a container
name.

For a complete list of the storage attributes you can use in conditions, see:

Azure Blob Storage attributes

Azure Queue Storage attributes

Environment attributes

Environment attributes are associated with the circumstances under which the access
request is made, such as the date and time of day or the network environment. The
network environment might be whether access is over a specific private endpoint or a
virtual network subnet, or perhaps over any private link.

The following table lists the supported environment attributes for conditions.

ﾉ Expand table

Display Description Attribute Type

name

Is private Use this attribute in isPrivateLink Boolean

link1 conditions to require
access over any private
link.
Display Description Attribute Type
name

Private Use this attribute in Microsoft.Network/privateEndpoints String

endpoint1,2 conditions to restrict
access over a specific
private endpoint.

Subnet1,3 Use this attribute in Microsoft.Network/virtualNetworks/subnets String

conditions to restrict
access from a specific
subnet.

UTC now Use this attribute in UtcNow DateTime

conditions to restrict
access to objects during
specific time periods.

1
For copy operations, the Is private link , Private endpoint , and Subnet attributes
only apply to the destination, such a storage account, not the source. For more
information about the copy operations this applies to, select each attribute in the table
to see more details.
2
You can only use the Private endpoint attribute if you currently have at least one
private endpoint configured in your subscription.
3
You can only use the Subnet attribute if you currently have at least one virtual network
subnet using service endpoints configured in your subscription.

Principal attributes
Principal attributes are custom security attributes assigned to the security principal
requesting access to a resource. The security principal can be a user or an enterprise
application (service principal).

To use principal attributes, you must have the following:

Microsoft Entra permissions for the signed-in user, such as the Attribute
Assignment Administrator role
Custom security attributes defined in Microsoft Entra ID

For more information about custom security attributes, see:

Add or deactivate custom security attributes in Microsoft Entra ID

Allow read access to blobs based on tags and custom security attributes
Principal does not appear in Attribute source
Request attributes
Request attributes are associated with the criteria specified in an access request, such as
the specified prefix of blobs to be listed.

Resource attributes
Resource attributes are associated with the object to which access is being requested,
such as the storage account name, container name, or whether hierarchical namespace
is enabled for the storage account.

Function operators
This section lists the function operators that are available to construct conditions.

ActionMatches

ﾉ Expand table

Property Value

Operator ActionMatches

Description Checks if the current action matches the specified action pattern.

Examples ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs
/read'}
If the action being checked equals
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", then true

ActionMatches{'Microsoft.Authorization/roleAssignments/*'}
If the action being checked equals
"Microsoft.Authorization/roleAssignments/write", then true

ActionMatches{'Microsoft.Authorization/roleDefinitions/*'}
If the action being checked equals
"Microsoft.Authorization/roleAssignments/write", then false

SubOperationMatches

ﾉ Expand table
Property Value

Operator SubOperationMatches

Description Checks if the current suboperation matches the specified suboperation pattern.

Examples SubOperationMatches{'Blob.List'}

Exists

ﾉ Expand table

Property Value

Operator Exists

Description Checks if the specified attribute exists.

Examples Exists
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs
:snapshot]

Attributes Encryption scope name

support 1 Snapshot
Version ID

1 The Exists operator is supported for only these attributes in the visual ABAC
condition builder in the Azure portal. You can add the Exists operator to any attribute
using other tools, such as PowerShell, the Azure CLI, the REST API, and the condition
code editor in the Azure portal.

Logical operators
This section lists the logical operators that are available to construct conditions.

And

ﾉ Expand table

Property Value

Operators AND
&&
Property Value

Description And operator.

Examples !
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs
/read'} AND NOT SubOperationMatches{'Blob.List'})

ﾉ Expand table

Property Value

Operators OR
||

Description Or operator.

Examples @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versi
onId] DateTimeEquals '2022-06-01T00:00:00.0Z' OR NOT Exists
@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versio
nId

Not

ﾉ Expand table

Property Value

Operators NOT
!

Description Not or negation operator.

Examples NOT Exists

@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versio
nId]

Boolean comparison operators

This section lists the Boolean comparison operators that are available to construct
conditions.
ﾉ Expand table

Property Value

Operators BoolEquals
BoolNotEquals

Description Boolean comparison.

Examples @Resource[Microsoft.Storage/storageAccounts:isHnsEnabled] BoolEquals true

String comparison operators

This section lists the string comparison operators that are available to construct
conditions.

StringEquals

ﾉ Expand table

Property Value

Operators StringEquals
StringEqualsIgnoreCase

Description Case-sensitive (or case-insensitive) matching. The values must exactly match the
string.

Examples @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:
Project<$key_case_sensitive$>] StringEquals 'Cascade'

StringNotEquals

ﾉ Expand table

Property Value

Operators StringNotEquals
StringNotEqualsIgnoreCase

Description Negation of StringEquals (or StringEqualsIgnoreCase ) operator.

StringStartsWith
ﾉ Expand table

Property Value

Operators StringStartsWith
StringStartsWithIgnoreCase

Description Case-sensitive (or case-insensitive) matching. The values start with the string.

StringNotStartsWith

ﾉ Expand table

Property Value

Operators StringNotStartsWith
StringNotStartsWithIgnoreCase

Description Negation of StringStartsWith (or StringStartsWithIgnoreCase ) operator.

StringLike

ﾉ Expand table

Property Value

Operators StringLike
StringLikeIgnoreCase

Description Case-sensitive (or case-insensitive) matching. The values can include a multi-
character match wildcard ( * ) or a single-character match wildcard ( ? ) anywhere in
the string. If needed, these characters can be escaped by add a backslash \* and
\? .

Examples @Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path
] StringLike 'readonly/*'

Resource[name1] StringLike 'a*c?'

If Resource[name1] equals "abcd", then true

Resource[name1] StringLike 'A*C?'

If Resource[name1] equals "abcd", then false

Resource[name1] StringLike 'a*c'

If Resource[name1] equals "abcd", then false
StringNotLike

ﾉ Expand table

Property Value

Operators StringNotLike
StringNotLikeIgnoreCase

Description Negation of StringLike (or StringLikeIgnoreCase ) operator.

Numeric comparison operators

This section lists the numeric comparison operators that are available to construct
conditions.

ﾉ Expand table

Property Value

Operators NumericEquals
NumericNotEquals
NumericGreaterThan
NumericGreaterThanEquals
NumericLessThan
NumericLessThanEquals

Description Number matching. Only integers are supported.

DateTime comparison operators

This section lists the date/time comparison operators that are available to construct
conditions.

ﾉ Expand table

Property Value

Operators DateTimeEquals
DateTimeNotEquals
DateTimeGreaterThan
DateTimeGreaterThanEquals
DateTimeLessThan
DateTimeLessThanEquals
Property Value

Description Full-precision check with the format: yyyy-mm-ddThh:mm:ss.mmmmmmmZ . Used for blob
version ID, blob snapshot, and UTC now.

Examples @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versi
onId] DateTimeEquals '2022-06-01T00:00:00.0Z'

GUID comparison operators

This section lists the globally unique identifier (GUID) comparison operators that are
available to construct conditions.

ﾉ Expand table

Property Value

Operators GuidEquals
GuidNotEquals

Description Case-insensitive matching with the format: 00000000-0000-0000-0000-000000000000 .

Used to identify a resource, such as principal ID or role definition ID.

Examples

Cross product comparison operators

This section lists the cross product comparison operators that are available to construct
conditions.

ForAnyOfAnyValues

ﾉ Expand table

Property Value

Operators ForAnyOfAnyValues:StringEquals
ForAnyOfAnyValues:StringEqualsIgnoreCase
ForAnyOfAnyValues:StringNotEquals
ForAnyOfAnyValues:StringNotEqualsIgnoreCase
ForAnyOfAnyValues:StringLike
ForAnyOfAnyValues:StringLikeIgnoreCase
ForAnyOfAnyValues:StringNotLike
ForAnyOfAnyValues:StringNotLikeIgnoreCase
Property Value

ForAnyOfAnyValues:NumericEquals
ForAnyOfAnyValues:NumericNotEquals
ForAnyOfAnyValues:NumericGreaterThan
ForAnyOfAnyValues:NumericGreaterThanEquals
ForAnyOfAnyValues:NumericLessThan
ForAnyOfAnyValues:NumericLessThanEquals
ForAnyOfAnyValues:GuidEquals
ForAnyOfAnyValues:GuidNotEquals

Description If at least one value on the left-hand side satisfies the comparison to at least one
value on the right-hand side, then the expression evaluates to true. Has the format:
ForAnyOfAnyValues:<BooleanFunction> . Supports multiple strings and numbers.

Examples @Resource[Microsoft.Storage/storageAccounts/encryptionScopes:name]
ForAnyOfAnyValues:StringEquals {'validScope1', 'validScope2'}
If encryption scope name equals validScope1 or validScope2 , then true.

{'red', 'blue'} ForAnyOfAnyValues:StringEquals {'blue', 'green'}

true

{'red', 'blue'} ForAnyOfAnyValues:StringEquals {'orange', 'green'}

false

ForAllOfAnyValues

ﾉ Expand table

Property Value

Operators ForAllOfAnyValues:StringEquals
ForAllOfAnyValues:StringEqualsIgnoreCase
ForAllOfAnyValues:StringNotEquals
ForAllOfAnyValues:StringNotEqualsIgnoreCase
ForAllOfAnyValues:StringLike
ForAllOfAnyValues:StringLikeIgnoreCase
ForAllOfAnyValues:StringNotLike
ForAllOfAnyValues:StringNotLikeIgnoreCase
ForAllOfAnyValues:NumericEquals
ForAllOfAnyValues:NumericNotEquals
ForAllOfAnyValues:NumericGreaterThan
ForAllOfAnyValues:NumericGreaterThanEquals
ForAllOfAnyValues:NumericLessThan
ForAllOfAnyValues:NumericLessThanEquals
ForAllOfAnyValues:GuidEquals
ForAllOfAnyValues:GuidNotEquals
Property Value

Description If every value on the left-hand side satisfies the comparison to at least one value on
the right-hand side, then the expression evaluates to true. Has the format:
ForAllOfAnyValues:<BooleanFunction> . Supports multiple strings and numbers.

Examples @Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:
Project<$key_case_sensitive$>] ForAllOfAnyValues:StringEquals {'Cascade',
'Baker', 'Skagit'}

{'red', 'blue'} ForAllOfAnyValues:StringEquals {'orange', 'red', 'blue'}

true

{'red', 'blue'} ForAllOfAnyValues:StringEquals {'red', 'green'}

false

ForAnyOfAllValues

ﾉ Expand table

Property Value

Operators ForAnyOfAllValues:StringEquals
ForAnyOfAllValues:StringEqualsIgnoreCase
ForAnyOfAllValues:StringNotEquals
ForAnyOfAllValues:StringNotEqualsIgnoreCase
ForAnyOfAllValues:StringLike
ForAnyOfAllValues:StringLikeIgnoreCase
ForAnyOfAllValues:StringNotLike
ForAnyOfAllValues:StringNotLikeIgnoreCase
ForAnyOfAllValues:NumericEquals
ForAnyOfAllValues:NumericNotEquals
ForAnyOfAllValues:NumericGreaterThan
ForAnyOfAllValues:NumericGreaterThanEquals
ForAnyOfAllValues:NumericLessThan
ForAnyOfAllValues:NumericLessThanEquals
ForAnyOfAllValues:GuidEquals
ForAnyOfAllValues:GuidNotEquals

Description If at least one value on the left-hand side satisfies the comparison to every value on
the right-hand side, then the expression evaluates to true. Has the format:
ForAnyOfAllValues:<BooleanFunction> . Supports multiple strings and numbers.

Examples {10, 20} ForAnyOfAllValues:NumericLessThan {15, 18}

true
ForAllOfAllValues

ﾉ Expand table

Property Value

Operators ForAllOfAllValues:StringEquals
ForAllOfAllValues:StringEqualsIgnoreCase
ForAllOfAllValues:StringNotEquals
ForAllOfAllValues:StringNotEqualsIgnoreCase
ForAllOfAllValues:StringLike
ForAllOfAllValues:StringLikeIgnoreCase
ForAllOfAllValues:StringNotLike
ForAllOfAllValues:StringNotLikeIgnoreCase
ForAllOfAllValues:NumericEquals
ForAllOfAllValues:NumericNotEquals
ForAllOfAllValues:NumericGreaterThan
ForAllOfAllValues:NumericGreaterThanEquals
ForAllOfAllValues:NumericLessThan
ForAllOfAllValues:NumericLessThanEquals
ForAllOfAllValues:GuidEquals
ForAllOfAllValues:GuidNotEquals

Description If every value on the left-hand side satisfies the comparison to every value on the
right-hand side, then the expression evaluates to true. Has the format:
ForAllOfAllValues:<BooleanFunction> . Supports multiple strings and numbers.

Examples {10, 20} ForAllOfAllValues:NumericLessThan {5, 15, 18}

false

{10, 20} ForAllOfAllValues:NumericLessThan {25, 30}

true

{10, 20} ForAllOfAllValues:NumericLessThan {15, 25, 30}

false

Special characters
ﾉ Expand table

Character Description

* An asterisk (*) represents a multi-character wildcard match that can be used with
Like operators. If needed, you can escape an asterisk by adding a backslash \* .
Character Description

? A question mark (?) represents a single-character wildcard match that can be used
with Like operators. If needed, you can escape a question mark by adding a
backslash \? .

$ A dollar sign ($) is used to help delineate tag keys. In Azure PowerShell, if a string
enclosed in double quotes (") includes a dollar sign, you must prefix it with a backtick
(`). For example: tags:Project<`$key_case_sensitive`$> .

Grouping and precedence

If you have three or more expressions for a targeted action with different operators
between the expressions, the evaluation order is ambiguous. You use parentheses () to
group expressions and specify the order that the expressions are evaluated. Expressions
enclosed in parentheses have higher precedence. For example, if you have the following
expression:

a AND b OR c

You must add parentheses in one of the following ways:

(a AND b) OR c

a AND (b OR c)

Next steps
Example Azure role assignment conditions for Blob Storage
Add or edit Azure role assignment conditions using the Azure portal
Prerequisites for Azure role assignment
conditions
Article • 02/08/2024

To add or edit Azure role assignment conditions, you must have the following
prerequisites.

Storage accounts
For conditions that use blob index tags, you must use a storage account that is
compatible with the blob index feature. For example, only General Purpose v2 (GPv2)
storage accounts with hierarchical namespace (HNS) disabled are currently supported.
For more information, see Manage and find Azure Blob data with blob index tags

Azure PowerShell
When using Azure PowerShell to add or update conditions, you must use the following
versions:

Az module 5.5.0 or later

Az.Resources module 3.2.1 or later
Included with Az module v5.5.0 and later, but can be manually installed through
PowerShell Gallery
Az.Storage preview module 2.5.2-preview or later

Azure CLI
When using Azure CLI to add or update conditions, you must use the following versions:

Azure CLI 2.18 or later

REST API
When using the REST API to add or update conditions, you must use the following
versions:

2020-03-01-preview or later
2020-04-01-preview or later if you want to utilize the description property for role

assignments
2022-04-01 is the first stable version

For more information, see API versions of Azure RBAC REST APIs.

Permissions
Just like role assignments, to add or update conditions, you must be signed in to Azure
with a user that has the Microsoft.Authorization/roleAssignments/write and
Microsoft.Authorization/roleAssignments/delete permissions, such as Role Based

Access Control Administrator.

Principal attributes
To use principal attributes (custom security attributes in Microsoft Entra ID), you must
have the following:

Attribute Assignment Administrator at attribute set or tenant scope

Custom security attributes defined in Microsoft Entra ID

For more information about custom security attributes, see:

Principal does not appear in Attribute source

Add or deactivate custom security attributes in Microsoft Entra ID

Environment attributes
To use the Private endpoint attribute, you must have at least one private endpoint
configured in your subscription.

To use the Subnet attribute, you must have at least one virtual network subnet using
service endpoints configured in your subscription.

Next steps
Example Azure role assignment conditions for Blob Storage
Tutorial: Add a role assignment condition to restrict access to blobs using the
Azure portal
FAQ for Azure role assignment
conditions
Article • 05/12/2023

Frequently asked questions

Can you pick the storage container names or blob path in the visual ABAC condition
builder in the Azure portal?

You must write the storage container name, blob path, tag name, or values in the
condition. There is no picking experience for the attribute values.

Can you check for the existence of an attribute from a condition?

You can use the Exists operator with any ABAC attribute, but it is only supported in the
visual ABAC condition builder for a few of them. You can add the Exists operator to
any attribute using other tools, such as PowerShell, the Azure CLI, the REST API, and the
condition code editor in the Azure portal. For a list of attributes for which it is supported
in the visual condition builder, see the Exists function operator. To add the exists
operator to an attribute when building an expression in a condition, select the
supported source and attribute, then select the box next to Exists under it. See Build
expressions in the portal for more details.

Can you group expressions?

If you add three or more expressions for a targeted action, you must define the logical
grouping of those expressions in the code editor, Azure PowerShell, or Azure CLI. A
logical grouping of a AND b OR c can be either (a AND b) OR c or a AND (b OR c ) .

Are conditions supported via Azure AD Privileged Identity Management (Azure AD

PIM) for Azure resources?

Yes, for specific roles. For more information, see Assign Azure resource roles in
Privileged Identity Management.

Are conditions supported for classic administrators?

No.

Can you add conditions to custom role assignments?

Yes, as long as the custom role includes actions that support conditions.
Do the conditions increase latency for access to storage blobs?

No, based on our benchmark tests, conditions are not expected to add any user
perceivable latency.

What new properties have been introduced in the role assignment schema to support
conditions?

Here are the new condition properties:

condition : Condition statement built using one or more actions from role
definition and attributes.
conditionVersion : A condition version number. Defaults to 2.0 and is the only
publicly supported version.

There is also a new description property for role assignments:

description : The description for the role assignment that can be used to describe
the condition.

Is a condition applied to the entire role assignment or specific actions?

A condition is only applied to the specific targeted actions.

What are the limits for a condition?

A condition can be up to 8 KB long.

What are the limits for a description?

A description can be up to 2 KB long.

Is it possible to create a role assignment with and without a condition, but using the
same tuple of security principal, role definition, and scope?

No, if you try to create this role assignment, an error is displayed.

Are conditions in role assignments offering an explicit deny effect?

No, conditions in role assignments do not have an explicit deny effect. Conditions in role
assignments filter down access granted in a role assignment, which can result in access
not allowed. Explicit deny effect is part of deny assignments.

Next steps
Azure role assignment condition format and syntax
Troubleshoot Azure role assignment conditions
Scale the management of Azure role
assignments by using conditions and
custom security attributes
Article • 11/15/2023

Azure role-based access control (Azure RBAC) has a limit of role assignments per
subscription. If you need to create hundreds or even thousands of Azure role
assignments, you might encounter this limit. Managing hundreds or thousands of role
assignments can be difficult. Depending on your scenario, you might be able to reduce
the number of role assignments and make it easier to manage access.

This article describes a solution to scale the management of role assignments by using
Azure attribute-based access control (Azure ABAC) conditions and Microsoft Entra
custom security attributes for principals.

Example scenario
Consider a company named Contoso with thousands of customers that wants to set up
the following configuration:

Distribute customer data across 128 storage accounts for security and
performance reasons.
Add 2,000 containers to each storage account where there is a container for each
customer.
Represent each customer by a unique Microsoft Entra service principal.
Allow each customer to access objects in their container, but not other containers.

This configuration could potentially require 256,000 Storage Blob Data Owner role
assignments in a subscription, which is well beyond the role assignments limit. Having
this many role assignments would be difficult, if not impossible, to maintain.
Example solution
A way to handle this scenario in a maintainable manner is to use role assignment
conditions. The following diagram shows a solution to reduce the 256,000 role
assignments to just one role assignment by using a condition. The role assignment is at
a higher resource group scope and a condition helps controls access to the containers.
The condition checks whether the container name matches the custom security attribute
on the service principal for the customer.

Here is the expression in the condition that makes this solution work:
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals

@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Contosocustomer_n
ame]

The full condition would be similar to the following. The list of actions could be adjusted
to just the actions you need.

(
(
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/delete'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/write'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/add/action'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/deleteBlobVersion/action'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/manageOwnership/action'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/modifyPermissions/action'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/move/action'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/permanentDelete/action'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/runAsSuperUser/action'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/tags/read'})
AND
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/tags/write'})
)
OR
(
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals
@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Contosocustomer_n
ame]
)
)

Why use this solution?

There are several access control mechanisms that you could use to provide access to
data plane resources.

Access keys are a common way to provide access to data plane resources. Access keys
provide read, write, and delete permissions to whoever possesses the access key. This
means attackers can get access to your sensitive data if they can get your access keys.
Access keys do not have identity binding, do not have an expiration, and are a security
risk to store.

Like access keys, shared access signature (SAS) tokens do not have identity binding, but
expire on a regular basis. The lack of identity binding represents the same security risks
as access keys do. You must manage the expiration to ensure that clients do not get
errors. SAS tokens require additional code to manage and operate daily and can be a
significant overhead for a DevOps team.

Azure RBAC provides centralized fine-grained access control. Azure RBAC has identity
binding that reduces your security risk. Using conditions you can potentially scale the
management of role assignments and make access control easier to maintain because
access is based on flexible and dynamic attributes.

Here are some of the benefits of this solution:

Centralized access control

Easier to maintain
Does not rely on access keys or SAS tokens
Does not require you to manage access on each object
Can potentially improve your security posture

Can you use this solution?

If you have a similar scenario, follow these steps to see if you could potentially use this
solution.

Step 1: Determine if you meet the prerequisites

To use this solution, you must have:

Multiple built-in or custom role assignments that have blob storage data actions.
These include the following built-in roles:
Storage Blob Data Contributor
Storage Blob Data Owner
Storage Blob Data Reader

Step 2: Identify the attributes you could use in your condition

There are several attributes you could use in your condition, such as the following:

Container name
Blob path
Blob index tags [Keys]
Blob index tags [Values in key]

You can also define your own custom security attributes for users, enterprise
applications, and managed identities.

For more information, see Azure role assignment condition format and syntax and What
are custom security attributes in Microsoft Entra ID?.

Step 3: Create a condition at a higher scope

Create one or more role assignments that use a condition at a higher scope to manage
access. For more information, see Add or edit Azure role assignment conditions using
the Azure portal.

Next steps
What is Azure attribute-based access control (Azure ABAC)?
What are custom security attributes in Microsoft Entra ID?
Allow read access to blobs based on tags and custom security attributes (Preview)
Azure Policy Regulatory Compliance
controls for Azure RBAC
Article • 02/06/2024

Azure Policy can enforce rules for your Azure resources so that your infrastructure is
compliant with business standards. Regulatory Compliance in Azure Policy provides
Microsoft created and managed initiative definitions, known as built-ins, for the
compliance domains and security controls related to different compliance standards.
This page lists the compliance domains and security controls for Azure role-based
access control (Azure RBAC). You can assign the built-ins for a security control
individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure
portal. Use the link in the Policy Version column to view the source on the Azure Policy
GitHub repo .

） Important

Each control is associated with one or more Azure Policy definitions. These policies
might help you assess compliance with the control. However, there often isn't a
one-to-one or complete match between a control and one or more policies. As
such, Compliant in Azure Policy refers only to the policies themselves. This doesn't
ensure that you're fully compliant with all requirements of a control. In addition, the
compliance standard includes controls that aren't addressed by any Azure Policy
definitions at this time. Therefore, compliance in Azure Policy is only a partial view
of your overall compliance status. The associations between controls and Azure
Policy Regulatory Compliance definitions for these compliance standards can
change over time.

CIS Microsoft Azure Foundations Benchmark

2.0.0
To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For
more information about this compliance standard, see CIS Microsoft Azure Foundations
Benchmark .
ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

1 1.23 Ensure That No Custom Subscription Audit usage of 1.0.1

Administrator Roles Exist custom RBAC roles

CMMC Level 3
To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For
more information about this compliance standard, see Cybersecurity Maturity Model
Certification (CMMC) .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Access AC.3.018 Prevent non-privileged users from Audit usage of 1.0.1

Control executing privileged functions and capture custom RBAC
the execution of such functions in audit roles
logs.

FedRAMP High
To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For
more information about this compliance standard, see FedRAMP High .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Access AC-2 Account Management Audit usage of custom RBAC 1.0.1

Control roles

Access AC-2 (7) Role-Based Schemes Audit usage of custom RBAC 1.0.1
Control roles
Domain Control Control title Policy Policy
ID (Azure portal) version
(GitHub)

Access AC-6 Least Privilege Audit usage of custom RBAC 1.0.1

Control roles

Access AC-6 (7) Review Of User Audit usage of custom RBAC 1.0.1
Control Privileges roles

FedRAMP Moderate
To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate.
For more information about this compliance standard, see FedRAMP Moderate .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Access AC-2 Account Audit usage of custom RBAC 1.0.1

Control Management roles

Access AC-2 (7) Role-Based Audit usage of custom RBAC 1.0.1

Control Schemes roles

Access AC-6 Least Privilege Audit usage of custom RBAC 1.0.1

Control roles

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For
more information about this compliance standard, see HIPAA HITRUST 9.2 .

ﾉ Expand table

Domain Control ID Control title Policy Policy

(Azure version
portal) (GitHub)

11 Access 1148.01c2System.78-01.c 1148.01c2System.78-01.c Audit 1.0.1

Control 01.02 Authorized Access to usage of
Domain Control ID Control title Policy Policy
(Azure version
portal) (GitHub)

Information Systems custom

RBAC
roles

12 Audit 1230.09c2Organizational.1- 1230.09c2Organizational.1- Audit 1.0.1

Logging & 09.c 09.c 09.01 Documented usage of
Monitoring Operating Procedures custom
RBAC
roles

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September
2016. For more information about this compliance standard, see IRS 1075 September
2016 .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Access 9.3.1.2 Account Management Audit usage of custom 1.0.1

Control (AC-2) RBAC roles

ISO 27001:2013
To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For
more information about this compliance standard, see ISO 27001:2013 .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Access 9.2.3 Management of privileged Audit usage of custom 1.0.1

Control access rights RBAC roles
Microsoft cloud security benchmark
The Microsoft cloud security benchmark provides recommendations on how you can
secure your cloud solutions on Azure. To see how this service completely maps to the
Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files .

To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security
benchmark.

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Privileged PA-7 Follow just enough Audit usage of custom RBAC 1.0.1
Access administration (least roles
privilege) principle

Logging and LT-1 Enable threat detection SQL server-targeted 1.0.0

Threat capabilities autoprovisioning should be
Detection enabled for SQL servers on
machines plan

Logging and LT-2 Enable threat detection SQL server-targeted 1.0.0

Threat for identity and access autoprovisioning should be
Detection management enabled for SQL servers on
machines plan

Incident IR-3 Detection and analysis - SQL server-targeted 1.0.0

Response create incidents based autoprovisioning should be
on high-quality alerts enabled for SQL servers on
machines plan

Incident IR-3 Detection and analysis - SQL server-targeted 1.0.0

Response create incidents based autoprovisioning should be
on high-quality alerts enabled for SQL servers on
machines plan

Incident AIR-5 Detection and analysis - SQL server-targeted 1.0.0

Response prioritize incidents autoprovisioning should be
enabled for SQL servers on
machines plan

Incident AIR-5 Detection and analysis - SQL server-targeted 1.0.0

Response prioritize incidents autoprovisioning should be
Domain Control Control title Policy Policy
ID (Azure portal) version
(GitHub)

enabled for SQL servers on

machines plan

NIST SP 800-171 R2
To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For
more information about this compliance standard, see NIST SP 800-171 R2 .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Access 3.1.1 Limit system access to authorized users, Audit usage of 1.0.1
Control processes acting on behalf of authorized custom RBAC
users, and devices (including other roles
systems).

Access 3.1.2 Limit system access to the types of Audit usage of 1.0.1
Control transactions and functions that authorized custom RBAC
users are permitted to execute. roles

Access 3.1.5 Employ the principle of least privilege, Audit usage of 1.0.1
Control including for specific security functions and custom RBAC
privileged accounts. roles

NIST SP 800-53 Rev. 4

To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4.
For more information about this compliance standard, see NIST SP 800-53 Rev. 4 .

ﾉ Expand table
Domain Control Control title Policy Policy
ID (Azure portal) version
(GitHub)

Access AC-2 Account Management Audit usage of custom RBAC 1.0.1

Control roles

Access AC-2 (7) Role-Based Schemes Audit usage of custom RBAC 1.0.1
Control roles

Access AC-6 Least Privilege Audit usage of custom RBAC 1.0.1

Control roles

Access AC-6 (7) Review Of User Audit usage of custom RBAC 1.0.1
Control Privileges roles

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5.
For more information about this compliance standard, see NIST SP 800-53 Rev. 5 .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Access AC-2 Account Audit usage of custom RBAC 1.0.1

Control Management roles

Access AC-2 (7) Privileged User Audit usage of custom RBAC 1.0.1
Control Accounts roles

Access AC-6 Least Privilege Audit usage of custom RBAC 1.0.1

Control roles

Access AC-6 (7) Review of User Audit usage of custom RBAC 1.0.1
Control Privileges roles

NL BIO Cloud Theme

To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud
Theme. For more information about this compliance standard, see Baseline Information
Security Government Cybersecurity - Digital Government (digitaleoverheid.nl) .
ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

U.07.3 Data U.07.3 U.07.3 - The privileges to view or Audit usage 1.0.1
separation - modify CSC data and/or encryption of custom
Management keys are granted in a controlled RBAC roles
features manner and use is logged.

U.10.2 Access to IT U.10.2 Under the responsibility of the CSP, Audit usage 1.0.1
services and data - access is granted to administrators. of custom
Users RBAC roles

U.10.3 Access to IT U.10.3 Only users with authenticated Audit usage 1.0.1
services and data - equipment can access IT services of custom
Users and data. RBAC roles

U.10.5 Access to IT U.10.5 Access to IT services and data is Audit usage 1.0.1
services and data - limited by technical measures and of custom
Competent has been implemented. RBAC roles

PCI DSS 3.2.1

To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see PCI DSS 3.2.1. For more information about this compliance
standard, see PCI DSS 3.2.1 .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Requirement 3.2 PCI DSS requirement Audit usage of custom 1.0.1

3 3.2 RBAC roles

Requirement 7.2.1 PCI DSS requirement Audit usage of custom 1.0.1

7 7.2.1 RBAC roles

Requirement 8.3.1 PCI DSS requirement Audit usage of custom 1.0.1

8 8.3.1 RBAC roles

PCI DSS v4.0

To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0.
For more information about this compliance standard, see PCI DSS v4.0 .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Requirement 03: Protect 3.3.3 Sensitive authentication Audit usage 1.0.1

Stored Account Data data (SAD) is not stored of custom
after authorization RBAC roles

Requirement 07: Restrict 7.3.1 Access to system Audit usage 1.0.1

Access to System components and data is of custom
Components and Cardholder managed via an access RBAC roles
Data by Business Need to control system(s)
Know

Requirement 08: Identify 8.4.1 Multi-factor authentication Audit usage 1.0.1

Users and Authenticate (MFA) is implemented to of custom
Access to System secure access into the CDE RBAC roles
Components

Reserve Bank of India - IT Framework for NBFC

To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India -
IT Framework for NBFC. For more information about this compliance standard, see
Reserve Bank of India - IT Framework for NBFC .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Information and 3.1.a Identification and Audit usage of 1.0.1

Cyber Security Classification of Information custom RBAC
Assets-3.1 roles

Information and 3.1.f Maker-checker-3.1 Audit usage of 1.0.1

Cyber Security custom RBAC
roles
Reserve Bank of India IT Framework for Banks
v2016
To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For
more information about this compliance standard, see RBI ITF Banks v2016 (PDF) .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

User Access Control / User Access Control / Audit usage of 1.0.1

Management Management-8.1 custom RBAC roles

User Access Control / User Access Control / Audit usage of 1.0.1

Management Management-8.5 custom RBAC roles

User Access Control / User Access Control / Audit usage of 1.0.1

Management Management-8.8 custom RBAC roles

RMIT Malaysia
To review how the available Azure Policy built-ins for all Azure services map to this
compliance standard, see Azure Policy Regulatory Compliance - RMIT Malaysia. For
more information about this compliance standard, see RMIT Malaysia .

ﾉ Expand table

Domain Control Control title Policy Policy

ID (Azure portal) version
(GitHub)

Access 10.55 Access Control - Audit usage of custom RBAC 1.0.1

Control 10.55 roles

Access 10.60 Access Control - Audit usage of custom RBAC 1.0.1

Control 10.60 roles

Access 10.62 Access Control - Audit usage of custom RBAC 1.0.1

Control 10.62 roles

Next steps
Learn more about Azure Policy Regulatory Compliance.
See the built-ins on the Azure Policy GitHub repo .
List Azure role definitions
Article • 10/11/2023

A role definition is a collection of permissions that can be performed, such as read,

write, and delete. It's typically just called a role. Azure role-based access control (Azure
RBAC) has over 120 built-in roles or you can create your own custom roles. This article
describes how to list the built-in and custom roles that you can use to grant access to
Azure resources.

To see the list of administrator roles for Microsoft Entra ID, see Administrator role
permissions in Microsoft Entra ID.

Azure portal

List all roles

Follow these steps to list all roles in the Azure portal.

1. In the Azure portal, click All services and then select any scope. For example, you
can select Management groups, Subscriptions, Resource groups, or a resource.

2. Click the specific resource.

3. Click Access control (IAM).

4. Click the Roles tab to see a list of all the built-in and custom roles.
5. To see the permissions for a particular role, in the Details column, click the View
link.

A permissions pane appears.

6. Click the Permissions tab to view and search the permissions for the selected role.

Azure PowerShell

List all roles

To list all roles in Azure PowerShell, use Get-AzRoleDefinition.

Azure PowerShell

Get-AzRoleDefinition | FT Name, Description

Example

AcrImageSigner acr image signer

AcrQuarantineReader acr quarantine data reader
AcrQuarantineWriter acr quarantine data writer
API Management Service Contributor Can manage service and the
APIs
API Management Service Operator Role Can manage service but not
the APIs
API Management Service Reader Role Read-only access to
service and APIs
Application Insights Component Contributor Can manage Application
Insights components
Application Insights Snapshot Debugger Gives user permission to
use Application Insights Snapshot Debugge...
Automation Job Operator Create and Manage Jobs
using Automation Runbooks.
Automation Operator Automation Operators are
able to start, stop, suspend, and resume ...
...

List a role definition

To list the details of a specific role, use Get-AzRoleDefinition.

Azure PowerShell

Get-AzRoleDefinition <role_name>

Example

PS C:\> Get-AzRoleDefinition "Contributor"

Name : Contributor
Id : b24988ac-6180-42a0-ab88-20f7382dd24c
IsCustom : False
Description : Lets you manage everything except access to resources.
Actions : {*}
NotActions : {Microsoft.Authorization/*/Delete,
Microsoft.Authorization/*/Write,
Microsoft.Authorization/elevateAccess/Action}
DataActions : {}
NotDataActions : {}
AssignableScopes : {/}

List a role definition in JSON format

To list a role in JSON format, use Get-AzRoleDefinition.

Azure PowerShell

Get-AzRoleDefinition <role_name> | ConvertTo-Json

Example

PS C:\> Get-AzRoleDefinition "Contributor" | ConvertTo-Json

{
"Name": "Contributor",
"Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"IsCustom": false,
"Description": "Lets you manage everything except access to resources.",
"Actions": [
"*"
],
"NotActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/"
]
}

List permissions of a role definition

To list the permissions for a specific role, use Get-AzRoleDefinition.

Azure PowerShell

Get-AzRoleDefinition <role_name> | FL Actions, NotActions

Example

PS C:\> Get-AzRoleDefinition "Contributor" | FL Actions, NotActions

Actions : {*}
NotActions : {Microsoft.Authorization/*/Delete,
Microsoft.Authorization/*/Write,
Microsoft.Authorization/elevateAccess/Action,
Microsoft.Blueprint/blueprintAssignments/write...}

Azure PowerShell

(Get-AzRoleDefinition <role_name>).Actions

Example

PS C:\> (Get-AzRoleDefinition "Virtual Machine Contributor").Actions

Microsoft.Authorization/*/read
Microsoft.Compute/availabilitySets/*
Microsoft.Compute/locations/*
Microsoft.Compute/virtualMachines/*
Microsoft.Compute/virtualMachineScaleSets/*
Microsoft.DevTestLab/schedules/*
Microsoft.Insights/alertRules/*
Microsoft.Network/applicationGateways/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/join/action
...

Azure CLI

List all roles

To list all roles in Azure CLI, use az role definition list.

Azure CLI

az role definition list

The following example lists the name and description of all available role definitions:

Azure CLI

az role definition list --output json --query '[].{roleName:roleName,

description:description}'

JSON

[
{
"description": "Can manage service and the APIs",
"roleName": "API Management Service Contributor"
},
{
"description": "Can manage service but not the APIs",
"roleName": "API Management Service Operator Role"
},
{
"description": "Read-only access to service and APIs",
"roleName": "API Management Service Reader Role"
},

...

]
The following example lists all of the built-in roles.

Azure CLI

az role definition list --custom-role-only false --output json --query '[].

{roleName:roleName, description:description, roleType:roleType}'

JSON

[
{
"description": "Can manage service and the APIs",
"roleName": "API Management Service Contributor",
"roleType": "BuiltInRole"
},
{
"description": "Can manage service but not the APIs",
"roleName": "API Management Service Operator Role",
"roleType": "BuiltInRole"
},
{
"description": "Read-only access to service and APIs",
"roleName": "API Management Service Reader Role",
"roleType": "BuiltInRole"
},

...

List a role definition

To list details of a role, use az role definition list.

Azure CLI

az role definition list --name {roleName}

The following example lists the Contributor role definition:

Azure CLI

az role definition list --name "Contributor"

JSON
[
{
"assignableScopes": [
"/"
],
"description": "Lets you manage everything except access to resources.",
"id":
"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefin
itions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"permissions": [
{
"actions": [
"*"
],
"dataActions": [],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"notDataActions": []
}
],
"roleName": "Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
]

List permissions of a role definition

The following example lists just the actions and notActions of the Contributor role.

Azure CLI

az role definition list --name "Contributor" --output json --query '[].

{actions:permissions[0].actions, notActions:permissions[0].notActions}'

JSON

[
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
]
}
]

The following example lists just the actions of the Virtual Machine Contributor role.

Azure CLI

az role definition list --name "Virtual Machine Contributor" --output json -

-query '[].permissions[0].actions'

JSON

[
[
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/delete",
"Microsoft.DevTestLab/schedules/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",

...

"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
]
]

REST API

Prerequisites
You must use the following version:

2015-07-01 or later
For more information, see API versions of Azure RBAC REST APIs.

List all role definitions

To list role definitions in a tenant, use the Role Definitions - List REST API.

The following example lists all role definitions in a tenant:

Request

HTTP

GET
https://management.azure.com/providers/Microsoft.Authorization/roleDefi
nitions?api-version=2022-04-01

Response

JSON

{
"value": [
{
"properties": {
"roleName": "Billing Reader Plus",
"type": "CustomRole",
"description": "Read billing data and download
invoices",
"assignableScopes": [
"/subscriptions/473a4f86-11e3-48cb-9358-
e13c220a2f15"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Billing/*/read",
"Microsoft.Commerce/*/read",
"Microsoft.Consumption/*/read",

"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",

"Microsoft.Billing/invoices/download/action",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Microsoft.CostManagement/exports/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2021-05-22T21:57:23.5764138Z",
"updatedOn": "2021-05-22T21:57:23.5764138Z",
"createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
"updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
},
"id":
"/providers/Microsoft.Authorization/roleDefinitions/17adabda-4bf1-4f4e-
8c97-1f0cab6dea1c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
},
{
"properties": {
"roleName": "AcrPush",
"type": "BuiltInRole",
"description": "acr push",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [

"Microsoft.ContainerRegistry/registries/pull/read",

"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2018-10-29T17:52:32.5201177Z",
"updatedOn": "2021-11-11T20:13:07.4993029Z",
"createdBy": null,
"updatedBy": null
},
"id":
"/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-
b61a-304f252e45ec",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec"
}
]
}

List role definitions

To list role definitions, use the Role Definitions - List REST API. To refine your results, you
specify a scope and an optional filter.
1. Start with the following request:

HTTP

GET
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleDefinitions?$filter={$filter}&api-version=2022-04-01

For a tenant-level scope, you can use this request:

HTTP

GET
https://management.azure.com/providers/Microsoft.Authorization/roleDefi
nitions?filter={$filter}&api-version=2022-04-01

2. Within the URI, replace {scope} with the scope for which you want to list the role
definitions.

Scope Type

providers/Microsoft.Management/management Management group

Groups/{groupId1}

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/myresourcegroup1

subscriptions/{subscriptionId1}/resourceG Resource
roups/myresourcegroup1/providers/Microsof
t.Web/sites/mysite1

In the previous example, microsoft.web is a resource provider that refers to an App

Service instance. Similarly, you can use any other resource providers and specify
the scope. For more information, see Azure Resource providers and types and
supported Azure resource provider operations.

3. Replace {filter} with the condition that you want to apply to filter the role definition
list.

Filter Description

$filter=type+eq+'{type}' Lists role definitions of the specified type.

Type of role can be CustomRole or BuiltInRo
le .
The following example lists all custom roles in a tenant:

Request

HTTP

GET
https://management.azure.com/providers/Microsoft.Authorization/roleDefi
nitions?$filter=type+eq+'CustomRole'&api-version=2022-04-01

Response

JSON

"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",

List a role definition

To list the details of a specific role, use the Role Definitions - Get or Role Definitions -
Get By ID REST API.

1. Start with the following request:

HTTP

GET
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleDefinitions/{roleDefinitionId}?api-version=2022-04-01

For a tenant-level role definition, you can use this request:

HTTP

GET
https://management.azure.com/providers/Microsoft.Authorization/roleDefi
nitions/{roleDefinitionId}?api-version=2022-04-01

2. Within the URI, replace {scope} with the scope for which you want to list the role
definition.

Scope Type

providers/Microsoft.Management/management Management group

Groups/{groupId1}

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/myresourcegroup1

subscriptions/{subscriptionId1}/resourceG Resource
roups/myresourcegroup1/providers/Microsof
t.Web/sites/mysite1
3. Replace {roleDefinitionId} with the role definition identifier.

The following example lists the Reader role definition:

Request

HTTP

GET
https://management.azure.com/providers/Microsoft.Authorization/roleDefi
nitions/acdd72a7-3385-48ef-bd42-f606fba81ae7?api-version=2022-04-01

Response

JSON

{
"properties": {
"roleName": "Reader",
"type": "BuiltInRole",
"description": "View all resources, but does not allow you to
make any changes.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2015-02-02T21:55:09.8806423Z",
"updatedOn": "2021-11-11T20:13:47.8628684Z",
"createdBy": null,
"updatedBy": null
},
"id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-
3385-48ef-bd42-f606fba81ae7",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "acdd72a7-3385-48ef-bd42-f606fba81ae7"
}

Next steps
Azure built-in roles
Azure custom roles
List Azure role assignments using the Azure portal
Assign Azure roles using the Azure portal
List Azure role assignments using the
Azure portal
Article • 01/30/2024

Azure role-based access control (Azure RBAC) is the authorization system you use to
manage access to Azure resources. To determine what resources users, groups, service
principals, or managed identities have access to, you list their role assignments. This
article describes how to list role assignments using the Azure portal.

７ Note

If your organization has outsourced management functions to a service provider

who uses Azure Lighthouse, role assignments authorized by that service provider
won't be shown here. Similarly, users in the service provider tenant won't see role
assignments for users in a customer's tenant, regardless of the role they've been
assigned.

List role assignments for a user or group

A quick way to see the roles assigned to a user or group in a subscription is to use the
Azure role assignments pane.

1. In the Azure portal, select All services from the Azure portal menu.

2. Select Microsoft Entra ID and then select Users or Groups.

3. Click the user or group you want list the role assignments for.

4. Click Azure role assignments.

You see a list of roles assigned to the selected user or group at various scopes such
as management group, subscription, resource group, or resource. This list includes
all role assignments you have permission to read.
5. To change the subscription, click the Subscriptions list.

List owners of a subscription

Users that have been assigned the Owner role for a subscription can manage everything
in the subscription. Follow these steps to list the owners of a subscription.

1. In the Azure portal, click All services and then Subscriptions.

2. Click the subscription you want to list the owners of.

3. Click Access control (IAM).

4. Click the Role assignments tab to view all the role assignments for this
subscription.

5. Scroll to the Owners section to see all the users that have been assigned the
Owner role for this subscription.
List or manage privileged administrator role
assignments
On the Role assignments tab, you can list and see the count of privileged administrator
role assignments at the current scope. For more information, see Privileged
administrator roles.

1. In the Azure portal, click All services and then select the scope. For example, you
can select Management groups, Subscriptions, Resource groups, or a resource.

2. Click the specific resource.

3. Click Access control (IAM).

4. Click the Role assignments tab and then click the Privileged tab to list the
privileged administrator role assignments at this scope.


5. To see the count of privileged administrator role assignments at this scope, see the
Privileged card.

6. To manage privileged administrator role assignments, see the Privileged card and
click View assignments.

On the Manage privileged role assignments page, you can add a condition to
constrain the privileged role assignment or remove the role assignment. For more
information, see Delegate Azure role assignment management to others with
conditions.


List role assignments at a scope
1. In the Azure portal, click All services and then select the scope. For example, you
can select Management groups, Subscriptions, Resource groups, or a resource.

2. Click the specific resource.

3. Click Access control (IAM).

4. Click the Role assignments tab to view all the role assignments at this scope.

On the Role assignments tab, you can see who has access at this scope. Notice that
some roles are scoped to This resource while others are (Inherited) from another
scope. Access is either assigned specifically to this resource or inherited from an
assignment to the parent scope.

List role assignments for a user at a scope

To list access for a user, group, service principal, or managed identity, you list their role
assignments. Follow these steps to list the role assignments for a single user, group,
service principal, or managed identity at a particular scope.

1. In the Azure portal, click All services and then select the scope. For example, you
can select Management groups, Subscriptions, Resource groups, or a resource.

2. Click the specific resource.

3. Click Access control (IAM).

4. On the Check access tab, click the Check access button.

5. In the Check access pane, click User, group, or service principal or Managed
identity.

6. In the search box, enter a string to search the directory for display names, email
addresses, or object identifiers.

7. Click the security principal to open the assignments pane.

On this pane, you can see the access for the selected security principal at this
scope and inherited to this scope. Assignments at child scopes are not listed. You
see the following assignments:

Role assignments added with Azure RBAC.

Deny assignments added using Azure Blueprints or Azure managed apps.
Classic Service Administrator or Co-Administrator assignments for classic
deployments.

List role assignments for a managed identity

You can list role assignments for system-assigned and user-assigned managed identities
at a particular scope by using the Access control (IAM) blade as described earlier. This
section describes how to list role assignments for just the managed identity.

System-assigned managed identity

1. In the Azure portal, open a system-assigned managed identity.

2. In the left menu, click Identity.

3. Under Permissions, click Azure role assignments.

You see a list of roles assigned to the selected system-assigned managed identity
at various scopes such as management group, subscription, resource group, or
resource. This list includes all role assignments you have permission to read.

4. To change the subscription, click the Subscription list.

User-assigned managed identity

1. In the Azure portal, open a user-assigned managed identity.

2. Click Azure role assignments.

You see a list of roles assigned to the selected user-assigned managed identity at
various scopes such as management group, subscription, resource group, or
resource. This list includes all role assignments you have permission to read.

3. To change the subscription, click the Subscription list.

List number of role assignments

You can have up to 4000 role assignments in each subscription. This limit includes role
assignments at the subscription, resource group, and resource scopes. To help you keep
track of this limit, the Role assignments tab includes a chart that lists the number of role
assignments for the current subscription.

If you are getting close to the maximum number and you try to add more role
assignments, you'll see a warning in the Add role assignment pane. For ways that you
can reduce the number of role assignments, see Troubleshoot Azure RBAC limits.
Download role assignments
You can download role assignments at a scope in CSV or JSON formats. This can be
helpful if you need to inspect the list in a spreadsheet or take an inventory when
migrating a subscription.

When you download role assignments, you should keep in mind the following criteria:

If you don't have permissions to read the directory, such as the Directory Readers
role, the DisplayName, SignInName, and ObjectType columns will be blank.
Role assignments whose security principal has been deleted are not included.
Access granted to classic administrators are not included.

Follow these steps to download role assignments at a scope.

1. In the Azure portal, click All services and then select the scope where you want to
download the role assignments. For example, you can select Management groups,
Subscriptions, Resource groups, or a resource.

2. Click the specific resource.

3. Click Access control (IAM).

4. Click Download role assignments to open the Download role assignments pane.
5. Use the check boxes to select the role assignments you want to include in the
downloaded file.

Inherited - Include inherited role assignments for the current scope.

At current scope - Include role assignments for the current scope.
Children - Include role assignments at levels below the current scope. This
check box is disabled for management group scope.

6. Select the file format, which can be comma-separated values (CSV) or JavaScript
Object Notation (JSON).

7. Specify the file name.

8. Click Start to start the download.

The following show examples of the output for each file format.
Next steps
Assign Azure roles using the Azure portal
Troubleshoot Azure RBAC
List Azure role assignments using Azure
PowerShell
Article • 05/11/2023

７ Note

If your organization has outsourced management functions to a service provider

who uses Azure Lighthouse, role assignments authorized by that service provider
won't be shown here.

Prerequisites
PowerShell in Azure Cloud Shell or Azure PowerShell

List role assignments for the current

subscription
The easiest way to get a list of all the role assignments in the current subscription
(including inherited role assignments from root and management groups) is to use Get-
AzRoleAssignment without any parameters.

Azure PowerShell

Get-AzRoleAssignment

Example
PS C:\> Get-AzRoleAssignment

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/providers/Microsoft.Authorization/roleAssignments/11111111-
1111-1111-1111-111111111111
Scope : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName : Alain
SignInName : alain@example.com
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId : 44444444-4444-4444-4444-444444444444
ObjectType : User
CanDelegate : False

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-
sales/providers/Microsoft.Authorization/roleAssignments/33333333-3333-3333-
3333-333333333333
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales
DisplayName : Marketing
SignInName :
RoleDefinitionName : Contributor
RoleDefinitionId : b24988ac-6180-42a0-ab88-20f7382dd24c
ObjectId : 22222222-2222-2222-2222-222222222222
ObjectType : Group
CanDelegate : False

...

List role assignments for a subscription

To list all role assignments at a subscription scope, use Get-AzRoleAssignment. To get
the subscription ID, you can find it on the Subscriptions blade in the Azure portal or you
can use Get-AzSubscription.

Azure PowerShell

Get-AzRoleAssignment -Scope /subscriptions/<subscription_id>

Example

PS C:\> Get-AzRoleAssignment -Scope /subscriptions/00000000-0000-0000-0000-

000000000000

List role assignments for a user

To list all the roles that are assigned to a specified user, use Get-AzRoleAssignment.

Azure PowerShell

Get-AzRoleAssignment -SignInName <email_or_userprincipalname>

Example

PS C:\> Get-AzRoleAssignment -SignInName isabella@example.com | FL

DisplayName, RoleDefinitionName, Scope

DisplayName : Isabella Simonsen

RoleDefinitionName : BizTalk Contributor
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales

To list all the roles that are assigned to a specified user and the roles that are assigned
to the groups to which the user belongs, use Get-AzRoleAssignment.

Azure PowerShell

Get-AzRoleAssignment -SignInName <email_or_userprincipalname> -

ExpandPrincipalGroups

Example

Get-AzRoleAssignment -SignInName isabella@example.com -ExpandPrincipalGroups

| FL DisplayName, RoleDefinitionName, Scope

List role assignments for a resource group

To list all role assignments at a resource group scope, use Get-AzRoleAssignment.

Azure PowerShell

Get-AzRoleAssignment -ResourceGroupName <resource_group_name>

Example

PS C:\> Get-AzRoleAssignment -ResourceGroupName pharma-sales | FL

DisplayName, RoleDefinitionName, Scope

DisplayName : Alain Charon

RoleDefinitionName : Backup Operator
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales

DisplayName : Isabella Simonsen

RoleDefinitionName : BizTalk Contributor
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales

DisplayName : Alain Charon

RoleDefinitionName : Virtual Machine Contributor
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales

List role assignments for a management group

To list all role assignments at a management group scope, use Get-AzRoleAssignment.
To get the management group ID, you can find it on the Management groups blade in
the Azure portal or you can use Get-AzManagementGroup.

Azure PowerShell

Get-AzRoleAssignment -Scope
/providers/Microsoft.Management/managementGroups/<group_id>

Example

PS C:\> Get-AzRoleAssignment -Scope

/providers/Microsoft.Management/managementGroups/marketing-group

List role assignments for a resource

To list role assignments for a specific resource, use Get-AzRoleAssignment and the -
Scope parameter. The scope will be different depending on the resource. To get the

scope, you can run Get-AzRoleAssignment without any parameters to list all of the role
assignments and then find the scope you want to list.

Azure PowerShell

Get-AzRoleAssignment -Scope
"/subscriptions/<subscription_id>/resourcegroups/<resource_group_name>/provi
ders/<provider_name>/<resource_type>/<resource>

This following example shows how to list the role assignments for a storage account.
Note that this command also lists role assignments at higher scopes, such as resource
groups and subscriptions, that apply to this storage account.

Example

PS C:\> Get-AzRoleAssignment -Scope "/subscriptions/00000000-0000-0000-0000-

000000000000/resourcegroups/storage-test-
rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"

If you want to just list role assignments that are assigned directly on a resource, you can
use the Where-Object command to filter the list.

Example

PS C:\> Get-AzRoleAssignment | Where-Object {$_.Scope -eq

"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/storage-
test-rg/providers/Microsoft.Storage/storageAccounts/storagetest0122"}

List role assignments for classic service

administrator and co-administrators
To list role assignments for the classic subscription administrator and co-administrators,
use Get-AzRoleAssignment.

Azure PowerShell

Get-AzRoleAssignment -IncludeClassicAdministrators

List role assignments for a managed identity

1. Get the object ID of the system-assigned or user-assigned managed identity.

To get the object ID of a user-assigned managed identity, you can use Get-
AzADServicePrincipal.

Azure PowerShell

Get-AzADServicePrincipal -DisplayNameBeginsWith "<name> or <vmname>"

2. To list the role assignments, use Get-AzRoleAssignment.

Azure PowerShell
Get-AzRoleAssignment -ObjectId <objectid>

Next steps
Assign Azure roles using Azure PowerShell
List Azure role assignments using Azure
CLI
Article • 01/02/2024

７ Note

If your organization has outsourced management functions to a service provider

Prerequisites
Bash in Azure Cloud Shell or Azure CLI

List role assignments for a user

To list the role assignments for a specific user, use az role assignment list:

Azure CLI

az role assignment list --assignee {assignee}

By default, only role assignments for the current subscription will be displayed. To view
role assignments for the current subscription and below, add the --all parameter. To
include role assignments at parent scopes, add the --include-inherited parameter. To
include role assignments for groups of which the user is a member transitively, add the
--include-groups parameter.

The following example lists the role assignments that are assigned directly to the
patlong@contoso.com user:
Azure CLI

az role assignment list --all --assignee patlong@contoso.com --output json -

-query '[].{principalName:principalName,
roleDefinitionName:roleDefinitionName, scope:scope}'

JSON

[
{
"principalName": "patlong@contoso.com",
"roleDefinitionName": "Backup Operator",
"scope": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales"
},
{
"principalName": "patlong@contoso.com",
"roleDefinitionName": "Virtual Machine Contributor",
"scope": "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales"
}
]

List role assignments for a resource group

To list the role assignments that exist at a resource group scope, use az role assignment
list:

Azure CLI

az role assignment list --resource-group {resourceGroup}

The following example lists the role assignments for the pharma-sales resource group:

Azure CLI

az role assignment list --resource-group pharma-sales --output json --query

'[].{principalName:principalName, roleDefinitionName:roleDefinitionName,
scope:scope}'

JSON

...

List role assignments for a subscription

To list all role assignments at a subscription scope, use az role assignment list. To get the
subscription ID, you can find it on the Subscriptions blade in the Azure portal or you
can use az account list.

Azure CLI

az role assignment list --scope "/subscriptions/{subscriptionId}"

Example:

Azure CLI

az role assignment list --scope "/subscriptions/00000000-0000-0000-0000-

000000000000" --output json --query '[].{principalName:principalName,
roleDefinitionName:roleDefinitionName, scope:scope}'

JSON

[
{
"principalName": "admin@contoso.com",
"roleDefinitionName": "Owner",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
},
{
"principalName": "Subscription Admins",
"roleDefinitionName": "Owner",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
},
{
"principalName": "alain@contoso.com",
"roleDefinitionName": "Reader",
"scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
},

...

List role assignments for a management group

To list all role assignments at a management group scope, use az role assignment list. To
get the management group ID, you can find it on the Management groups blade in the
Azure portal or you can use az account management-group list.

Azure CLI

az role assignment list --scope

/providers/Microsoft.Management/managementGroups/{groupId}

Example:

Azure CLI

az role assignment list --scope

/providers/Microsoft.Management/managementGroups/sales-group --output json -
-query '[].{principalName:principalName,
roleDefinitionName:roleDefinitionName, scope:scope}'

JSON

[
{
"principalName": "admin@contoso.com",
"roleDefinitionName": "Owner",
"scope": "/providers/Microsoft.Management/managementGroups/sales-group"
},
{
"principalName": "alain@contoso.com",
"roleDefinitionName": "Reader",
"scope": "/providers/Microsoft.Management/managementGroups/sales-group"
}
]

List role assignments for a managed identity

1. Get the principal ID of the system-assigned or user-assigned managed identity.
To get the principal ID of a user-assigned managed identity, you can use az ad sp
list or az identity list.

Azure CLI

az ad sp list --display-name "{name}" --query [].id --output tsv

To get the principal ID of a system-assigned managed identity, you can use az ad

sp list.

Azure CLI

az ad sp list --display-name "{vmname}" --query [].id --output tsv

2. To list the role assignments, use az role assignment list.

By default, only role assignments for the current subscription will be displayed. To
view role assignments for the current subscription and below, add the --all
parameter. To view inherited role assignments, add the --include-inherited
parameter.

Azure CLI

az role assignment list --assignee {objectId}

Next steps
Assign Azure roles using Azure CLI
List Azure role assignments using the
REST API
Article • 09/19/2024

７ Note

If your organization has outsourced management functions to a service provider

７ Note

For information about viewing or deleting personal data, see General Data Subject
Requests for the GDPR, Azure Data Subject Requests for the GDPR, or Windows
Data Subject Requests for the GDPR, depending on your specific area and needs.
For more information about GDPR, see the GDPR section of the Microsoft Trust
Center and the GDPR section of the Service Trust portal .

Prerequisites
You must use the following version:

2015-07-01 or later

2022-04-01 or later to include conditions

For more information, see API versions of Azure RBAC REST APIs.

List role assignments

In Azure RBAC, to list access, you list the role assignments. To list role assignments, use
one of the Role Assignments Get or List REST APIs. To refine your results, you specify a
scope and an optional filter.

1. Start with the following request:

HTTP

GET
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleAssignments?api-version=2022-04-01&$filter={filter}

2. Within the URI, replace {scope} with the scope for which you want to list the role
assignments.

ﾉ Expand table

Scope Type

providers/Microsoft.Management/management Management group

Groups/{groupId1}

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/myresourcegroup1

subscriptions/{subscriptionId1}/resourceG Resource
roups/myresourcegroup1/providers/Microsof
t.Web/sites/mysite1

In the previous example, microsoft.web is a resource provider that refers to an App

3. Replace {filter} with the condition that you want to apply to filter the role
assignment list.

ﾉ Expand table

Filter Description

$filter=atScope() Lists role assignments for only the specified

scope, not including the role assignments at
subscopes.

$filter=assignedTo('{objectId}') Lists role assignments for a specified user or

service principal.
Filter Description

If the user is a member of a group that has a

role assignment, that role assignment is also
listed. This filter is transitive for groups
which means that if the user is a member of
a group and that group is a member of
another group that has a role assignment,
that role assignment is also listed.
This filter only accepts an object ID for a
user or a service principal. You cannot pass
an object ID for a group.

$filter=atScope()+and+assignedTo('{object Lists role assignments for the specified user

Id}') or service principal and at the specified
scope.

$filter=principalId+eq+'{objectId}' Lists role assignments for a specified user,

group, or service principal.

The following request lists all role assignments for the specified user at subscription
scope:

HTTP

GET
https://management.azure.com/subscriptions/{subscriptionId1}/providers/Micro
soft.Authorization/roleAssignments?api-version=2022-04-
01&$filter=atScope()+and+assignedTo('{objectId1}')

The following shows an example of the output:

JSON

{
"value": [
{
"properties": {
"roleDefinitionId":
"/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefi
nitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"principalId": "{objectId1}",
"principalType": "User",
"scope": "/subscriptions/{subscriptionId1}",
"condition": null,
"conditionVersion": null,
"createdOn": "2022-01-15T21:08:45.4904312Z",
"updatedOn": "2022-01-15T21:08:45.4904312Z",
"createdBy": "{createdByObjectId1}",
"updatedBy": "{updatedByObjectId1}",
"delegatedManagedIdentityResourceId": null,
"description": null
},
"id":
"/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleAssi
gnments/{roleAssignmentId1}",
"type": "Microsoft.Authorization/roleAssignments",
"name": "{roleAssignmentId1}"
}
]
}

Next steps
Assign Azure roles using the REST API
Azure REST API Reference

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Steps to assign an Azure role
Article • 09/30/2024

Azure role-based access control (Azure RBAC) is the authorization system you use to
manage access to Azure resources. To grant access, you assign roles to users, groups,
service principals, or managed identities at a particular scope. This article describes the
high-level steps to assign Azure roles using the Azure portal, Azure PowerShell, Azure
CLI, or the REST API.

Step 1: Determine who needs access

You first need to determine who needs access. You can assign a role to a user, group,
service principal, or managed identity. This is also called a security principal.

User - An individual who has a profile in Microsoft Entra ID. You can also assign
roles to users in other tenants. For information about users in other organizations,
see Microsoft Entra B2B.
Group - A set of users created in Microsoft Entra ID. When you assign a role to a
group, all users within that group have that role.
Service principal - A security identity used by applications or services to access
specific Azure resources. You can think of it as a user identity (username and
password or certificate) for an application.
Managed identity - An identity in Microsoft Entra ID that is automatically managed
by Azure. You typically use managed identities when developing cloud applications
to manage the credentials for authenticating to Azure services.

Step 2: Select the appropriate role

Permissions are grouped together into a role definition. It's typically just called a role.
You can select from a list of several built-in roles. If the built-in roles don't meet the
specific needs of your organization, you can create your own custom roles.
Roles are organized into job function roles and privileged administrator roles.

Job function roles

Job function roles allow management of specific Azure resources. For example, the
Virtual Machine Contributor role allows a user to create and manage virtual machines.
To select the appropriate job function role, use these steps:

1. Begin with the comprehensive article, Azure built-in roles. The table at the top of
the article is an index into the details later in the article.

2. In that article, navigate to the service category (such as compute, storage, and
databases) for the resource to which you want to grant permissions. The easiest
way to find what your looking for is typically to search the page for a relevant
keyword, like "blob", "virtual machine", and so on.

3. Review the roles listed for the service category and identify the specific actions you
need. Again, always start with the most restrictive role.

For example, if a security principal needs to read blobs in an Azure storage

account, but doesn't need write access, then choose Storage Blob Data Reader
rather than Storage Blob Data Contributor (and definitely not the administrator-
level Storage Blob Data Owner role). You can always update the role assignments
later as needed.

4. If you don't find a suitable role, you can create a custom role.

Privileged administrator roles

Privileged administrator roles are roles that grant privileged administrator access, such
as the ability to manage Azure resources or assign roles to other users. The following
roles are considered privileged and apply to all resource types.

ﾉ Expand table

Azure role Permissions

Owner Grants full access to manage all resources

Assign roles in Azure RBAC

Contributor Grants full access to manage all resources

Can't assign roles in Azure RBAC
Can't manage assignments in Azure Blueprints or share
image galleries

Reservations Administrator Manage all the reservations in a tenant

Assign roles in Azure RBAC for reservations

Role Based Access Control Manage user access to Azure resources

Administrator Assign roles in Azure RBAC
Assign themselves or others the Owner role
Can't manage access using other ways, such as Azure
Policy

User Access Administrator Manage user access to Azure resources

Assign roles in Azure RBAC
Assign themselves or others the Owner role

For best practices when using privileged administrator role assignments, see Best
practices for Azure RBAC. For more information, see Privileged administrator role
definition.

Step 3: Identify the needed scope

Scope is the set of resources that the access applies to. In Azure, you can specify a scope
at four levels: management group, subscription, resource group, and resource. Scopes
are structured in a parent-child relationship. Each level of hierarchy makes the scope
more specific. You can assign roles at any of these levels of scope. The level you select
determines how widely the role is applied. Lower levels inherit role permissions from
higher levels.
When you assign a role at a parent scope, those permissions are inherited to the child
scopes. For example:

If you assign the Reader role to a user at the management group scope, that user
can read everything in all subscriptions in the management group.
If you assign the Billing Reader role to a group at the subscription scope, the
members of that group can read billing data for every resource group and
resource in the subscription.
If you assign the Contributor role to an application at the resource group scope, it
can manage resources of all types in that resource group, but not other resource
groups in the subscription.

It's a best practice to grant security principals the least privilege they need to perform
their job. Avoid assigning broader roles at broader scopes even if it initially seems more
convenient. By limiting roles and scopes, you limit what resources are at risk if the
security principal is ever compromised. For more information, see Understand scope.

Step 4: Check your prerequisites

To assign roles, you must be signed in with a user that is assigned a role that has role
assignments write permission, such as Role Based Access Control Administrator at the
scope you are trying to assign the role. Similarly, to remove a role assignment, you must
have the role assignments delete permission.

Microsoft.Authorization/roleAssignments/write

Microsoft.Authorization/roleAssignments/delete

If your user account doesn't have permission to assign a role within your subscription,
you see an error message that your account "does not have authorization to perform
action 'Microsoft.Authorization/roleAssignments/write'." In this case, contact the
administrators of your subscription as they can assign the permissions on your behalf.

If you are using a service principal to assign roles, you might get the error "Insufficient
privileges to complete the operation." This error is likely because Azure is attempting to
look up the assignee identity in Microsoft Entra ID and the service principal cannot read
Microsoft Entra ID by default. In this case, you need to grant the service principal
permissions to read data in the directory. Alternatively, if you are using Azure CLI, you
can create the role assignment by using the assignee object ID to skip the Microsoft
Entra lookup. For more information, see Troubleshoot Azure RBAC.

Step 5: Assign role

Once you know the security principal, role, and scope, you can assign the role. You can
assign roles using the Azure portal, Azure PowerShell, Azure CLI, Azure SDKs, or REST
APIs.

You can have up to 4000 role assignments in each subscription. This limit includes role
assignments at the subscription, resource group, and resource scopes. Eligible role
assignments and role assignments scheduled in the future do not count towards this
limit. You can have up to 500 role assignments in each management group. For more
information, see Troubleshoot Azure RBAC limits.

Check out the following articles for detailed steps for how to assign roles.

Assign Azure roles using the Azure portal

Assign Azure roles using Azure PowerShell
Assign Azure roles using Azure CLI
Assign Azure roles using the REST API

Next steps
Tutorial: Grant a user access to Azure resources using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Assign Azure roles using the Azure
portal
Article • 01/30/2024

If you need to assign administrator roles in Microsoft Entra ID, see Assign Microsoft
Entra roles to users.

Prerequisites
To assign Azure roles, you must have:

Microsoft.Authorization/roleAssignments/write permissions, such as Role Based

Access Control Administrator or User Access Administrator

Step 1: Identify the needed scope

When you assign roles, you must specify a scope. Scope is the set of resources the
access applies to. In Azure, you can specify a scope at four levels from broad to narrow:
management group, subscription, resource group, and resource. For more information,
see Understand scope.

1. Sign in to the Azure portal .

2. In the Search box at the top, search for the scope you want to grant access to. For
example, search for Management groups, Subscriptions, Resource groups, or a
specific resource.

3. Click the specific resource for that scope.

The following shows an example resource group.

Step 2: Open the Add role assignment page

Access control (IAM) is the page that you typically use to assign roles to grant access to
Azure resources. It's also known as identity and access management (IAM) and appears
in several locations in the Azure portal.

1. Click Access control (IAM).

The following shows an example of the Access control (IAM) page for a resource
group.
2. Click the Role assignments tab to view the role assignments at this scope.

3. Click Add > Add role assignment.

If you don't have permissions to assign roles, the Add role assignment option will
be disabled.

The Add role assignment page opens.

Step 3: Select the appropriate role

1. On the Role tab, select a role that you want to use.

You can search for a role by name or by description. You can also filter roles by
type and category.
2. If you want to assign a privileged administrator role, select the Privileged
administrator roles tab to select the role.

For best practices when using privileged administrator role assignments, see Best
practices for Azure RBAC.

3. In the Details column, click View to get more details about a role.
4. Click Next.

Step 4: Select who needs access

1. On the Members tab, select User, group, or service principal to assign the
selected role to one or more Microsoft Entra users, groups, or service principals
(applications).

2. Click Select members.

3. Find and select the users, groups, or service principals.

You can type in the Select box to search the directory for display name or email
address.
4. Click Select to add the users, groups, or service principals to the Members list.

5. To assign the selected role to one or more managed identities, select Managed
identity.

6. Click Select members.

7. In the Select managed identities pane, select whether the type is user-assigned
managed identity or system-assigned managed identity.

8. Find and select the managed identities.

For system-assigned managed identities, you can select managed identities by

Azure service instance.
9. Click Select to add the managed identities to the Members list.

10. In the Description box enter an optional description for this role assignment.

Later you can show this description in the role assignments list.

11. Click Next.

Step 5: (Optional) Add condition

If you selected a role that supports conditions, a Conditions tab will appear and you
have the option to add a condition to your role assignment. A condition is an additional
check that you can optionally add to your role assignment to provide more fine-grained
access control.

The Conditions tab will look different depending on the role you selected.
Delegate condition

） Important

Delegating Azure role assignment management with conditions is currently in

PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews
for legal terms that apply to Azure features that are in beta, preview, or
otherwise not yet released into general availability.

If you selected one of the following privileged roles, follow the steps in this section.

Owner
Role Based Access Control Administrator
User Access Administrator

1. On the Conditions tab under What user can do, select the Allow user to only
assign selected roles to selected principals (fewer privileges) option.

2. Click Select roles and principals to add a condition that constrains the roles
and principals this user can assign roles to.

3. Follow the steps in Delegate Azure role assignment management to others

with conditions.

Step 6: Assign role

1. On the Review + assign tab, review the role assignment settings.
2. Click Review + assign to assign the role.

After a few moments, the security principal is assigned the role at the selected
scope.

3. If you don't see the description for the role assignment, click Edit columns to add
the Description column.

Next steps
Assign a user as an administrator of an Azure subscription
Remove Azure role assignments
Troubleshoot Azure RBAC
Assign Azure roles to a managed
identity (Preview)
Article • 08/21/2022

You can assign a role to a managed identity by using the Access control (IAM) page as
described in Assign Azure roles using the Azure portal. When you use the Access control
(IAM) page, you start with the scope and then select the managed identity and role. This
article describes an alternate way to assign roles for a managed identity. Using these
steps, you start with the managed identity and then select the scope and role.

） Important

Assign a role to a managed identity using these alternate steps is currently in

preview. This preview version is provided without a service level agreement, and it's
not recommended for production workloads. Certain features might not be
supported or might have constrained capabilities. For more information, see
Supplemental Terms of Use for Microsoft Azure Previews .

Prerequisites
To assign Azure roles, you must have:

Microsoft.Authorization/roleAssignments/write permissions, such as User Access

Administrator or Owner

System-assigned managed identity

Follow these steps to assign a role to a system-assigned managed identity by starting
with the managed identity.

1. In the Azure portal, open a system-assigned managed identity.

2. In the left menu, click Identity.

3. Under Permissions, click Azure role assignments.

If roles are already assigned to the selected system-assigned managed identity,

you see the list of role assignments. This list includes all role assignments you have
permission to read.

4. To change the subscription, click the Subscription list.

5. Click Add role assignment (Preview).

6. Use the drop-down lists to select the set of resources that the role assignment
applies to such as Subscription, Resource group, or resource.

If you don't have role assignment write permissions for the selected scope, an
inline message will be displayed.
7. In the Role drop-down list, select a role such as Virtual Machine Contributor.

8. Click Save to assign the role.

After a few moments, the managed identity is assigned the role at the selected
scope.

User-assigned managed identity

Follow these steps to assign a role to a user-assigned managed identity by starting with
the managed identity.

1. In the Azure portal, open a user-assigned managed identity.

2. In the left menu, click Azure role assignments.

If roles are already assigned to the selected user-assigned managed identity, you
see the list of role assignments. This list includes all role assignments you have
permission to read.
3. To change the subscription, click the Subscription list.

4. Click Add role assignment (Preview).

5. Use the drop-down lists to select the set of resources that the role assignment
applies to such as Subscription, Resource group, or resource.

If you don't have role assignment write permissions for the selected scope, an
inline message will be displayed.

6. In the Role drop-down list, select a role such as Virtual Machine Contributor.

7. Click Save to assign the role.

After a few moments, the managed identity is assigned the role at the selected
scope.

Next steps
What are managed identities for Azure resources?
Assign Azure roles using the Azure portal
List Azure role assignments using the Azure portal
Assign Azure roles to external users
using the Azure portal
Article • 02/28/2024

Azure role-based access control (Azure RBAC) allows better security management for
large organizations and for small and medium-sized businesses working with external
collaborators, vendors, or freelancers that need access to specific resources in your
environment, but not necessarily to the entire infrastructure or any billing-related
scopes. You can use the capabilities in Microsoft Entra B2B to collaborate with external
users and you can use Azure RBAC to grant just the permissions that external users need
in your environment.

Prerequisites
To assign Azure roles or remove role assignments, you must have:

Microsoft.Authorization/roleAssignments/write and
Microsoft.Authorization/roleAssignments/delete permissions, such as User Access

Administrator or Owner

When would you invite external users?

Here are a couple example scenarios when you might invite users to your organization
and grant permissions:

Allow an external self-employed vendor that only has an email account to access
your Azure resources for a project.
Allow an external partner to manage certain resources or an entire subscription.
Allow support engineers not in your organization (such as Microsoft support) to
temporarily access your Azure resource to troubleshoot issues.

Permission differences between member users

and guest users
Users of a directory with member type (member users) have different permissions by
default than users invited from another directory as a B2B collaboration guest (guest
users). For example, member users can read almost all directory information while guest
users have restricted directory permissions. For more information about member users
and guest users, see What are the default user permissions in Microsoft Entra ID?.

Invite an external user to your directory

Follow these steps to invite an external user to your directory in Microsoft Entra ID.

1. Sign in to the Azure portal .

2. Make sure your organization's external collaboration settings are configured such
that you're allowed to invite external users. For more information, see Configure
external collaboration settings.

3. Select Microsoft Entra ID > Users.

4. Select New user > Invite external user.

5. Follow the steps to invite an external user. For more information, see Add
Microsoft Entra B2B collaboration users in the Azure portal.

After you invite an external user to the directory, you can either send the external user a
direct link to a shared app, or the external user can select the accept invitation link in the
invitation email.

For the external user to be able to access your directory, they must complete the
invitation process.


For more information about the invitation process, see Microsoft Entra B2B
collaboration invitation redemption.

Assign a role to an external user

In Azure RBAC, to grant access, you assign a role. To assign a role to an external user,
you follow same steps as you would for a member user, group, service principal, or
managed identity. Follow these steps assign a role to an external user at different
scopes.

1. Sign in to the Azure portal .

2. In the Search box at the top, search for the scope you want to grant access to. For
example, search for Management groups, Subscriptions, Resource groups, or a
specific resource.

3. Select the specific resource for that scope.

4. Select Access control (IAM).

The following shows an example of the Access control (IAM) page for a resource
group.


5. Select the Role assignments tab to view the role assignments at this scope.

6. Select Add > Add role assignment.

If you don't have permissions to assign roles, the Add role assignment option will
be disabled.

The Add role assignment page opens.

7. On the Role tab, select a role such as Virtual Machine Contributor.



8. On the Members tab, select User, group, or service principal.

9. Select Select members.

10. Find and select the external user. If you don't see the user in the list, you can type
in the Select box to search the directory for display name or email address.

You can type in the Select box to search the directory for display name or email
address.


11. Select Select to add the external user to the Members list.

12. On the Review + assign tab, select Review + assign.

After a few moments, the external user is assigned the role at the selected scope.


Assign a role to an external user not yet in your
directory
To assign a role to an external user, you follow same steps as you would for a member
user, group, service principal, or managed identity.

If the external user is not yet in your directory, you can invite the user directly from the
Select members pane.

1. Sign in to the Azure portal .

2. In the Search box at the top, search for the scope you want to grant access to. For
example, search for Management groups, Subscriptions, Resource groups, or a
specific resource.

3. Select the specific resource for that scope.

4. Select Access control (IAM).

5. Select Add > Add role assignment.

If you don't have permissions to assign roles, the Add role assignment option will
be disabled.

The Add role assignment page opens.

6. On the Role tab, select a role such as Virtual Machine Contributor.

7. On the Members tab, select User, group, or service principal.



8. Select Select members.

9. In the Select box, type the email address of the person you want to invite and
select that person.


10. Select Select to add the external user to the Members list.

11. On the Review + assign tab, select Review + assign to add the external user to
your directory, assign the role, and send an invite.

After a few moments, you'll see a notification of the role assignment and
information about the invite.


12. To manually invite the external user, right-click and copy the invitation link in the
notification. Don't select the invitation link because it starts the invitation process.

The invitation link will have the following format:

https://login.microsoftonline.com/redeem?

rd=https%3a%2f%2finvitations.microsoft.com%2fredeem%2f%3ftenant%3d0000...

13. Send the invitation link to the external user to complete the invitation process.

For more information about the invitation process, see Microsoft Entra B2B
collaboration invitation redemption.

Remove an external user from your directory

Before you remove an external user from a directory, you should first remove any role
assignments for that external user. Follow these steps to remove an external user from a
directory.
1. Open Access control (IAM) at a scope, such as management group, subscription,
resource group, or resource, where the external user has a role assignment.

2. Select the Role assignments tab to view all the role assignments.

3. In the list of role assignments, add a check mark next to the external user with the
role assignment you want to remove.

4. Select Remove.

5. In the remove role assignment message that appears, select Yes.

6. Select the Classic administrators tab.

7. If the external user has a Co-Administrator assignment, add a check mark next to
the external user and select Remove.

8. In the left navigation bar, select Microsoft Entra ID > Users.

9. Select the external user you want to remove.

10. Select Delete.



11. In the delete message that appears, select Yes.

Troubleshoot

External user cannot browse the directory

External users have restricted directory permissions. For example, external users can't
browse the directory and can't search for groups or applications. For more information,
see What are the default user permissions in Microsoft Entra ID?.

If an external user needs additional privileges in the directory, you can assign a
Microsoft Entra role to the external user. If you really want an external user to have full
read access to your directory, you can add the external user to the Directory Readers
role in Microsoft Entra ID. For more information, see Add Microsoft Entra B2B
collaboration users in the Azure portal.


External user cannot browse users, groups, or service

principals to assign roles
External users have restricted directory permissions. Even if an external user is an Owner
at a scope, if they try to assign a role to grant someone else access, they can't browse
the list of users, groups, or service principals.


If the external user knows someone's exact sign-in name in the directory, they can grant
access. If you really want an external user to have full read access to your directory, you
can add the external user to the Directory Readers role in Microsoft Entra ID. For more
information, see Add Microsoft Entra B2B collaboration users in the Azure portal.

External user cannot register applications or create

service principals
External users have restricted directory permissions. If an external user needs to be able
to register applications or create service principals, you can add the external user to the
Application Developer role in Microsoft Entra ID. For more information, see Add
Microsoft Entra B2B collaboration users in the Azure portal.

External user does not see the new directory

If an external user has been granted access to a directory, but they don't see the new
directory listed in the Azure portal when they try to switch in their Directories page,
make sure the external user has completed the invitation process. For more information
about the invitation process, see Microsoft Entra B2B collaboration invitation
redemption.

External user does not see resources

If an external user has been granted access to a directory, but they don't see the
resources they have been granted access to in the Azure portal, make sure the external
user has selected the correct directory. An external user might have access to multiple
directories. To switch directories, in the upper left, select Settings > Directories, and
then select the appropriate directory.

Next steps
Add Microsoft Entra B2B collaboration users in the Azure portal
Properties of a Microsoft Entra B2B collaboration user
The elements of the B2B collaboration invitation email - Microsoft Entra ID
Assign Azure roles using Azure
PowerShell
Article • 12/01/2023

７ Note

Prerequisites
To assign roles, you must have:

Microsoft.Authorization/roleAssignments/write permissions, such as Role Based

Access Control Administrator

PowerShell in Azure Cloud Shell or Azure PowerShell
The account you use to run the PowerShell command must have the Microsoft
Graph Directory.Read.All permission.

Steps to assign an Azure role

To assign a role consists of three elements: security principal, role definition, and scope.

Step 1: Determine who needs access

You can assign a role to a user, group, service principal, or managed identity. To assign a
role, you might need to specify the unique ID of the object. The ID has the format:
11111111-1111-1111-1111-111111111111 . You can get the ID using the Azure portal or
Azure PowerShell.

User
For a Microsoft Entra user, get the user principal name, such as patlong@contoso.com or
the user object ID. To get the object ID, you can use Get-AzADUser.

Azure PowerShell

Get-AzADUser -StartsWith <userName>

(Get-AzADUser -DisplayName <userName>).id

Group

For a Microsoft Entra group, you need the group object ID. To get the object ID, you can
use Get-AzADGroup.

Azure PowerShell

Get-AzADGroup -SearchString <groupName>

(Get-AzADGroup -DisplayName <groupName>).id

Service principal

For a Microsoft Entra service principal (identity used by an application), you need the
service principal object ID. To get the object ID, you can use Get-AzADServicePrincipal.
For a service principal, use the object ID and not the application ID.

Azure PowerShell

Get-AzADServicePrincipal -SearchString <principalName>

(Get-AzADServicePrincipal -DisplayName <principalName>).id

Managed identity

For a system-assigned or a user-assigned managed identity, you need the object ID. To
get the object ID, you can use Get-AzADServicePrincipal.

Azure PowerShell

Get-AzADServicePrincipal -SearchString <principalName>

(Get-AzADServicePrincipal -DisplayName <principalName>).id

Step 2: Select the appropriate role

Permissions are grouped together into roles. You can select from a list of several Azure
built-in roles or you can use your own custom roles. It's a best practice to grant access
with the least privilege that is needed, so avoid assigning a broader role.
To list roles and get the unique role ID, you can use Get-AzRoleDefinition.

Azure PowerShell

Get-AzRoleDefinition | Format-Table -Property Name, IsCustom, Id

Here's how to list the details of a particular role.

Azure PowerShell

Get-AzRoleDefinition -Name <roleName>

For more information, see List Azure role definitions.

Step 3: Identify the needed scope

Azure provides four levels of scope: resource, resource group, subscription, and
management group. It's a best practice to grant access with the least privilege that is
needed, so avoid assigning a role at a broader scope. For more information about
scope, see Understand scope.

Resource scope

For resource scope, you need the resource ID for the resource. You can find the resource
ID by looking at the properties of the resource in the Azure portal. A resource ID has the
following format.

/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers
/<providerName>/<resourceType>/<resourceSubType>/<resourceName>

Resource group scope

For resource group scope, you need the name of the resource group. You can find the
name on the Resource groups page in the Azure portal or you can use Get-
AzResourceGroup.

Azure PowerShell

Get-AzResourceGroup

Subscription scope
For subscription scope, you need the subscription ID. You can find the ID on the
Subscriptions page in the Azure portal or you can use Get-AzSubscription.

Azure PowerShell

Get-AzSubscription

Management group scope

For management group scope, you need the management group name. You can find
the name on the Management groups page in the Azure portal or you can use Get-
AzManagementGroup.

Azure PowerShell

Get-AzManagementGroup

Step 4: Assign role

To assign a role, use the New-AzRoleAssignment command. Depending on the scope,
the command typically has one of the following formats.

Resource scope

Azure PowerShell

New-AzRoleAssignment -ObjectId <objectId> `

-RoleDefinitionName <roleName> `
-Scope
/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers
/<providerName>/<resourceType>/<resourceSubType>/<resourceName>

Azure PowerShell

New-AzRoleAssignment -ObjectId <objectId> `

-RoleDefinitionId <roleId> `
-ResourceName <resourceName> `
-ResourceType <resourceType> `
-ResourceGroupName <resourceGroupName>

Resource group scope

Azure PowerShell
New-AzRoleAssignment -SignInName <emailOrUserprincipalname> `
-RoleDefinitionName <roleName> `
-ResourceGroupName <resourceGroupName>

Azure PowerShell

New-AzRoleAssignment -ObjectId <objectId> `

-RoleDefinitionName <roleName> `
-ResourceGroupName <resourceGroupName>

Subscription scope

Azure PowerShell

New-AzRoleAssignment -SignInName <emailOrUserprincipalname> `

-RoleDefinitionName <roleName> `
-Scope /subscriptions/<subscriptionId>

Azure PowerShell

New-AzRoleAssignment -ObjectId <objectId> `

-RoleDefinitionName <roleName> `
-Scope /subscriptions/<subscriptionId>

Management group scope

Azure PowerShell

New-AzRoleAssignment -SignInName <emailOrUserprincipalname> `

-RoleDefinitionName <roleName> `
-Scope /providers/Microsoft.Management/managementGroups/<groupName>

Azure PowerShell

New-AzRoleAssignment -ObjectId <objectId> `

-RoleDefinitionName <roleName> `
-Scope /providers/Microsoft.Management/managementGroups/<groupName>

Assign role examples

Assign a role for all blob containers in a storage account resource

scope
Assigns the Storage Blob Data Contributor role to a service principal with object ID
55555555-5555-5555-5555-555555555555 and Application ID 66666666-6666-6666-
6666-666666666666 at a resource scope for a storage account named storage12345.

Azure PowerShell

PS C:\> New-AzRoleAssignment -ApplicationId 66666666-6666-6666-6666-

666666666666 `
-RoleDefinitionName "Storage Blob Data Contributor" `
-Scope "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/Example-Storage-
rg/providers/Microsoft.Storage/storageAccounts/storage12345"

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/Example-Storage-
rg/providers/Microsoft.Storage/storageAccounts/storage12345/providers/Micros
oft.Authorization/roleAssignments/cccccccc-cccc-cccc-cccc-cccccccccccc
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/Example-Storage-
rg/providers/Microsoft.Storage/storageAccounts/storage12345
DisplayName : example-identity
SignInName :
RoleDefinitionName : Storage Blob Data Contributor
RoleDefinitionId : ba92f5b4-2d11-453d-a403-e96b0029c9fe
ObjectId : 55555555-5555-5555-5555-555555555555
ObjectType : ServicePrincipal
CanDelegate : False

Assign a role for a specific blob container resource scope

Assigns the Storage Blob Data Contributor role to a service principal with object ID
55555555-5555-5555-5555-555555555555 and Application ID 66666666-6666-6666-
6666-666666666666 at a resource scope for a blob container named blob-container-01.

Azure PowerShell

PS C:\> New-AzRoleAssignment -ApplicationId 66666666-6666-6666-6666-

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/Example-Storage-
rg/providers/Microsoft.Storage/storageAccounts/storage12345/blobServices/def
ault/containers/blob-container-
01/providers/Microsoft.Authorization/roleAssignm
ents/dddddddd-dddd-dddd-dddd-dddddddddddd
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/Example-Storage-
rg/providers/Microsoft.Storage/storageAccounts/storage12345/blobServices/def
ault/containers/blob-container-01
DisplayName : example-identity
SignInName :
RoleDefinitionName : Storage Blob Data Contributor
RoleDefinitionId : ba92f5b4-2d11-453d-a403-e96b0029c9fe
ObjectId : 55555555-5555-5555-5555-555555555555
ObjectType : ServicePrincipal
CanDelegate : False

Assign a role for a group in a specific virtual network resource

scope

Assigns the Virtual Machine Contributor role to the Pharma Sales Admins group with ID
aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa at a resource scope for a virtual network
named pharma-sales-project-network.

Azure PowerShell

PS C:\> New-AzRoleAssignment -ObjectId aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa

`
-RoleDefinitionName "Virtual Machine Contributor" `
-ResourceName pharma-sales-project-network `
-ResourceType Microsoft.Network/virtualNetworks `
-ResourceGroupName MyVirtualNetworkResourceGroup

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyVirtualNetworkResourceGroup
/providers/Microsoft.Network/virtualNetworks/pharma-
sales-project-network/providers/Microsoft.Authorizat
ion/roleAssignments/bbbbbbbb-bbbb-bbbb-bbbb-
bbbbbbbbbbbb
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/MyVirtualNetworkResourceGroup
/providers/Microsoft.Network/virtualNetworks/pharma-
sales-project-network
DisplayName : Pharma Sales Admins
SignInName :
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId : aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa
ObjectType : Group
CanDelegate : False

Assign a role for a user at a resource group scope

Assigns the Virtual Machine Contributor role to patlong@contoso.com user at the
pharma-sales resource group scope.

Azure PowerShell

PS C:\> New-AzRoleAssignment -SignInName patlong@contoso.com `

-RoleDefinitionName "Virtual Machine Contributor" `
-ResourceGroupName pharma-sales

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales/pr

oviders/Microsoft.Authorization/roleAssignments/55555555-5555-5555-5555-
555555555555
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales
DisplayName : Pat Long
SignInName : patlong@contoso.com
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId : 44444444-4444-4444-4444-444444444444
ObjectType : User
CanDelegate : False

Alternately, you can specify the fully qualified resource group with the -Scope
parameter:

Azure PowerShell

PS C:\> New-AzRoleAssignment -SignInName patlong@contoso.com `

-RoleDefinitionName "Virtual Machine Contributor" `
-Scope "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales"

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-
sales/providers/Microsoft.Authorization/roleAssignments/55555555-5555-5555-
5555-555555555555
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales
DisplayName : Pat Long
SignInName : patlong@contoso.com
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId : 44444444-4444-4444-4444-444444444444
ObjectType : User
CanDelegate : False
Assign a role for a user using the unique role ID at a resource
group scope

There are a couple of times when a role name might change, for example:

You are using your own custom role and you decide to change the name.
You are using a preview role that has (Preview) in the name. When the role is
released, the role is renamed.

The following example assigns the Virtual Machine Contributor role to the
patlong@contoso.com user at the pharma-sales resource group scope.

Azure PowerShell

PS C:\> New-AzRoleAssignment -ObjectId 44444444-4444-4444-4444-444444444444

`
-RoleDefinitionId 9980e02c-c2be-4d73-94e8-173b1dc7cf3c `
-Scope "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales"

Assign a role for an application at a resource group scope

Assigns the Virtual Machine Contributor role to an application with service principal
object ID 77777777-7777-7777-7777-777777777777 at the pharma-sales resource
group scope.

Azure PowerShell
PS C:\> New-AzRoleAssignment -ObjectId 77777777-7777-7777-7777-777777777777
`
-RoleDefinitionName "Virtual Machine Contributor" `
-ResourceGroupName pharma-sales

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/providers/Microsoft.Authorization/roleAssignments/66666666-
6666-6666-6666-666666666666
Scope : /subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/pharma-sales
DisplayName : MyApp1
SignInName :
RoleDefinitionName : Virtual Machine Contributor
RoleDefinitionId : 9980e02c-c2be-4d73-94e8-173b1dc7cf3c
ObjectId : 77777777-7777-7777-7777-777777777777
ObjectType : ServicePrincipal
CanDelegate : False

Assign a role for a user at a subscription scope

Assigns the Reader role to the annm@example.com user at a subscription scope.

Azure PowerShell

PS C:\> New-AzRoleAssignment -SignInName annm@example.com `

-RoleDefinitionName "Reader" `
-Scope "/subscriptions/00000000-0000-0000-0000-000000000000"

RoleAssignmentId : /subscriptions/00000000-0000-0000-0000-
000000000000/providers/Microsoft.Authorization/roleAssignments/66666666-
6666-6666-6666-666666666666
Scope : /subscriptions/00000000-0000-0000-0000-000000000000
DisplayName : Ann M
SignInName : annm@example.com
RoleDefinitionName : Reader
RoleDefinitionId : acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId : 77777777-7777-7777-7777-777777777777
ObjectType : ServicePrincipal
CanDelegate : False

Assign a role for a user at a management group scope

Assigns the Billing Reader role to the alain@example.com user at a management group
scope.

Azure PowerShell
PS C:\> New-AzRoleAssignment -SignInName alain@example.com `
-RoleDefinitionName "Billing Reader" `
-Scope "/providers/Microsoft.Management/managementGroups/marketing-group"

RoleAssignmentId :
/providers/Microsoft.Management/managementGroups/marketing-
group/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-
2222-222222222222
Scope :
/providers/Microsoft.Management/managementGroups/marketing-group
DisplayName : Alain Charon
SignInName : alain@example.com
RoleDefinitionName : Billing Reader
RoleDefinitionId : fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64
ObjectId : 44444444-4444-4444-4444-444444444444
ObjectType : User
CanDelegate : False

Next steps
List Azure role assignments using Azure PowerShell
Tutorial: Grant a group access to Azure resources using Azure PowerShell
Manage resources with Azure PowerShell
Assign Azure roles using Azure CLI
Article • 01/02/2024

Prerequisites
To assign roles, you must have:

Microsoft.Authorization/roleAssignments/write permissions, such as Role Based

Access Control Administrator

Bash in Azure Cloud Shell or Azure CLI

Steps to assign an Azure role

To assign a role consists of three elements: security principal, role definition, and scope.

Step 1: Determine who needs access

Azure CLI.

User

For a Microsoft Entra user, get the user principal name, such as patlong@contoso.com or
the user object ID. To get the object ID, you can use az ad user show.

Azure CLI

az ad user show --id "{principalName}" --query "id" --output tsv

Group

For a Microsoft Entra group, you need the group object ID. To get the object ID, you can
use az ad group show or az ad group list.
Azure CLI

az ad group show --group "{groupName}" --query "id" --output tsv

Service principal

For a Microsoft Entra service principal (identity used by an application), you need the
service principal object ID. To get the object ID, you can use az ad sp list. For a service
principal, use the object ID and not the application ID.

Azure CLI

az ad sp list --all --query "[].{displayName:displayName, id:id}" --output

tsv
az ad sp list --display-name "{displayName}"

Managed identity

For a system-assigned or a user-assigned managed identity, you need the object ID. To
get the object ID, you can use az ad sp list.

Azure CLI

az ad sp list --all --filter "servicePrincipalType eq 'ManagedIdentity'"

To just list user-assigned managed identities, you can use az identity list.

Azure CLI

az identity list

Step 2: Select the appropriate role

To list roles and get the unique role ID, you can use az role definition list.

Azure CLI

az role definition list --query "[].{name:name, roleType:roleType,

roleName:roleName}" --output tsv
Here's how to list the details of a particular role.

Azure CLI

az role definition list --name "{roleName}"

For more information, see List Azure role definitions.

Step 3: Identify the needed scope

Resource scope

For resource scope, you need the resource ID for the resource. You can find the resource
ID by looking at the properties of the resource in the Azure portal. A resource ID has the
following format.

/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers
/{providerName}/{resourceType}/{resourceSubType}/{resourceName}

Resource group scope

For resource group scope, you need the name of the resource group. You can find the
name on the Resource groups page in the Azure portal or you can use az group list.

Azure CLI

az group list --query "[].{name:name}" --output tsv

Subscription scope

For subscription scope, you need the subscription ID. You can find the ID on the
Subscriptions page in the Azure portal or you can use az account list.

Azure CLI

az account list --query "[].{name:name, id:id}" --output tsv

Management group scope

For management group scope, you need the management group name. You can find
the name on the Management groups page in the Azure portal or you can use az
account management-group list.

Azure CLI

az account management-group list --query "[].{name:name, id:id}" --output

tsv

Step 4: Assign role

To assign a role, use the az role assignment create command. Depending on the scope,
the command typically has one of the following formats.

Resource scope

Azure CLI

az role assignment create --assignee "{assignee}" \

--role "{roleNameOrId}" \
--scope
"/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/provider
s/{providerName}/{resourceType}/{resourceSubType}/{resourceName}"

Resource group scope

Azure CLI

az role assignment create --assignee "{assignee}" \

--role "{roleNameOrId}" \
--scope "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"

Subscription scope

Azure CLI

az role assignment create --assignee "{assignee}" \

--role "{roleNameOrId}" \
--scope "/subscriptions/{subscriptionId}"

Management group scope

Azure CLI
az role assignment create --assignee "{assignee}" \
--role "{roleNameOrId}" \
--scope
"/providers/Microsoft.Management/managementGroups/{managementGroupName}"

The following shows an example of the output when you assign the Virtual Machine
Contributor role to a user at a resource group scope.

Azure CLI

{
"canDelegate": null,
"id":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/provider
s/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
"name": "{roleAssignmentId}",
"principalId": "{principalId}",
"principalType": "User",
"resourceGroup": "{resourceGroupName}",
"roleDefinitionId":
"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefin
itions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"scope":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
"type": "Microsoft.Authorization/roleAssignments"
}

Assign role examples

Assign a role for all blob containers in a storage account resource

scope
Assigns the Storage Blob Data Contributor role to a service principal with object ID
55555555-5555-5555-5555-555555555555 at a resource scope for a storage account
named storage12345.

Azure CLI

az role assignment create --assignee "55555555-5555-5555-5555-555555555555"

\
--role "Storage Blob Data Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-
000000000000/resourceGroups/Example-Storage-
rg/providers/Microsoft.Storage/storageAccounts/storage12345"
Assign a role for a specific blob container resource scope
Assigns the Storage Blob Data Contributor role to a service principal with object ID
55555555-5555-5555-5555-555555555555 at a resource scope for a blob container
named blob-container-01.

Azure CLI

az role assignment create --assignee "55555555-5555-5555-5555-555555555555"

Assign a role for a group in a specific virtual network resource

scope
Assigns the Virtual Machine Contributor role to the Ann Mack Team group with ID
22222222-2222-2222-2222-222222222222 at a resource scope for a virtual network
named pharma-sales-project-network.

Azure CLI

az role assignment create --assignee "22222222-2222-2222-2222-222222222222"

\
--role "Virtual Machine Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-
000000000000/resourcegroups/pharma-
sales/providers/Microsoft.Network/virtualNetworks/pharma-sales-project-
network"

Assign a role for a user at a resource group scope

Assigns the Virtual Machine Contributor role to patlong@contoso.com user at the
pharma-sales resource group scope.

Azure CLI

az role assignment create --assignee "patlong@contoso.com" \

--role "Virtual Machine Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-
000000000000/resourcegroups/pharma-sales"
Assign a role for a user using the unique role ID at a resource
group scope

There are a couple of times when a role name might change, for example:

You are using your own custom role and you decide to change the name.
You are using a preview role that has (Preview) in the name. When the role is
released, the role is renamed.

The following example assigns the Virtual Machine Contributor role to the
patlong@contoso.com user at the pharma-sales resource group scope.

Azure CLI

az role assignment create --assignee "patlong@contoso.com" \

--role "9980e02c-c2be-4d73-94e8-173b1dc7cf3c" \
--scope "/subscriptions/00000000-0000-0000-0000-
000000000000/resourcegroups/pharma-sales"

Assign a role for all blob containers at a resource group scope

Assigns the Storage Blob Data Contributor role to a service principal with object ID
55555555-5555-5555-5555-555555555555 at the Example-Storage-rg resource group
scope.

Azure CLI

az role assignment create --assignee "55555555-5555-5555-5555-555555555555"

\
--role "Storage Blob Data Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-
000000000000/resourcegroups/Example-Storage-rg"

Assign a role for an application at a resource group scope

Assigns the Virtual Machine Contributor role to an application with service principal
object ID 44444444-4444-4444-4444-444444444444 at the pharma-sales resource
group scope.
Azure CLI

az role assignment create --assignee "44444444-4444-4444-4444-444444444444"

\
--role "Virtual Machine Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-
000000000000/resourcegroups/pharma-sales"

Assign a role for a new service principal at a resource group scope

If you create a new service principal and immediately try to assign a role to that service
principal, that role assignment can fail in some cases. For example, if you use a script to
create a new managed identity and then try to assign a role to that service principal, the
role assignment might fail. The reason for this failure is likely a replication delay. The
service principal is created in one region; however, the role assignment might occur in a
different region that hasn't replicated the service principal yet. To address this scenario,
you should specify the principal type when creating the role assignment.

To assign a role, use az role assignment create, specify a value for --assignee-object-id ,
and then set --assignee-principal-type to ServicePrincipal .

Azure CLI

az role assignment create --assignee-object-id "{assigneeObjectId}" \

--assignee-principal-type "{assigneePrincipalType}" \
--role "{roleNameOrId}" \
--scope "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"

The following example assigns the Virtual Machine Contributor role to the msi-test
managed identity at the pharma-sales resource group scope:

Azure CLI

az role assignment create --assignee-object-id "33333333-3333-3333-3333-

333333333333" \
--assignee-principal-type "ServicePrincipal" \
--role "Virtual Machine Contributor" \
--scope "/subscriptions/00000000-0000-0000-0000-
000000000000/resourcegroups/pharma-sales"

Assign a role for a user at a subscription scope

Assigns the Reader role to the annm@example.com user at a subscription scope.
Azure CLI

az role assignment create --assignee "annm@example.com" \

--role "Reader" \
--scope "/subscriptions/00000000-0000-0000-0000-000000000000"

Assign a role for a group at a subscription scope

Assigns the Reader role to the Ann Mack Team group with ID 22222222-2222-2222-
2222-222222222222 at a subscription scope.

Azure CLI

az role assignment create --assignee "22222222-2222-2222-2222-222222222222"

\
--role "Reader" \
--scope "/subscriptions/00000000-0000-0000-0000-000000000000"

Assign a role for all blob containers at a subscription scope

Assigns the Storage Blob Data Reader role to the alain@example.com user at a
subscription scope.

Azure CLI

az role assignment create --assignee "alain@example.com" \

--role "Storage Blob Data Reader" \
--scope "/subscriptions/00000000-0000-0000-0000-000000000000"

Assign a role for a user at a management group scope

Assigns the Billing Reader role to the alain@example.com user at a management group
scope.

Azure CLI

az role assignment create --assignee "alain@example.com" \

--role "Billing Reader" \
--scope "/providers/Microsoft.Management/managementGroups/marketing-group"

Next steps
List Azure role assignments using Azure CLI
Use the Azure CLI to manage Azure resources and resource groups
Assign Azure roles using the REST API
Article • 12/01/2023

Prerequisites
To assign Azure roles, you must have:

Microsoft.Authorization/roleAssignments/write permissions, such as User Access

Administrator or Owner

You must use the following versions:

2015-07-01 or later to assign an Azure role

2018-09-01-preview or later to assign an Azure role to a new service principal

For more information, see API versions of Azure RBAC REST APIs.

Assign an Azure role

To assign a role, use the Role Assignments - Create REST API and specify the security
principal, role definition, and scope. To call this API, you must have access to the
Microsoft.Authorization/roleAssignments/write action, such as Role Based Access

Control Administrator.

1. Use the Role Definitions - List REST API or see Built-in roles to get the identifier for
the role definition you want to assign.

2. Use a GUID tool to generate a unique identifier that will be used for the role
assignment identifier. The identifier has the format: 00000000-0000-0000-0000-
000000000000

3. Start with the following request and body:

HTTP

PUT
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleAssignments/{roleAssignmentId}?api-version=2022-04-01

JSON

{
"properties": {
"roleDefinitionId":
"/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefini
tionId}",
"principalId": "{principalId}"
}
}

4. Within the URI, replace {scope} with the scope for the role assignment.

ﾉ Expand table

Scope Type

providers/Microsoft.Management/management Management group

Groups/{groupId1}

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/myresourcegroup1

subscriptions/{subscriptionId1}/resourceG Resource
roups/myresourcegroup1/providers/microsof
t.web/sites/mysite1

In the previous example, microsoft.web is a resource provider that refers to an App

5. Replace {roleAssignmentId} with the GUID identifier of the role assignment.

6. Within the request body, replace {scope} with the same scope as in the URI.

7. Replace {roleDefinitionId} with the role definition identifier.

8. Replace {principalId} with the object identifier of the user, group, or service
principal that will be assigned the role.

The following request and body assigns the Backup Reader role to a user at subscription
scope:
HTTP

PUT
https://management.azure.com/subscriptions/{subscriptionId1}/providers/Micro
soft.Authorization/roleAssignments/{roleAssignmentId1}?api-version=2022-04-
01

JSON

{
"properties": {
"roleDefinitionId":
"/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefi
nitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
"principalId": "{objectId1}"
}
}

The following shows an example of the output:

JSON

{
"properties": {
"roleDefinitionId":
"/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefi
nitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
"principalId": "{objectId1}",
"principalType": "User",
"scope": "/subscriptions/{subscriptionId1}",
"condition": null,
"conditionVersion": null,
"createdOn": "2022-05-06T23:55:23.7679147Z",
"updatedOn": "2022-05-06T23:55:23.7679147Z",
"createdBy": null,
"updatedBy": "{updatedByObjectId1}",
"delegatedManagedIdentityResourceId": null,
"description": null
},
"id":
"/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleAssi
gnments/{roleAssignmentId1}",
"type": "Microsoft.Authorization/roleAssignments",
"name": "{roleAssignmentId1}"
}

New service principal

To address this scenario, use the Role Assignments - Create REST API and set the
principalType property to ServicePrincipal . You must also set the apiVersion to 2018-
09-01-preview or later. 2022-04-01 is the first stable version.

HTTP

PUT
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleA
ssignments/{roleAssignmentId}?api-version=2022-04-01

JSON

{
"properties": {
"roleDefinitionId":
"/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionI
d}",
"principalId": "{principalId}",
"principalType": "ServicePrincipal"
}
}

Next steps
List Azure role assignments using the REST API
Deploy resources with Resource Manager templates and Resource Manager REST
API
Azure REST API Reference
Create or update Azure custom roles using the REST API
Assign Azure roles using Azure Resource
Manager templates
Article • 04/13/2023

Azure role-based access control (Azure RBAC) is the authorization system you use to
manage access to Azure resources. To grant access, you assign roles to users, groups,
service principals, or managed identities at a particular scope. In addition to using Azure
PowerShell or the Azure CLI, you can assign roles using Azure Resource Manager
templates. Templates can be helpful if you need to deploy resources consistently and
repeatedly. This article describes how to assign roles using templates.

７ Note

Bicep is a new language for defining your Azure resources. It has a simpler
authoring experience than JSON, along with other features that help improve the
quality of your infrastructure as code. We recommend that anyone new to
infrastructure as code on Azure use Bicep instead of JSON.

To learn about how to define role assignments by using Bicep, see Create Azure
RBAC resources by using Bicep. For a quickstart example, see Quickstart: Assign
an Azure role using Bicep.

Prerequisites
To assign Azure roles, you must have:

Microsoft.Authorization/roleAssignments/write permissions, such as User Access

Administrator or Owner

You must use the following versions:

2018-09-01-preview or later to assign an Azure role to a new service principal

2020-04-01-preview or later to assign an Azure role at resource scope

2022-04-01 is the first stable version

For more information, see API versions of Azure RBAC REST APIs.

Get object IDs

To assign a role, you need to specify the ID of the user, group, or application you want
to assign the role to. The ID has the format: 11111111-1111-1111-1111-111111111111 . You
can get the ID using the Azure portal, Azure PowerShell, or Azure CLI.

User
To get the ID of a user, you can use the Get-AzADUser or az ad user show commands.

Azure PowerShell

$objectid = (Get-AzADUser -DisplayName "{name}").id

Azure CLI

objectid=$(az ad user show --id "{email}" --query id --output tsv)

Group
To get the ID of a group, you can use the Get-AzADGroup or az ad group show
commands.

Azure PowerShell

$objectid = (Get-AzADGroup -DisplayName "{name}").id

Azure CLI

objectid=$(az ad group show --group "{name}" --query id --output tsv)

Managed identities
To get the ID of a managed identity, you can use Get-AzAdServiceprincipal or az ad sp
commands.

Azure PowerShell

$objectid = (Get-AzADServicePrincipal -DisplayName <Azure resource name>).id

Azure CLI
objectid=$(az ad sp list --display-name <Azure resource name> --query [].id
--output tsv)

Application
To get the ID of a service principal (identity used by an application), you can use the
Get-AzADServicePrincipal or az ad sp list commands. For a service principal, use the
object ID and not the application ID.

Azure PowerShell

$objectid = (Get-AzADServicePrincipal -DisplayName "{name}").id

Azure CLI

objectid=$(az ad sp list --display-name "{name}" --query [].id --output tsv)

Assign an Azure role

In Azure RBAC, to grant access, you assign a role.

Resource group scope (without parameters)

The following template shows a basic way to assign a role. Some values are specified
within the template. The following template demonstrates:

How to assign the Reader role to a user, group, or application at a resource group
scope

To use the template, you must do the following:

Create a new JSON file and copy the template

Replace <your-principal-id> with the ID of a user, group, managed identity, or
application to assign the role to

JSON

{
"$schema": "https://schema.management.azure.com/schemas/2015-01-
01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(resourceGroup().id)]",
"properties": {
"roleDefinitionId": "[concat('/subscriptions/',
subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-
bd42-f606fba81ae7')]",
"principalId": "<your-principal-id>"
}
}
]
}

Here are example New-AzResourceGroupDeployment and az deployment group create

commands for how to start the deployment in a resource group named ExampleGroup.

Azure PowerShell

New-AzResourceGroupDeployment -ResourceGroupName ExampleGroup -TemplateFile

rbac-test.json

Azure CLI

az deployment group create --resource-group ExampleGroup --template-file

rbac-test.json

The following shows an example of the Reader role assignment to a user for a resource
group after deploying the template.

Resource group or subscription scope

The previous template isn't very flexible. The following template uses parameters and
can be used at different scopes. The following template demonstrates:

How to assign a role to a user, group, or application at either a resource group or

subscription scope
How to specify the Owner, Contributor, and Reader roles as a parameter

To use the template, you must specify the following inputs:

The ID of a user, group, managed identity, or application to assign the role to

A unique ID that will be used for the role assignment, or you can use the default ID

JSON

{
"$schema": "https://schema.management.azure.com/schemas/2015-01-
01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"metadata": {
"description": "The principal to assign the role to"
}
},
"builtInRoleType": {
"type": "string",
"allowedValues": [
"Owner",
"Contributor",
"Reader"
],
"metadata": {
"description": "Built-in role to assign"
}
},
"roleNameGuid": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "A new GUID used to identify the role
assignment"
}
}
},
"variables": {
"Owner": "[concat('/subscriptions/', subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-
a75c-2fe8c4bcb635')]",
"Contributor": "[concat('/subscriptions/',
subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-
ab88-20f7382dd24c')]",
"Reader": "[concat('/subscriptions/', subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-
bd42-f606fba81ae7')]"
},
"resources": [
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[parameters('roleNameGuid')]",
"properties": {
"roleDefinitionId": "
[variables(parameters('builtInRoleType'))]",
"principalId": "[parameters('principalId')]"
}
}
]
}

７ Note

This template is not idempotent unless the same roleNameGuid value is provided as
a parameter for each deployment of the template. If no roleNameGuid is provided,
by default a new GUID is generated on each deployment and subsequent
deployments will fail with a Conflict: RoleAssignmentExists error.

The scope of the role assignment is determined from the level of the deployment. Here
are example New-AzResourceGroupDeployment and az deployment group create
commands for how to start the deployment at a resource group scope.

Azure PowerShell

New-AzResourceGroupDeployment -ResourceGroupName ExampleGroup -TemplateFile

rbac-test.json -principalId $objectid -builtInRoleType Reader

Azure CLI

az deployment group create --resource-group ExampleGroup --template-file

rbac-test.json --parameters principalId=$objectid builtInRoleType=Reader

Here are example New-AzDeployment and az deployment sub create commands for
how to start the deployment at a subscription scope and specify the location.

Azure PowerShell
New-AzDeployment -Location centralus -TemplateFile rbac-test.json -
principalId $objectid -builtInRoleType Reader

Azure CLI

az deployment sub create --location centralus --template-file rbac-test.json

--parameters principalId=$objectid builtInRoleType=Reader

Resource scope
If you need to assign a role at the level of a resource, set the scope property on the role
assignment to the name of the resource.

The following template demonstrates:

How to create a new storage account

How to assign a role to a user, group, or application at the storage account scope
How to specify the Owner, Contributor, and Reader roles as a parameter

To use the template, you must specify the following inputs:

The ID of a user, group, managed identity, or application to assign the role to

JSON

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-
01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"metadata": {
"description": "The principal to assign the role to"
}
},
"builtInRoleType": {
"type": "string",
"allowedValues": [
"Owner",
"Contributor",
"Reader"
],
"metadata": {
"description": "Built-in role to assign"
}
},
"roleNameGuid": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "A new GUID used to identify the role
assignment"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
}
},
"variables": {
"Owner": "[concat('/subscriptions/', subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-
a75c-2fe8c4bcb635')]",
"Contributor": "[concat('/subscriptions/',
subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-
ab88-20f7382dd24c')]",
"Reader": "[concat('/subscriptions/', subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-
bd42-f606fba81ae7')]",
"storageName": "[concat('storage',
uniqueString(resourceGroup().id))]"
},
"resources": [
{
"apiVersion": "2019-04-01",
"type": "Microsoft.Storage/storageAccounts",
"name": "[variables('storageName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"properties": {}
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[parameters('roleNameGuid')]",
"scope": "[concat('Microsoft.Storage/storageAccounts', '/',
variables('storageName'))]",
"dependsOn": [
"[variables('storageName')]"
],
"properties": {
"roleDefinitionId": "
[variables(parameters('builtInRoleType'))]",
"principalId": "[parameters('principalId')]"
}
}
]
}
To deploy the previous template, you use the resource group commands. Here are
example New-AzResourceGroupDeployment and az deployment group create
commands for how to start the deployment at a resource scope.

Azure PowerShell

New-AzResourceGroupDeployment -ResourceGroupName ExampleGroup -TemplateFile

rbac-test.json -principalId $objectid -builtInRoleType Contributor

Azure CLI

az deployment group create --resource-group ExampleGroup --template-file

rbac-test.json --parameters principalId=$objectid
builtInRoleType=Contributor

The following shows an example of the Contributor role assignment to a user for a
storage account after deploying the template.

New service principal

If you create a new service principal and immediately try to assign a role to that service
principal, that role assignment can fail in some cases. For example, if you create a new
managed identity and then try to assign a role to that service principal in the same
Azure Resource Manager template, the role assignment might fail. The reason for this
failure is likely a replication delay. The service principal is created in one region;
however, the role assignment might occur in a different region that hasn't replicated the
service principal yet.
To address this scenario, you should set the principalType property to
ServicePrincipal when creating the role assignment. You must also set the apiVersion
of the role assignment to 2018-09-01-preview or later. 2022-04-01 is the first stable
version.

The following template demonstrates:

How to create a new managed identity service principal

How to specify the principalType
How to assign the Contributor role to that service principal at a resource group
scope

To use the template, you must specify the following inputs:

The base name of the managed identity, or you can use the default string

JSON

{
"$schema": "http://schema.management.azure.com/schemas/2015-01-
01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"baseName": {
"type": "string",
"defaultValue": "msi-test"
}
},
"variables": {
"identityName": "[concat(parameters('baseName'), '-bootstrap')]",
"bootstrapRoleAssignmentId": "[guid(concat(resourceGroup().id,
'contributor'))]",
"contributorRoleDefinitionId": "[concat('/subscriptions/',
subscription().subscriptionId,
'/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-
ab88-20f7382dd24c')]"
},
"resources": [
{
"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
"name": "[variables('identityName')]",
"apiVersion": "2018-11-30",
"location": "[resourceGroup().location]"
},
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[variables('bootstrapRoleAssignmentId')]",
"dependsOn": [
"
[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',
variables('identityName'))]"
],
"properties": {
"roleDefinitionId": "
[variables('contributorRoleDefinitionId')]",
"principalId": "
[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities',
variables('identityName')), '2018-11-30').principalId]",
"principalType": "ServicePrincipal"
}
}
]
}

Here are example New-AzResourceGroupDeployment and az deployment group create

commands for how to start the deployment at a resource group scope.

Azure PowerShell

New-AzResourceGroupDeployment -ResourceGroupName ExampleGroup2 -TemplateFile

rbac-test.json

Azure CLI

az deployment group create --resource-group ExampleGroup2 --template-file

rbac-test.json

The following shows an example of the Contributor role assignment to a new managed
identity service principal after deploying the template.

Next steps
Quickstart: Create and deploy ARM templates by using the Azure portal
Understand the structure and syntax of ARM templates
Create resource groups and resources at the subscription level
Azure Quickstart Templates
Activate eligible Azure role assignments
(Preview)
Article • 06/28/2024

） Important

Azure role assignment integration with Privileged Identity Management is currently

Eligible Azure role assignments provide just-in-time access to a role for a limited period
of time. Microsoft Entra Privileged Identity Management (PIM) role activation has been
integrated into the Access control (IAM) page in the Azure portal. If you have been
made eligible for an Azure role, you can activate that role using the Azure portal. This
capability is being deployed in stages, so it might not be available yet in your tenant or
your interface might look different.

Prerequisites
Microsoft Entra ID P2 license or Microsoft Entra ID Governance license
Eligible role assignment
Microsoft.Authorization/roleAssignments/read permission, such as Reader

Activate group membership (if needed)

If you have been made eligible for a group (PIM for Groups) and this group has an
eligible role assignment, you must first activate your group membership before you can
see the eligible role assignment for the group. For this scenario, you must activate twice
- first for the group and then for the role.

For steps on how to activate your group membership, see Activate your group
membership or ownership in Privileged Identity Management.

Activate role using the Azure portal

These steps describe how to activate an eligible role assignment using the Azure portal.
1. Sign in to the Azure portal .

2. Click All services and then select the scope. For example, you can select
Management groups, Subscriptions, Resource groups, or a resource.

3. Click the specific resource.

4. Click Access control (IAM).

5. Click Activate role.

The assignments pane appears and lists your eligible role assignments.

6. Add a check mark next to a role you want to activate and then click Activate role.

The Activate pane appears with activate settings.

7. On the Activate tab, specify the start time, duration, and reason. If you want to
customize the activation start time, check the Custom activation start time box.


8. (Optional) Click the Scope tab to specify the scope for the role assignment.

If your eligible role assignment was defined at a higher scope, you can select a
lower scope to narrow your access. For example, if you have an eligible role
assignment at subscription scope, you can choose resource groups in the
subscription to narrow your scope.


9. When finished, click the Activate button to activate the role with the selected
settings.

Progress messages appear to indicate the status of the activation.



When activation is complete, you see a message that the role was successfully
activated.

Once an eligible role assignment has been activated, it will be listed as an active
time-bound role assignment on the Role assignments tab. For more information,
see List Azure role assignments using the Azure portal.

Next steps
Integration with Privileged Identity Management (Preview)
Activate my Azure resource roles in Privileged Identity Management

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Assign a user as an administrator of an
Azure subscription with conditions
Article • 01/30/2024

To make a user an administrator of an Azure subscription, you assign them the Owner
role at the subscription scope. The Owner role gives the user full access to all resources
in the subscription, including the permission to grant access to others. Since the Owner
role is a highly privileged role, Microsoft recommends you add a condition to constrain
the role assignment. For example, you can allow a user to only assign the Virtual
Machine Contributor role to service principals.

This article describes how to assign a user as an administrator of an Azure subscription

with conditions. These steps are the same as any other role assignment.

Prerequisites
To assign Azure roles, you must have:

Microsoft.Authorization/roleAssignments/write permissions, such as Role Based

Access Control Administrator or User Access Administrator

Step 1: Open the subscription

1. Sign in to the Azure portal .

2. In the Search box at the top, search for subscriptions.

3. Click the subscription you want to use.

The following shows an example subscription.

Step 2: Open the Add role assignment page
Access control (IAM) is the page that you typically use to assign roles to grant access to
Azure resources. It's also known as identity and access management (IAM) and appears
in several locations in the Azure portal.

1. Click Access control (IAM).

The following shows an example of the Access control (IAM) page for a
subscription.
2. Click the Role assignments tab to view the role assignments at this scope.

3. Click Add > Add role assignment.

If you don't have permissions to assign roles, the Add role assignment option will
be disabled.

The Add role assignment page opens.

Step 3: Select the Owner role

The Owner role grant full access to manage all resources, including the ability to assign
roles in Azure RBAC. You should have a maximum of 3 subscription owners to reduce
the potential for breach by a compromised owner.

1. On the Role tab, select the Privileged administrator roles tab.

2. Select the Owner role.

3. Click Next.

Step 4: Select who needs access

1. On the Members tab, select User, group, or service principal.
2. Click Select members.

3. Find and select the user.

You can type in the Select box to search the directory for display name or email
address.

4. Click Save to add the user to the Members list.

5. In the Description box enter an optional description for this role assignment.

Later you can show this description in the role assignments list.

6. Click Next.

Step 5: Add a condition

Since the Owner role is a highly privileged role, Microsoft recommends you add a
condition to constrain the role assignment.
1. On the Conditions tab under What user can do, select the Allow user to only
assign selected roles to selected principals (fewer privileges) option.

2. Select Select roles and principals.

The Add role assignment condition page appears with a list of condition templates.

3. Select a condition template and then select Configure.

ﾉ Expand table

Condition template Select this template to

Constrain roles Allow user to only assign roles you select

Constrain roles and Allow user to only assign roles you select
principal types Allow user to only assign these roles to principal types you
Condition template Select this template to

select (users, groups, or service principals)

Constrain roles and Allow user to only assign roles you select
principals Allow user to only assign these roles to principals you select

 Tip

If you want to allow most role assignments, but don't allow specific role
assignments, you can use the advanced condition editor and manually add a
condition. For an example, see Example: Allow most roles, but don't allow
others to assign roles.

4. In the configure pane, add the required configurations.

5. Select Save to add the condition to the role assignment.

Step 6: Assign role
1. On the Review + assign tab, review the role assignment settings.

2. Click Review + assign to assign the role.

After a few moments, the user is assigned the Owner role for the subscription.

Next steps
Assign Azure roles using the Azure portal
Organize your resources with Azure management groups
Alert on privileged Azure role assignments
Delegate Azure role assignment
management to others with conditions
Article • 04/16/2024

As an administrator, you might get several requests to grant access to Azure resources
that you want to delegate to someone else. You could assign a user the Owner or User
Access Administrator roles, but these are highly privileged roles. This article describes a
more secure way to delegate role assignment management to other users in your
organization, but add restrictions for those role assignments. For example, you can
constrain the roles that can be assigned or constrain the principals the roles can be
assigned to.

The following diagram shows how a delegate with conditions can only assign the
Backup Contributor or Backup Reader roles to only the Marketing or Sales groups.

Prerequisites
To assign Azure roles, you must have:

Microsoft.Authorization/roleAssignments/write permissions, such as Role Based

Access Control Administrator or User Access Administrator

Step 1: Determine the permissions the delegate

needs
To help determine the permissions the delegate needs, answer the following questions:
What roles can the delegate assign?
What types of principals can the delegate assign roles to?
Which principals can the delegate assign roles to?
Can delegate remove any role assignments?

Once you know the permissions that delegate needs, you use the following steps to add
a condition to the delegate's role assignment. For example conditions, see Examples to
delegate Azure role assignment management with conditions.

Step 2: Start a new role assignment

1. Sign in to the Azure portal .

2. Follow the steps to open the Add role assignment page.

3. On the Roles tab, select the Privileged administrator roles tab.

4. Select the Role Based Access Control Administrator role.

The Conditions tab appears.

You can select any role that includes the

Microsoft.Authorization/roleAssignments/write or
Microsoft.Authorization/roleAssignments/delete actions, such as User Access

Administrator, but Role Based Access Control Administrator has fewer permissions.

5. On the Members tab, find and select the delegate.

Step 3: Add a condition

There are two ways that you can add a condition. You can use a condition template or
you can use an advanced condition editor.

Template

1. On the Conditions tab under What user can do, select the Allow user to only
assign selected roles to selected principals (fewer privileges) option.


2. Select Select roles and principals.

The Add role assignment condition page appears with a list of condition
templates.

3. Select a condition template and then select Configure.

ﾉ Expand table

Condition template Select this template to

Constrain roles Allow user to only assign roles you select

Condition template Select this template to

Constrain roles and Allow user to only assign roles you select
principal types Allow user to only assign these roles to principal types you
select (users, groups, or service principals)

Constrain roles and Allow user to only assign roles you select
principals Allow user to only assign these roles to principals you select

Allow all except specific Allow user to assign all roles except the roles you select
roles

4. In the configure pane, add the required configurations.

5. Select Save to add the condition to the role assignment.

Step 4: Assign role with condition to delegate

1. On the Review + assign tab, review the role assignment settings.
2. Select Review + assign to assign the role.

After a few moments, the delegate is assigned the Role Based Access Control
Administrator role with your role assignment conditions.

Step 5: Delegate assigns roles with conditions

Delegate can now follow steps to assign roles.

When the delegate tries to assign roles in the Azure portal, the list of roles will be
filtered to just show the roles they can assign.

If there is a condition for principals, the list of principals available for assignment
are also filtered.


If the delegate attempts to assign a role that is outside the conditions using an
API, the role assignment fails with an error. For more information, see Symptom -
Unable to assign a role.

Edit a condition
There are two ways that you can edit a condition. You can use the condition template or
you can use the condition editor.

1. In the Azure portal, open Access control (IAM) page for the role assignment that
has a condition that you want to view, edit, or delete.

2. Select the Role assignments tab and find the role assignment.

3. In the Condition column, select View/Edit.

If you don't see the View/Edit link, be sure you're looking at the same scope as the
role assignment.


The Add role assignment condition page appears. This page will look different
depending on whether the condition matches an existing template.

4. If the condition matches an existing template, select Configure to edit the

condition.

5. If the condition doesn't match an existing template, use the advanced condition
editor to edit the condition.
For example, to edit a condition, scroll down to the build expression section and
update the attributes, operator, or values.

To edit the condition directly, select the Code editor type and then edit the code
for the condition.

6. When finished, click Save to update the condition.

Next steps
Delegate Azure access management to others
Authorization actions and attributes
Add or edit Azure role assignment
conditions using the Azure portal
Article • 04/01/2024

An Azure role assignment condition is an optional check that you can add to your role
assignment to provide more fine-grained access control. For example, you can add a
condition that requires an object to have a specific tag to read the object. This article
describes how to add, edit, view, or delete conditions for your role assignments using
the Azure portal.

Prerequisites
For information about the prerequisites to add or edit role assignment conditions, see
Conditions prerequisites.

Step 1: Determine the condition you need

To get some ideas about conditions that could be useful to you, review the examples in
Example Azure role assignment conditions for Blob Storage.

Currently, conditions can be added to built-in or custom role assignments that have
blob storage data actions or queue storage data actions. These include the following
built-in roles:

Storage Blob Data Contributor

Storage Blob Data Owner
Storage Blob Data Reader
Storage Queue Data Contributor
Storage Queue Data Message Processor
Storage Queue Data Message Sender
Storage Queue Data Reader

Step 2: Choose how to add condition

There are two ways that you can add a condition. You can add a condition when you
add a new role assignment or you can add a condition to an existing role assignment.

New role assignment

1. Follow the steps to Assign Azure roles using the Azure portal.

2. On the Conditions (optional) tab, click Add condition.

If you don't see the Conditions (optional) tab, be sure you selected a role that
supports conditions.

The Add role assignment condition page appears.

Existing role assignment

1. In the Azure portal, open Access control (IAM) at the scope where you want to
add a condition. For example, you can open a subscription, resource group, or a
resource.

Currently, you can't use the Azure portal to add, view, edit, or delete a condition
add at a management group scope.

2. Click the Role assignments tab to view all the role assignments at this scope.

3. Find a role assignment that has storage data actions that you want to add a
condition to.

4. In the Condition column, click Add.

If you don't see the Add link, be sure you're looking at the same scope as the role
assignment.
The Add role assignment condition page appears.

Step 3: Review basics

Once you have the Add role assignment condition page open, you can review the basics
of the condition. Role indicates the role that the condition will be added to.

1. For the Editor type option, leave the default Visual selected.

Once you add a condition, you can toggle between Visual and Code.

2. (Optional) If the Description box appears, enter a description.

Depending on how you chose to add a condition, you might not see the
Description box. A description can help you understand and remember the
purpose of the condition.
Step 4: Add actions
1. In the Add action section, click Add action.

The Select an action pane appears. This pane is a filtered list of data actions based
on the role assignment that will be the target of your condition. For more
information, see Azure role assignment condition format and syntax.

2. Select the actions you want to allow if the condition is true.

If you select multiple actions for a single condition, there might be fewer attributes
to choose from for your condition because the attributes must be available across
the selected actions.

3. Click Select.

The selected actions appear in the action list.

Step 5: Build expressions

1. In the Build expression section, click Add expression.

The Expressions section expands.

2. In the Attribute source list, select where the attribute can be found.

Environment indicates that the attribute is associated with the network

environment over which the resource is accessed such as a private link, or the
current date and time.
Resource indicates that the attribute is on the resource, such as container
name.
Request indicates that the attribute is part of the action request, such as
setting the blob index tag.
Principal indicates that the attribute is a Microsoft Entra custom security
attribute principal, such as a user, enterprise application (service principal), or
managed identity.

3. In the Attribute list, select an attribute for the left side of the expression.

For more information about supported attribute sources and individual attributes,
see Attributes.

Depending on the attribute you select, boxes might be added to specify additional
attribute details or operators. For example, some attributes support the Exists
function operator, which you can use to test whether the attribute is currently
associated with the resource such as an encryption scope.

4. In the Operator list, select an operator.

For more information, see Azure role assignment condition format and syntax.

5. In the Value box, enter a value for the right side of the expression.
6. Add more expressions as needed.

If you add three or more expressions, you might need to group them with
parentheses so the connecting logical operators are evaluated correctly. Add check
marks next to the expressions you want to group and then select Group. To
remove grouping, select Ungroup.
Step 6: Review and add condition
1. Scroll up to Editor type and click Code.

The condition is displayed as code. You can make changes to the condition in this
code editor. The code editor can be useful for pasting sample code, or for adding
more operators or logic to build more complex conditions. To go back to the visual
editor, click Visual.

2. Click Save to add the condition to the role assignment.

View, edit, or delete a condition

1. In the Azure portal, open Access control (IAM) for the role assignment that has a
condition that you want to view, edit, or delete.

2. Click the Role assignments tab and find the role assignment.

3. In the Condition column, click View/Edit.

If you don't see the View/Edit link, be sure you're looking at the same scope as the
role assignment.
The Add role assignment condition page appears.

4. Use the editor to view or edit the condition.

5. When finished, click Save. To delete the entire condition, click Delete condition.
Deleting the condition does not remove the role assignment.

Next steps
Example Azure role assignment conditions for Blob Storage
Tutorial: Add a role assignment condition to restrict access to blobs using the
Azure portal
Troubleshoot Azure role assignment conditions
Add or edit Azure role assignment
conditions using Azure PowerShell
Article • 04/16/2024

An Azure role assignment condition is an additional check that you can optionally add
to your role assignment to provide more fine-grained access control. For example, you
can add a condition that requires an object to have a specific tag to read the object. This
article describes how to add, edit, list, or delete conditions for your role assignments
using Azure PowerShell.

Prerequisites
For information about the prerequisites to add or edit role assignment conditions, see
Conditions prerequisites.

Add a condition
To add a role assignment condition, use New-AzRoleAssignment. The New-
AzRoleAssignment command includes the following parameters related to conditions.

ﾉ Expand table

Parameter Type Description

Condition String Condition under which the user can be granted permission.

ConditionVersion String Version of the condition syntax. Must be set to 2.0. If Condition is
specified, ConditionVersion must also be specified.

The following example shows how to initialize the variables to assign the Storage Blob
Data Reader role with a condition. The condition checks whether container name equals
'blobs-example-container'.

Azure PowerShell

$subscriptionId = "<subscriptionId>"
$resourceGroup = "<resourceGroup>"
$roleDefinitionName = "Storage Blob Data Reader"
$roleDefinitionId = "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"
$userObjectId = "<userObjectId>"
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$description = "Read access if container name equals blobs-example-
container"
$condition = "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container'))"
$conditionVersion = "2.0"

Use New-AzRoleAssignment to assign the role with a condition.

Azure PowerShell

New-AzRoleAssignment -ObjectId $userObjectId -Scope $scope -RoleDefinitionId

$roleDefinitionId -Description $description -Condition $condition -
ConditionVersion $conditionVersion

Here's an example of the output:

Azure PowerShell

RoleAssignmentId :
/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Mic
rosoft.Authorization/roleAssignments/<roleAssignmentId>
Scope :
/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>
DisplayName : User1
SignInName : user1@contoso.com
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId : <userObjectId>
ObjectType : User
CanDelegate : False
Description : Read access if container name equals blobs-example-
container
ConditionVersion : 2.0
Condition : ((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container'))

In PowerShell, if your condition includes a dollar sign ($), you must prefix it with a
backtick (`). For example, the following condition uses dollar signs to delineate the tag
key name. For more information about rules for quotation marks in PowerShell, see
About Quoting Rules.

Azure PowerShell
$condition = "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/t
ags:Project<`$key_case_sensitive`$>] StringEquals 'Cascade'))"

Edit a condition
To edit an existing role assignment condition, use Set-AzRoleAssignment. Only the
Condition , ConditionVersion , and Description properties can be edited. The -PassThru

parameter causes Set-AzRoleAssignment to return the updated role assignment, which

allows visualization or storage in a variable for further use.

There are two ways to edit a condition. You can use the PSRoleAssignment object or a
JSON file.

Edit a condition using the PSRoleAssignment object

1. Use Get-AzRoleAssignment to get the existing role assignment with a condition as
a PSRoleAssignment object.

Azure PowerShell

$testRa = Get-AzRoleAssignment -Scope $scope -RoleDefinitionName

$roleDefinitionName -ObjectId $userObjectId

2. Edit the condition.

Azure PowerShell

$condition = "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containe
rs/blobs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:na
me] StringEquals 'blobs-example-container' OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:nam
e] StringEquals 'blobs-example-container2'))"

3. Initialize the condition and description.

Azure PowerShell

$testRa.Condition = $condition
$testRa.Description = "Read access if container name equals blobs-
example-container or blobs-example-container2"

4. Use Set-AzRoleAssignment to update the condition for the role assignment.

Azure PowerShell

Set-AzRoleAssignment -InputObject $testRa -PassThru

Here's an example of the output:

Azure PowerShell

RoleAssignmentId :
/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/provider
s/Microsoft.Authorization/roleAssignments/<roleAssignmentId>
Scope :
/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>
DisplayName : User1
SignInName : user1@contoso.com
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId : <userObjectId>
ObjectType : User
CanDelegate : False
Description : Read access if container name equals blobs-
example-container or blobs-example-container2
ConditionVersion : 2.0
Condition : ((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containe
rs/blobs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:na
me] StringEquals 'blobs-example-container' OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:nam
e] StringEquals 'blobs-example-container2'))

Edit a condition using a JSON file

To edit a condition, you can also provide a JSON file as input. The following shows an
example JSON file where Condition and Description are updated. You must specify all
the properties in the JSON file to update a condition.

JSON

{
"RoleDefinitionId": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"ObjectId": "<userObjectId>",
"ObjectType": "User",
"Scope":
"/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>",
"Condition": "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container' OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container2'))",
"ConditionVersion": "2.0",
"CanDelegate": false,
"Description": "Read access if container name equals blobs-example-
container or blobs-example-container2",
"RoleAssignmentId":
"/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Mi
crosoft.Authorization/roleAssignments/<roleAssignmentId>"
}

Use Set-AzRoleAssignment to update the condition for the role assignment.

Azure PowerShell

Set-AzRoleAssignment -InputFile "C:\path\roleassignment.json" -PassThru

Here's an example of the output:

Azure PowerShell

RoleAssignmentId :
/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Mic
rosoft.Authorization/roleAssignments/<roleAssignmentId>
Scope :
/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>
DisplayName : User1
SignInName : user1@contoso.com
RoleDefinitionName : Storage Blob Data Reader
RoleDefinitionId : 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
ObjectId : <userObjectId>
ObjectType : User
CanDelegate : False
Description : Read access if container name equals blobs-example-
container or blobs-example-container2
ConditionVersion : 2.0
Condition : ((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container' OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container2'))
Edit conditions in multiple role assignments
If you need to make the same update to multiple role assignments, you can use a loop.
The following commands perform the following task:

Finds role assignments in a subscription with <find-condition-string-1> or <find-

condition-string-2> strings in the condition.

Azure PowerShell

$tenantId = "<your-tenant-id>"
$subscriptionId = "<your-subscription-id>";
$scope = "/subscriptions/$subscriptionId"
$findConditionString1 = "<find-condition-string-1>"
$findConditionString2 = "<find-condition-string-2>"
Connect-AzAccount -TenantId $tenantId -SubscriptionId $subscriptionId
$roleAssignments = Get-AzRoleAssignment -Scope $scope
$foundRoleAssignments = $roleAssignments | Where-Object { ($_.Condition
-Match $findConditionString1) -Or ($_.Condition -Match
$findConditionString2) }

The following commands perform the following tasks:

In the condition of the found role assignments, replaces <condition-string> with

<replace-condition-string> .

Updates the role assignments with the changes.

Azure PowerShell

$conditionString = "<condition-string>"
$conditionStringReplacement = "<condition-string-replacement>"
$updatedRoleAssignments = $foundRoleAssignments | ForEach-Object {
$_.Condition = $_.Condition -replace $conditionString,
$conditionStringReplacement; $_ }
$updatedRoleAssignments | ForEach-Object { Set-AzRoleAssignment -
InputObject $_ -PassThru }

If strings include special characters, such as square brackets ([ ]), you'll need to escape
these characters with a backslash (\).

List a condition
To list a role assignment condition, use Get-AzRoleAssignment. For more information,
see List Azure role assignments using Azure PowerShell.
Delete a condition
To delete a role assignment condition, edit the role assignment condition and set both
the Condition and ConditionVersion properties to either an empty string ( "" ) or $null .

Alternatively, if you want to delete both the role assignment and the condition, you can
use the Remove-AzRoleAssignment command. For more information, see Remove Azure
role assignments.

Next steps
Example Azure role assignment conditions for Blob Storage
Tutorial: Add a role assignment condition to restrict access to blobs using Azure
PowerShell
Troubleshoot Azure role assignment conditions
Add or edit Azure role assignment
conditions using Azure CLI
Article • 01/02/2024

Prerequisites
For information about the prerequisites to add or edit role assignment conditions, see
Conditions prerequisites.

Add a condition
To add a role assignment condition, use az role assignment create. The az role
assignment create command includes the following parameters related to conditions.

ﾉ Expand table

Parameter Type Description

condition String Condition under which the user can be granted permission.

condition- String Version of the condition syntax. If --condition is specified without --

version condition-version , the version is set to the default value of 2.0.

The following example shows how to assign the Storage Blob Data Reader role with a
condition. The condition checks whether container name equals 'blobs-example-
container'.

Azure CLI

az role assignment create --role "Storage Blob Data Reader" --scope

/subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName --
assignee "user1@contoso.com" \
--description "Read access if container name equals blobs-example-container"
\
--condition "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container'))" \
--condition-version "2.0"

The following shows an example of the output:

Azure CLI

{
"canDelegate": null,
"condition": "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container'))",
"conditionVersion": "2.0",
"description": "Read access if container name equals blobs-example-
container",
"id":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Mi
crosoft.Authorization/roleAssignments/{roleAssignmentId}",
"name": "{roleAssignmentId}",
"principalId": "{userObjectId}",
"principalType": "User",
"resourceGroup": "{resourceGroup}",
"roleDefinitionId":
"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefin
itions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"scope":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
"type": "Microsoft.Authorization/roleAssignments"
}

Edit a condition
To edit an existing role assignment condition, use az role assignment update and a
JSON file as input. The following shows an example JSON file where condition and
description are updated. Only the condition , conditionVersion , and description
properties can be edited. You must specify all the properties to update the role
assignment condition.

JSON

{
"canDelegate": null,
"condition": "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container' OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container2'))",
"conditionVersion": "2.0",
"description": "Read access if container name equals blobs-example-
container or blobs-example-container2",
"id":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Mi
crosoft.Authorization/roleAssignments/{roleAssignmentId}",
"name": "{roleAssignmentId}",
"principalId": "{userObjectId}",
"principalType": "User",
"resourceGroup": "{resourceGroup}",
"roleDefinitionId":
"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefin
itions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"scope":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
"type": "Microsoft.Authorization/roleAssignments"
}

Use az role assignment update to update the condition for the role assignment.

Azure CLI

az role assignment update --role-assignment "./path/roleassignment.json"

The following shows an example of the output:

Azure CLI

{
"canDelegate": null,
"condition": "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container' OR
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container2'))",
"conditionVersion": "2.0",
"description": "Read access if container name equals blobs-example-
container or blobs-example-container2",
"id":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Mi
crosoft.Authorization/roleAssignments/{roleAssignmentId}",
"name": "{roleAssignmentId}",
"principalId": "{userObjectId}",
"principalType": "User",
"resourceGroup": "{resourceGroup}",
"roleDefinitionId":
"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefin
itions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"scope":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
"type": "Microsoft.Authorization/roleAssignments"
}

List a condition
To list a role assignment condition, use az role assignment list. For more information,
see List Azure role assignments using Azure CLI.

Delete a condition
To delete a role assignment condition, edit the role assignment condition and set both
the condition and condition-version properties to either an empty string ( "" ) or null .

Alternatively, if you want to delete both the role assignment and the condition, you can
use the az role assignment delete command. For more information, see Remove Azure
role assignments.

Next steps
Example Azure role assignment conditions for Blob Storage
Tutorial: Add a role assignment condition to restrict access to blobs using Azure
CLI
Troubleshoot Azure role assignment conditions
Add or edit Azure role assignment
conditions using the REST API
Article • 10/24/2022

Prerequisites
You must use the following versions:

2020-03-01-preview or later
2020-04-01-preview or later if you want to utilize the description property for role

assignments
2022-04-01 is the first stable version

For more information about the prerequisites to add or edit role assignment conditions,
see Conditions prerequisites.

Add a condition
To add a role assignment condition, use the Role Assignments - Create REST API. Role
Assignments - Create includes the following parameters related to conditions.

Parameter Type Description

condition String Condition under which the user can be granted permission.

conditionVersion String Version of the condition syntax. If condition is specified without

conditionVersion , the version is set to the default value of 2.0.

Use the following request and body:

HTTP

PUT
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleA
ssignments/{roleAssignmentId}?api-version=2022-04-01
JSON

{
"properties": {
"roleDefinitionId":
"/{scope}/providers/Microsoft.Authorization/roleDefinitions/{roleDefinitionI
d}",
"principalId": "{principalId}",
"condition": "{condition}",
"conditionVersion": "2.0",
"description": "{description}"
}
}

The following example shows how to assign the Storage Blob Data Reader role with a
condition. The condition checks whether container name equals 'blobs-example-
container'.

HTTP

PUT
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{
resourceGroupName}/providers/Microsoft.Authorization/roleAssignments/{roleAs
signmentId}?api-version=2022-04-01

JSON

{
"properties": {
"roleDefinitionId":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/provider
s/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-
a410df84e7d1",
"principalId": "{principalId}",
"condition": "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container'))",
"conditionVersion": "2.0",
"description": "Read access if container name equals blobs-example-
container"
}
}

The following shows an example of the output:

JSON
{
"properties": {
"roleDefinitionId":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/provider
s/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-
a410df84e7d1",
"principalId": "{principalId}",
"principalType": "User",
"scope":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
"condition": "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container'))",
"conditionVersion": "2.0",
"createdOn": "2022-07-20T06:20:44.0205560Z",
"updatedOn": "2022-07-20T06:20:44.2955371Z",
"createdBy": null,
"updatedBy": "{updatedById}",
"delegatedManagedIdentityResourceId": null,
"description": "Read access if container name equals blobs-example-
container"
},
"id":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/provider
s/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
"type": "Microsoft.Authorization/roleAssignments",
"name": "{roleAssignmentId}"
}

Edit a condition
To edit an existing role assignment condition, use the same Role Assignments - Create
REST API as you used to add the role assignment condition. The following shows an
example JSON where condition and description are updated. Only the condition ,
conditionVersion , and description properties can be edited. You must specify the

other properties to match the existing role assignment.

HTTP

PUT
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{
resourceGroupName}/providers/Microsoft.Authorization/roleAssignments/{roleAs
signmentId}?api-version=2022-04-01

List a condition
To list a role assignment condition, use the Role Assignments Get or List REST API. For
more information, see List Azure role assignments using the REST API.

Delete a condition
To delete a role assignment condition, edit the role assignment condition and set both
the condition and condition version to either an empty string or null.

Alternatively, if you want to delete both the role assignment and the condition, you can
use the Role Assignments - Delete API. For more information, see Remove Azure role
assignments.

Next steps
Example Azure role assignment conditions for Blob Storage
Tutorial: Add a role assignment condition to restrict access to blobs using the
Azure portal
Troubleshoot Azure role assignment conditions
Add Azure role assignment conditions
using Azure Resource Manager
templates
Article • 04/13/2023

An Azure role assignment condition is an additional check that you can optionally add
to your role assignment to provide more fine-grained access control. For example, you
can add a condition that requires an object to have a specific tag to read the object. This
article describes how to add conditions for your role assignments using Azure Resource
Manager templates.

Prerequisites
You must use the following versions:

2020-03-01-preview or later

2020-04-01-preview or later if you want to utilize the description property for role
assignments
2022-04-01 is the first stable version

For more information about the prerequisites to add role assignment conditions, see
Conditions prerequisites.

Add a condition
The following template shows how to assign the Storage Blob Data Reader role with a
condition. The condition checks whether the container name equals 'blobs-example-
container'.

To use the template, you must specify the following input:

The ID of a user, group, managed identity, or application to assign the role to.
The type of principal, such as User , Group , or ServicePrincipal . For more
information, see New service principal.

JSON

{
"$schema": "https://schema.management.azure.com/schemas/2019-04-
01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"principalId": {
"type": "string",
"metadata": {
"description": "Principal ID to assign the role to"
}
},
"principalType": {
"type": "string",
"metadata": {
"description": "Type of principal"
}
},
"roleAssignmentGuid": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "New GUID used to identify the role
assignment"
}
}
},
"variables": {
"StorageBlobDataReader": "[concat(subscription().Id,
'/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-
a410df84e7d1')]" // ID for Storage Blob Data Reader role, but can be any
valid role ID
},
"resources": [
{
"name": "[parameters('roleAssignmentGuid')]",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01", // API version to call the role
assignment PUT.
"properties": {
"roleDefinitionId": "[variables('StorageBlobDataReader')]",
"principalId": "[parameters('principalId')]",
"principalType": "[parameters('principalType')]",
"description": "Role assignment condition created with an
ARM template",
"condition": "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]
StringEquals 'blobs-example-container'))", // Role assignment condition
"conditionVersion": "2.0"
}
}
]
}
The scope of the role assignment is determined from the level of the deployment. Here
are example New-AzResourceGroupDeployment and az deployment group create
commands for how to start the deployment at a resource group scope.

Azure PowerShell

New-AzResourceGroupDeployment -ResourceGroupName example-group -TemplateFile

rbac-test.json -principalId $principalId -principalType "User"

Azure CLI

az deployment group create --resource-group example-group --template-file

rbac-test.json --parameters principalId=$principalId principalType="User"

Next steps
Example Azure role assignment conditions for Blob Storage
Troubleshoot Azure role assignment conditions
Assign Azure roles using Azure Resource Manager templates
Example Azure role assignment
conditions for Blob Storage
Article • 04/01/2024

This article lists some examples of role assignment conditions for controlling access to
Azure Blob Storage.

） Important

Azure attribute-based access control (Azure ABAC) is generally available (GA) for
controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure
Queues using request , resource , environment , and principal attributes in both
the standard and premium storage account performance tiers. Currently, the
container metadata resource attribute and the list blob include request attribute
are in PREVIEW. For complete feature status information of ABAC for Azure Storage,
see Status of condition features in Azure Storage.

See the Supplemental Terms of Use for Microsoft Azure Previews for legal
terms that apply to Azure features that are in beta, preview, or otherwise not yet
released into general availability.

Prerequisites
For information about the prerequisites to add or edit role assignment conditions, see
Conditions prerequisites.

Summary of examples in this article

Use the following table to quickly locate an example that fits your ABAC scenario. The
table includes a brief description of the scenario, plus a list of attributes used in the
example by source (environment, principal, request and resource).

ﾉ Expand table

Example Environment Principal Request Resource

Read blobs with a blob index tag tags

Example Environment Principal Request Resource

New blobs must include a blob tags

index tag

Existing blobs must have blob tags

index tag keys

Existing blobs must have a blob tags

index tag key and values

Read, write, or delete blobs in container name

named containers

Read blobs in named containers container name

with a path blob path

Read or list blobs in named blob container name

containers with a path prefix blob path

Write blobs in named containers container name

with a path blob path

Read blobs with a blob index tag tags

and a path blob path

Read blobs in container with container

specific metadata metadata

Write or delete blobs in container container

with specific metadata metadata

Read only current blob versions isCurrentVersion

Read current blob versions and a versionId isCurrentVersion

specific blob version

Delete old blob versions versionId

Read current blob versions and any snapshot isCurrentVersion

blob snapshots

Allow list blob operation to include list blob

blob metadata, snapshots, or include
versions

Restrict list blob operation to not list blob

include blob metadata include

Read only storage accounts with isHnsEnabled

hierarchical namespace enabled
Example Environment Principal Request Resource

Read blobs with specific encryption Encryption scope

scopes name

Read or write blobs in named Storage account

storage account with specific name
encryption scope Encryption scope
name

Read or write blobs based on blob ID tags tags

index tags and custom security
attributes

Read blobs based on blob index ID tags

tags and multi-value custom
security attributes

Allow read access to blobs after a UtcNow container name

specific date and time

Allow access to blobs in specific Subnet container name

containers from a specific subnet

Require private link access to read isPrivateLink tags

blobs with high sensitivity

Allow access to a container only Private container name

from a specific private endpoint endpoint

Example: Allow read access to Private ID tags

highly sensitive blob data only from endpoint
a specific private endpoint and by
users tagged for access

Blob index tags

This section includes examples involving blob index tags.

） Important

Although the Read content from a blob with tag conditions suboperation is
currently supported for compatibility with conditions implemented during the
ABAC feature preview, it has been deprecated and Microsoft recommends using
the Read a blob action instead.
When configuring ABAC conditions in the Azure portal, you might see
DEPRECATED: Read content from a blob with tag conditions. Microsoft
recommends removing the operation and replacing it with the Read a blob action.

If you are authoring your own condition where you want to restrict read access by
tag conditions, please refer to Example: Read blobs with a blob index tag.

Example: Read blobs with a blob index tag

This condition allows users to read blobs with a blob index tag key of Project and a
value of Cascade. Attempts to access blobs without this key-value tag isn't allowed.

For this condition to be effective for a security principal, you must add it to all role
assignments for them that include the following actions:

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.

The condition can be added to a role assignment using either the Azure portal or Azure
PowerShell. The portal has two tools for building ABAC conditions - the visual editor and
the code editor. You can switch between the two editors in the Azure portal to see your
conditions in different views. Switch between the Visual editor tab and the Code editor
tabs to view the examples for your preferred portal editor.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal visual editor.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob

Attribute source Resource

Attribute Blob index tags [Values in key]

Key {keyName}

Operator StringEquals

Value {keyValue}

Example: New blobs must include a blob index tag

This condition requires that any new blobs must include a blob index tag key of Project
and a value of Cascade.

There are two actions that allow you to create new blobs, so you must target both. You
must add this condition to any role assignments that include one of the following
actions:

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/write

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/add/action

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Write to a blob with blob index tags

Write to a blob with blob index tags
Condition #1 Setting

Attribute source Request

Attribute Blob index tags [Values in key]

Key {keyName}

Operator StringEquals

Value {keyValue}

Example: Existing blobs must have blob index tag keys

This condition requires that any existing blobs be tagged with at least one of the
allowed blob index tag keys: Project or Program. This condition is useful for adding
governance to existing blobs.

There are two actions that allow you to update tags on existing blobs, so you must
target both. You must add this condition to any role assignments that include one of the
following actions:
ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/write

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/tags/write

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Write to a blob with blob index tags

Write blob index tags

Attribute source Request

Attribute Blob index tags [Keys]

Operator ForAllOfAnyValues:StringEquals
Condition #1 Setting

Value {keyName1}
{keyName2}

Example: Existing blobs must have a blob index tag key

and values
This condition requires that any existing blobs to have a blob index tag key of Project
and values of Cascade, Baker, or Skagit. This condition is useful for adding governance
to existing blobs.

There are two actions that allow you to update tags on existing blobs, so you must
target both. You must add this condition to any role assignments that include one of the
following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/write
Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/tags/write

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Write to a blob with blob index tags

Write blob index tags

Attribute source Request

Attribute Blob index tags [Keys]

Operator ForAnyOfAnyValues:StringEquals

Value {keyName}

Operator And

Expression 2
Condition #1 Setting

Attribute source Request

Attribute Blob index tags [Values in key]

Key {keyName}

Operator ForAllOfAnyValues:StringEquals

Value {keyValue1}
{keyValue2}
{keyValue3}

Blob container names or paths

This section includes examples showing how to restrict access to objects based on
container name or blob path.
Example: Read, write, or delete blobs in named containers
This condition allows users to read, write, or delete blobs in storage containers named
blobs-example-container. This condition is useful for sharing specific storage containers
with other users in a subscription.

There are five actions for read, write, and delete of existing blobs. You must add this
condition to any role assignments that include one of the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/delete

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/write

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/add/action

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.
Add if the storage accounts included in this
condition have hierarchical namespace enabled
or might be enabled in the future.

Suboperations aren't used in this condition because the suboperation is needed only
when conditions are authored based on tags.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Delete a blob

Read a blob
Write to a blob
Create a blob or snapshot, or append data
All data operations for accounts with
hierarchical namespace enabled (if
applicable)

Attribute source Resource

Attribute Container name

Operator StringEquals

Value {containerName}


Example: Read blobs in named containers with a path

This condition allows read access to storage containers named blobs-example-container
with a blob path of readonly/*. This condition is useful for sharing specific parts of
storage containers for read access with other users in the subscription.

You must add this condition to any role assignments that include the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.
Add if the storage accounts included in this
condition have hierarchical namespace enabled
or might be enabled in the future.
The condition can be added to a role assignment using either the Azure portal or Azure
PowerShell. The portal has two tools for building ABAC conditions - the visual editor and
the code editor. You can switch between the two editors in the Azure portal to see your
conditions in different views. Switch between the Visual editor tab and the Code editor
tabs to view the examples for your preferred portal editor.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob

All data operations for accounts with
hierarchical namespace enabled (if
applicable)

Attribute source Resource

Attribute Container name

Operator StringEquals

Value {containerName}

Expression 2

Operator And

Attribute source Resource

Attribute Blob path

Condition #1 Setting

Operator StringLike

Value {pathString}

Example: Read or list blobs in named containers with a

path
This condition allows read access and also list access to storage containers named
blobs-example-container with a blob path of readonly/*. Condition #1 applies to read
actions excluding list blobs. Condition #2 applies to list blobs. This condition is useful for
sharing specific parts of storage containers for read or list access with other users in the
subscription.

You must add this condition to any role assignments that include the following actions.

ﾉ Expand table
Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.
Add if the storage accounts included in this
condition have hierarchical namespace enabled
or might be enabled in the future.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

７ Note

The Azure portal uses prefix='' to list blobs from container's root directory.
After the condition is added with the list blobs operation using prefix
StringStartsWith 'readonly/', targeted users won't be able to list blobs from
container's root directory in the Azure portal.

ﾉ Expand table
Condition #1 Setting

Actions Read a blob

All data operations for accounts with
hierarchical namespace enabled (if
applicable)

Attribute source Resource

Attribute Container name

Operator StringEquals

Value {containerName}

Expression 2

Operator And

Attribute source Resource

Attribute Blob path

Operator StringStartsWith

Value {pathString}

ﾉ Expand table

Condition #2 Setting

Actions List blobs

All data operations for accounts with
hierarchical namespace enabled (if
applicable)

Attribute source Resource

Attribute Container name

Operator StringEquals

Value {containerName}

Expression 2

Operator And

Attribute source Request

Attribute Blob prefix

Condition #2 Setting

Operator StringStartsWith

Value {pathString}

Example: Write blobs in named containers with a path

This condition allows a partner (a Microsoft Entra guest user) to drop files into storage
containers named Contosocorp with a path of uploads/contoso/*. This condition is
useful for allowing other users to put data in storage containers.

You must add this condition to any role assignments that include the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/write

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/add/action

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Write to a blob

Create a blob or snapshot, or append data
All data operations for accounts with
hierarchical namespace enabled (if
applicable)

Attribute source Resource

Attribute Container name

Operator StringEquals

Value {containerName}

Expression 2

Operator And

Attribute source Resource

Attribute Blob path

Operator StringLike

Value {pathString}


Example: Read blobs with a blob index tag and a path

This condition allows a user to read blobs with a blob index tag key of Program, a value
of Alpine, and a blob path of logs*. The blob path of logs* also includes the blob name.

You must add this condition to any role assignments that include the following action.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.
The condition can be added to a role assignment using either the Azure portal or Azure
PowerShell. The portal has two tools for building ABAC conditions - the visual editor and
the code editor. You can switch between the two editors in the Azure portal to see your
conditions in different views. Switch between the Visual editor tab and the Code editor
tabs to view the examples for your preferred portal editor.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob

Attribute source Resource

Attribute Blob index tags [Values in key]

Key {keyName}

Operator StringEquals

Value {keyValue}


ﾉ Expand table

Condition #2 Setting

Actions Read a blob

Attribute source Resource

Attribute Blob path

Operator StringLike

Value {pathString}


Blob container metadata

Example: Read blobs in container with specific metadata

This condition allows users to read blobs in blob containers with a specific metadata
key/value pair.

You must add this condition to any role assignments that include the following action.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob

Attribute source Resource

Attribute Container metadata

Operator StringEquals

Value {containerName}

Example: Write or delete blobs in container with specific

metadata
This condition allows users to write or delete blobs in blob containers with a specific
metadata key/value pair.

You must add this condition to any role assignments that include the following action.
ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/write

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/delete

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Write to a blob

Delete a blob

Attribute source Resource

Attribute Container metadata

Operator StringEquals

Value {containerName}


Blob versions or blob snapshots

This section includes examples showing how to restrict access to objects based on the
blob version or snapshot.

Example: Read only current blob versions

This condition allows a user to only read current blob versions. The user can't read other
blob versions.

You must add this condition to any role assignments that include the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob

All data operations for accounts with
hierarchical namespace enabled (if
applicable)

Attribute source Resource

Attribute Is Current Version

Operator BoolEquals

Value True

Example: Read current blob versions and a specific blob

version
This condition allows a user to read current blob versions as well as read blobs with a
version ID of 2022-06-01T23:38:32.8883645Z. The user can't read other blob versions.
The Version ID attribute is available only for storage accounts where hierarchical
namespace isn't enabled.

You must add this condition to any role assignments that include the following action.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob

Condition #1 Setting

Attribute source Request

Attribute Version ID

Operator DateTimeEquals

Value <blobVersionId>

Expression 2

Operator Or

Attribute source Resource

Attribute Is Current Version

Operator BoolEquals

Value True

Example: Delete old blob versions

This condition allows a user to delete versions of a blob that are older than 06/01/2022
to perform cleanup. The Version ID attribute is available only for storage accounts where
hierarchical namespace isn't enabled.

You must add this condition to any role assignments that include the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/delete

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/deleteBlobVersion/action
The condition can be added to a role assignment using either the Azure portal or Azure
PowerShell. The portal has two tools for building ABAC conditions - the visual editor and
the code editor. You can switch between the two editors in the Azure portal to see your
conditions in different views. Switch between the Visual editor tab and the Code editor
tabs to view the examples for your preferred portal editor.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Delete a blob

Delete a version of a blob

Attribute source Request

Attribute Version ID

Operator DateTimeLessThan

Value <blobVersionId>

Example: Read current blob versions and any blob

snapshots
This condition allows a user to read current blob versions and any blob snapshots. The
Version ID attribute is available only for storage accounts where hierarchical namespace
isn't enabled. The Snapshot attribute is available for storage accounts where hierarchical
namespace isn't enabled and currently in preview for storage accounts where
hierarchical namespace is enabled.

You must add this condition to any role assignments that include the following action.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table
Condition #1 Setting

Actions Read a blob

All data operations for accounts with
hierarchical namespace enabled (if
applicable)

Attribute source Request

Attribute Snapshot

Exists Checked

Expression 2

Operator Or

Attribute source Resource

Attribute Is Current Version

Operator BoolEquals

Value True

Example: Allow list blob operation to include blob

metadata, snapshots, or versions
This condition allows a user to list blobs in a container and include metadata, snapshot,
and version information. The List blobs include attribute is available for storage accounts
where hierarchical namespace isn't enabled.

７ Note

List blobs include is a request attribute, and works by allowing or restricting values
in the include parameter when calling the List Blobs operation. The values in the
include parameter are compared against the values specified in the condition

using cross product comparison operators. If the comparison evaluates to true, the
List Blobs request is allowed. If the comparison evaluates to false, the List Blobs

request is denied.

You must add this condition to any role assignments that include the following action.

ﾉ Expand table
Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions List blobs

Attribute source Request

Attribute List blobs include

Operator ForAllOfAnyValues:StringEqualsIgnoreCase

Value {'metadata', 'snapshots', 'versions'}



Example: Restrict list blob operation to not include blob

metadata
This condition restricts a user from listing blobs when metadata is included in the
request. The List blobs include attribute is available for storage accounts where
hierarchical namespace isn't enabled.

７ Note

using cross product comparison operators. If the comparison evaluates to true, the
List Blobs request is allowed. If the comparison evaluates to false, the List Blobs

request is denied.

You must add this condition to any role assignments that include the following action.

ﾉ Expand table
Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions List blobs

Attribute source Request

Attribute List blobs include

Operator ForAllOfAllValues:StringNotEquals

Value {'metadata'}


Hierarchical namespace
This section includes examples showing how to restrict access to objects based on
whether hierarchical namespace is enabled for a storage account.

Example: Read only storage accounts with hierarchical

namespace enabled
This condition allows a user to only read blobs in storage accounts with hierarchical
namespace enabled. This condition is applicable only at resource group scope or higher.

You must add this condition to any role assignments that include the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob

All data operations for accounts with
hierarchical namespace enabled (if
applicable)

Attribute source Resource

Attribute Is hierarchical namespace enabled

Operator BoolEquals

Value True

Encryption scope
This section includes examples showing how to restrict access to objects with an
approved encryption scope.

Example: Read blobs with specific encryption scopes

This condition allows a user to read blobs encrypted with encryption scope validScope1
or validScope2 .

You must add this condition to any role assignments that include the following action.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob

Attribute source Resource

Attribute Encryption scope name

Operator ForAnyOfAnyValues:StringEquals
Condition #1 Setting

Value <scopeName>

Example: Read or write blobs in named storage account

with specific encryption scope
This condition allows a user to read or write blobs in a storage account named
sampleaccount and encrypted with encryption scope ScopeCustomKey1 . If blobs aren't

encrypted or decrypted with ScopeCustomKey1 , the request returns forbidden.

You must add this condition to any role assignments that include the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/write

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/add/action

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.

７ Note

Since encryption scopes for different storage accounts could be different, it's
recommended to use the storageAccounts:name attribute with the
encryptionScopes:name attribute to restrict the specific encryption scope to be

allowed.
The condition can be added to a role assignment using either the Azure portal or Azure
PowerShell. The portal has two tools for building ABAC conditions - the visual editor and
the code editor. You can switch between the two editors in the Azure portal to see your
conditions in different views. Switch between the Visual editor tab and the Code editor
tabs to view the examples for your preferred portal editor.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob

Write to a blob
Create a blob or snapshot, or append data

Attribute source Resource

Attribute Account name

Operator StringEquals

Value <accountName>

Expression 2

Operator And

Attribute source Resource

Attribute Encryption scope name

Operator ForAnyOfAnyValues:StringEquals

Value <scopeName>
Principal attributes
This section includes examples showing how to restrict access to objects based on
custom security principals.

Example: Read or write blobs based on blob index tags

and custom security attributes
This condition allows read or write access to blobs if the user has a custom security
attribute that matches the blob index tag.

For example, if Brenda has the attribute Project=Baker , she can only read or write blobs
with the Project=Baker blob index tag. Similarly, Chandra can only read or write blobs
with Project=Cascade .

You must add this condition to any role assignments that include the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/write

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/add/action

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.

For more information, see Allow read access to blobs based on tags and custom security
attributes.
The condition can be added to a role assignment using either the Azure portal or Azure
PowerShell. The portal has two tools for building ABAC conditions - the visual editor and
the code editor. You can switch between the two editors in the Azure portal to see your
conditions in different views. Switch between the Visual editor tab and the Code editor
tabs to view the examples for your preferred portal editor.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob conditions

Attribute source Principal

Attribute <attributeset>_<key>

Operator StringEquals

Option Attribute

Attribute source Resource

Attribute Blob index tags [Values in key]

Key <key>

ﾉ Expand table

Condition #2 Setting

Actions Write to a blob with blob index tags

Condition #2 Setting

Write to a blob with blob index tags

Attribute source Principal

Attribute <attributeset>_<key>

Operator StringEquals

Option Attribute

Attribute source Request

Attribute Blob index tags [Values in key]

Key <key>

Example: Read blobs based on blob index tags and multi-

value custom security attributes
This condition allows read access to blobs if the user has a custom security attribute
with any values that matches the blob index tag.

For example, if Chandra has the Project attribute with the values Baker and Cascade, she
can only read blobs with the Project=Baker or Project=Cascade blob index tag.

You must add this condition to any role assignments that include the following action.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.

Portal: Visual editor

Here are the settings to add this condition using the Azure portal.

ﾉ Expand table

Condition #1 Setting

Actions Read a blob conditions

Attribute source Resource

Attribute Blob index tags [Values in key]

Key <key>

Operator ForAnyOfAnyValues:StringEquals

Option Attribute

Attribute source Principal

Attribute <attributeset>_<key>

Environment attributes
This section includes examples showing how to restrict access to objects based on the
network environment or the current date and time.

Example: Allow read access to blobs after a specific date

and time
This condition allows read access to blob container container1 only after 1 PM on May
1, 2023 Universal Coordinated Time (UTC).

There are two potential actions for reading existing blobs. To make this condition
effective for principals that have multiple role assignments, you must add this condition
to all role assignments that include any of the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServic
es/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServic Add if role definition includes this action, such

es/containers/blobs/runAsSuperUser/action as Storage Blob Data Owner.

Portal: Visual editor

Add action

Select Add action, then select only the Read a blob suboperation as shown in the
following table.

ﾉ Expand table

Action Suboperation

All read operations Read a blob

Don't select the top-level All read operations action or any other suboperations as
shown in the following image:

Build expression

Use the values in the following table to build the expression portion of the
condition:

ﾉ Expand table

Setting Value

Attribute source Resource

Attribute Container name

Operator StringEquals

Value container1

Logical operator 'AND'

Attribute source Environment

Attribute UtcNow
Setting Value

Operator DateTimeGreaterThan

Value 2023-05-01T13:00:00.000Z

The following image shows the condition after the settings are entered into the
Azure portal. You must group expressions to ensure correct evaluation.

Example: Allow access to blobs in specific containers from

a specific subnet
This condition allows read, write, add and delete access to blobs in container1 only
from subnet default on virtual network virtualnetwork1 . To use the Subnet attribute in
this example, the subnet must have service endpoints enabled for Azure Storage.

There are five potential actions for read, write, add and delete access to existing blobs.
To make this condition effective for principals that have multiple role assignments, you
must add this condition to all role assignments that include any of the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action Add if
role
definition
includes
this
action,
such as
Storage
Blob
Data
Owner.

Portal: Visual editor

Add action

Select Add action, then select only the top-level actions shown in the following
table.

ﾉ Expand table

Action Suboperation

All read operations n/a

Action Suboperation

Write to a blob n/a

Create a blob or snapshot, or append data n/a

Delete a blob n/a

Don't select any individual suboperations as shown in the following image:

Build expression
Use the values in the following table to build the expression portion of the
condition:

ﾉ Expand table

Setting Value

Attribute Resource
source

Attribute Container name

Operator StringEquals
Setting Value

Value container1

Logical 'AND'
operator

Attribute Environment
source

Attribute Subnet

Operator StringEqualsIgnoreCase

Value /subscriptions/<your subscription id>/resourceGroups/<resource group

name>/providers/Microsoft.Network/virtualNetworks/virtualnetwork1/subnets/default

The following image shows the condition after the settings are entered into the
Azure portal. You must group expressions to ensure correct evaluation.

Example: Require private link access to read blobs with

high sensitivity
This condition requires requests to read blobs where blob index tag sensitivity has a
value of high to be over a private link (any private link). This means all attempts to read
highly sensitive blobs from the public internet won't be allowed. Users can read blobs
from the public internet that have sensitivity set to some value other than high .

A truth table for this ABAC sample condition follows:

ﾉ Expand table

Action Sensitivity Private link Access

Read a blob high Yes Allowed

Read a blob high No Not Allowed

Read a blob NOT high Yes Allowed

Read a blob NOT high No Allowed

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action Add if
role
definition
includes
this
action,
such as
Storage
Blob
Data
Owner.

Here are the settings to add this condition using the visual condition editor in the
Azure portal.

Add action
Select Add action, then select only the Read a blob suboperation as shown in the
following table.

ﾉ Expand table

Action Suboperation

All read operations Read a blob

Don't select the top-level All read operations action of any other suboperations as
shown in the following image:

Build expression

Use the values in the following table to build the expression portion of the
condition:
ﾉ Expand table

Group Setting Value

Group #1

Attribute source Resource

Attribute Blob index tags [Values in key]

Key sensitivity

Operator StringEquals

Value high

Logical operator 'AND'

Attribute source Environment

Attribute Is private link

Operator BoolEquals

Value True

End of Group #1

Logical operator 'OR'

Attribute source Resource

Attribute Blob index tags [Values in key]

Key sensitivity

Operator StringNotEquals

Value high

The following image shows the condition after the settings are entered into the
Azure portal. You must group expressions to ensure correct evaluation.


Example: Allow access to a container only from a specific

private endpoint
This condition requires that all read, write, add and delete operations for blobs in a
storage container named container1 be made through a private endpoint named
privateendpoint1 . For all other containers not named container1 , access doesn't need

to be through the private endpoint.

There are five potential actions for read, write and delete of existing blobs. To make this
condition effective for principals that have multiple role assignments, you must add this
condition to all role assignments that include any of the following actions.

ﾉ Expand table

Action Notes

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Action Notes

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action Add if role

definition
includes
this action,
such as
Storage
Blob Data
Owner.
Add if the
storage
accounts
included in
this
condition
have
hierarchical
namespace
enabled or
might be
enabled in
the future.

Portal: Visual editor

Here are the settings to add this condition using the visual condition editor in the
Azure portal.

Add action

Select Add action, then select only the top-level actions shown in the following
table.

ﾉ Expand table
Action Suboperation

All read operations n/a

Write to a blob n/a

Create a blob or snapshot, or append data n/a

Delete a blob n/a

Don't select any individual suboperations as shown in the following image:

Build expression
Use the values in the following table to build the expression portion of the
condition:

ﾉ Expand table

Group Setting Value

Group
#1

Attribute Resource
Group Setting Value

source

Attribute Container name

Operator StringEquals

Value container1

Logical 'AND'
operator

Attribute Environment
source

Attribute Private endpoint

Operator StringEqualsIgnoreCase

Value /subscriptions/<your subscription id>/resourceGroups/<resource

group
name>/providers/Microsoft.Network/privateEndpoints/privateendpoint1

End of
Group
#1

Logical 'OR'
operator

Attribute Resource
source

Attribute Container name

Operator StringNotEquals

Value container1

The following image shows the condition after the settings are entered into the
Azure portal. You must group expressions to ensure correct evaluation.


Example: Allow read access to highly sensitive blob data

only from a specific private endpoint and by users tagged
for access
This condition requires that blobs with index tag sensitivity set to high can be read only
by users that have a matching value for their sensitivity security attribute. Additionally,
they must be accessed over a private endpoint named privateendpoint1 . Blobs that
have a different value for the sensitivity tag can be accessed over other endpoints or
the Internet.

ﾉ Expand table
Action Notes

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read

Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action Add if
role
definition
includes
this
action,
such as
Storage
Blob
Data
Owner.

Portal: Visual editor

Here are the settings to add this condition using the visual condition editor in the
Azure portal.

Add action
Select Add action, then select only the Read a blob suboperation as shown in the
following table.

ﾉ Expand table

Action Suboperation

All read operations Read a blob

Don't select the top-level action as shown in the following image:



Build expression

Use the values in the following table to build the expression portion of the
condition:

ﾉ Expand table

Group Setting Value

Group
#1

Attribute Principal
source

Attribute <attributeset>_<key>

Operator StringEquals

Option Attribute

Logical 'AND'
operator

Attribute Resource
source
Group Setting Value

Attribute Blob index tags [Values in key]

Key <key>

Logical 'AND'
operator

Attribute Environment
source

Attribute Private endpoint

Operator StringEqualsIgnoreCase

Value /subscriptions/<your subscription id>/resourceGroups/<resource

group
name>/providers/Microsoft.Network/privateEndpoints/privateendpoint1

End of
Group
#1

Logical 'OR'
operator

Attribute Resource
source

Attribute Blob index tags [Values in key]

Key sensitivity

Operator StringNotEquals

Value high

The following image shows the condition after the settings are entered into the
Azure portal. You must group expressions to ensure correct evaluation.


Next steps
Tutorial: Add a role assignment condition to restrict access to blobs using the
Azure portal
Actions and attributes for Azure role assignment conditions for Azure Blob Storage
Azure role assignment condition format and syntax
Troubleshoot Azure role assignment conditions
Allow read access to blobs based on
tags and custom security attributes
Article • 12/01/2023

In this article, you learn how to allow read access to blobs based on blob index tags and
custom security attributes by using attribute-based access control (ABAC) conditions.
This can make it easier to manage access to blobs.

Prerequisites
To assign custom security attributes and add role assignments conditions in your
Microsoft Entra tenant, you need:

Attribute Definition Administrator and Attribute Assignment Administrator

Role Based Access Control Administrator

） Important

By default, Global Administrator and other administrator roles do not have

permissions to read, define, or assign custom security attributes. If you do not meet
these prerequisites, you won't see the principal/user attributes in the condition
editor.

Condition
In this article, you allow read access to blobs if the user has a custom security attribute
that matches the blob index tag. This is accomplished by adding a condition to the role
assignment.
For example, if Brenda has the attribute Project=Baker , she can only read blobs with the
Project=Baker blob index tag. Similarly, Chandra can only read blobs with

Project=Cascade .

Here is what the condition looks like in code:

(
(
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(

@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_Proje
ct] StringEquals
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/ta
gs:Project<$key_case_sensitive$>]
)
)

For more information about conditions, see What is Azure attribute-based access
control (Azure ABAC)?.

Step 1: Add a new custom security attribute

1. Sign in to the Azure portal .

2. Click Microsoft Entra ID > Custom security attributes.

3. Add an attribute named Project with values of Baker and Cascade . Or use an
existing attribute. For more information, see Add or deactivate custom security
attributes in Microsoft Entra ID.

Step 2: Assign the custom security attribute to

a user
1. In Microsoft Entra ID, create a security group.

2. Add a user as a member of the group.

3. Assign the Project attribute with a value of Cascade to the user. For more
information, see Assign, update, list, or remove custom security attributes for a
user.

4. Be sure to click Save to save your assignment.

Step 3: Set up storage and blob index tags

1. Create a storage account that is compatible with the blob index tags feature. For
more information, see Manage and find Azure Blob data with blob index tags.
2. Create a new container within the storage account and set the Public access level
to Private (no anonymous access).

3. Set the authentication type to Azure AD User Account.

4. Upload text files to the container and set the following blob index tags.

ﾉ Expand table

File Key Value

Baker text file Project Baker

Cascade text file Project Cascade

 Tip

For information about the characters that are allowed for blob index tags, see
Setting blob index tags.

Step 4: Assign Storage Blob Data Reader role

with a condition
1. Open a new tab and sign in to the Azure portal .

2. Open the resource group that has the storage account.

3. Click Access control (IAM).

4. Click the Role assignments tab to view the role assignments at this scope.

5. Click Add > Add role assignment.

6. On the Role tab, select the Storage Blob Data Reader role.

7. On the Members tab, select the security group you created earlier.

8. (Optional) In the Description box, enter Read access to blobs if the user has a
custom security attribute that matches the blob index tag.

9. On the Conditions (optional) tab, click Add condition.

The Add role assignment condition page appears.

10. In the Add action section, click Add action.

The Select an action pane appears. This pane is a filtered list of data actions based
on the role assignment that will be the target of your condition.

11. Click Read a blob and then click Select.

12. In the Build expression section, click Add.

13. Enter the following settings:

ﾉ Expand table

Setting Value

Attribute source Principal

Attribute <attributeset>_Project

Operator StringEquals

Option Attribute

Attribute source Resource

Attribute Blob index tags [Values in key]

Key Project

７ Note

If Principal is not listed as an option in Attribute source, make sure you have
defined custom security attribute as described earlier in Step 1: Add a new
custom security attribute.
14. Scroll up to Editor type and click Code.

Your condition should look similar to the following:

(
(
!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containe
rs/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})
)
OR
(

@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering_
Project] StringEquals
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blo
bs/tags:Project<$key_case_sensitive$>]
)
)

15. Click Save to save the condition.

16. On the Review + assign tab, click Review + assign to assign the Storage Blob Data
Reader role with a condition.

Step 5: Assign Reader role

Repeat the previous steps to assign the Reader role for the security group at
resource group scope.

７ Note

You typically don't need to assign the Reader role. However, this is done so
that you can test the condition using the Azure portal.

Step 6: Test the condition

1. In a new window, open the Azure portal .

2. Sign in as the user you created with the Project=Cascade custom security attribute.

3. Open the storage account and container you created.

4. Ensure that the authentication method is set to Azure AD User Account and not
Access key.

5. Click the Baker text file.

You should NOT be able to view or download the blob and an authorization failed
message should be displayed.

6. Click Cascade text file.

You should be able to view and download the blob.

Azure PowerShell
You can also use Azure PowerShell to add role assignment conditions. The following
commands show how to add conditions. For information, see Tutorial: Add a role
assignment condition to restrict access to blobs using Azure PowerShell.

Add a condition
1. Use the Connect-AzAccount command and follow the instructions that appear to
sign in to your directory as Role Based Access Control Administrator.

PowerShell

Connect-AzAccount

2. Use Get-AzRoleAssignment to get the role assignment you assigned to the security
group.

PowerShell

$groupRoleAssignment = Get-AzRoleAssignment -ObjectId <groupObjectId> -

Scope <scope>

3. Set the Condition property of the role assignment object. Be sure to use your
attribute set name.

PowerShell

$groupRoleAssignment.Condition="((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containe
rs/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR
(@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering
_Project] StringEquals
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blo
bs/tags:Project<`$key_case_sensitive`$>]))"

4. Set the ConditionVersion property of the role assignment object.

PowerShell

$groupRoleAssignment.ConditionVersion = "2.0"

5. Use Set-AzRoleAssignment to update the role assignment.

PowerShell

Set-AzRoleAssignment -InputObject $groupRoleAssignment

Test the condition

1. In a new PowerShell window, use the Connect-AzAccount command to sign in as a
member of the security group.

PowerShell

Connect-AzAccount

2. Use New-AzStorageContext to set the context for the storage account.

PowerShell

$bearerCtx = New-AzStorageContext -StorageAccountName <accountName>

3. Use Get-AzStorageBlob to try to read the Baker file.

PowerShell

Get-AzStorageBlob -Container <containerName> -Blob <blobNameBaker> -

Context $bearerCtx

You should NOT be able to read the blob and an authorization failed message
should be displayed.

PowerShell

Get-AzStorageBlob : This request is not authorized to perform this

operation using this permission. HTTP Status Code:
403 - HTTP Error Message: This request is not authorized to perform
this operation using this permission.
...

4. Use Get-AzStorageBlob to try to read the Cascade file.

PowerShell

Get-AzStorageBlob -Container <containerName> -Blob <blobNameCascade> -

Context $bearerCtx
You should be able to read the blob.
AccountName: <storageAccountName>, ContainerName: <containerName>

Name BlobType Length ContentType

LastModified AccessTier SnapshotT

ime
---- -------- ------ -----------
------------ ---------- ---------
CascadeFile.txt BlockBlob 7 text/plain
2021-04-24 05:35:24Z Hot

Azure CLI
You can also use Azure CLI to add role assignments conditions. The following
commands show how to add conditions. For information, see Tutorial: Add a role
assignment condition to restrict access to blobs using Azure CLI.

Add a condition
1. Use the az login command and follow the instructions that appear to sign in to
your directory as Role Based Access Control Administrator.

Azure CLI

az login

2. Use az role assignment list to get the role assignment you assigned to the security
group.

Azure CLI

az role assignment list --assignee <groupObjectId> --scope <scope>

3. Create a JSON file with the following format.

Azure CLI

{
"canDelegate": null,
"condition": "",
"conditionVersion": "",
"description": "",
"id":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/provide
rs/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
"name": "{roleAssignmentId}",
"principalId": "{groupObjectId}",
"principalName": "{principalName}",
"principalType": "Group",
"resourceGroup": "{resourceGroup}",
"roleDefinitionId":
"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/role
Definitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"roleDefinitionName": "Storage Blob Data Reader",
"scope":
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}",
"type": "Microsoft.Authorization/roleAssignments"
}

4. Update the condition property. Be sure to use your attribute set name.

Azure CLI

"condition": "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containe
rs/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR
(@Principal[Microsoft.Directory/CustomSecurityAttributes/Id:Engineering
_Project] StringEquals
@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blo
bs/tags:Project<$key_case_sensitive$>]))",

5. Update the conditionVersion property.

Azure CLI

"conditionVersion": "2.0",

6. Use az role assignment update to add the condition to the role assignment.

Azure CLI

az role assignment update --role-assignment

"./path/roleassignment.json"

Test the condition

1. In a new command window, use the az login command to sign in as a member of
the security group.

Azure CLI

az login
2. Use az storage blob show to try to read the properties for the Baker file.

Azure CLI

az storage blob show --account-name <storageAccountName> --container-

name <containerName> --name <blobNameBaker> --auth-mode login

You should NOT be able to read the blob and an authorization failed message
should be displayed.

Azure CLI

You do not have the required permissions needed to perform this

operation.
...

3. Use az storage blob show to try to read the properties for the Cascade file.

Azure CLI

az storage blob show --account-name <storageAccountName> --container-

name <containerName> --name <blobNameCascade> --auth-mode login
You should be able to read the blob.
{
"container": "<containerName>",
"content": "",
"deleted": false,
"encryptedMetadata": null,
"encryptionKeySha256": null,
"encryptionScope": null,
...
}

Next steps
What are custom security attributes in Microsoft Entra ID?
Azure role assignment condition format and syntax
Example Azure role assignment conditions for Blob Storage
Remove Azure role assignments
Article • 04/16/2024

Azure role-based access control (Azure RBAC) is the authorization system you use to
manage access to Azure resources. To remove access from an Azure resource, you
remove a role assignment. This article describes how to remove roles assignments using
the Azure portal, Azure PowerShell, Azure CLI, and REST API.

Prerequisites
To remove role assignments, you must have:

Microsoft.Authorization/roleAssignments/delete permissions, such as Role Based

Access Control Administrator

For the REST API, you must use the following version:

2015-07-01 or later

For more information, see API versions of Azure RBAC REST APIs.

Azure portal
1. Open Access control (IAM) at a scope, such as management group, subscription,
resource group, or resource, where you want to remove access.

2. Click the Role assignments tab to view all the role assignments at this scope.

3. In the list of role assignments, add a checkmark next to the security principal with
the role assignment you want to remove.
4. Click Remove.

5. In the remove role assignment message that appears, click Yes.

If you see a message that inherited role assignments cannot be removed, you are
trying to remove a role assignment at a child scope. You should open Access
control (IAM) at the scope where the role was assigned and try again. A quick way
to open Access control (IAM) at the correct scope is to look at the Scope column
and click the link next to (Inherited).
Azure PowerShell
In Azure PowerShell, you remove a role assignment by using Remove-
AzRoleAssignment.

The following example removes the Virtual Machine Contributor role assignment from
the patlong@contoso.com user on the pharma-sales resource group:

Azure PowerShell

PS C:\> Remove-AzRoleAssignment -SignInName patlong@contoso.com `

-RoleDefinitionName "Virtual Machine Contributor" `
-ResourceGroupName pharma-sales

Removes the Reader role from the Ann Mack Team group with ID 22222222-2222-2222-
2222-222222222222 at a subscription scope.

Azure PowerShell

PS C:\> Remove-AzRoleAssignment -ObjectId 22222222-2222-2222-2222-

222222222222 `
-RoleDefinitionName "Reader" `
-Scope "/subscriptions/00000000-0000-0000-0000-000000000000"

Removes the Billing Reader role from the alain@example.com user at the management
group scope.

Azure PowerShell

PS C:\> Remove-AzRoleAssignment -SignInName alain@example.com `

-RoleDefinitionName "Billing Reader" `
-Scope "/providers/Microsoft.Management/managementGroups/marketing-group"
Removes the User Access Administrator role with ID 18d7d88d-d35e-4fb5-a5c3-
7773c20a72d9 from the principal with ID 33333333-3333-3333-3333-333333333333 at
subscription scope with ID 00000000-0000-0000-0000-000000000000.

Azure PowerShell

PS C:\> Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-

333333333333 `
-RoleDefinitionId 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 `
-Scope /subscriptions/00000000-0000-0000-0000-000000000000

If you get the error message: "The provided information does not map to a role
assignment", make sure that you also specify the -Scope or -ResourceGroupName
parameters. For more information, see Troubleshoot Azure RBAC.

Azure CLI
In Azure CLI, you remove a role assignment by using az role assignment delete.

The following example removes the Virtual Machine Contributor role assignment from
the patlong@contoso.com user on the pharma-sales resource group:

Azure CLI

az role assignment delete --assignee "patlong@contoso.com" \

--role "Virtual Machine Contributor" \
--resource-group "pharma-sales"

Removes the Reader role from the Ann Mack Team group with ID 22222222-2222-2222-
2222-222222222222 at a subscription scope.

Azure CLI

az role assignment delete --assignee "22222222-2222-2222-2222-222222222222"

\
--role "Reader" \
--scope "/subscriptions/00000000-0000-0000-0000-000000000000"

Removes the Billing Reader role from the alain@example.com user at the management
group scope.

Azure CLI

az role assignment delete --assignee "alain@example.com" \

--role "Billing Reader" \
--scope "/providers/Microsoft.Management/managementGroups/marketing-group"

REST API
In the REST API, you remove a role assignment by using Role Assignments - Delete.

1. Get the role assignment identifier (GUID). This identifier is returned when you first
create the role assignment or you can get it by listing the role assignments.

2. Start with the following request:

HTTP

DELETE
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleAssignments/{roleAssignmentId}?api-version=2022-04-01

3. Within the URI, replace {scope} with the scope for removing the role assignment.

ﾉ Expand table

Scope Type

providers/Microsoft.Management/management Management group

Groups/{groupId1}

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/myresourcegroup1

subscriptions/{subscriptionId1}/resourceG Resource
roups/myresourcegroup1/providers/microsof
t.web/sites/mysite1

4. Replace {roleAssignmentId} with the GUID identifier of the role assignment.

The following request removes the specified role assignment at subscription scope:

HTTP

DELETE
https://management.azure.com/subscriptions/{subscriptionId1}/providers/micro
soft.authorization/roleassignments/{roleAssignmentId1}?api-version=2022-04-
01
The following shows an example of the output:

JSON

{
"properties": {
"roleDefinitionId":
"/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefi
nitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
"principalId": "{objectId1}",
"principalType": "User",
"scope": "/subscriptions/{subscriptionId1}",
"condition": null,
"conditionVersion": null,
"createdOn": "2022-05-06T23:55:24.5379478Z",
"updatedOn": "2022-05-06T23:55:24.5379478Z",
"createdBy": "{createdByObjectId1}",
"updatedBy": "{updatedByObjectId1}",
"delegatedManagedIdentityResourceId": null,
"description": null
},
"id":
"/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleAssi
gnments/{roleAssignmentId1}",
"type": "Microsoft.Authorization/roleAssignments",
"name": "{roleAssignmentId1}"
}

ARM template
There isn't a way to remove a role assignment using an Azure Resource Manager
template (ARM template). To remove a role assignment, you must use other tools such
as the Azure portal, Azure PowerShell, Azure CLI, or REST API.

Next steps
List Azure role assignments using the Azure portal
List Azure role assignments using Azure PowerShell
Troubleshoot Azure RBAC
List Azure deny assignments
Article • 03/12/2024

Similar to a role assignment, a deny assignment attaches a set of deny actions to a user,
group, or service principal at a particular scope for the purpose of denying access. Deny
assignments block users from performing specific Azure resource actions even if a role
assignment grants them access.

This article describes how to list deny assignments.

） Important

You can't directly create your own deny assignments. Deny assignments are created
and managed by Azure.

How deny assignments are created

Deny assignments are created and managed by Azure to protect resources. You can't
directly create your own deny assignments. However, you can specify deny settings
when creating a deployment stack, which creates a deny assignment that is owned by
the deployment stack resources. Deployment stacks is currently in preview. For more
information, see Protect managed resources against deletion.

Compare role assignments and deny

assignments
Deny assignments follow a similar pattern as role assignments, but also have some
differences.

ﾉ Expand table

Capability Role assignment Deny assignment

Grant access ✅

Deny access ✅

Can be directly created ✅

Apply at a scope ✅ ✅
Capability Role assignment Deny assignment

Exclude principals ✅

Prevent inheritance to child scopes ✅

Apply to classic subscription administrator assignments ✅

Deny assignment properties

A deny assignment has the following properties:

ﾉ Expand table

Property Required Type Description

DenyAssignmentName Yes String The display name of

the deny assignment.
Names must be
unique for a given
scope.

Description No String The description of the

deny assignment.

Permissions.Actions At least one Actions String[] An array of strings

or one DataActions that specify the
control plane actions
to which the deny
assignment blocks
access.

Permissions.NotActio No String[] An array of strings

ns that specify the
control plane action
to exclude from the
deny assignment.

Permissions.DataActi At least one Actions String[] An array of strings

ons or one DataActions that specify the data
plane actions to which
the deny assignment
blocks access.

Permissions.NotDataA No String[] An array of strings

ctions that specify the data
plane actions to
Property Required Type Description

exclude from the deny

assignment.

Scope No String A string that specifies

the scope that the
deny assignment
applies to.

DoNotApplyToChildSco No Boolean Specifies whether the

pes deny assignment
applies to child
scopes. Default value
is false.

Principals[i].Id Yes String[] An array of Microsoft

Entra principal object
IDs (user, group,
service principal, or
managed identity) to
which the deny
assignment applies.
Set to an empty GUID
00000000-0000-0000-0
000-000000000000 to
represent all
principals.

Principals[i].Type No String[] An array of object

types represented by
Principals[i].Id. Set to
SystemDefined to
represent all
principals.

ExcludePrincipals No String[] An array of Microsoft

[i].Id Entra principal object
IDs (user, group,
service principal, or
managed identity) to
which the deny
assignment does not
apply.

ExcludePrincipals No String[] An array of object

[i].Type types represented by
ExcludePrincipals[i].Id.

IsSystemProtected No Boolean Specifies whether this

deny assignment was
Property Required Type Description

created by Azure and

cannot be edited or
deleted. Currently, all
deny assignments are
system protected.

The All Principals principal

To support deny assignments, a system-defined principal named All Principals has been
introduced. This principal represents all users, groups, service principals, and managed
identities in a Microsoft Entra directory. If the principal ID is a zero GUID 00000000-0000-
0000-0000-000000000000 and the principal type is SystemDefined , the principal represents

all principals. In Azure PowerShell output, All Principals looks like the following:

Azure PowerShell

Principals : {
DisplayName: All Principals
ObjectType: SystemDefined
ObjectId: 00000000-0000-0000-0000-000000000000
}

All Principals can be combined with ExcludePrincipals to deny all principals except
some users. All Principals has the following constraints:

Can be used only in Principals and cannot be used in ExcludePrincipals .

Principals[i].Type must be set to SystemDefined .

List deny assignments

Follow these steps to list deny assignments.

） Important

You can't directly create your own deny assignments. Deny assignments are created
and managed by Azure. For more information, see Protect managed resources
against deletion.

Azure portal
Prerequisites
To get information about a deny assignment, you must have:

Microsoft.Authorization/denyAssignments/read permission, which is included

in most Azure built-in roles.

List deny assignments in the Azure portal

Follow these steps to list deny assignments at the subscription or management
group scope.

1. In the Azure portal, open the selected scope, such as resource group or
subscription.

2. Select Access control (IAM).

3. Select the Deny assignments tab (or select the View button on the View deny
assignments tile).

If there are any deny assignments at this scope or inherited to this scope,
they'll be listed.

4. To display additional columns, select Edit Columns.



ﾉ Expand table

Column Description

Name Name of the deny assignment.

Principal type User, group, system-defined group, or service principal.

Denied Name of the security principal that is included in the deny

assignment.

Id Unique identifier for the deny assignment.

Excluded principals Whether there are security principals that are excluded from
the deny assignment.

Does not apply to Whether the deny assignment is inherited to subscopes.

children

System protected Whether the deny assignment is managed by Azure.

Currently, always Yes.

Scope Management group, subscription, resource group, or

resource.

5. Add a checkmark to any of the enabled items and then select OK to display
the selected columns.

List details about a deny assignment

Follow these steps to list additional details about a deny assignment.

1. Open the Deny assignments pane as described in the previous section.

2. Select the deny assignment name to open the Users page.

The Users page includes the following two sections.

ﾉ Expand table

Deny setting Description

Deny assignment applies Security principals that the deny assignment applies to.
to

Deny assignment Security principals that are excluded from the deny
excludes assignment.

System-Defined Principal represents all users, groups, service principals, and

managed identities in an Azure AD directory.

3. To see a list of the permissions that are denied, select Denied Permissions.


ﾉ Expand table

Action type Description

Actions Denied control plane actions.

NotActions Control plane actions excluded from denied control plane actions.

DataActions Denied data plane actions.

NotDataActions Data plane actions excluded from denied data plane actions.

For the example shown in the previous screenshot, the following are the
effective permissions:

All storage actions on the data plane are denied except for compute
actions.

4. To see the properties for a deny assignment, select Properties.



On the Properties page, you can see the deny assignment name, ID,
description, and scope. The Does not apply to children switch indicates
whether the deny assignment is inherited to subscopes. The System protected
switch indicates whether this deny assignment is managed by Azure.
Currently, this is Yes in all cases.

Next steps
Deployment stacks
Azure custom roles
Article • 02/22/2024

If the Azure built-in roles don't meet the specific needs of your organization, you can
create your own custom roles. Just like built-in roles, you can assign custom roles to
users, groups, and service principals at management group, subscription, and resource
group scopes.

Custom roles can be shared between subscriptions that trust the same Microsoft Entra
tenant. There is a limit of 5,000 custom roles per tenant. (For Microsoft Azure operated
by 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the
Azure portal, Azure PowerShell, Azure CLI, or the REST API.

Steps to create a custom role

Here are the basic steps to create a custom role.

1. Determine the permissions you need.

When you create a custom role, you need to know the actions that are available to
define your permissions. Typically, you start with an existing built-in role and then
modify it for your needs. You will add the actions to the Actions or NotActions
properties of the role definition. If you have data actions, you will add those to the
DataActions or NotDataActions properties.

For more information, see the next section How to determine the permissions you
need.

2. Decide how you want to create the custom role.

You can create custom roles using Azure portal, Azure PowerShell, Azure CLI, or the
REST API.

3. Create the custom role.

The easiest way is to use the Azure portal. For steps on how to create a custom
role using the Azure portal, see Create or update Azure custom roles using the
Azure portal.

4. Test the custom role.

Once you have your custom role, you have to test it to verify that it works as you
expect. If you need to make adjustments later, you can update the custom role.
How to determine the permissions you need
Azure has thousands of permissions that you can potentially include in your custom
role. Here are some methods that can help you determine the permissions you will want
to add to your custom role:

Look at existing built-in roles.

You might want to modify an existing role or combine permissions used in multiple
roles.

List the Azure services you want to grant access to.

Determine the resource providers that map to the Azure services.

Azure services expose their functionality and permissions through resource

providers. For example, the Microsoft.Compute resource provider supplies virtual
machine resources and the Microsoft.Billing resource provider supplies
subscription and billing resources. Knowing the resource providers can help you
narrow down and determine the permissions you need for your custom role.

When you create a custom role using the Azure portal, you can also determine the
resource providers by searching for keywords. This search functionality is described
in Create or update Azure custom roles using the Azure portal.

Search the available permissions to find permissions you want to include.

When you create a custom role using the Azure portal, you can search for
permissions by keyword. For example, you can search for virtual machine or billing
permissions. You can also download all of the permissions as a CSV file and then
search this file. This search functionality is described in Create or update Azure
custom roles using the Azure portal.
Custom role example
The following shows what a custom role looks like as displayed using Azure PowerShell
in JSON format. This custom role can be used for monitoring and restarting virtual
machines.

JSON

{
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/providers/Microsoft.Management/managementGroups/{groupId1}"
]
}

The following shows the same custom role as displayed using Azure CLI.

JSON

[
{
"assignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/providers/Microsoft.Management/managementGroups/{groupId1}"
],
"description": "Can monitor and restart virtual machines.",
"id":
"/subscriptions/{subscriptionId1}/providers/Microsoft.Authorization/roleDefi
nitions/88888888-8888-8888-8888-888888888888",
"name": "88888888-8888-8888-8888-888888888888",
"permissions": [
{
"actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Operator",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
]
Custom role properties
The following table describes what the custom role properties mean.

ﾉ Expand table

Property Required Type Description

Name Yes String The display name of the custom role. While a role
roleName definition is a management group or subscription-level
resource, a role definition can be used in multiple
subscriptions that share the same Microsoft Entra
tenant. This display name must be unique at the scope
of the Microsoft Entra tenant. Can include letters,
numbers, spaces, and special characters. Maximum
number of characters is 512.

Id Yes String The unique ID of the custom role. For Azure PowerShell
name and Azure CLI, this ID is automatically generated when
you create a new role.

IsCustom Yes String Indicates whether this is a custom role. Set to true or
roleType CustomRole for custom roles. Set to false or
BuiltInRole for built-in roles.

Description Yes String The description of the custom role. Can include letters,
description numbers, spaces, and special characters. Maximum
number of characters is 2048.

Actions Yes String[] An array of strings that specifies the control plane
actions actions that the role allows to be performed. For more
information, see Actions.

NotActions No String[] An array of strings that specifies the control plane

notActions actions that are excluded from the allowed Actions . For
more information, see NotActions.

DataActions No String[] An array of strings that specifies the data plane actions
dataActions that the role allows to be performed to your data within
that object. If you create a custom role with
DataActions , that role can't be assigned at
management group scope. For more information, see
DataActions.

NotDataActions No String[] An array of strings that specifies the data plane actions
notDataActions that are excluded from the allowed DataActions . For
more information, see NotDataActions.

AssignableScopes Yes String[] An array of strings that specifies the scopes that the
assignableScopes custom role is available for assignment. Maximum
Property Required Type number of AssignableScopes is 2,000. For more
Description
information, see AssignableScopes.

Permission strings are case-insensitive. When you create your custom roles, the
convention is to match the case that you see for permissions in Azure resource provider
operations.

Wildcard permissions
Actions , NotActions , DataActions , and NotDataActions support wildcards ( * ) to define

permissions. A wildcard ( * ) extends a permission to everything that matches the action

string you provide. For example, suppose that you wanted to add all the permissions
related to Azure Cost Management and exports. You could add all of these action
strings:

Microsoft.CostManagement/exports/action
Microsoft.CostManagement/exports/read
Microsoft.CostManagement/exports/write
Microsoft.CostManagement/exports/delete
Microsoft.CostManagement/exports/run/action

Instead of adding all of these strings, you could just add a wildcard string. For example,
the following wildcard string is equivalent to the previous five strings. This would also
include any future export permissions that might be added.

Microsoft.CostManagement/exports/*

７ Note

It's recommended that you specify Actions and DataActions explicitly instead of
using the wildcard ( * ) character. The additional access and permissions granted
through future Actions or DataActions may be unwanted behavior using the
wildcard.

Who can create, delete, update, or view a

custom role
Just like built-in roles, the AssignableScopes property specifies the scopes that the role
is available for assignment. The AssignableScopes property for a custom role also
controls who can create, delete, update, or view the custom role.

ﾉ Expand table

Task Action Description

Create/delete a Microsoft.Authorization/ Users that are granted this action on all the
custom role roleDefinitions/write AssignableScopes of the custom role can create
(or delete) custom roles for use in those scopes.
For example, Owners and User Access
Administrators of management groups,
subscriptions, and resource groups.

Update a Microsoft.Authorization/ Users that are granted this action on all the
custom role roleDefinitions/write AssignableScopes of the custom role can update
custom roles in those scopes. For example,
Owners and User Access Administrators of
management groups, subscriptions, and
resource groups.

View a custom Microsoft.Authorization/ Users that are granted this action at a scope can
role roleDefinitions/read view the custom roles that are available for
assignment at that scope. All built-in roles allow
custom roles to be available for assignment.

Find role assignments to delete a custom role

Before you can delete a custom role, you must remove any role assignments that use
the custom role. If you try to delete a custom role with role assignments, you get the
message: There are existing role assignments referencing role (code:
RoleDefinitionHasAssignments) .

Here are steps to help find the role assignments before deleting a custom role:

List the custom role definition.

In the AssignableScopes section, get the management groups, subscriptions, and
resource groups.
Iterate over the AssignableScopes and list the role assignments.
Remove the role assignments that use the custom role.
If you are using Microsoft Entra Privileged Identity Management, remove eligible
custom role assignments.
Delete the custom role.
For information about how to find unused custom roles, see Symptom - No more role
definitions can be created.

Custom role limits

The following list describes the limits for custom roles.

Each tenant can have up to 5000 custom roles.

Microsoft Azure operated by 21Vianet can have up to 2000 custom roles for each
tenant.
You cannot set AssignableScopes to the root scope ( "/" ).
You cannot use wildcards ( * ) in AssignableScopes . This wildcard restriction helps
ensure a user can't potentially obtain access to a scope by updating the role
definition.
You can have only one wildcard in an action string.
You can define only one management group in AssignableScopes of a custom role.
Azure Resource Manager doesn't validate the management group's existence in
the role definition's AssignableScopes .
Custom roles with DataActions can't be assigned at the management group scope.
You can create a custom role with DataActions and one management group in
AssignableScopes . You can't assign the custom role at the management group

scope itself; however, you can assign the custom role at the scope of the
subscriptions within the management group. This can be helpful if you need to
create a single custom role with DataActions that needs to be assigned in multiple
subscriptions, instead of creating a separate custom role for each subscription.

For more information about custom roles and management groups, see What are Azure
management groups?.

Input and output formats

To create a custom role using the command line, you typically use JSON to specify the
properties you want for the custom role. Depending on the tools you use, the input and
output formats will look slightly different. This section lists the input and output formats
depending on the tool.

Azure PowerShell
To create a custom role using Azure PowerShell, you must provide following input.
JSON

{
"Name": "",
"Description": "",
"Actions": [],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": []
}

To update a custom role using Azure PowerShell, you must provide the following input.
Note that the Id property has been added.

JSON

{
"Name": "",
"Id": "",
"Description": "",
"Actions": [],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": []
}

The following shows an example of the output when you list a custom role using Azure
PowerShell and the ConvertTo-Json command.

JSON

{
"Name": "",
"Id": "",
"IsCustom": true,
"Description": "",
"Actions": [],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": []
}

Azure CLI
To create or update a custom role using Azure CLI, you must provide following input.
This format is the same format when you create a custom role using Azure PowerShell.

JSON

{
"Name": "",
"Description": "",
"Actions": [],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": []
}

The following shows an example of the output when you list a custom role using Azure
CLI.

JSON

[
{
"assignableScopes": [],
"description": "",
"id": "",
"name": "",
"permissions": [
{
"actions": [],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
]

REST API
To create or update a custom role using the REST API, you must provide following input.
This format is the same format that gets generated when you create a custom role using
the Azure portal.

JSON
{
"properties": {
"roleName": "",
"description": "",
"assignableScopes": [],
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}

The following shows an example of the output when you list a custom role using the
REST API.

JSON

{
"properties": {
"roleName": "",
"type": "CustomRole",
"description": "",
"assignableScopes": [],
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "",
"updatedOn": "",
"createdBy": "",
"updatedBy": ""
},
"id": "",
"type": "Microsoft.Authorization/roleDefinitions",
"name": ""
}

Next steps
Tutorial: Create an Azure custom role using Azure PowerShell
Tutorial: Create an Azure custom role using Azure CLI
Understand Azure role definitions
Troubleshoot Azure RBAC
Create or update Azure custom roles
using the Azure portal
Article • 04/05/2023

If the Azure built-in roles don't meet the specific needs of your organization, you can
create your own Azure custom roles. Just like built-in roles, you can assign custom roles
to users, groups, and service principals at management group, subscription and
resource group scopes. Custom roles are stored in an Azure Active Directory (Azure AD)
directory and can be shared across subscriptions. Each directory can have up to 5000
custom roles. Custom roles can be created using the Azure portal, Azure PowerShell,
Azure CLI, or the REST API. This article describes how to create custom roles using the
Azure portal.

Prerequisites
To create custom roles, you need:

Permissions to create custom roles, such as Owner or User Access Administrator

Step 1: Determine the permissions you need

Azure has thousands of permissions that you can potentially include in your custom
role. Here are some methods that can help you determine the permissions you will want
to add to your custom role:

Look at existing built-in roles.

List the Azure services you want to grant access to.
Determine the resource providers that map to the Azure services. A search method
is described later in Step 4: Permissions.
Search the available permissions to find permissions you want to include. A search
method is described later in Step 4: Permissions.

Step 2: Choose how to start

There are three ways that you can start to create a custom role. You can clone an
existing role, start from scratch, or start with a JSON file. The easiest way is to find an
existing role that has most of the permissions you need and then clone and modify it for
your scenario.
Clone a role
If an existing role does not quite have the permissions you need, you can clone it and
then modify the permissions. Follow these steps to start cloning a role.

1. In the Azure portal, open a management group, subscription, or resource group

where you want the custom role to be assignable and then open Access control
(IAM).

The following screenshot shows the Access control (IAM) page opened for a
subscription.

2. Click the Roles tab to see a list of all the built-in and custom roles.

3. Search for a role you want to clone such as the Billing Reader role.

4. At the end of the row, click the ellipsis (...) and then click Clone.
This opens the custom roles editor with the Clone a role option selected.

5. Proceed to Step 3: Basics.

Start from scratch

If you prefer, you can follow these steps to start a custom role from scratch.

1. In the Azure portal, open a management group, subscription, or resource group

where you want the custom role to be assignable and then open Access control
(IAM).

2. Click Add and then click Add custom role.

This opens the custom roles editor with the Start from scratch option selected.

3. Proceed to Step 3: Basics.

Start from JSON

If you prefer, you can specify most of your custom role values in a JSON file. You can
open the file in the custom roles editor, make additional changes, and then create the
custom role. Follow these steps to start with a JSON file.

1. Create a JSON file that has the following format:

JSON

{
"properties": {
"roleName": "",
"description": "",
"assignableScopes": [],
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}

2. In the JSON file, specify values for the various properties. Here's an example with
some values added. For information about the different properties, see Understand
Azure role definitions.

JSON

{
"properties": {
"roleName": "Billing Reader Plus",
"description": "Read billing data and download invoices",
"assignableScopes": [
"/subscriptions/11111111-1111-1111-1111-111111111111"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Billing/*/read",
"Microsoft.Commerce/*/read",
"Microsoft.Consumption/*/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}

3. In the Azure portal, open the Access control (IAM) page.

4. Click Add and then click Add custom role.

This opens the custom roles editor.

5. On the Basics tab, in Baseline permissions, select Start from JSON.

6. Next to the Select a file box, click the folder button to open the Open dialog box.

7. Select your JSON file and then click Open.

8. Proceed to Step 3: Basics.

Step 3: Basics
On the Basics tab, you specify the name, description, and baseline permissions for your
custom role.

1. In the Custom role name box, specify a name for the custom role. The name must
be unique for the Azure AD directory. The name can include letters, numbers,
spaces, and special characters.

2. In the Description box, specify an optional description for the custom role. This will
become the tooltip for the custom role.

The Baseline permissions option should already be set based on the previous step,
but you can change.
Step 4: Permissions
On the Permissions tab, you specify the permissions for your custom role. Depending
on whether you cloned a role or if you started with JSON, the Permissions tab might
already list some permissions.
Add or remove permissions
Follow these steps to add or remove permissions for your custom role.

1. To add permissions, click Add permissions to open the Add permissions pane.

This pane lists all available permissions grouped into different categories in a card
format. Each category represents a resource provider, which is a service that
supplies Azure resources.

2. In the Search for a permission box, type a string to search for permissions. For
example, search for invoice to find permissions related to invoice.

A list of resource provider cards will be displayed based on your search string. For
a list of how resource providers map to Azure services, see Resource providers for
Azure services.
3. Click a resource provider card that might have the permissions you want to add to
your custom role, such as Microsoft Billing.

A list of the management permissions for that resource provider is displayed based
on your search string.

4. If you are looking for permissions that apply to the data plane, click Data Actions.
Otherwise, leave the actions toggle set to Actions to list permissions that apply to
the control plane. For more information, about the differences between the control
plane and data plane, see Control and data actions.
5. If necessary, update the search string to further refine your search.

6. Once you find one or more permissions you want to add to your custom role, add
a check mark next to the permissions. For example, add a check mark next to
Other : Download Invoice to add the permission to download invoices.

7. Click Add to add the permission to your permission list.

The permission gets added as an Actions or a DataActions .

8. To remove permissions, click the delete icon at the end of the row. In this example,
since a user will not need the ability to create support tickets, the
Microsoft.Support/* permission can be deleted.

Add wildcard permissions

Depending on how you chose to start, you might have permissions with wildcards ( * ) in
your list of permissions. A wildcard ( * ) extends a permission to everything that matches
the action string you provide. For example, the following wildcard string adds all
permissions related to Azure Cost Management and exports. This would also include
any future export permissions that might be added.

Microsoft.CostManagement/exports/*
If you want to add a new wildcard permission, you can't add it using the Add
permissions pane. To add a wildcard permission, you have to add it manually using the
JSON tab. For more information, see Step 6: JSON.

７ Note

Exclude permissions
If your role has a wildcard ( * ) permission and you want to exclude or subtract specific
permissions from that wildcard permission, you can exclude them. For example, let's say
that you have the following wildcard permission:

Microsoft.CostManagement/exports/*

If you don't want to allow an export to be deleted, you could exclude the following
delete permission:

Microsoft.CostManagement/exports/delete

When you exclude a permission, it is added as a NotActions or NotDataActions . The

effective management permissions are computed by adding all of the Actions and then
subtracting all of the NotActions . The effective data permissions are computed by
adding all of the DataActions and then subtracting all of the NotDataActions .

７ Note

Excluding a permission is not the same as a deny. Excluding permissions is simply a

convenient way to subtract permissions from a wildcard permission.

1. To exclude or subtract a permission from an allowed wildcard permission, click

Exclude permissions to open the Exclude permissions pane.
On this pane, you specify the management or data permissions that are excluded
or subtracted.

2. Once you find one or more permissions that you want to exclude, add a check
mark next to the permissions and then click the Add button.

The permission gets added as a NotActions or NotDataActions .

Step 5: Assignable scopes

On the Assignable scopes tab, you specify where your custom role is available for
assignment, such as management group, subscriptions, or resource groups. Depending
on how you chose to start, this tab might already list the scope where you opened the
Access control (IAM) page.

You can define only one management group in assignable scopes. Setting assignable
scope to root scope ("/") is not supported.

1. Click Add assignable scopes to open the Add assignable scopes pane.

2. Click one or more scopes that you want to use, typically your subscription.

3. Click the Add button to add your assignable scope.

Step 6: JSON
On the JSON tab, you see your custom role formatted in JSON. If you want, you can
directly edit the JSON.
1. To edit the JSON, click Edit.

2. Make changes to the JSON.

If the JSON is not formatted correctly, you will see a red jagged line and an
indicator in the vertical gutter.

3. When finished editing, click Save.

Step 7: Review + create

On the Review + create tab, you can review your custom role settings.

1. Review your custom role settings.

2. Click Create to create your custom role.

After a few moments, a message box appears indicating your custom role was
successfully created.
If any errors are detected, a message will be displayed.

3. View your new custom role in the Roles list. If you don't see your custom role, click
Refresh.

It can take a few minutes for your custom role to appear everywhere.

List custom roles

Follow these steps to view your custom roles.

1. Open a management group, subscription, or resource group and then open Access
control (IAM).

2. Click the Roles tab to see a list of all the built-in and custom roles.

3. In the Type list, select CustomRole to just see your custom roles.

If you just created your custom role and you don't see it in the list, click Refresh.

Update a custom role

1. As described earlier in this article, open your list of custom roles.

2. Click the ellipsis (...) for the custom role you want to update and then click Edit.
Note that you can't update built-in roles.

The custom role is opened in the editor.

3. Use the different tabs to update the custom role.

4. Once you are finished with your changes, click the Review + create tab to review
your changes.

5. Click the Update button to update your custom role.

Delete a custom role

1. Remove any role assignments that use the custom role. For more information, see
Find role assignments to delete a custom role.

2. As described earlier in this article, open your list of custom roles.

3. Click the ellipsis (...) for the custom role you want to delete and then click Delete.

It can take a few minutes for your custom role to be completely deleted.

Next steps
Tutorial: Create an Azure custom role using Azure PowerShell
Azure custom roles
Azure resource provider operations
Create or update Azure custom roles
using Azure PowerShell
Article • 12/01/2023

If the Azure built-in roles don't meet the specific needs of your organization, you can
create your own custom roles. This article describes how to list, create, update, or delete
custom roles using Azure PowerShell.

For a step-by-step tutorial on how to create a custom role, see Tutorial: Create an Azure
custom role using Azure PowerShell.

７ Note

Prerequisites
To create custom roles, you need:

Permissions to create custom roles, such as User Access Administrator

Azure Cloud Shell or Azure PowerShell

List custom roles

To list the roles that are available for assignment at a scope, use the Get-
AzRoleDefinition command. The following example lists all roles that are available for
assignment in the selected subscription.

Azure PowerShell

Get-AzRoleDefinition | FT Name, IsCustom

Example

Name IsCustom
---- --------
Virtual Machine Operator True
AcrImageSigner False
AcrQuarantineReader False
AcrQuarantineWriter False
API Management Service Contributor False
...

The following example lists just the custom roles that are available for assignment in the
selected subscription.

Azure PowerShell

Get-AzRoleDefinition -Custom | FT Name, IsCustom

Example

Name IsCustom
---- --------
Virtual Machine Operator True

If the selected subscription isn't in the AssignableScopes of the role, the custom role
won't be listed.

List a custom role definition

To list a custom role definition, use Get-AzRoleDefinition. This is the same command as
you use for a built-in role.

Azure PowerShell

Get-AzRoleDefinition <role_name> | ConvertTo-Json

Example

PS C:\> Get-AzRoleDefinition "Virtual Machine Operator" | ConvertTo-Json

{
"Name": "Virtual Machine Operator",
"Id": "00000000-0000-0000-0000-000000000000",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/11111111-1111-1111-1111-111111111111"
]
}

The following example lists just the actions of the role:

Azure PowerShell

(Get-AzRoleDefinition <role_name>).Actions

Example

PS C:\> (Get-AzRoleDefinition "Virtual Machine Operator").Actions

"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"

Create a custom role

To create a custom role, use the New-AzRoleDefinition command. There are two
methods of structuring the role, using PSRoleDefinition object or a JSON template.

Get operations for a resource provider

When you create custom roles, it is important to know all the possible operations from
the resource providers. You can view the list of resource provider operations or you can
use the Get-AzProviderOperation command to get this information. For example, if you
want to check all the available operations for virtual machines, use this command:
Azure PowerShell

Get-AzProviderOperation <operation> | FT OperationName, Operation,

Description -AutoSize

Example

PS C:\> Get-AzProviderOperation "Microsoft.Compute/virtualMachines/*" | FT

OperationName, Operation, Description -AutoSize

OperationName Operation
Description
------------- ---------
-----------
Get Virtual Machine
Microsoft.Compute/virtualMachines/read Get the
propertie...
Create or Update Virtual Machine
Microsoft.Compute/virtualMachines/write Creates a new
vir...
Delete Virtual Machine
Microsoft.Compute/virtualMachines/delete Deletes the
virtu...
Start Virtual Machine
Microsoft.Compute/virtualMachines/start/action Starts the
virtua...
...

Create a custom role with the PSRoleDefinition object

When you use PowerShell to create a custom role, you can use one of the built-in roles
as a starting point or you can start from scratch. The first example in this section starts
with a built-in role and then customizes it with more permissions. Edit the attributes to
add the Actions , NotActions , or AssignableScopes that you want, and then save the
changes as a new role.

The following example starts with the Virtual Machine Contributor built-in role to create
a custom role named Virtual Machine Operator. The new role grants access to all read
actions of Microsoft.Compute, Microsoft.Storage, and Microsoft.Network resource
providers and grants access to start, restart, and monitor virtual machines. The custom
role can be used in two subscriptions.

Azure PowerShell

$role = Get-AzRoleDefinition "Virtual Machine Contributor"

$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "Can monitor and restart virtual machines."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Authorization/*/read")
$role.Actions.Add("Microsoft.ResourceHealth/availabilityStatuses/read")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.Actions.Add("Microsoft.Insights/alertRules/*")
$role.Actions.Add("Microsoft.Support/*")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/00000000-0000-0000-0000-
000000000000")
$role.AssignableScopes.Add("/subscriptions/11111111-1111-1111-1111-
111111111111")
New-AzRoleDefinition -Role $role

The following example shows another way to create the Virtual Machine Operator
custom role. It starts by creating a new PSRoleDefinition object. The actions are
specified in the perms variable and set to the Actions property. The NotActions
property is set by reading the NotActions from the Virtual Machine Contributor built-in
role. Since Virtual Machine Contributor does not have any NotActions , this line is not
required, but it shows how information can be retrieved from another role.

Azure PowerShell

$role =
[Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::
new()
$role.Name = 'Virtual Machine Operator 2'
$role.Description = 'Can monitor and restart virtual machines.'
$role.IsCustom = $true
$perms =
'Microsoft.Storage/*/read','Microsoft.Network/*/read','Microsoft.Compute/*/r
ead'
$perms +=
'Microsoft.Compute/virtualMachines/start/action','Microsoft.Compute/virtualM
achines/restart/action'
$perms += 'Microsoft.Authorization/*/read'
$perms += 'Microsoft.ResourceHealth/availabilityStatuses/read'
$perms += 'Microsoft.Resources/subscriptions/resourceGroups/read'
$perms += 'Microsoft.Insights/alertRules/*','Microsoft.Support/*'
$role.Actions = $perms
$role.NotActions = (Get-AzRoleDefinition -Name 'Virtual Machine
Contributor').NotActions
$subs = '/subscriptions/00000000-0000-0000-0000-
000000000000','/subscriptions/11111111-1111-1111-1111-111111111111'
$role.AssignableScopes = $subs
New-AzRoleDefinition -Role $role

Create a custom role with JSON template

A JSON template can be used as the source definition for the custom role. The following
example creates a custom role that allows read access to storage and compute
resources, access to support, and adds that role to two subscriptions. Create a new file
C:\CustomRoles\customrole1.json with the following example. The Id should be set to

null on initial role creation as a new ID is generated automatically.

JSON

{
"Name": "Custom Role 1",
"Id": null,
"IsCustom": true,
"Description": "Allows for read access to Azure storage and compute
resources and access to support",
"Actions": [
"Microsoft.Compute/*/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000",
"/subscriptions/11111111-1111-1111-1111-111111111111"
]
}

To add the role to the subscriptions, run the following PowerShell command:

Azure PowerShell

New-AzRoleDefinition -InputFile "C:\CustomRoles\customrole1.json"

Update a custom role

Similar to creating a custom role, you can modify an existing custom role using either
the PSRoleDefinition object or a JSON template.

Update a custom role with the PSRoleDefinition object

To modify a custom role, first, use the Get-AzRoleDefinition command to retrieve the
role definition. Second, make the desired changes to the role definition. Finally, use the
Set-AzRoleDefinition command to save the modified role definition.

The following example adds the Microsoft.Insights/diagnosticSettings/* action to the

Virtual Machine Operator custom role.

Azure PowerShell

$role = Get-AzRoleDefinition "Virtual Machine Operator"

$role.Actions.Add("Microsoft.Insights/diagnosticSettings/*")
Set-AzRoleDefinition -Role $role

Example

PS C:\> $role = Get-AzRoleDefinition "Virtual Machine Operator"

PS C:\> $role.Actions.Add("Microsoft.Insights/diagnosticSettings/*")
PS C:\> Set-AzRoleDefinition -Role $role

Name : Virtual Machine Operator

Id : 88888888-8888-8888-8888-888888888888
IsCustom : True
Description : Can monitor and restart virtual machines.
Actions : {Microsoft.Storage/*/read, Microsoft.Network/*/read,
Microsoft.Compute/*/read,
Microsoft.Compute/virtualMachines/start/action...}
NotActions : {}
AssignableScopes : {/subscriptions/00000000-0000-0000-0000-000000000000,
/subscriptions/11111111-1111-1111-1111-111111111111}

The following example adds an Azure subscription to the assignable scopes of the
Virtual Machine Operator custom role.

Azure PowerShell

Get-AzSubscription -SubscriptionName Production3

$role = Get-AzRoleDefinition "Virtual Machine Operator"

$role.AssignableScopes.Add("/subscriptions/22222222-2222-2222-2222-
222222222222")
Set-AzRoleDefinition -Role $role

Example

PS C:\> Get-AzSubscription -SubscriptionName Production3

Name : Production3
Id : 22222222-2222-2222-2222-222222222222
TenantId : 99999999-9999-9999-9999-999999999999
State : Enabled

PS C:\> $role = Get-AzRoleDefinition "Virtual Machine Operator"

PS C:\> $role.AssignableScopes.Add("/subscriptions/22222222-2222-2222-2222-
222222222222")
PS C:\> Set-AzRoleDefinition -Role $role

Name : Virtual Machine Operator

The following example adds a management group to AssignableScopes of the Virtual

Machine Operator custom role.

Azure PowerShell

Get-AzManagementGroup

$role = Get-AzRoleDefinition "Virtual Machine Operator"

$role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups
/{groupId1}")
Set-AzRoleDefinition -Role $role

Example

PS C:\> Get-AzManagementGroup

Id : /providers/Microsoft.Management/managementGroups/marketing-
group
Type : /providers/Microsoft.Management/managementGroups
Name : marketing-group
TenantId : 99999999-9999-9999-9999-999999999999
DisplayName : Marketing group

PS C:\> $role = Get-AzRoleDefinition "Virtual Machine Operator"

PS C:\>
$role.AssignableScopes.Add("/providers/Microsoft.Management/managementGroups
/marketing-group")
PS C:\> Set-AzRoleDefinition -Role $role

Name : Virtual Machine Operator

/providers/Microsoft.Management/managementGroups/marketing-group}

Update a custom role with a JSON template

Using the previous JSON template, you can easily modify an existing custom role to add
or remove Actions. Update the JSON template and add the read action for networking
as shown in the following example. The definitions listed in the template are not
cumulatively applied to an existing definition, meaning that the role appears exactly as
you specify in the template. You also need to update the Id field with the ID of the role.
If you aren't sure what this value is, you can use the Get-AzRoleDefinition cmdlet to get
this information.

JSON

{
"Name": "Custom Role 1",
"Id": "acce7ded-2559-449d-bcd5-e9604e50bad1",
"IsCustom": true,
"Description": "Allows for read access to Azure storage and compute
resources and access to support",
"Actions": [
"Microsoft.Compute/*/read",
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Support/*"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000",
"/subscriptions/11111111-1111-1111-1111-111111111111"
]
}

To update the existing role, run the following PowerShell command:

Azure PowerShell
Set-AzRoleDefinition -InputFile "C:\CustomRoles\customrole1.json"

Delete a custom role

1. Remove any role assignments that use the custom role. For more information, see
Find role assignments to delete a custom role.

2. Use the Remove-AzRoleDefinition command to delete the custom role.

The following example removes the Virtual Machine Operator custom role.

Azure PowerShell

Get-AzRoleDefinition "Virtual Machine Operator"

Get-AzRoleDefinition "Virtual Machine Operator" | Remove-
AzRoleDefinition

Example

PS C:\> Get-AzRoleDefinition "Virtual Machine Operator"

Name : Virtual Machine Operator

Id : 88888888-8888-8888-8888-888888888888
IsCustom : True
Description : Can monitor and restart virtual machines.
Actions : {Microsoft.Storage/*/read, Microsoft.Network/*/read,
Microsoft.Compute/*/read,
Microsoft.Compute/virtualMachines/start/action...}
NotActions : {}
AssignableScopes : {/subscriptions/00000000-0000-0000-0000-
000000000000,
/subscriptions/11111111-1111-1111-1111-111111111111}

PS C:\> Get-AzRoleDefinition "Virtual Machine Operator" | Remove-

AzRoleDefinition

Confirm
Are you sure you want to remove role definition with name 'Virtual
Machine Operator'.
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

Next steps
Tutorial: Create an Azure custom role using Azure PowerShell
Azure custom roles
Azure resource provider operations
Create or update Azure custom roles
using Azure CLI
Article • 12/01/2023

For a step-by-step tutorial on how to create a custom role, see Tutorial: Create an Azure
custom role using Azure CLI.

Prerequisites
To create custom roles, you need:

Permissions to create custom roles, such as User Access Administrator

Azure Cloud Shell or Azure CLI

List custom roles

To list custom roles that are available for assignment, use az role definition list. The
following example lists all the custom roles in the current subscription.

Azure CLI

az role definition list --custom-role-only true --output json --query '[].

{roleName:roleName, roleType:roleType}'

JSON

[
{
"roleName": "My Management Contributor",
"type": "CustomRole"
},
{
"roleName": "My Service Reader Role",
"type": "CustomRole"
},
{
"roleName": "Virtual Machine Operator",
"type": "CustomRole"
}
]

List a custom role definition

To list a custom role definition, use az role definition list. This command is the same
command you would use for a built-in role.

Azure CLI

az role definition list --name {roleName}

The following example lists the Virtual Machine Operator role definition:

Azure CLI

az role definition list --name "Virtual Machine Operator"

JSON

[
{
"assignableScopes": [
"/subscriptions/{subscriptionId}"
],
"description": "Can monitor and restart virtual machines.",
"id":
"/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefin
itions/00000000-0000-0000-0000-000000000000",
"name": "00000000-0000-0000-0000-000000000000",
"permissions": [
{
"actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Operator",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
]

The following example lists just the actions of the Virtual Machine Operator role:

Azure CLI

az role definition list --name "Virtual Machine Operator" --output json --

query '[].permissions[0].actions'

JSON

[
[
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
]
]

Create a custom role

To create a custom role, use az role definition create. The role definition can be a JSON
description or a path to a file containing a JSON description.

Azure CLI

az role definition create --role-definition {roleDefinition}

The following example creates a custom role named Virtual Machine Operator. This
custom role assigns access to all read actions of Microsoft.Compute, Microsoft.Storage,
and Microsoft.Network resource providers and assigns access to start, restart, and
monitor virtual machines. This custom role can be used in two subscriptions. This
example uses a JSON file as an input.

vmoperator.json

JSON

{
"Name": "Virtual Machine Operator",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"NotActions": [

],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}"
]
}

Azure CLI

az role definition create --role-definition ~/roles/vmoperator.json

Update a custom role

To update a custom role, first use az role definition list to retrieve the role definition.
Second, make the desired changes to the role definition. Finally, use az role definition
update to save the updated role definition.

Azure CLI

az role definition update --role-definition {roleDefinition}

The following example adds the Microsoft.Insights/diagnosticSettings/ action to Actions
and adds a management group to AssignableScopes for the Virtual Machine Operator
custom role.

vmoperator.json

JSON

],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/providers/Microsoft.Management/managementGroups/marketing-group"
]
}

Azure CLI

az role definition update --role-definition ~/roles/vmoperator.json

Delete a custom role

1. Remove any role assignments that use the custom role. For more information, see
Find role assignments to delete a custom role.

2. Use az role definition delete to delete the custom role. To specify the role to
delete, use the role name or the role ID. To determine the role ID, use az role
definition list.
Azure CLI

az role definition delete --name {roleNameOrId}

The following example deletes the Virtual Machine Operator custom role.

Azure CLI

az role definition delete --name "Virtual Machine Operator"

Next steps
Tutorial: Create an Azure custom role using Azure CLI
Azure custom roles
Azure resource provider operations
Create or update Azure custom roles
using the REST API
Article • 12/01/2023

Prerequisites
You must use the following version:

2015-07-01 or later

For more information, see API versions of Azure RBAC REST APIs.

List all custom role definitions

To list all custom role definitions in a tenant, use the Role Definitions - List REST API.

The following example lists all custom role definitions in a tenant:

Request

HTTP

GET
https://management.azure.com/providers/Microsoft.Authorization/roleDefi
nitions?$filter=type+eq+'CustomRole'&api-version=2022-04-01

Response

JSON

"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",

List all custom role definitions at a scope

To list custom role definitions at a scope, use the Role Definitions - List REST API.

1. Start with the following request:

HTTP

GET
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleDefinitions?$filter={filter}&api-version=2022-04-01
2. Within the URI, replace {scope} with the scope for which you want to list the roles.

ﾉ Expand table

Scope Type

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/{resourceGroup1}

subscriptions/{subscriptionId1}/resourceG Resource
roups/{resourceGroup1}/providers/Microsof
t.Web/sites/{site1}

providers/Microsoft.Management/management Management group

Groups/{groupId1}

3. Replace {filter} with the role type.

ﾉ Expand table

Filter Description

$filter=type+eq+'CustomRole' Filter based on the CustomRole type

The following example lists all custom role definitions in a subscription:

Request

HTTP

GET https://management.azure.com/subscriptions/473a4f86-11e3-48cb-9358-
e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions?
$filter=type+eq+'CustomRole'&api-version=2022-04-01

Response

JSON

"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",

"Microsoft.Billing/invoices/download/action",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Microsoft.CostManagement/exports/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2021-05-22T21:57:23.5764138Z",
"updatedOn": "2021-05-22T21:57:23.5764138Z",
"createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
"updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
},
"id": "/subscriptions/473a4f86-11e3-48cb-9358-
e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions/17adabda
-4bf1-4f4e-8c97-1f0cab6dea1c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
}
]
}

List a custom role definition by name

To get information about a custom role definition by its display name, use the Role
Definitions - Get REST API.

1. Start with the following request:

HTTP

GET
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleDefinitions?$filter={filter}&api-version=2022-04-01

2. Within the URI, replace {scope} with the scope for which you want to list the roles.

ﾉ Expand table

Scope Type

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/{resourceGroup1}

subscriptions/{subscriptionId1}/resourceG Resource
roups/{resourceGroup1}/providers/Microsof
t.Web/sites/{site1}

providers/Microsoft.Management/management Management group

Groups/{groupId1}

3. Replace {filter} with the display name for the role.

ﾉ Expand table

Filter Description

$filter=roleName+eq+'{roleDisplayName}' Use the URL encoded form of the exact

display name of the role. For instance, $filt
er=roleName+eq+'Virtual%20Machine%20Contri
butor'

The following example lists a custom role definition named Billing Reader Plus in a
subscription:

Request

HTTP

GET https://management.azure.com/subscriptions/473a4f86-11e3-48cb-9358-
e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions?
$filter=roleName+eq+'Billing Reader Plus'&api-version=2022-04-01

Response

JSON
{
"value": [
{
"properties": {
"roleName": "Billing Reader Plus",
"type": "CustomRole",
"description": "Read billing data and download
invoices",
"assignableScopes": [
"/subscriptions/473a4f86-11e3-48cb-9358-
e13c220a2f15"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Billing/*/read",
"Microsoft.Commerce/*/read",
"Microsoft.Consumption/*/read",

"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",

"Microsoft.Billing/invoices/download/action",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Microsoft.CostManagement/exports/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2021-05-22T21:57:23.5764138Z",
"updatedOn": "2021-05-22T21:57:23.5764138Z",
"createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
"updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
},
"id": "/subscriptions/473a4f86-11e3-48cb-9358-
e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions/17adabda
-4bf1-4f4e-8c97-1f0cab6dea1c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
}
]
}

List a custom role definition by ID

To get information about a custom role definition by its unique identifier, use the Role
Definitions - Get REST API.
1. Use the Role Definitions - List REST API to get the GUID identifier for the role.

2. Start with the following request:

HTTP

GET
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleDefinitions/{roleDefinitionId}?api-version=2022-04-01

3. Within the URI, replace {scope} with the scope for which you want to list the roles.

ﾉ Expand table

Scope Type

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/{resourceGroup1}

subscriptions/{subscriptionId1}/resourceG Resource
roups/{resourceGroup1}/providers/Microsof
t.Web/sites/{site1}

providers/Microsoft.Management/management Management group

Groups/{groupId1}

4. Replace {roleDefinitionId} with the GUID identifier of the role definition.

The following example lists a custom role definition with the identifier 17adabda-
4bf1-4f4e-8c97-1f0cab6dea1c in a subscription:

Request

HTTP

GET https://management.azure.com/subscriptions/473a4f86-11e3-48cb-9358-
e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions/17adabda
-4bf1-4f4e-8c97-1f0cab6dea1c?api-version=2022-04-01

Response

JSON

{
"properties": {
"roleName": "Billing Reader Plus",
"type": "CustomRole",
"description": "Read billing data and download invoices",
"assignableScopes": [
"/subscriptions/473a4f86-11e3-48cb-9358-e13c220a2f15"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Billing/*/read",
"Microsoft.Commerce/*/read",
"Microsoft.Consumption/*/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",
"Microsoft.Billing/invoices/download/action",
"Microsoft.CostManagement/exports/*"
],
"notActions": [
"Microsoft.CostManagement/exports/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"createdOn": "2021-05-22T21:57:23.5764138Z",
"updatedOn": "2021-05-22T21:57:23.5764138Z",
"createdBy": "68f66d4c-c0eb-4009-819b-e5315d677d70",
"updatedBy": "68f66d4c-c0eb-4009-819b-e5315d677d70"
},
"id": "/subscriptions/473a4f86-11e3-48cb-9358-
e13c220a2f15/providers/Microsoft.Authorization/roleDefinitions/17adabda
-4bf1-4f4e-8c97-1f0cab6dea1c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "17adabda-4bf1-4f4e-8c97-1f0cab6dea1c"
}

Create a custom role

To create a custom role, use the Role Definitions - Create Or Update REST API. To call
this API, you must be signed in with a user that is assigned a role that has the
Microsoft.Authorization/roleDefinitions/write permission on all the
assignableScopes . Of the built-in roles, only Owner and User Access Administrator

include this permission.

1. Review the list of resource provider operations that are available to create the
permissions for your custom role.

2. Use a GUID tool to generate a unique identifier that will be used for the custom
role identifier. The identifier has the format: 00000000-0000-0000-0000-000000000000
3. Start with the following request and body:

HTTP

PUT
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleDefinitions/{roleDefinitionId}?api-version=2022-04-01

JSON

{
"name": "{roleDefinitionId}",
"properties": {
"roleName": "",
"description": "",
"type": "CustomRole",
"permissions": [
{
"actions": [

],
"notActions": [

]
}
],
"assignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",

"/subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}",

"/subscriptions/{subscriptionId2}/resourceGroups/{resourceGroup2}",
"/providers/Microsoft.Management/managementGroups/{groupId1}"
]
}
}

4. Within the URI, replace {scope} with the first assignableScopes of the custom role.

ﾉ Expand table

Scope Type

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/{resourceGroup1}
Scope Type

providers/Microsoft.Management/management Management group

Groups/{groupId1}

5. Replace {roleDefinitionId} with the GUID identifier of the custom role.

6. Within the request body, replace {roleDefinitionId} with the GUID identifier.

7. If assignableScopes is a subscription or resource group, replace the {subscriptionId}

or {resourceGroup} instances with your identifiers.

8. If assignableScopes is a management group, replace the {groupId} instance with

your management group identifier.

9. In the actions property, add the actions that the role allows to be performed.

10. In the notActions property, add the actions that are excluded from the allowed
actions .

11. In the roleName and description properties, specify a unique role name and a
description. For more information about the properties, see Azure custom roles.

The following shows an example of a request body:

JSON

{
"name": "88888888-8888-8888-8888-888888888888",
"properties": {
"roleName": "Virtual Machine Operator",
"description": "Can monitor and restart virtual machines.",
"type": "CustomRole",
"permissions": [
{
"actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": []
}
],
"assignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000",
"/providers/Microsoft.Management/managementGroups/marketing-
group"
]
}
}

Update a custom role

To update a custom role, use the Role Definitions - Create Or Update REST API. To call
this API, you must be signed in with a user that is assigned a role that has the
Microsoft.Authorization/roleDefinitions/write permission on all the

assignableScopes , such as User Access Administrator.

1. Use the Role Definitions - List or Role Definitions - Get REST API to get information
about the custom role. For more information, see the earlier List all custom role
definitions section.

2. Start with the following request:

HTTP

PUT
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleDefinitions/{roleDefinitionId}?api-version=2022-04-01

3. Within the URI, replace {scope} with the first assignableScopes of the custom role.

ﾉ Expand table

Scope Type

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/{resourceGroup1}

providers/Microsoft.Management/management Management group

Groups/{groupId1}

4. Replace {roleDefinitionId} with the GUID identifier of the custom role.

5. Based on the information about the custom role, create a request body with the
following format:
JSON

{
"name": "{roleDefinitionId}",
"properties": {
"roleName": "",
"description": "",
"type": "CustomRole",
"permissions": [
{
"actions": [

],
"notActions": [

]
}
],
"assignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",

"/subscriptions/{subscriptionId1}/resourceGroups/{resourceGroup1}",

"/subscriptions/{subscriptionId2}/resourceGroups/{resourceGroup2}",
"/providers/Microsoft.Management/managementGroups/{groupId1}"
]
}
}

6. Update the request body with the changes you want to make to the custom role.

The following shows an example of a request body with a new diagnostic settings
action added:

JSON

{
"name": "88888888-8888-8888-8888-888888888888",
"properties": {
"roleName": "Virtual Machine Operator",
"description": "Can monitor and restart virtual machines.",
"type": "CustomRole",
"permissions": [
{
"actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"notActions": []
}
],
"assignableScopes": [
"/subscriptions/00000000-0000-0000-0000-000000000000",
"/providers/Microsoft.Management/managementGroups/marketing-
group"
]
}
}

Delete a custom role

To delete a custom role, use the Role Definitions - Delete REST API. To call this API, you
must be signed in with a user that is assigned a role that has the
Microsoft.Authorization/roleDefinitions/delete permission on all the

assignableScopes . Of the built-in roles, only Owner and User Access Administrator

include this permission.

1. Remove any role assignments that use the custom role. For more information, see
Find role assignments to delete a custom role.

2. Use the Role Definitions - List or Role Definitions - Get REST API to get the GUID
identifier of the custom role. For more information, see the earlier List all custom
role definitions section.

3. Start with the following request:

HTTP

DELETE
https://management.azure.com/{scope}/providers/Microsoft.Authorization/
roleDefinitions/{roleDefinitionId}?api-version=2022-04-01

4. Within the URI, replace {scope} with the scope that you want to delete the custom
role.

ﾉ Expand table
Scope Type

subscriptions/{subscriptionId1} Subscription

subscriptions/{subscriptionId1}/resourceG Resource group

roups/{resourceGroup1}

providers/Microsoft.Management/management Management group

Groups/{groupId1}

5. Replace {roleDefinitionId} with the GUID identifier of the custom role.

Next steps
Azure custom roles
Assign Azure roles using the REST API
Azure REST API Reference
Create or update Azure custom roles
using Bicep
Article • 02/16/2024

If the Azure built-in roles don't meet the specific needs of your organization, you can
create your own custom roles. This article describes how to create or update a custom
role using Bicep.

To create a custom role, you specify a role name, role permissions, and where the role
can be used. In this article, you create a role named Custom Role - RG Reader with
resource permissions that can be assigned at a subscription scope or lower.

Prerequisites
To create a custom role, you must have permissions to create custom roles, such as User
Access Administrator.

You also must have an active Azure subscription. If you don't have one, you can create a
free account before you begin.

Review the Bicep file

The Bicep file used in this article is from Azure Quickstart Templates . The Bicep file has
four parameters and a resources section. The four parameters are:

Array of actions with a default value of

["Microsoft.Resources/subscriptions/resourceGroups/read"] .

Array of notActions with an empty default value.

Role name with a default value of Custom Role - RG Reader .
Role description with a default value of Subscription Level Deployment of a Role
Definition .

The scope where this custom role can be assigned is set to the current subscription.
A custom role requires a unique ID. The ID can be generated with the guid() function.
Since a custom role also requires a unique display name for the tenant, you can use the
role name as a parameter for the guid() function to create a deterministic GUID. A
deterministic GUID is useful if you later need to update the custom role using the same
Bicep file.

Bicep

targetScope = 'subscription'

@description('Array of actions for the roleDefinition')

param actions array = [
'Microsoft.Resources/subscriptions/resourceGroups/read'
]

@description('Array of notActions for the roleDefinition')

param notActions array = []

@description('Friendly name of the role definition')

param roleName string = 'Custom Role - RG Reader'

@description('Detailed description of the role definition')

param roleDescription string = 'Subscription Level Deployment of a Role
Definition'

var roleDefName = guid(roleName)

resource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {

name: roleDefName
properties: {
roleName: roleName
description: roleDescription
type: 'customRole'
permissions: [
{
actions: actions
notActions: notActions
}
]
assignableScopes: [
subscription().id
]
}
}

The resource defined in the Bicep file is:

Microsoft.Authorization/roleDefinitions
Deploy the Bicep file
1. Save the Bicep file as main.bicep to your local computer.

2. Create a variable named myActions with the actions for the roleDefinition.

CLI

Azure CLI

$myActions='["Microsoft.Resources/subscriptions/resourceGroups/read
"]'

3. Deploy the Bicep file using either Azure CLI or Azure PowerShell.

CLI

Azure CLI

az deployment sub create --location eastus --name customRole --

template-file ./main.bicep --parameters actions=$myActions

When the deployment finishes, you should see a message indicating the deployment
succeeded.

Review deployed resources

Use the Azure portal, Azure CLI, or Azure PowerShell to verify that the custom role was
created.

CLI

Azure CLI

az role definition list --name "Custom Role - RG Reader"

Update a custom role

Similar to creating a custom role, you can update an existing custom role using Bicep. To
update a custom role, you need to specify the role you want to update. If you previously
created the custom role in Bicep with a unique role ID that is deterministic, you can use
the same Bicep file and specify the custom role by just using the display name.

1. Specify the updated actions.

CLI

Azure CLI

$myActions='["Microsoft.Resources/resources/read","Microsoft.Resour
ces/subscriptions/resourceGroups/read"]'

2. Use Azure CLI or Azure PowerShell to update the custom role.

CLI

Azure CLI

az deployment sub create --location eastus --name customrole --

template-file ./main.bicep --parameters actions=$myActions
roleName="Custom Role - RG Reader"

７ Note

It may take several minutes for the updated custom role to be propagated.

Clean up resources
When no longer needed, use the Azure portal, Azure CLI, or Azure PowerShell to remove
the custom role.

CLI

Azure CLI

az role definition delete --name "Custom Role - RG Reader"

Next steps
Understand Azure role definitions
Bicep documentation
Create or update Azure custom roles
using an ARM template
Article • 12/01/2023

If the Azure built-in roles don't meet the specific needs of your organization, you can
create your own custom roles. This article describes how to create or update a custom
role using an Azure Resource Manager template (ARM template).

To create a custom role, you specify a role name, permissions, and where the role can be
used. In this article, you create a role named Custom Role - RG Reader with resource
permissions that can be assigned at a subscription scope or lower.

If your environment meets the prerequisites and you're familiar with using ARM
templates, select the Deploy to Azure button. The template will open in the Azure
portal.

Prerequisites
To create a custom role, you must have:

Permissions to create custom roles, such as User Access Administrator.

You must use the following version:

2018-07-01 or later

For more information, see API versions of Azure RBAC REST APIs.

Review the template

The template used in this article is from Azure Quickstart Templates . The template has
four parameters and a resources section. The four parameters are:
Array of actions with a default value of
["Microsoft.Resources/subscriptions/resourceGroups/read"] .

Array of notActions with an empty default value.

Role name with a default value of Custom Role - RG Reader .
Role description with a default value of Subscription Level Deployment of a Role
Definition .

The scope where this custom role can be assigned is set to the current subscription.

JSON

{
"$schema": "https://schema.management.azure.com/schemas/2018-05-
01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.5.6.12127",
"templateHash": "2227781763411200690"
}
},
"parameters": {
"actions": {
"type": "array",
"defaultValue": [
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"metadata": {
"description": "Array of actions for the roleDefinition"
}
},
"notActions": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "Array of notActions for the roleDefinition"
}
},
"roleName": {
"type": "string",
"defaultValue": "Custom Role - RG Reader",
"metadata": {
"description": "Friendly name of the role definition"
}
},
"roleDescription": {
"type": "string",
"defaultValue": "Subscription Level Deployment of a Role Definition",
"metadata": {
"description": "Detailed description of the role definition"
}
}
},
"variables": {
"roleDefName": "[guid(subscription().id, string(parameters('actions')),
string(parameters('notActions')))]"
},
"resources": [
{
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2018-07-01",
"name": "[variables('roleDefName')]",
"properties": {
"roleName": "[parameters('roleName')]",
"description": "[parameters('roleDescription')]",
"type": "customRole",
"permissions": [
{
"actions": "[parameters('actions')]",
"notActions": "[parameters('notActions')]"
}
],
"assignableScopes": [
"[subscription().id]"
]
}
}
]
}

The resource defined in the template is:

Microsoft.Authorization/roleDefinitions

Deploy the template

Follow these steps to deploy the previous template.

1. Sign in to the Azure portal .

2. Open Azure Cloud Shell for PowerShell.

3. Copy and paste the following script into Cloud Shell.

Azure PowerShell

$location = Read-Host -Prompt "Enter a location (i.e. centralus)"

[string[]]$actions = Read-Host -Prompt "Enter actions as a comma-
separated list (i.e. action1,action2)"
$actions = $actions.Split(',')
$templateUri = "https://raw.githubusercontent.com/Azure/azure-
quickstart-templates/master/subscription-deployments/create-role-
def/azuredeploy.json"
New-AzDeployment -Location $location -TemplateUri $templateUri -actions
$actions

4. Enter a location for the deployment such as centralus .

5. Enter a list of actions for the custom role as a comma-separated list such as
Microsoft.Resources/resources/read,Microsoft.Resources/subscriptions/resourceG
roups/read .

6. If necessary, press Enter to run the New-AzDeployment command.

The New-AzDeployment command deploys the template to create the custom

role.

You should see output similar to the following:

Azure PowerShell

PS> New-AzDeployment -Location $location -TemplateUri $templateUri -

actions $actions

Id :
/subscriptions/{subscriptionId}/providers/Microsoft.Resources/deploymen
ts/azuredeploy
DeploymentName : azuredeploy
Location : centralus
ProvisioningState : Succeeded
Timestamp : 6/25/2020 8:08:32 PM
Mode : Incremental
TemplateLink :
Uri :
https://raw.githubusercontent.com/Azure/azure-quickstart-
templates/master/subscription-deployments/create-role-
def/azuredeploy.json
ContentVersion : 1.0.0.0

Parameters :
Name Type
Value
================= =========================
==========
actions Array
[
"Microsoft.Resources/resources/read",

"Microsoft.Resources/subscriptions/resourceGroups/read"
]
notActions Array
[]
roleName String
Custom Role - RG Reader
roleDescription String
Subscription Level Deployment of a Role Definition

Outputs :
DeploymentDebugLogLevel :

Review deployed resources

Follow these steps to verify that the custom role was created.

1. Run the Get-AzRoleDefinition command to list the custom role.

Azure PowerShell

Get-AzRoleDefinition "Custom Role - RG Reader" | ConvertTo-Json

You should see output similar to the following:

Azure PowerShell

{
"Name": "Custom Role - RG Reader",
"Id": "11111111-1111-1111-1111-111111111111",
"IsCustom": true,
"Description": "Subscription Level Deployment of a Role Definition",
"Actions": [
"Microsoft.Resources/resources/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/subscriptions/{subscriptionId}"
]
}

2. In the Azure portal, open your subscription.

3. In the left menu, select Access control (IAM).

4. Select the Roles tab.

5. Set the Type list to CustomRole.

6. Verify that the Custom Role - RG Reader role is listed.

Update a custom role
Similar to creating a custom role, you can update an existing custom role by using a
template. To update a custom role, you must specify the role you want to update.

Here are the changes you would need to make to the previous Quickstart template to
update the custom role.

Include the role ID as a parameter.

JSON

...
"roleDefName": {
"type": "string",
"metadata": {
"description": "ID of the role definition"
}
...

Include the role ID parameter in the role definition.

JSON

...
"resources": [
{
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2022-04-01",
"name": "[parameters('roleDefName')]",
"properties": {
...
Here's an example of how to deploy the template.

Azure PowerShell

$location = Read-Host -Prompt "Enter a location (i.e. centralus)"

[string[]]$actions = Read-Host -Prompt "Enter actions as a comma-separated
list (i.e. action1,action2)"
$actions = $actions.Split(',')
$roleDefName = Read-Host -Prompt "Enter the role ID to update"
$templateFile = "rg-reader-update.json"
New-AzDeployment -Location $location -TemplateFile $templateFile -actions
$actions -roleDefName $roleDefName

Clean up resources
To remove the custom role, follow these steps.

1. Run the following command to remove the custom role.

Azure PowerShell

Get-AzRoleDefinition -Name "Custom Role - RG Reader" | Remove-

AzRoleDefinition

2. Enter Y to confirm that you want to remove the custom role.

Next steps
Understand Azure role definitions
Quickstart: Assign an Azure role using an Azure Resource Manager template
ARM template documentation
View activity logs for Azure RBAC
changes
Article • 08/21/2022

Sometimes you need information about Azure role-based access control (Azure RBAC)
changes, such as for auditing or troubleshooting purposes. Anytime someone makes
changes to role assignments or role definitions within your subscriptions, the changes
get logged in Azure Activity Log. You can view the activity logs to see all the Azure RBAC
changes for the past 90 days.

Operations that are logged

Here are the Azure RBAC-related operations that are logged in Activity Log:

Create role assignment

Delete role assignment
Create or update custom role definition
Delete custom role definition

Azure portal
The easiest way to get started is to view the activity logs with the Azure portal. The
following screenshot shows an example of role assignment operations in the activity log.
It also includes an option to download the logs as a CSV file.
To get more information, click an entry to open the summary pane. Click the JSON tab
to get a detailed log.

The activity log in the portal has several filters. Here are the Azure RBAC-related filters:

Filter Value

Event category Administrative

Filter Value

Operation Create role assignment

Delete role assignment
Create or update custom role definition
Delete custom role definition

For more information about activity logs, see Azure Activity log.

Interpret a log entry

The log output from the JSON tab, Azure PowerShell, or Azure CLI can include a lot of
information. Here are some of the key properties to look for when trying to interpret a
log entry. For ways to filter the log output using Azure PowerShell or Azure CLI, see the
following sections.

Property Example values Description

authorization:action Microsoft.Authorization/roleAs Create role assignment

signments/write

Microsoft.Authorization/roleAs Delete role assignment

signments/delete

Microsoft.Authorization/roleDe Create or update role

finitions/write definition

Microsoft.Authorization/roleDe Delete role definition

finitions/delete

authorization:scope /subscriptions/{subscriptionId} Scope for the action

/subscriptions/{subscriptionId}
/resourceGroups/{resourceGro
upName}/providers/Microsoft.
Authorization/roleAssignments
/{roleAssignmentId}

caller admin@example.com Who initiated the action

{objectId}

eventTimestamp 2021-03-01T22:07:41.126243Z Time that action occurred

status:value Started Status of the action

Succeeded
Failed
Azure PowerShell
To view activity logs with Azure PowerShell, use the Get-AzLog command.

This command lists all role assignment changes in a subscription for the past seven
days:

Azure PowerShell

Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object

{$_.Authorization.Action -like 'Microsoft.Authorization/roleAssignments/*'}

This command lists all role definition changes in a resource group for the past seven
days:

Azure PowerShell

Get-AzLog -ResourceGroupName pharma-sales -StartTime (Get-Date).AddDays(-7)

| Where-Object {$_.Authorization.Action -like
'Microsoft.Authorization/roleDefinitions/*'}

Filter log output

The log output can include a lot of information. This command lists all role assignment
and role definition changes in a subscription for the past seven days and filters the
output:

Azure PowerShell

Get-AzLog -StartTime (Get-Date).AddDays(-7) | Where-Object

{$_.Authorization.Action -like 'Microsoft.Authorization/role*'} | Format-
List Caller,EventTimestamp,{$_.Authorization.Action},Properties

The following shows an example of the filtered log output when creating a role
assignment:

Azure PowerShell

Caller : admin@example.com
EventTimestamp : 3/1/2021 10:07:42 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties :
statusCode : Created
serviceRequestId: {serviceRequestId}
eventCategory : Administrative
entity :
/subscriptions/{subscriptionId}/resourceGroups/example-
group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}
message :
Microsoft.Authorization/roleAssignments/write
hierarchy : {tenantId}/{subscriptionId}

Caller : admin@example.com
EventTimestamp : 3/1/2021 10:07:41 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties :
requestbody : {"Id":"
{roleAssignmentId}","Properties":{"PrincipalId":"
{principalId}","PrincipalType":"User","RoleDefinitionId":"/providers/Microso
ft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-
ce449e1d2c64","Scope":"/subscriptions/
{subscriptionId}/resourceGroups/example-group"}}
eventCategory : Administrative
entity :
/subscriptions/{subscriptionId}/resourceGroups/example-
group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}
message :
Microsoft.Authorization/roleAssignments/write
hierarchy : {tenantId}/{subscriptionId}

If you are using a service principal to create role assignments, the Caller property will be
a service principal object ID. You can use Get-AzADServicePrincipal to get information
about the service principal.

Example

Caller : {objectId}
EventTimestamp : 3/1/2021 9:43:08 PM
$_.Authorization.Action : Microsoft.Authorization/roleAssignments/write
Properties :
statusCode : Created
serviceRequestId: {serviceRequestId}
eventCategory : Administrative

Azure CLI
To view activity logs with the Azure CLI, use the az monitor activity-log list command.

This command lists the activity logs in a resource group from March 1, looking forward
seven days:

Azure CLI
az monitor activity-log list --resource-group example-group --start-time
2021-03-01 --offset 7d

This command lists the activity logs for the Authorization resource provider from March
1, looking forward seven days:

Azure CLI

az monitor activity-log list --namespace "Microsoft.Authorization" --start-

time 2021-03-01 --offset 7d

Filter log output

The log output can include a lot of information. This command lists all role assignment
and role definition changes in a subscription looking forward seven days and filters the
output:

Azure CLI

az monitor activity-log list --namespace "Microsoft.Authorization" --start-

time 2021-03-01 --offset 7d --query '[].{authorization:authorization,
caller:caller, eventTimestamp:eventTimestamp, properties:properties}'

The following shows an example of the filtered log output when creating a role
assignment:

Azure CLI

[
{
"authorization": {
"action": "Microsoft.Authorization/roleAssignments/write",
"role": null,
"scope": "/subscriptions/{subscriptionId}/resourceGroups/example-
group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}"
},
"caller": "admin@example.com",
"eventTimestamp": "2021-03-01T22:07:42.456241+00:00",
"properties": {
"entity": "/subscriptions/{subscriptionId}/resourceGroups/example-
group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
"eventCategory": "Administrative",
"hierarchy": "{tenantId}/{subscriptionId}",
"message": "Microsoft.Authorization/roleAssignments/write",
"serviceRequestId": "{serviceRequestId}",
"statusCode": "Created"
}
},
{
"authorization": {
"action": "Microsoft.Authorization/roleAssignments/write",
"role": null,
"scope": "/subscriptions/{subscriptionId}/resourceGroups/example-
group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}"
},
"caller": "admin@example.com",
"eventTimestamp": "2021-03-01T22:07:41.126243+00:00",
"properties": {
"entity": "/subscriptions/{subscriptionId}/resourceGroups/example-
group/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}",
"eventCategory": "Administrative",
"hierarchy": "{tenantId}/{subscriptionId}",
"message": "Microsoft.Authorization/roleAssignments/write",
"requestbody": "{\"Id\":\"{roleAssignmentId}\",\"Properties\":
{\"PrincipalId\":\"
{principalId}\",\"PrincipalType\":\"User\",\"RoleDefinitionId\":\"/providers
/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-
ce449e1d2c64\",\"Scope\":\"/subscriptions/{subscriptionId}/resourceGroups/ex
ample-group\"}}"
}
}
]

Azure Monitor logs

Azure Monitor logs is another tool you can use to collect and analyze Azure RBAC
changes for all your Azure resources. Azure Monitor logs has the following benefits:

Write complex queries and logic

Integrate with alerts, Power BI, and other tools
Save data for longer retention periods
Cross-reference with other logs such as security, virtual machine, and custom

Here are the basic steps to get started:

1. Create a Log Analytics workspace.

2. Configure the Activity for your workspace.

3. View the activity logs Insights. A quick way to navigate to the Activity Log
Overview page is to click the Logs option.
4. Optionally use the Azure Monitor Log Analytics to query and view the logs. For
more information, see Get started with log queries in Azure Monitor.

Here's a query that returns new role assignments organized by target resource provider:

Kusto

AzureActivity
| where TimeGenerated > ago(60d) and Authorization contains
"Microsoft.Authorization/roleAssignments/write" and ActivityStatus ==
"Succeeded"
| parse ResourceId with * "/providers/" TargetResourceAuthProvider "/" *
| summarize count(), makeset(Caller) by TargetResourceAuthProvider

Here's a query that returns role assignment changes displayed in a chart:

Kusto

AzureActivity
| where TimeGenerated > ago(60d) and Authorization contains
"Microsoft.Authorization/roleAssignments"
| summarize count() by bin(TimeGenerated, 1d), OperationName
| render timechart
Next steps
Alert on privileged Azure role assignments
View activity logs to monitor actions on resources
Monitor subscription activity with the Azure Activity log
Alert on privileged Azure role
assignments
Article • 11/15/2023

Privileged Azure roles, such as Contributor, Owner, or User Access Administrator, are
powerful roles and may introduce risk into your system. You might want to be notified
by email or text message when these or other roles are assigned. This article describes
how to get notified of privileged role assignments at a subscription scope by creating an
alert rule using Azure Monitor.

Prerequisites
To create an alert rule, you must have:

Access to an Azure subscription

Permission to create resource groups and resources within the subscription
Log Analytics configured so it has access to the AzureActivity table

Estimate costs before using Azure Monitor

There's a cost associated with using Azure Monitor and alert rules. The cost is based on
the frequency the query is executed and the notifications selected. For more
information, see Azure Monitor pricing .

Create an alert rule

To get notified of privileged role assignments, you create an alert rule in Azure Monitor.

1. Sign in to the Azure portal .

2. Navigate to Monitor.

3. In the left navigation, click Alerts.

4. Click Create > Alert rule. The Create an alert rule page opens.

5. On the Scope tab, select your subscription.

6. On the Condition tab, select the Custom log search signal name.
7. In the Log query box, add the following Kusto query that will run on the
subscription's log and trigger the alert.

This query filters for attempts to assign the Contributor, Owner, or User Access
Administrator roles at the scope of the selected subscription.

Kusto

AzureActivity
| where CategoryValue =~ "Administrative" and
OperationNameValue =~
"Microsoft.Authorization/roleAssignments/write" and
(ActivityStatusValue =~ "Start" or ActivityStatus =~ "Started")
| extend Properties_d = todynamic(Properties)
| extend RoleDefinition =
extractjson("$.Properties.RoleDefinitionId",tostring(Properties_d.reque
stbody),typeof(string))
| extend PrincipalId =
extractjson("$.Properties.PrincipalId",tostring(Properties_d.requestbod
y),typeof(string))
| extend PrincipalType =
extractjson("$.Properties.PrincipalType",tostring(Properties_d.requestb
ody),typeof(string))
| extend Scope =
extractjson("$.Properties.Scope",tostring(Properties_d.requestbody),typ
eof(string))
| where Scope !contains "resourcegroups"
| extend RoleId = split(RoleDefinition,'/')[-1]
| extend RoleDisplayName = case(
RoleId =~ 'b24988ac-6180-42a0-ab88-20f7382dd24c', "Contributor",
RoleId =~ '8e3af657-a8ff-443c-a75c-2fe8c4bcb635', "Owner",
RoleId =~ '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9', "User Access
Administrator",
"Irrelevant")
| where RoleDisplayName != "Irrelevant"
| project TimeGenerated,Scope,
PrincipalId,PrincipalType,RoleDisplayName


8. In the Measurement section, set the following values:

Measure: Table rows

Aggregation type: Count
Aggregation granularity: 5 minutes

For Aggregation granularity, you can change the default value to a frequency you
desire.

9. In the Split by dimensions section, set Resource ID column to Don't split.

10. In the Alert logic section, set the following values:

Operator: Greater than

Threshold value: 0
Frequency of evaluation: 5 minutes

For Frequency of evaluation, you can change the default value to a frequency you
desire.

11. On the Actions tab, create an action group or select an existing action group.
An action group defines the actions and notifications that are executed when the
alert is triggered.

When you create an action group, you must specify the resource group to put the
action group within. Then, select the notifications (Email/SMS message/Push/Voice
action) to invoke when the alert rule triggers. You can skip the Actions and Tag
tabs. For more information, see Create and manage action groups in the Azure
portal.

12. On the Details tab, select the resource group to save the alert rule.

13. In the Alert rule details section, select a Severity and specify an Alert rule name.

14. For Region, you can select any region since Azure activity logs are global.

15. Skip the Tags tab.

16. On the Review + create tab, click Create to create your alert rule.

Test the alert rule

Once you've created an alert rule, you can test that it fires.

1. Assign the Contributor, Owner, or User Access Administrator role at subscription

scope. For more information, see Assign Azure roles using the Azure portal.

2. Wait a few minutes to receive the alert based on the aggregation granularity and
the frequency of evaluation of the log query.

3. On the Alerts page, monitor for alert you specified in the action group.

The following image shows an example of the email alert.



Delete the alert rule

Follow these steps to delete the role assignment alert rule and stop additional costs.

1. In Monitor, navigate to Alerts.

2. In the bar, click Alert rules.

3. Add a checkmark next to the alert rule you want to delete.

4. Click Delete to remove the alert.

Next steps
Create, view, and manage activity log alerts by using Azure Monitor
View activity logs for Azure RBAC changes
Elevate access to manage all Azure
subscriptions and management groups
Article • 02/16/2024

As a Global Administrator in Microsoft Entra ID, you might not have access to all
subscriptions and management groups in your directory. This article describes the ways
that you can elevate your access to all subscriptions and management groups.

７ Note

For information about viewing or deleting personal data, see Azure Data Subject
Requests for the GDPR. For more information about GDPR, see the GDPR section
of the Microsoft Trust Center and the GDPR section of the Service Trust
portal .

Why would you need to elevate your access?

If you are a Global Administrator, there might be times when you want to do the
following actions:

Regain access to an Azure subscription or management group when a user has lost
access
Grant another user or yourself access to an Azure subscription or management
group
See all Azure subscriptions or management groups in an organization
Allow an automation app (such as an invoicing or auditing app) to access all Azure
subscriptions or management groups

How does elevated access work?

Microsoft Entra ID and Azure resources are secured independently from one another.
That is, Microsoft Entra role assignments do not grant access to Azure resources, and
Azure role assignments do not grant access to Microsoft Entra ID. However, if you are a
Global Administrator in Microsoft Entra ID, you can assign yourself access to all Azure
subscriptions and management groups in your directory. Use this capability if you don't
have access to Azure subscription resources, such as virtual machines or storage
accounts, and you want to use your Global Administrator privilege to gain access to
those resources.
When you elevate your access, you will be assigned the User Access Administrator role
in Azure at root scope ( / ). This allows you to view all resources and assign access in any
subscription or management group in the directory. User Access Administrator role
assignments can be removed using Azure PowerShell, Azure CLI, or the REST API.

You should remove this elevated access once you have made the changes you need to
make at root scope.

Perform steps at root scope

Azure portal

Step 1: Elevate access for a Global Administrator

Follow these steps to elevate access for a Global Administrator using the Azure
portal.

1. Sign in to the Azure portal as a Global Administrator.

If you are using Microsoft Entra Privileged Identity Management, activate your
Global Administrator role assignment.

2. Open Microsoft Entra ID.

3. Under Manage, select Properties.

4. Under Access management for Azure resources, set the toggle to Yes.

When you set the toggle to Yes, you are assigned the User Access
Administrator role in Azure RBAC at root scope (/). This grants you permission
to assign roles in all Azure subscriptions and management groups associated
with this Microsoft Entra directory. This toggle is only available to users who
are assigned the Global Administrator role in Microsoft Entra ID.

When you set the toggle to No, the User Access Administrator role in Azure
RBAC is removed from your user account. You can no longer assign roles in all
Azure subscriptions and management groups that are associated with this
Microsoft Entra directory. You can view and manage only the Azure
subscriptions and management groups to which you have been granted
access.

７ Note

If you're using Privileged Identity Management, deactivating your role

assignment does not change the Access management for Azure
resources toggle to No. To maintain least privileged access, we
recommend that you set this toggle to No before you deactivate your
role assignment.

5. Click Save to save your setting.

This setting is not a global property and applies only to the currently signed in
user. You can't elevate access for all members of the Global Administrator role.

6. Sign out and sign back in to refresh your access.

You should now have access to all subscriptions and management groups in
your directory. When you view the Access control (IAM) pane, you'll notice
that you have been assigned the User Access Administrator role at root scope.

7. Make the changes you need to make at elevated access.

For information about assigning roles, see Assign Azure roles using the Azure
portal. If you are using Privileged Identity Management, see Discover Azure
resources to manage or Assign Azure resource roles.

8. Perform the steps in the following section to remove your elevated access.
Step 2: Remove elevated access
To remove the User Access Administrator role assignment at root scope ( / ), follow
these steps.

1. Sign in as the same user that was used to elevate access.

2. In the navigation list, click Microsoft Entra ID and then click Properties.

3. Set the Access management for Azure resources toggle back to No. Since
this is a per-user setting, you must be signed in as the same user as was used
to elevate access.

If you try to remove the User Access Administrator role assignment on the
Access control (IAM) pane, you'll see the following message. To remove the
role assignment, you must set the toggle back to No or use Azure PowerShell,
Azure CLI, or the REST API.

4. Sign out as Global Administrator.

If you are using Privileged Identity Management, deactivate your Global

Administrator role assignment.

７ Note

If you're using Privileged Identity Management, deactivating your role

View elevate access log entries in the Directory

Activity logs
When access is elevated, an entry is added to the logs. As a Global Administrator in
Microsoft Entra ID, you might want to check when access was elevated and who did it.
Elevate access log entries do not appear in the standard activity logs, but instead appear
in the Directory Activity logs. This section describes different ways that you can view the
elevate access log entries.

View elevate access log entries using the Azure portal

1. Sign in to the Azure portal as a Global Administrator.

2. Open Monitor > Activity log.

3. Change the Activity list to Directory Activity.

4. Search for the following operation, which signifies the elevate access action.

Assigns the caller to User Access Administrator role

View elevate access log entries using Azure CLI

1. Use the az login command to sign in as Global Administrator.
2. Use the az rest command to make the following call where you will have to filter by
a date as shown with the example timestamp and specify a filename where you
want the logs to be stored.

The url calls an API to retrieve the logs in Microsoft.Insights. The output will be
saved to your file.

Azure CLI

az rest --url
"https://management.azure.com/providers/Microsoft.Insights/eventtypes/m
anagement/values?api-version=2015-04-01&$filter=eventTimestamp ge
'2021-09-10T20:00:00Z'" > output.txt

3. In the output file, search for elevateAccess .

The log will resemble the following where you can see the timestamp of when the
action occurred and who called it.

JSON

"submissionTimestamp": "2021-08-27T15:42:00.1527942Z",
"subscriptionId": "",
"tenantId": "33333333-3333-3333-3333-333333333333"
},
{
"authorization": {
"action": "Microsoft.Authorization/elevateAccess/action",
"scope": "/providers/Microsoft.Authorization"
},
"caller": "user@example.com",
"category": {
"localizedValue": "Administrative",
"value": "Administrative"
},

Delegate access to a group to view elevate access log

entries using Azure CLI
If you want to be able to periodically get the elevate access log entries, you can
delegate access to a group and then use Azure CLI.

1. Open Microsoft Entra ID > Groups.

2. Create a new security group and note the group object ID.
3. Use the az login command to sign in as Global Administrator.

4. Use the az role assignment create command to assign the Reader role to the
group who can only read logs at the directory level, which are found at
Microsoft/Insights .

Azure CLI

az role assignment create --assignee "{groupId}" --role "Reader" --

scope "/providers/Microsoft.Insights"

5. Add a user who will read logs to the previously created group.

A user in the group can now periodically run the az rest command to view elevate
access log entries.

Azure CLI

az rest --url
"https://management.azure.com/providers/Microsoft.Insights/eventtypes/manage
ment/values?api-version=2015-04-01&$filter=eventTimestamp ge '2021-09-
10T20:00:00Z'" > output.txt

Next steps
Understand the different roles
Assign Azure roles using the REST API
Azure classic subscription
administrators
Article • 09/23/2024

） Important

As of August 31, 2024, Azure classic administrator roles (along with Azure classic
resources and Azure Service Manager) are retired and no longer supported. If you
still have active Co-Administrator or Service Administrator role assignments,
convert these role assignments to Azure RBAC immediately.

Microsoft recommends that you manage access to Azure resources using Azure role-
based access control (Azure RBAC). If you're still using the classic deployment model,
you'll need to migrate your resources from classic deployment to Resource Manager
deployment. For more information, see Azure Resource Manager vs. classic deployment.

This article describes the retirement of the Co-Administrator and Service Administrator
roles and how to convert these role assignments.

Frequently asked questions

What happens to classic administrator role assignments after August 31, 2024?

Co-Administrator and Service Administrator roles are retired and no longer

supported. You should convert these role assignments to Azure RBAC immediately.

How do I know what subscriptions have classic administrators?

You can use an Azure Resource Graph query to list subscriptions with Service
Administrator or Co-Administrator role assignments. For steps see List classic
administrators.

What is the equivalent Azure role I should assign for Co-Administrators?

Owner role at subscription scope has the equivalent access. However, Owner is a
privileged administrator role and grants full access to manage Azure resources.
You should consider a job function role with fewer permissions, reduce the scope,
or add a condition.

What is the equivalent Azure role I should assign for Service Administrator?
Owner role at subscription scope has the equivalent access.

Why do I need to migrate to Azure RBAC?

Azure RBAC offers fine grained access control, compatibility with Microsoft Entra
Privileged Identity Management (PIM), and full audit logs support. All future
investments will be in Azure RBAC.

What about the Account Administrator role?

The Account Administrator is the primary user for your billing account. Account
Administrator isn't being deprecated and you don't need to convert this role
assignment. Account Administrator and Service Administrator might be the same
user. However, you only need to convert the Service Administrator role
assignment.

What should I do if I lose access to a subscription?

If you remove your classic administrators without having at least one Owner role
assignment for a subscription, you will lose access to the subscription and the
subscription will be orphaned. To regain access to a subscription, you can do the
following:
Follow steps to elevate access to manage all subscriptions in a tenant.
Assign the Owner role at subscription scope for a user.
Remove elevated access.

What should I do if I have a strong dependency on Co-Administrators or Service

Administrator?

Email ACARDeprecation@microsoft.com and describe your scenario.

List classic administrators

Azure portal

Follow these steps to list the Service Administrator and Co-Administrators for a
subscription using the Azure portal.

1. Sign in to the Azure portal as an Owner of a subscription.

2. Open Subscriptions and select a subscription.

3. Select Access control (IAM).

4. Select the Classic administrators tab to view a list of the Co-Administrators.

Co-Administrators retirement
If you still have classic administrators, use the following steps to help you convert Co-
Administrator role assignments.

Step 1: Review your current Co-Administrators

1. Sign in to the Azure portal as an Owner of a subscription.

2. Use the Azure portal or Azure Resource Graph to list of your Co-Administrators.

3. Review the sign-in logs for your Co-Administrators to assess whether they're active
users.

Step 2: Remove Co-Administrators that no longer need

access
1. If user is no longer in your enterprise, remove Co-Administrator.

2. If user was deleted, but their Co-Administrator assignment wasn't removed,

remove Co-Administrator.
Users that have been deleted typically include the text (User was not found in this
directory).

3. After reviewing activity of user, if user is no longer active, remove Co-

Administrator.

Step 3: Convert Co-Administrators to job function roles

Most users don't need the same permissions as a Co-Administrator. Consider a job
function role instead.

1. If a user still needs some access, determine the appropriate job function role they
need.

2. Determine the scope user needs.

3. Follow steps to assign a job function role to user.

4. Remove Co-Administrator.

Step 4: Convert Co-Administrators to Owner role with

conditions
Some users might need more access than what a job function role can provide. If you
must assign the Owner role, consider adding a condition or using Microsoft Entra
Privileged Identity Management (PIM) to constrain the role assignment.

1. Assign the Owner role with conditions.

For example, assign the Owner role at subscription scope with conditions. If you
have PIM, make the user eligible for Owner role assignment.

2. Remove Co-Administrator.

Step 5: Convert Co-Administrators to Owner role

If a user must be an administrator for a subscription, assign the Owner role at
subscription scope.

Follow the steps in How to convert a Co-Administrator with Owner role.

How to convert a Co-Administrator to Owner role
The easiest way to covert a Co-Administrator role assignment to the Owner role at
subscription scope is to use the Remediate steps.

1. Sign in to the Azure portal as an Owner of a subscription.

2. Open Subscriptions and select a subscription.

3. Select Access control (IAM).

4. Select the Classic administrators tab to view a list of the Co-Administrators.

5. For the Co-Administrator you want to convert to the Owner role, under the
Remediate column, select the Assign RBAC role link.

6. In the Add role assignment pane, review the role assignment.

7. Select Review + assign to assign the Owner role and remove the Co-Administrator
role assignment.

How to remove a Co-Administrator

Follow these steps to remove a Co-Administrator.

1. Sign in to the Azure portal as an Owner of a subscription.

2. Open Subscriptions and select a subscription.

3. Select Access control (IAM).

4. Select the Classic administrators tab to view a list of the Co-Administrators.

5. Add a check mark next to the Co-Administrator you want to remove.

6. Select Delete.

7. In the message box that appears, select Yes.

Service Administrator retirement

If you still have classic administrators, use the following steps to help you convert the
Service Administrator role assignment. Before you remove the Service Administrator,
you must have at least one user who is assigned the Owner role at subscription scope
without conditions to avoid orphaning the subscription. A subscription Owner has the
same access as the Service Administrator.

Step 1: Review your current Service Administrator

1. Sign in to the Azure portal as an Owner of a subscription.

2. Use the Azure portal or Azure Resource Graph to list your Service Administrator.

3. Review the sign-in logs for your Service Administrator to assess whether they're an
active user.

Step 2: Review your current Billing account owners

The user that is assigned the Service Administrator role might also be the same user that
is the administrator for your billing account. You should review your current Billing
account owners to ensure they are still accurate.

1. Use the Azure portal to get your Billing account owners.

2. Review your list of Billing account owners. If necessary, update or add another
Billing account owner.

Step 3: Convert Service Administrator to Owner role

Your Service Administrator might be a Microsoft account or a Microsoft Entra account. A
Microsoft account is a personal account such as Outlook, OneDrive, Xbox LIVE, or
Microsoft 365. A Microsoft Entra account is an identity created through Microsoft Entra
ID.

1. If Service Administrator user is a Microsoft account and you want this user to keep
the same permissions, convert the Service Administrator to Owner role.

2. If Service Administrator user is a Microsoft Entra account and you want this user to
keep the same permissions, convert the Service Administrator to Owner role.

3. If you want to change the Service Administrator user to a different user, assign the
Owner role to this new user at subscription scope without conditions. Then,
remove the Service Administrator.

How to convert the Service Administrator to Owner role

The easiest way to convert the Service Administrator role assignment to the Owner role
at subscription scope is to use the Remediate steps.

1. Sign in to the Azure portal as an Owner of a subscription.

2. Open Subscriptions and select a subscription.

3. Select Access control (IAM).

4. Select the Classic administrators tab to view the Service Administrator.

5. For the Service Administrator, under the Remediate column, select the Assign
RBAC role link.

6. In the Add role assignment pane, review the role assignment.



7. Select Review + assign to assign the Owner role and remove the Service
Administrator role assignment.

How to remove the Service Administrator

） Important

To remove the Service Administrator, you must have a user who is assigned the
Owner role at subscription scope without conditions to avoid orphaning the
subscription. A subscription Owner has the same access as the Service
Administrator.

1. Sign in to the Azure portal as an Owner of a subscription.

2. Open Subscriptions and select a subscription.

3. Select Access control (IAM).

4. Select the Classic administrators tab.

5. Add a check mark next to the Service Administrator.

6. Select Delete.

7. In the message box that appears, select Yes.



Next steps
Understand the different roles
Assign Azure roles using the Azure portal
Understand Microsoft Customer Agreement administrative roles in Azure

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Transfer an Azure subscription to a
different Microsoft Entra directory
Article • 06/16/2024

Organizations might have several Azure subscriptions. Each subscription is associated

with a particular Microsoft Entra directory. To make management easier, you might want
to transfer a subscription to a different Microsoft Entra directory. When you transfer a
subscription to a different Microsoft Entra directory, some resources are not transferred
to the target directory. For example, all role assignments and custom roles in Azure role-
based access control (Azure RBAC) are permanently deleted from the source directory
and are not transferred to the target directory.

This article describes the basic steps you can follow to transfer a subscription to a
different Microsoft Entra directory and re-create some of the resources after the
transfer.

If you want to instead block the transfer of subscriptions to different directories in your
organization, you can configure a subscription policy. For more information, see
Manage Azure subscription policies.

７ Note

For Azure Cloud Solution Providers (CSP) subscriptions, changing the Microsoft
Entra directory for the subscription isn't supported.

Overview
Transferring an Azure subscription to a different Microsoft Entra directory is a complex
process that must be carefully planned and executed. Many Azure services require
security principals (identities) to operate normally or even manage other Azure
resources. This article tries to cover most of the Azure services that depend heavily on
security principals, but is not comprehensive.

） Important

In some scenarios, transferring a subscription might require downtime to complete

the process. Careful planning is required to assess whether downtime will be
required for your transfer.
The following diagram shows the basic steps you must follow when you transfer a
subscription to a different directory.

1. Prepare for the transfer

2. Transfer the Azure subscription to a different directory

3. Re-create resources in the target directory such as role assignments, custom roles,
and managed identities

Deciding whether to transfer a subscription to a different

directory
The following are some reasons why you might want to transfer a subscription:

Because of a company merger or acquisition, you want to manage an acquired

subscription in your primary Microsoft Entra directory.
Someone in your organization created a subscription and you want to consolidate
management to a particular Microsoft Entra directory.
You have applications that depend on a particular subscription ID or URL and it
isn't easy to modify the application configuration or code.
A portion of your business has been split into a separate company and you need
to move some of your resources into a different Microsoft Entra directory.
You want to manage some of your resources in a different Microsoft Entra
directory for security isolation purposes.

Alternate approaches
Transferring a subscription requires downtime to complete the process. Depending on
your scenario, you can consider the following alternate approaches:

Re-create the resources and copy data to the target directory and subscription.
Adopt a multi-directory architecture and leave the subscription in the source
directory. Use Azure Lighthouse to delegate resources so that users in the target
directory can access the subscription in the source directory. For more information,
see Azure Lighthouse in enterprise scenarios.

Understand the impact of transferring a subscription

Several Azure resources have a dependency on a subscription or a directory. Depending
on your situation, the following table lists the known impact of transferring a
subscription. By performing the steps in this article, you can re-create some of the
resources that existed prior to the subscription transfer.

） Important

This section lists the known Azure services or resources that depend on your
subscription. Because resource types in Azure are constantly evolving, there might
be additional dependencies not listed here that can cause a breaking change to
your environment.

ﾉ Expand table

Service or Impacted Recoverable Are you What you can do

resource impacted?

Role assignments Yes Yes List role All role assignments are
assignments permanently deleted. You
must map users, groups, and
service principals to
corresponding objects in the
target directory. You must
Service or Impacted Recoverable Are you What you can do
resource impacted?

re-create the role

assignments.

Custom roles Yes Yes List custom roles All custom roles are
permanently deleted. You
must re-create the custom
roles and any role
assignments.

System-assigned Yes Yes List managed You must disable and re-
managed identities enable the managed
identities identities. You must re-
create the role assignments.

User-assigned Yes Yes List managed You must delete, re-create,

managed identities and attach the managed
identities identities to the appropriate
resource. You must re-create
the role assignments.

Azure Key Vault Yes Yes List Key Vault You must update the tenant
access policies ID associated with the key
vaults. You must remove and
add new access policies.

Azure SQL Yes No Check Azure SQL You cannot transfer an Azure
databases with databases with SQL database with Microsoft
Microsoft Entra Microsoft Entra Entra authentication enabled
authentication authentication to a different directory. For
integration more information, see Use
enabled Microsoft Entra
authentication.

Azure database Yes No You cannot transfer an Azure

for MySQL with database for MySQL (Single
Microsoft Entra and Flexible server) with
authentication Microsoft Entra
integration authentication enabled to a
enabled different directory.

Azure Storage Yes Yes You must re-create any ACLs.

and Azure Data
Lake Storage
Gen2

Azure Files Yes Yes You must re-create any ACLs.

Service or Impacted Recoverable Are you What you can do
resource impacted?

Azure File Sync Yes Yes The storage sync service

and/or storage account can
be moved to a different
directory. For more
information, see Frequently
asked questions (FAQ) about
Azure Files

Azure Managed Yes Yes If you are using Disk

Disks Encryption Sets to encrypt
Managed Disks with
customer-managed keys,
you must disable and re-
enable the system-assigned
identities associated with
Disk Encryption Sets. And
you must re-create the role
assignments i.e. again grant
required permissions to Disk
Encryption Sets in the Key
Vaults.

Azure Yes No You cannot transfer your

Kubernetes AKS cluster and its
Service associated resources to a
different directory. For more
information, see Frequently
asked questions about Azure
Kubernetes Service (AKS)

Azure Policy Yes No All Azure Policy You must export, import, and
objects, including re-assign definitions. Then,
custom create new policy
definitions, assignments and any needed
assignments, policy exemptions.
exemptions, and
compliance data.

Microsoft Entra Yes No You cannot transfer a

Domain Services Microsoft Entra Domain
Services managed domain to
a different directory. For
more information, see
Frequently asked questions
(FAQs) about Microsoft Entra
Domain Services
Service or Impacted Recoverable Are you What you can do
resource impacted?

App registrations Yes Yes

Microsoft Dev Yes No You cannot transfer a dev

Box box and its associated
resources to a different
directory. Once a
subscription moves to
another tenant, you will not
be able to perform any
actions on your dev box

Azure Yes No You cannot transfer an

Deployment environment and its
Environments associated resources to a
different directory. Once a
subscription moves to
another tenant, you will not
be able to perform any
actions on your environment

Azure Service Yes No You must re-create the

Fabric cluster. For more
information, see SF Clusters
FAQ or SF Managed Clusters
FAQ

Azure Service Yes Yes You must delete, re-create,

Bus and attach the managed
identities to the appropriate
resource. You must re-create
the role assignments.

Azure Synapse Yes Yes You must update the tenant

Analytics ID associated with the
Workspace Synapse Analytics
Workspace. If the workspace
is associated with a Git
repository, you must update
the workspace's Git
configuration. For more
information, see Recovering
Synapse Analytics workspace
after transferring a
subscription to a different
Microsoft Entra directory
(tenant).
Service or Impacted Recoverable Are you What you can do
resource impacted?

Azure Databricks Yes No Currently, Azure Databricks

does not support moving
workspaces to a new tenant.
For more information, see
Manage your Azure
Databricks account.

Azure Compute Yes Yes Replicate the image versions

Gallery in the gallery to other
regions or copy an image
from another gallery.

２ Warning

If you are using encryption at rest for a resource, such as a storage account or SQL
database, that has a dependency on a key vault that is being transferred, it can lead
to an unrecoverable scenario. If you have this situation, you should take steps to
use a different key vault or temporarily disable customer-managed keys to avoid
this unrecoverable scenario.

To get a list of some of the Azure resources that are impacted when you transfer a
subscription, you can also run a query in Azure Resource Graph. For a sample query, see
List impacted resources when transferring an Azure subscription.

Prerequisites
To complete these steps, you will need:

Bash in Azure Cloud Shell or Azure CLI

Billing account owner of the subscription you want to transfer in the source
directory
A user account in both the source and target directory for the user making the
directory change

Step 1: Prepare for the transfer

Sign in to source directory

1. Sign in to Azure as an administrator.
2. Get a list of your subscriptions with the az account list command.

Azure CLI

az account list --output table

3. Use az account set to set the active subscription you want to transfer.

Azure CLI

az account set --subscription "Marketing"

Install the Azure Resource Graph extension

The Azure CLI extension for Azure Resource Graph, resource-graph, enables you to use
the az graph command to query resources managed by Azure Resource Manager. You'll
use this command in later steps.

1. Use az extension list to see if you have the resource-graph extension installed.

Azure CLI

az extension list

2. If you are using a preview version or an older version of the resource-graph

extension, use az extension update to update the extension.

Azure CLI

az extension update --name resource-graph

3. If the resource-graph extension is not installed, use az extension add to install the
extension.

Azure CLI

az extension add --name resource-graph

Save all role assignments

1. Use az role assignment list to list all the role assignments (including inherited role
assignments).
To make it easier to review the list, you can export the output as JSON, TSV, or a
table. For more information, see List role assignments using Azure RBAC and Azure
CLI.

Azure CLI

az role assignment list --all --include-inherited --output json >

roleassignments.json
az role assignment list --all --include-inherited --output tsv >
roleassignments.tsv
az role assignment list --all --include-inherited --output table >
roleassignments.txt

2. Save the list of role assignments.

When you transfer a subscription, all of the role assignments are permanently
deleted so it is important to save a copy.

3. Review the list of role assignments. There might be role assignments you won't
need in the target directory.

Save custom roles

1. Use the az role definition list to list your custom roles. For more information, see
Create or update Azure custom roles using Azure CLI.

Azure CLI

az role definition list --custom-role-only true --output json --query

'[].{roleName:roleName, roleType:roleType}'

2. Save each custom role that you will need in the target directory as a separate JSON
file.

Azure CLI

az role definition list --name <custom_role_name> > customrolename.json

3. Make copies of the custom role files.

4. Modify each copy to use the following format.

You'll use these files later to re-create the custom roles in the target directory.

JSON
{
"Name": "",
"Description": "",
"Actions": [],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": []
}

Determine user, group, and service principal mappings

1. Based on your list of role assignments, determine the users, groups, and service
principals you will map to in the target directory.

You can identify the type of principal by looking at the principalType property in
each role assignment.

2. If necessary, in the target directory, create any users, groups, or service principals
you will need.

List role assignments for managed identities

Managed identities do not get updated when a subscription is transferred to another
directory. As a result, any existing system-assigned or user-assigned managed identities
will be broken. After the transfer, you can re-enable any system-assigned managed
identities. For user-assigned managed identities, you will have to re-create and attach
them in the target directory.

1. Review the list of Azure services that support managed identities to note where
you might be using managed identities.

2. Use az ad sp list to list your system-assigned and user-assigned managed

identities.

Azure CLI

az ad sp list --all --filter "servicePrincipalType eq

'ManagedIdentity'"

3. In the list of managed identities, determine which are system-assigned and which
are user-assigned. You can use the following criteria to determine the type.
ﾉ Expand table

Criteria Managed identity type

alternativeNames property includes isExplicit=False System-assigned

alternativeNames property does not include isExplicit System-assigned

alternativeNames property includes isExplicit=True User-assigned

You can also use az identity list to just list user-assigned managed identities. For
more information, see Create, list, or delete a user-assigned managed identity
using the Azure CLI.

Azure CLI

az identity list

4. Get a list of the objectId values for your managed identities.

5. Search your list of role assignments to see if there are any role assignments for
your managed identities.

List key vaults

When you create a key vault, it is automatically tied to the default Microsoft Entra tenant
ID for the subscription in which it is created. All access policy entries are also tied to this
tenant ID. For more information, see Moving an Azure Key Vault to another subscription.

２ Warning

If you have a key vault, use az keyvault show to list the access policies. For more
information, see Assign a Key Vault access policy.

Azure CLI

az keyvault show --name MyKeyVault

List Azure SQL databases with Microsoft Entra
authentication
Use az sql server ad-admin list and the az graph extension to see if you are using
Azure SQL databases with Microsoft Entra authentication integration enabled. For
more information, see Configure and manage Microsoft Entra authentication with
SQL.

Azure CLI

az sql server ad-admin list --ids $(az graph query -q "resources |

where type == 'microsoft.sql/servers' | project id" --query data[*].
[id] -o tsv)

List ACLs
1. If you are using Azure Data Lake Storage Gen2, list the ACLs that are applied to any
file by using the Azure portal or PowerShell.

2. If you are using Azure Files, list the ACLs that are applied to any file.

List other known resources

1. Use az account show to get your subscription ID (in bash ).

Azure CLI

subscriptionId=$(az account show --output tsv --query id)

2. Use the az graph extension to list other Azure resources with known Microsoft
Entra directory dependencies (in bash ).

Azure CLI

az graph query -q 'resources

| where type != "microsoft.azureactivedirectory/b2cdirectories"
| where identity <> "" or properties.tenantId <> "" or
properties.encryptionSettingsCollection.enabled == true
| project name, type, kind, identity, tenantId,
properties.tenantId' --subscriptions $subscriptionId --output yaml

Step 2: Transfer the subscription

In this step, you transfer the subscription from the source directory to the target
directory. The steps will be different depending on whether you want to also transfer the
billing ownership.

２ Warning

When you transfer the subscription, all role assignments in the source directory are
permanently deleted and cannot be restored. You cannot go back once you
transfer the subscription. Be sure you complete the previous steps before
performing this step.

1. Determine whether you want to also transfer the billing ownership to another
account.

2. Transfer the subscription to a different directory.

If you want to keep the current billing ownership, follow the steps in
Associate or add an Azure subscription to your Microsoft Entra tenant.
If you want to also transfer the billing ownership, follow the steps in Transfer
billing ownership of an Azure subscription to another account. To transfer the
subscription to a different directory, you must check the Subscription
Microsoft Entra tenant check box.

3. Once you finish transferring the subscription, return back to this article to re-create
the resources in the target directory.

Step 3: Re-create resources

Sign in to target directory

1. In the target directory, sign in as the user that accepted the transfer request.

Only the user in the new account who accepted the transfer request will have
access to manage the resources.

2. Get a list of your subscriptions with the az account list command.

Azure CLI

az account list --output table

3. Use az account set to set the active subscription you want to use.
Azure CLI

az account set --subscription "Contoso"

Create custom roles

Use az role definition create to create each custom role from the files you created
earlier. For more information, see Create or update Azure custom roles using Azure
CLI.

Azure CLI

az role definition create --role-definition <role_definition>

Assign roles
Use az role assignment create to assign roles to users, groups, and service
principals. For more information, see Assign Azure roles using Azure CLI.

Azure CLI

az role assignment create --role <role_name_or_id> --assignee

<assignee> --scope
"/subscriptions/<subscriptionId>/resourceGroups/<resource_group>"

Update system-assigned managed identities

1. Disable and re-enable system-assigned managed identities.

ﾉ Expand table

Azure service More information

Virtual machines Configure managed identities for Azure resources on an Azure VM

using Azure CLI

Virtual machine Configure managed identities for Azure resources on a virtual

scale sets machine scale set using Azure CLI

Other services Services that support managed identities for Azure resources

2. Use az role assignment create to assign roles to system-assigned managed

identities. For more information, see Assign a managed identity access to a
resource using Azure CLI.

Azure CLI

az role assignment create --assignee <objectid> --role

'<role_name_or_id>' --scope
"/subscriptions/<subscriptionId>/resourceGroups/<resource_group>"

Update user-assigned managed identities

1. Delete, re-create, and attach user-assigned managed identities.

ﾉ Expand table

Azure service More information

Virtual machines Configure managed identities for Azure resources on an Azure VM

using Azure CLI

Virtual machine Configure managed identities for Azure resources on a virtual

scale sets machine scale set using Azure CLI

Other services Services that support managed identities for Azure resources
Create, list, or delete a user-assigned managed identity using the
Azure CLI

2. Use az role assignment create to assign roles to user-assigned managed identities.

For more information, see Assign a managed identity access to a resource using
Azure CLI.

Azure CLI

az role assignment create --assignee <objectid> --role

'<role_name_or_id>' --scope
"/subscriptions/<subscriptionId>/resourceGroups/<resource_group>"

Update key vaults

This section describes the basic steps to update your key vaults. For more information,
see Moving an Azure Key Vault to another subscription.

1. Update the tenant ID associated with all existing key vaults in the subscription to
the target directory.

2. Remove all existing access policy entries.

3. Add new access policy entries associated with the target directory.

Update ACLs
1. If you are using Azure Data Lake Storage Gen2, assign the appropriate ACLs. For
more information, see Access control in Azure Data Lake Storage Gen2.

2. If you are using Azure Files, assign the appropriate ACLs.

Review other security methods

Even though role assignments are removed during the transfer, users in the original
owner account might continue to have access to the subscription through other security
methods, including:

Access keys for services like Storage.

Management certificates that grant the user administrator access to subscription
resources.
Remote Access credentials for services like Azure Virtual Machines.

If your intent is to remove access from users in the source directory so that they don't
have access in the target directory, you should consider rotating any credentials. Until
the credentials are updated, users will continue to have access after the transfer.

1. Rotate storage account access keys. For more information, see Manage storage
account access keys.

2. If you are using access keys for other services such as Azure SQL Database or
Azure Service Bus Messaging, rotate access keys.

3. For resources that use secrets, open the settings for the resource and update the
secret.

4. For resources that use certificates, update the certificate.

Next steps
Transfer billing ownership of an Azure subscription to another account
Transfer Azure subscriptions between subscribers and CSPs
Associate or add an Azure subscription to your Microsoft Entra tenant
Azure Lighthouse in enterprise scenarios
Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot Azure RBAC
Article • 03/08/2024

This article describes some common solutions for issues related to Azure role-based
access control (Azure RBAC).

Azure role assignments

Symptom - Add role assignment option is disabled

You're unable to assign a role in the Azure portal on Access control (IAM) because the
Add > Add role assignment option is disabled

Cause

You're currently signed in with a user that doesn't have permission to assign roles at the
selected scope.

Solution

Check that you're currently signed in with a user that is assigned a role that has the
Microsoft.Authorization/roleAssignments/write permission such as Role Based Access

Control Administrator at the scope you're trying to assign the role.

Symptom - Roles or principals are not listed

When you try to assign a role in the Azure portal, some roles or principals are not listed.
For example, on the Role tab, you see a reduced set of roles.


Or, on the Select members pane, you see a reduced set of principals.

Cause

There are restrictions on the role assignments you can add. For example, you are
constrained in the roles that you can assign or constrained in the principals you can
assign roles to.

Solution
View the roles assigned to you. Check if there is a condition that constrains the role
assignments you can add. For more information, see Delegate Azure access
management to others.

Symptom - Unable to assign a role

You are unable to assign a role and you get an error similar to the following:

Failed to add {securityPrincipal} as {role} for {scope} : The client '{clientName}'

with object id '{objectId}' does not have authorization or an ABAC condition not
fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over

scope

'/subscriptions/{subscriptionId}/Microsoft.Authorization/roleAssignments/{roleAssig
nmentId}' or the scope is invalid. If access was recently granted, please refresh

your credentials.

Cause 1

You are currently signed in with a user that does not have permission to assign roles at
the selected scope.

Solution 1

Check that you are currently signed in with a user that is assigned a role that has the
Microsoft.Authorization/roleAssignments/write permission such as Role Based Access

Control Administrator at the scope you are trying to assign the role.

Cause 2
There are restrictions on the role assignments you can add. For example, you are
constrained in the roles that you can assign or constrained in the principals you can
assign roles to.

Solution 2

View the roles assigned to you. Check if there is a condition that constrains the role
assignments you can add. For more information, see Delegate Azure access
management to others.

Symptom - Unable to assign a role using a service

principal with Azure CLI
You're using a service principal to assign roles with Azure CLI and you get the following
error:

Insufficient privileges to complete the operation

For example, let's say that you have a service principal that has been assigned the
Owner role and you try to create the following role assignment as the service principal
using Azure CLI:

Azure CLI

az login --service-principal --username "SPNid" --password "password" --

tenant "tenantid"
az role assignment create --assignee "userupn" --role "Contributor" --scope
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
Cause

It's likely Azure CLI is attempting to look up the assignee identity in Microsoft Entra ID
and the service principal can't read Microsoft Entra ID by default.

Solution

There are two ways to potentially resolve this error. The first way is to assign the
Directory Readers role to the service principal so that it can read data in the directory.

The second way to resolve this error is to create the role assignment by using the --
assignee-object-id parameter instead of --assignee . By using --assignee-object-id ,

Azure CLI will skip the Microsoft Entra lookup. You'll need to get the object ID of the
user, group, or application that you want to assign the role to. For more information, see
Assign Azure roles using Azure CLI.

Azure CLI

az role assignment create --assignee-object-id 11111111-1111-1111-1111-

111111111111 --role "Contributor" --scope
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"

Symptom - Assigning a role to a new principal sometimes

fails
You create a new user, group, or service principal and immediately try to assign a role to
that principal and the role assignment sometimes fails. You get a message similar to
following error:

PrincipalNotFound
Principal {principalId} does not exist in the directory {tenantId}. Check
that you have the correct principal ID. If you are creating this principal
and then immediately assigning a role, this error might be related to a
replication delay. In this case, set the role assignment principalType
property to a value, such as ServicePrincipal, User, or Group. See
https://aka.ms/docs-principaltype

Cause

The reason is likely a replication delay. The principal is created in one region; however,
the role assignment might occur in a different region that hasn't replicated the principal
yet.
Solution 1

If you're creating a new user or service principal using the REST API or ARM template,
set the principalType property when creating the role assignment using the Role
Assignments - Create API.

ﾉ Expand table

principalType apiVersion

User 2020-03-01-preview or later

ServicePrincipal 2018-09-01-preview or later

For more information, see Assign Azure roles to a new service principal using the REST
API or Assign Azure roles to a new service principal using Azure Resource Manager
templates.

Solution 2

If you're creating a new user or service principal using Azure PowerShell, set the
ObjectType parameter to User or ServicePrincipal when creating the role assignment

using New-AzRoleAssignment. The same underlying API version restrictions of Solution

1 still apply. For more information, see Assign Azure roles using Azure PowerShell.

Solution 3

If you're creating a new group, wait a few minutes before creating the role assignment.

Symptom - ARM template role assignment returns

BadRequest status
When you try to deploy a Bicep file or ARM template that assigns a role to a service
principal you get the error:

Tenant ID, application ID, principal ID, and scope are not allowed to be updated.

(code: RoleAssignmentUpdateNotPermitted)

For example, if you create a role assignment for a managed identity, then you delete the
managed identity and recreate it, the new managed identity has a different principal ID.
If you try to deploy the role assignment again and use the same role assignment name,
the deployment fails.

Cause
The role assignment name isn't unique, and it's viewed as an update.

Role assignments are uniquely identified by their name, which is a globally unique
identifier (GUID). You can't create two role assignments with the same name, even in
different Azure subscriptions. You also can't change the properties of an existing role
assignment.

Solution

Provide an idempotent unique value for the role assignment name . It's a good practice
to create a GUID that uses the scope, principal ID, and role ID together. It's a good idea
to use the guid() function to help you to create a deterministic GUID for your role
assignment names, like in this example:

Bicep

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-

10-01-preview' = {
name: guid(resourceGroup().id, principalId, roleDefinitionId)
properties: {
roleDefinitionId: roleDefinitionId
principalId: principalId
principalType: principalType
}
}

For more information, see Create Azure RBAC resources by using Bicep.

Symptom - Role assignments with identity not found

In the list of role assignments for the Azure portal, you notice that the security principal
(user, group, service principal, or managed identity) is listed as Identity not found with
an Unknown type.
If you list this role assignment using Azure PowerShell, you might see an empty
DisplayName and SignInName , or a value for ObjectType of Unknown . For example, Get-

AzRoleAssignment returns a role assignment that is similar to the following output:

RoleAssignmentId : /subscriptions/11111111-1111-1111-1111-
111111111111/providers/Microsoft.Authorization/roleAssignments/22222222-
2222-2222-2222-222222222222
Scope : /subscriptions/11111111-1111-1111-1111-111111111111
DisplayName :
SignInName :
RoleDefinitionName : Storage Blob Data Contributor
RoleDefinitionId : ba92f5b4-2d11-453d-a403-e96b0029c9fe
ObjectId : 33333333-3333-3333-3333-333333333333
ObjectType : User
CanDelegate : False

Similarly, if you list this role assignment using Azure CLI, you might see an empty
principalName . For example, az role assignment list returns a role assignment that is

similar to the following output:

JSON

{
"canDelegate": null,
"id": "/subscriptions/11111111-1111-1111-1111-
111111111111/providers/Microsoft.Authorization/roleAssignments/22222222-
2222-2222-2222-222222222222",
"name": "22222222-2222-2222-2222-222222222222",
"principalId": "33333333-3333-3333-3333-333333333333",
"principalName": "",
"roleDefinitionId": "/subscriptions/11111111-1111-1111-1111-
111111111111/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-
2d11-453d-a403-e96b0029c9fe",
"roleDefinitionName": "Storage Blob Data Contributor",
"scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
"type": "Microsoft.Authorization/roleAssignments"
}

Cause 1

You recently invited a user when creating a role assignment and this security principal is
still in the replication process across regions.

Solution 1

Wait a few moments and refresh the role assignments list.

Cause 2

You deleted a security principal that had a role assignment. If you assign a role to a
security principal and then you later delete that security principal without first removing
the role assignment, the security principal will be listed as Identity not found and an
Unknown type.

Solution 2

It isn't a problem to leave these role assignments where the security principal has been
deleted. If you like, you can remove these role assignments using steps that are similar
to other role assignments. For information about how to remove role assignments, see
Remove Azure role assignments.

In PowerShell, if you try to remove the role assignments using the object ID and role
definition name, and more than one role assignment matches your parameters, you'll
get the error message: The provided information does not map to a role assignment .
The following output shows an example of the error message:

PS C:\> Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-

333333333333 -RoleDefinitionName "Storage Blob Data Contributor"

Remove-AzRoleAssignment : The provided information does not map to a role

assignment.
At line:1 char:1
+ Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-333333333333 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Remove-AzRoleAssignment],
KeyNotFoundException
+ FullyQualifiedErrorId :
Microsoft.Azure.Commands.Resources.RemoveAzureRoleAssignmentCommand

If you get this error message, make sure you also specify the -Scope or -
ResourceGroupName parameters.

PS C:\> Remove-AzRoleAssignment -ObjectId 33333333-3333-3333-3333-

333333333333 -RoleDefinitionName "Storage Blob Data Contributor" - Scope
/subscriptions/11111111-1111-1111-1111-111111111111

Symptom - Cannot delete the last Owner role assignment

You attempt to remove the last Owner role assignment for a subscription and you see
the following error:

Cannot delete the last RBAC admin assignment

Cause

Removing the last Owner role assignment for a subscription isn't supported to avoid
orphaning the subscription.

Solution

If you want to cancel your subscription, see Cancel your Azure subscription.

You're allowed to remove the last Owner (or User Access Administrator) role assignment
at subscription scope, if you're a Global Administrator for the tenant or a classic
administrator (Service Administrator or Co-Administrator) for the subscription. In this
case, there's no constraint for deletion. However, if the call comes from some other
principal, then you won't be able to remove the last Owner role assignment at
subscription scope.

Symptom - Role assignment isn't moved after moving a

resource
Cause

If you move a resource that has an Azure role assigned directly to the resource (or a
child resource), the role assignment isn't moved and becomes orphaned.
Solution

After you move a resource, you must re-create the role assignment. Eventually, the
orphaned role assignment will be automatically removed, but it's a best practice to
remove the role assignment before moving the resource. For information about how to
move resources, see Move resources to a new resource group or subscription.

Symptom - Role assignment changes are not being

detected
You recently added or updated a role assignment, but the changes aren't being
detected. You might see the message Status: 401 (Unauthorized) .

Cause 1

Azure Resource Manager sometimes caches configurations and data to improve

performance.

Solution 1

When you assign roles or remove role assignments, it can take up to 10 minutes for
changes to take effect. If you're using the Azure portal, Azure PowerShell, or Azure CLI,
you can force a refresh of your role assignment changes by signing out and signing in. If
you're making role assignment changes with REST API calls, you can force a refresh by
refreshing your access token.

Cause 2

You added managed identities to a group and assigned a role to that group. The back-
end services for managed identities maintain a cache per resource URI for around 24
hours.

Solution 2

It can take several hours for changes to a managed identity's group or role membership
to take effect. For more information, see Limitation of using managed identities for
authorization.

Symptom - Role assignment changes at management

group scope are not being detected
You recently added or updated a role assignment at management group scope, but the
changes are not being detected.
Cause

Azure Resource Manager sometimes caches configurations and data to improve

performance.

Solution

When you assign roles or remove role assignments, it can take up to 10 minutes for
changes to take effect. If you add or remove a built-in role assignment at management
group scope and the built-in role has DataActions , the access on the data plane might
not be updated for several hours. This applies only to management group scope and
the data plane. Custom roles with DataActions can't be assigned at the management
group scope.

Symptom - Role assignments for management group

changes are not being detected
You created a new child management group and the role assignment on the parent
management group is not being detected for the child management group.

Cause

Azure Resource Manager sometimes caches configurations and data to improve

performance.

Solution

It can take up to 10 minutes for the role assignment for the child management group to
take effect. If you are using the Azure portal, Azure PowerShell, or Azure CLI, you can
force a refresh of your role assignment changes by signing out and signing in. If you are
making role assignment changes with REST API calls, you can force a refresh by
refreshing your access token.

Symptom - Removing role assignments using PowerShell

takes several minutes
You use the Remove-AzRoleAssignment command to remove a role assignment. You
then use the Get-AzRoleAssignment command to verify the role assignment was
removed for a security principal. For example:

PowerShell
Get-AzRoleAssignment -ObjectId $securityPrincipalObject.Id

The Get-AzRoleAssignment command indicates that the role assignment wasn't

removed. However, if you wait 5-10 minutes and run Get-AzRoleAssignment again, the
output indicates the role assignment was removed.

Cause

The role assignment has been removed. However, to improve performance, PowerShell
uses a cache when listing role assignments. There can be delay of around 10 minutes for
the cache to be refreshed.

Solution

Instead of listing the role assignments for a security principal, list all the role
assignments at the subscription scope and filter the output. For example, the following
command:

PowerShell

$validateRemovedRoles = Get-AzRoleAssignment -ObjectId

$securityPrincipalObject.Id

Can be replaced with this command instead:

PowerShell

$validateRemovedRoles = Get-AzRoleAssignment -Scope /subscriptions/$subId |

Where-Object -Property ObjectId -EQ $securityPrincipalObject.Id

Custom roles

Symptom - Unable to update or delete a custom role

You're unable to update or delete an existing custom role.

Cause 1

You're currently signed in with a user that doesn't have permission to update or delete
custom roles.

Solution 1
Check that you're currently signed in with a user that is assigned a role that has the
Microsoft.Authorization/roleDefinitions/write permission such as User Access

Administrator.

Cause 2

The custom role includes a subscription in assignable scopes and that subscription is in
a disabled state.

Solution 2

Reactivate the disabled subscription and update the custom role as needed. For more
information, see Reactivate a disabled Azure subscription.

Symptom - Unable to create or update a custom role

When you try to create or update a custom role, you get an error similar to following:

The client '<clientName>' with object id '<objectId>' has permission to perform

action 'Microsoft.Authorization/roleDefinitions/write' on scope

'/subscriptions/<subscriptionId>'; however, it does not have permission to perform

action 'Microsoft.Authorization/roleDefinitions/write' on the linked

scope(s)'/subscriptions/<subscriptionId1>,/subscriptions/<subscriptionId2>,/subscri
ptions/<subscriptionId3>' or the linked scope(s)are invalid

Cause

This error usually indicates that you don't have permissions to one or more of the
assignable scopes in the custom role.

Solution

Try the following:

Review Who can create, delete, update, or view a custom role and check that you
have permissions to create or update the custom role for all assignable scopes.
If you don't have permissions, ask your administrator to assign you a role that has
the Microsoft.Authorization/roleDefinitions/write action, such as User Access
Administrator, at the scope of the assignable scope.
Check that all the assignable scopes in the custom role are valid. If not, remove any
invalid assignable scopes.

For more information, see the custom role tutorials using the Azure portal, Azure
PowerShell, or Azure CLI.
Symptom - Unable to delete a custom role
You're unable to delete a custom role and get the following error message:

There are existing role assignments referencing role (code:

RoleDefinitionHasAssignments)

Cause

There are role assignments still using the custom role.

Solution

Remove the role assignments that use the custom role and try to delete the custom role
again. For more information, see Find role assignments to delete a custom role.

Symptom - Unable to add more than one management

group as assignable scope
When you try to create or update a custom role, you can't add more than one
management group as assignable scope.

Cause

You can define only one management group in AssignableScopes of a custom role.

Solution

Define one management group in AssignableScopes of your custom role. For more
information about custom roles and management groups, see Organize your resources
with Azure management groups.

Symptom - Unable to add data actions to custom role

When you try to create or update a custom role, you can't add data actions or you see
the following message:

You cannot add data action permissions when you have a management group as an
assignable scope

Cause

You're trying to create a custom role with data actions and a management group as
assignable scope. Custom roles with DataActions can't be assigned at the management
group scope.

Solution

Create the custom role with one or more subscriptions as the assignable scope. For
more information about custom roles and management groups, see Organize your
resources with Azure management groups.

Access denied or permission errors

Symptom - Authorization failed

When you try to create a resource, you get the following error message:

The client with object id does not have authorization to perform action over scope
(code: AuthorizationFailed)

Cause 1

You're currently signed in with a user that doesn't have write permission to the resource
at the selected scope.

Solution 1

Check that you're currently signed in with a user that is assigned a role that has write
permission to the resource at the selected scope. For example, to manage virtual
machines in a resource group, you should have the Virtual Machine Contributor role on
the resource group (or parent scope). For a list of the permissions for each built-in role,
see Azure built-in roles.

Cause 2

The currently signed in user has a role assignment with the following criteria:

Role includes a Microsoft.Storage data action

Role assignment includes an ABAC condition that uses a GUID comparison
operators

Solution 2

At this time, you can't have a role assignment with a Microsoft.Storage data action and
an ABAC condition that uses a GUID comparison operator. Here are a couple of options
to resolve this error:
If the role is a custom role, remove any Microsoft.Storage data actions
Modify the role assignment condition so that it does not use GUID comparison
operators

Symptom - Guest user gets authorization failed

When a guest user tries to access a resource, they get an error message similar to the
following:

The client '<client>' with object id '<objectId>' does not have authorization to
perform action '<action>' over scope '<scope>' or the scope is invalid.

Cause

The guest user doesn't have permissions to the resource at the selected scope.

Solution

Check that the guest user is assigned a role with least privileged permissions to the
resource at the selected scope. For more information, Assign Azure roles to external
users using the Azure portal.

Symptom - Unable to create a support request

When you try to create or update a support ticket, you get the following error message:

You don't have permission to create a support request

Cause

You're currently signed in with a user that doesn't have permission to the create support
requests.

Solution

Check that you're currently signed in with a user that is assigned a role that has the
Microsoft.Support/supportTickets/write permission, such as Support Request

Contributor.

Azure features are disabled

Symptom - Some web app features are disabled

A user has read access to a web app and some features are disabled.

Cause

If you grant a user read access to a web app, some features are disabled that you might
not expect. The following management capabilities require write access to a web app
and aren't available in any read-only scenario.

Commands (like start, stop, etc.)

Changing settings like general configuration, scale settings, backup settings, and
monitoring settings
Accessing publishing credentials and other secrets like app settings and
connection strings
Streaming logs
Resource logs configuration
Console (command prompt)
Active and recent deployments (for local git continuous deployment)
Estimated spend
Web tests
Virtual network (only visible to a reader if a virtual network has previously been
configured by a user with write access).

Solution

Assign the Contributor or another Azure built-in role with write permissions for the web
app.

Symptom - Some web app resources are disabled

A user has write access to a web app and some features are disabled.

Cause

Web apps are complicated by the presence of a few different resources that interplay.
Here's a typical resource group with a couple of websites:
As a result, if you grant someone access to just the web app, much of the functionality
on the website blade in the Azure portal is disabled.

These items require write access to theApp Service plan that corresponds to your
website:

Viewing the web app's pricing tier (Free or Standard)

Scale configuration (number of instances, virtual machine size, autoscale settings)
Quotas (storage, bandwidth, CPU)

These items require write access to the whole Resource group that contains your
website:

TLS/SSL Certificates and bindings (TLS/SSL certificates can be shared between sites
in the same resource group and geo-location)
Alert rules
Autoscale settings
Application insights components
Web tests

Solution

Assign an Azure built-in role with write permissions for the app service plan or resource
group.

Symptom - Some virtual machine features are disabled

A user has access to a virtual machine and some features are disabled.
Cause

Similar to web apps, some features on the virtual machine blade require write access to
the virtual machine, or to other resources in the resource group.

Virtual machines are related to Domain names, virtual networks, storage accounts, and
alert rules.

These items require write access to the virtual machine:

Endpoints
IP addresses
Disks
Extensions

These require write access to both the virtual machine, and the resource group (along
with the Domain name) that it is in:

Availability set
Load balanced set
Alert rules

If you can't access any of these tiles, ask your administrator for Contributor access to the
Resource group.

Solution

Assign an Azure built-in role with write permissions for the virtual machine or resource
group.

Symptom - Some function app features are disabled

A user has access to a function app and some features are disabled. For example, they
can click the Platform features tab and then click All settings to view some settings
related to a function app (similar to a web app), but they can't modify any of these
settings.

Cause

Some features of Azure Functions require write access. For example, if a user is assigned
the Reader role, they won't be able to view the functions within a function app. The
portal displays (No access).
Solution

Assign an Azure built-in role with write permissions for the function app or resource
group.

Transferring a subscription to a different

Symptom - All role assignments are deleted after

transferring a subscription
Cause

When you transfer an Azure subscription to a different Microsoft Entra directory, all role
assignments are permanently deleted from the source Microsoft Entra directory and
aren't migrated to the target Microsoft Entra directory.

Solution

You must re-create your role assignments in the target directory. You also have to
manually recreate managed identities for Azure resources. For more information, see
Transfer an Azure subscription to a different Microsoft Entra directory and FAQs and
known issues with managed identities.

Symptom - Unable to access subscription after

transferring a subscription
Solution

If you're a Microsoft Entra Global Administrator and you don't have access to a
subscription after it was transferred between directories, use the Access management
for Azure resources toggle to temporarily elevate your access to get access to the
subscription.

Classic subscription administrators

） Important

For more information, see Azure classic subscription administrators.

Next steps
Troubleshoot for external users
Assign Azure roles using the Azure portal
View activity logs for Azure RBAC changes
Troubleshoot Azure RBAC limits
Article • 06/27/2024

This article describes some common solutions when you exceed the limits in Azure role-
based access control (Azure RBAC).

Prerequisites
Reader role to run Azure Resource Graph queries.
Role Based Access Control Administrator role to add or remove role assignments.
User Access Administrator role to add role assignments, remove role assignments,
or delete custom roles.
Groups Administrator or User Administrator role to create groups.

７ Note

The queries used in this article only return role assignments or custom roles that
you have permissions to read. For example, if you only have permissions to read
role assignments at resource group scope, role assignments at subscription scope
aren't returned.

Symptom - No more role assignments can be

created
When you try to assign a role, you get the following error message:

No more role assignments can be created (code: RoleAssignmentLimitExceeded)

Cause
Azure supports up to 4000 role assignments per subscription. This limit includes role
assignments at the subscription, resource group, and resource scopes, but not at the
management group scope. Eligible role assignments and role assignments scheduled in
the future do not count towards this limit. You should try to reduce the number of role
assignments in the subscription.

７ Note
The 4000 role assignments limit per subscription is fixed and cannot be increased.

To get the number of role assignments, you can view the chart on the Access control
(IAM) page in the Azure portal. You can also use the following Azure PowerShell
commands:

Azure PowerShell

$scope = "/subscriptions/<subscriptionId>"
$ras = Get-AzRoleAssignment -Scope $scope | Where-Object
{$_.scope.StartsWith($scope)}
$ras.Count

Solution 1 - Replace principal-based role assignments

with group-based role assignments
To reduce the number of role assignments in the subscription, add principals (users,
service principals, and managed identities) to groups and assign roles to the groups
instead. Follow these steps to identify where multiple role assignments for principals can
be replaced with a single role assignment for a group.

1. Sign in to the Azure portal and open the Azure Resource Graph Explorer.

2. Select Scope and set the scope for the query.

You typically set scope to Directory to query your entire tenant, but you can
narrow the scope to particular subscriptions.


3. Select Set authorization scope and set the authorization scope to At, above and
below to query all resources at the specified scope.

4. Run the following query to get the role assignments with the same role and at the
same scope, but for different principals.

This query checks active role assignments and doesn't consider eligible role
assignments in Microsoft Entra Privileged Identity Management. To list eligible role
assignments, you can use the Microsoft Entra admin center, PowerShell, or REST
API. For more information, see Get-AzRoleEligibilityScheduleInstance or Role
Eligibility Schedule Instances - List For Scope.

If you are using role assignment conditions or delegating role assignment

management with conditions, you should use the Conditions query. Otherwise, use
the Default query.

Default

Kusto

authorizationresources
| where type =~ "microsoft.authorization/roleassignments"
| where id startswith "/subscriptions"
| extend RoleId = tolower(tostring(properties.roleDefinitionId))
| join kind = leftouter (
authorizationresources
| where type =~ "microsoft.authorization/roledefinitions"
| extend RoleDefinitionName = tostring(properties.roleName)
| extend RoleId = tolower(id)
| project RoleDefinitionName, RoleId
) on $left.RoleId == $right.RoleId
| extend principalId = tostring(properties.principalId)
| extend principal_to_ra = pack(principalId, id)
| summarize count_ = count(), AllPrincipals =
make_set(principal_to_ra) by RoleDefinitionId = RoleId, Scope =
tolower(properties.scope), RoleDefinitionName
| where count_ > 1
| order by count_ desc

The following shows an example of the results. The count_ column is the number
of principals assigned the same role and at the same scope. The count is sorted in
descending order.


5. Identify a row where you want to replace the multiple role assignments with a
single role assignment for a group.

6. In the row, select See details to open the Details pane.

ﾉ Expand table

Column Description

RoleDefinitionId ID of the currently assigned role.

Scope Scope for the role assignment, which will be a subscription, resource
group, or resource.

RoleDefinitionName Name of the currently assigned role.

count_ Number of principals assigned the same role and at the same scope.

AllPrincipals List of principal IDs assigned the same role and at the same scope.

7. Use RoleDefinitionId, RoleDefinitionName, and Scope to get the role and scope.

8. Use AllPrincipals to get the list of the principal IDs with the same role assignment.

9. Create a Microsoft Entra group. For more information, see Manage Microsoft Entra
groups and group membership.
10. Add the principals from AllPrincipals to the group.

For information about how to add principals in bulk, see Bulk add group members
in Microsoft Entra ID.

11. Assign the role to the group you created at the same scope. For more information,
see Assign Azure roles using the Azure portal.

Now you can find and remove the principal-based role assignments.

12. Get the principal names from the principal IDs.

To use Azure portal, see Add or update a user's profile information and
settings.
To use PowerShell, see Get-MgUser.
To use Azure, CLI, see az ad user show.

13. Open the Access control (IAM) page at the same scope as the role assignments.

14. Select the Role assignments tab.

15. To filter the role assignments, select the Role filter and then select the role name.

16. Find the principal-based role assignments.

You should also see your group-based role assignment.

17. Select and remove the principal-based role assignments. For more information, see
Remove Azure role assignments.
Solution 2 - Remove redundant role assignments
To reduce the number of role assignments in the subscription, remove redundant role
assignments. Follow these steps to identify where redundant role assignments at a lower
scope can potentially be removed since a role assignment at a higher scope already
grants access.

1. Sign in to the Azure portal and open the Azure Resource Graph Explorer.

2. Select Scope and set the scope for the query.

You typically set scope to Directory to query your entire tenant, but you can
narrow the scope to particular subscriptions.

3. Select Set authorization scope and set the authorization scope to At, above and
below to query all resources at the specified scope.


4. Run the following query to get the role assignments with the same role and same
principal, but at different scopes.

If you are using role assignment conditions or delegating role assignment

management with conditions, you should use the Conditions query. Otherwise, use
the Default query.

Default

Kusto

authorizationresources
| where type =~ "microsoft.authorization/roleassignments"
| where id startswith "/subscriptions"
| extend RoleDefinitionId =
tolower(tostring(properties.roleDefinitionId))
| extend PrincipalId = tolower(properties.principalId)
| extend RoleDefinitionId_PrincipalId = strcat(RoleDefinitionId,
"_", PrincipalId)
| join kind = leftouter (
authorizationresources
| where type =~ "microsoft.authorization/roledefinitions"
| extend RoleDefinitionName = tostring(properties.roleName)
| extend rdId = tolower(id)
| project RoleDefinitionName, rdId
) on $left.RoleDefinitionId == $right.rdId
| summarize count_ = count(), Scopes =
make_set(tolower(properties.scope)) by
RoleDefinitionId_PrincipalId,RoleDefinitionName
| project RoleDefinitionId = split(RoleDefinitionId_PrincipalId,
"_", 0)[0], RoleDefinitionName, PrincipalId =
split(RoleDefinitionId_PrincipalId, "_", 1)[0], count_, Scopes
| where count_ > 1
| order by count_ desc

The following shows an example of the results. The count_ column is the number
of different scopes for role assignments with the same role and same principal. The
count is sorted in descending order.

ﾉ Expand table

Column Description

RoleDefinitionId ID of the currently assigned role.

RoleDefinitionName Name of the currently assigned role.

PrincipalId ID of the principal assigned the role.

count_ Number of different scopes for role assignments with the same role
and same principal.

Scopes Scopes for role assignments with the same role and same principal.

5. Identify a row where you want to remove redundant role assignments.

6. In a row, select See details to open the Details pane.



7. Use RoleDefinitionId, RoleDefinitionName, and PrincipalId to get the role and

principal ID.

8. Use Scopes to get the list of the scopes for the same role and same principal.

9. Determine which scope is required for the role assignment. The other role
assignments can be removed.

You should follow best practices of least privilege when determining which role
assignments can be removed. The role assignment at the higher scope might be
granting more access to the principal than what is needed. In that case, you should
remove the role assignment with the higher scope. For example, a user might not
need a Virtual Machine Contributor role assignment at subscription scope when a
Virtual Machine Contributor role assignment at a lower resource group scope
grants the required access.

10. Get the principal name from the principal ID.

To use Azure portal, see Add or update a user's profile information and
settings.
To use PowerShell, see Get-MgUser.
To use Azure, CLI, see az ad user show.

11. Open the Access control (IAM) page at the scope for a role assignment you want
to remove.
12. Select the Role assignments tab.

13. To filter the role assignments, select the Role filter and then select the role name.

14. Find the principal.

15. Select and remove the role assignment. For more information, see Remove Azure
role assignments.

Solution 3 - Replace multiple built-in role assignments

with a custom role assignment
To reduce the number of role assignments in the subscription, replace multiple built-in
role assignments with a single custom role assignment. Follow these steps to identify
where multiple built-in role assignments can potentially be replaced.

1. Sign in to the Azure portal and open the Azure Resource Graph Explorer.

2. Select Scope and set the scope for the query.

You typically set scope to Directory to query your entire tenant, but you can
narrow the scope to particular subscriptions.

3. Run the following query to get role assignments with the same principal and same
scope, but with different built-in roles.
This query checks active role assignments and doesn't consider eligible role
assignments in Microsoft Entra Privileged Identity Management. To list eligible role
assignments, you can use the Microsoft Entra admin center, PowerShell, or REST
API. For more information, see Get-AzRoleEligibilityScheduleInstance or Role
Eligibility Schedule Instances - List For Scope.

If you are using role assignment conditions or delegating role assignment

management with conditions, you should use the Conditions query. Otherwise, use
the Default query.

Default

Kusto

AuthorizationResources
| where type =~ "microsoft.authorization/roleassignments"
| where id startswith "/subscriptions"
| extend PrincipalId = tostring(properties.principalId)
| extend Scope = tolower(properties.scope)
| extend RoleDefinitionId =
tolower(tostring(properties.roleDefinitionId))
| join kind = leftouter (
AuthorizationResources
| where type =~ "microsoft.authorization/roledefinitions"
| extend RoleName = tostring(properties.roleName)
| extend RoleId = tolower(id)
| extend RoleType = tostring(properties.type)
| where RoleType == "BuiltInRole"
| extend RoleId_RoleName = pack(RoleId, RoleName)
) on $left.RoleDefinitionId == $right.RoleId
| summarize count_ = count(), AllRD = make_set(RoleId_RoleName) by
PrincipalId, Scope
| where count_ > 1
| order by count_ desc

The following shows an example of the results. The count_ column is the number
of different built-in role assignments with the same principal and same scope. The
count is sorted in descending order.


ﾉ Expand table

Column Description

PrincipalId ID of the principal assigned the built-in roles.

Scope Scope for built-in role assignments.

count_ Number of built-in role assignments with the same principal and same scope.

AllRD ID and name of built-in roles.

4. In a row, select See details to open the Details pane.


5. Use AllRD to see the built-in roles that can potentially be combined into a custom
role.

6. List the actions and data actions for the built-in roles. For more information, see
List Azure role definitions or Azure built-in roles

7. Create a custom role that includes all the actions and data actions as the built-in
roles. To make it easier to create the custom role, you can start by cloning one of
the built-in roles. For more information, see Create or update Azure custom roles
using the Azure portal.

8. Get the principal name from the principal ID.

To use Azure portal, see Add or update a user's profile information and
settings.
To use PowerShell, see Get-MgUser.
To use Azure, CLI, see az ad user show.

9. Open the Access control (IAM) page at the same scope as the role assignments.

10. Assign the new custom role to the principal. For more information, see Assign
Azure roles using the Azure portal.

Now you can remove the built-in role assignments.

11. On the Access control (IAM) page at the same scope, select the Role assignments
tab.

12. Find the principal and built-in role assignments.

13. Remove the built-in role assignments from the principal. For more information, see
Remove Azure role assignments.

Solution 4 - Make role assignments eligible

To reduce the number of role assignments in the subscription and you have Microsoft
Entra ID P2, make role assignments eligible in Microsoft Entra Privileged Identity
Management instead of permanently assigned.

Solution 5 - Add an additional subscription

Add an additional subscription.
Symptom - No more role assignments can be
created at management group scope
You're unable to assign a role at management group scope.

Cause
Azure supports up to 500 role assignments per management group. This limit is
different than the role assignments limit per subscription.

７ Note

The 500 role assignments limit per management group is fixed and cannot be
increased.

Solution
Try to reduce the number of role assignments in the management group. For possible
options, see Symptom - No more role assignments can be created. For the queries to
retrieve resources at the management group level, you'll need to make the following
change to the queries:

Replace

| where id startswith "/subscriptions"

With

| where id startswith "/providers/Microsoft.Management/managementGroups"

Symptom - No more role definitions can be

created
When you try to create a new custom role, you get the following message:

Role definition limit exceeded. No more role definitions can be created (code:

RoleDefinitionLimitExceeded)

Cause
Azure supports up to 5000 custom roles in a directory. (For Microsoft Azure operated by
21Vianet, the limit is 2000 custom roles.)

Solution
Follow these steps to find and delete unused Azure custom roles.

1. Sign in to the Azure portal and open the Azure Resource Graph Explorer.

2. Select Scope and set the scope to Directory for the query.

3. Run the following query to get all custom roles that don't have any role
assignments:

This query checks active role assignments and doesn't consider eligible custom
role assignments in Microsoft Entra Privileged Identity Management. To list eligible
custom role assignments, you can use the Microsoft Entra admin center,
PowerShell, or REST API. For more information, see Get-
AzRoleEligibilityScheduleInstance or Role Eligibility Schedule Instances - List For
Scope.

Kusto

AuthorizationResources
| where type =~ "microsoft.authorization/roledefinitions"
| where tolower(properties.type) == "customrole"
| extend rdId = tolower(id)
| extend Scope = tolower(properties.assignableScopes)
| join kind = leftouter (
AuthorizationResources
| where type =~ "microsoft.authorization/roleassignments"
| extend RoleId = tolower(tostring(properties.roleDefinitionId))
| summarize RoleAssignmentCount = count() by RoleId
) on $left.rdId == $right.RoleId
| where isempty(RoleAssignmentCount)
| project RoleDefinitionId = rdId, RoleDefinitionName =
tostring(properties.roleName), Scope

The following shows an example of the results:

ﾉ Expand table

Column Description

RoleDefinitionId ID of the unused custom role.

RoleDefinitionName Name of the unused custom role.

Scope Assignable scopes for the unused custom role.

4. Open the scope (typically subscription) and then open the Access control (IAM)
page.

5. Select the Roles tab to see a list of all the built-in and custom roles.

6. In the Type filter, select CustomRole to just see your custom roles.

7. Select the ellipsis (...) for the custom role you want to delete and then select
Delete.


Next steps
Remove Azure role assignments
Create or update Azure custom roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback

Troubleshoot Azure role assignment
conditions
Article • 04/16/2024

General issues

Symptom - Condition is not enforced

Cause 1

Security principals have one or more role assignments at the same or higher scope.

Solution 1

Ensure that the security principals don't have multiple role assignments (with or without
conditions) that grant access to the same data action leading to non-enforcement of
conditions. For information about the evaluation logic, see How Azure RBAC determines
if a user has access to a resource.

Cause 2

Your role assignment has multiple actions that grant a permission and your condition
doesn't target all the actions. For example, you can create a blob if you have either
/blobs/write or /blobs/add/action data actions. If your role assignment has both data

actions and you target only one of them in a condition, the role assignment will grant
the permission to create blobs and bypass the condition.

Solution 2

If your role assignment has multiple actions that grant a permission, ensure that you
target all relevant actions.

Cause 3

When you add a condition to a role assignment, it can take up to 5 minutes for the
condition to be enforced. When you add a condition, resource providers (such as
Microsoft Storage) are notified of the update. Resource providers make updates to their
local caches immediately to ensure that they have the latest role assignments. This
process completes in 1 or 2 minutes, but can take up to 5 minutes.

Solution 3
Wait for 5 minutes and test the condition again.

Symptom - Condition is not valid error when adding a

condition
When you try to add a role assignment with a condition, you get an error similar to:

The given role assignment condition is invalid.

Cause 1

The conditionVersion property is set to "1.0".

Solution 1

Set conditionVersion property to "2.0".

Cause 2

Your condition isn't formatted correctly.

Solution 2

Fix any condition format or syntax issues. Alternatively, add the condition using the
visual editor in the Azure portal.

Issues in the visual editor

Symptom - Condition editor appears when editing a

condition
You created a condition using a template described in Delegate Azure role assignment
management to others with conditions. When you try to edit the condition, you see the
advanced condition editor.


When you previously edited the condition, you edited using the condition template.

Cause

The condition doesn't match the pattern for the template.

Solution 1

Edit the condition to match one of the following template patterns.

ﾉ Expand table

Template Condition

Constrain roles Example: Constrain roles

Constrain roles and principal Example: Constrain roles and principal types
types

Constrain roles and principals Example: Constrain roles and specific groups

Allow all except specific roles Example: Allow most roles, but don't allow others to assign
roles

Solution 2

Delete the condition and recreate it using the steps at Delegate Azure role assignment
management to others with conditions.

Symptom - Principal does not appear in Attribute source

When you try to add a role assignment with a condition, Principal doesn't appear in the
Attribute source list.

Instead, you see the message:

To use principal (user) attributes, you must have Microsoft Entra permissions (such

as the [Attribute Assignment Administrator](../active-directory/roles/permissions-

reference.md#attribute-assignment-administrator) role) and custom security
attributes defined in Microsoft Entra ID.

Cause

You don't meet the prerequisites. To use principal attributes, you must have the
following:

Microsoft Entra permissions for the signed-in user to read at least one attribute set
Custom security attributes defined in Microsoft Entra ID

Solution

1. Open Microsoft Entra ID > Custom security attributes.

If you see the Get started page, you don't have permissions to read at least one
attribute set or custom security attributes haven't been defined yet.

2. If custom security attributes have been defined, assign one of the following roles
at tenant scope or attribute set scope. For more information, see Manage access to
custom security attributes in Microsoft Entra ID.

Attribute Definition Reader

Attribute Assignment Reader
Attribute Definition Administrator
Attribute Assignment Administrator
） Important

By default, Global Administrator and other administrator roles do not have

permissions to read, define, or assign custom security attributes.

3. If custom security attributes haven't been defined yet, assign the Attribute
Definition Administrator role at tenant scope and add custom security attributes.
For more information, see Add or deactivate custom security attributes in
Microsoft Entra ID.

When finished, you should be able to read at least one attribute set.

Principal should now appear in the Attribute source list when you add a role
assignment with a condition.

Symptom - Principal does not appear in Attribute source

when using PIM
When you try to add a role assignment with a condition using Microsoft Entra Privileged
Identity Management (PIM), Principal does not appear in the Attribute source list.
Cause

PIM currently does not support using the principal attribute in a role assignment
condition.

Error messages in visual editor

Symptom - Condition not recognized

After using the code editor, you switch to the visual editor and get a message similar to
the following:

The current expression cannot be recognized. Switch to the code editor to edit the
expression or delete the expression and add a new one.

Cause

Updates were made to the condition that the visual editor is not able to parse.

Solution

Fix any condition format or syntax issues. Alternatively, you can delete the condition and
try again.

Symptom - Attribute does not apply error for previously

saved condition
When you open a previously saved condition in the visual editor, you get the following
message:
Attribute does not apply for the selected actions. Select a different set of
actions.

Cause

In May 2022, the Read a blob action was changed from the following format:

(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/rea
d'})

To exclude the Blob.List suboperation:

(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/rea

d'} AND NOT SubOperationMatches{'Blob.List'})

If you created a condition with the Read a blob action prior to May 2022, you might see
this error message in the visual editor.

Solution

Open the Select an action pane and reselect the Read a blob action.

Symptom - Attribute does not apply error

When you select one or more actions in the visual editor with an existing expression,
you get the following message and the previously selected attribute is removed:

Attribute does not apply for the selected actions. Select a different set of
actions.

Cause

The previously selected attribute no longer applies to the currently selected actions.

Solution 1

In the Add action section, select an action that applies to the selected attribute. For a list
of storage actions that each storage attribute supports, see Actions and attributes for
Azure role assignment conditions for Azure Blob Storage and Actions and attributes for
Azure role assignment conditions for Azure queues.

Solution 2
In the Build expression section, select an attribute that applies to the currently selected
actions. For a list of storage attributes that each storage action supports, see Actions
and attributes for Azure role assignment conditions for Azure Blob Storage and Actions
and attributes for Azure role assignment conditions for Azure queues.

Symptom - Attribute does not apply in this context

warning
When you make edits in the code editor and then switch to the visual editor, you get the
following message and the previously selected attribute is removed:

Attribute does not apply in this context. Use a different role assignment scope or

remove the expression.

Cause

The specified attribute isn't available in the current scope, such as using Version ID in a
storage account with hierarchical namespace enabled.

Solution

If you want to use the currently specified attribute, create the role assignment condition
at a different scope, such as resource group scope. Or remove and re-create the
expression using the currently selected actions.

Symptom - Attribute is not recognized error

When you make edits in the code editor and then switch to the visual editor, you get the
following message and the previously selected attribute is removed:

Attribute is not recognized. Select a valid attribute or remove the expression.

Cause

The specified attribute isn't recognized, possibly because of a typo.

Solution

In the code editor, fix the typo. Or remove the existing expression and use the visual
editor to select an attribute.

Symptom - Attribute value is invalid error

When you make edits in the code editor and then switch to the visual editor, you get the
following message and the previously selected attribute is removed:

Attribute value is invalid. Select another attribute or value.

Cause

The right side of the expression contains an attribute or value that isn't valid.

Solution

Use the visual editor to select an attribute or specify a value.

Symptom - No actions selected error

When you remove all of the actions in the visual editor, you get the following message:

No actions selected. Select one or more actions to edit expressions.

Cause

There's an existing expression, but no actions have been selected as a target.

Solution

In the Add action section, add one or more actions that the expression should target.

Symptom - No options available error

When you attempt to add an expression, you get the following message:

No options available

Cause

You selected to target multiple actions and there aren't any attributes that apply to all of
the currently selected actions.

Solution

In the Add action section, select fewer actions to target. To target the actions you
removed, add multiple conditions.

Symptom - Role definition IDs not found

When you attempt to add an expression, you get the following message:
Cannot find built-in or custom role definitions with IDs: <role IDs>. These IDs
were removed. Check that the IDs are valid and try to add again. You can also

refresh the page or sign out and sign in again.

Cause

One or more role definition IDs that you attempted to add for the Role definition ID
attribute wasn't found or doesn't have the correct GUID format: 00000000-0000-0000-
0000-000000000000 .

Solution

Use the condition editor to select the role. If you recently added the custom role, refresh
the page or sign out and sign in again.

Symptom - Principal IDs not found

When you attempt to add an expression, you get the following message:

Cannot find users, groups, or service principals in Azure Active Directory with

principal IDs: <principal IDs>. These IDs were removed. Check that the IDs are
valid and try to add again. You can also refresh the page or sign out and sign in

again.

Cause

One or more principal IDs that you attempted to add for the Principal ID attribute wasn't
found or doesn't have the correct GUID format: 00000000-0000-0000-0000-000000000000 .

Solution

Use the condition editor to select the principal. If you recently added the principal,
refresh the page or sign out and sign in again.

Error messages in Azure PowerShell

Symptom - Resource attribute is not valid error

When you try to add a role assignment with a condition using Azure PowerShell, you get
an error similar to:
New-AzRoleAssignment : Resource attribute
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project
<$> is not valid.

Cause

If your condition includes a dollar sign ($), you must prefix it with a backtick (`).

Solution

Add a backtick (`) before each dollar sign. The following shows an example. For more
information about rules for quotation marks in PowerShell, see About Quoting Rules.

Azure PowerShell

$condition = "((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/t
ags:Project<`$key_case_sensitive`$>] StringEquals 'Cascade'))"

Symptom - Error when copying and pasting a condition

Cause

If you use PowerShell and copy a condition from a document, it might include special
characters that cause the following error. Some editors (such as Microsoft Word) add
control characters when formatting text that doesn't appear.

The given role assignment condition is invalid.

Solution

If you copied a condition from a rich text editor and you're certain the condition is
correct, delete all spaces and returns and then add back the relevant spaces.
Alternatively, use a plain text editor or a code editor, such as Visual Studio Code.

Error messages in Azure CLI

Symptom - Resource attribute is not valid error

When you try to add a role assignment with a condition using Azure CLI, you get an
error similar to:
Resource attribute
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project
<$> is not valid.

Cause

If your condition includes a dollar sign ($), you must prefix it with a backslash (\).

Solution

Add a backslash (\) before each dollar sign. The following shows an example. For more
information about rules for quotation marks in Bash, see Double Quotes .

Azure CLI

condition="((!
(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/bl
obs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR
(@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/t
ags:Project<\$key_case_sensitive\$>] StringEquals 'Cascade'))"

Symptom - Unrecognized arguments error

When you try to add a role assignment with a condition using Azure CLI, you get an
error similar to:

az: error: unrecognized arguments: --description {description} --condition

{condition} --condition-version 2.0

Cause

You're likely using an earlier version of Azure CLI that doesn't support role assignment
condition parameters.

Solution

Update to the latest version of Azure CLI (2.18 or later). For more information, see Install
the Azure CLI.

Symptom - Error when assigning a condition string to a

variable in Bash
When you try to assign a condition string to a variable in Bash, you get the bash: !:
event not found message.

Cause

In Bash, if history expansion is enabled, you might see the message bash: !: event not
found because of the exclamation point (!).

Solution

Disable history expansion with the command set +H . To re-enable history expansion,
use set -H .

Next steps
Azure role assignment condition format and syntax
FAQ for Azure role assignment conditions
Troubleshoot custom security attributes in Microsoft Entra ID (Preview)
Azure built-in roles
Article • 09/23/2024

Azure role-based access control (Azure RBAC) has several Azure built-in roles that you
can assign to users, groups, service principals, and managed identities. Role assignments
are the way you control access to Azure resources. If the built-in roles don't meet the
specific needs of your organization, you can create your own Azure custom roles. For
information about how to assign roles, see Steps to assign an Azure role.

This article lists the Azure built-in roles. If you are looking for administrator roles for
Microsoft Entra ID, see Microsoft Entra built-in roles.

The following table provides a brief description of each built-in role. Click the role name
to see the list of Actions , NotActions , DataActions , and NotDataActions for each role.
For information about what these actions mean and how they apply to the control and
data planes, see Understand Azure role definitions.

Privileged
ﾉ Expand table

Built-in role Description ID

Contributor Grants full access to manage b24988ac-6180-42a0-ab88-

all resources, but does not 20f7382dd24c
allow you to assign roles in
Azure RBAC, manage
assignments in Azure
Blueprints, or share image
galleries.

Owner Grants full access to manage 8e3af657-a8ff-443c-a75c-

all resources, including the 2fe8c4bcb635
ability to assign roles in Azure
RBAC.

Reservations Administrator Lets one read and manage all a8889054-8d42-49c9-bc1c-

the reservations in a tenant 52486c10e7cd

Role Based Access Control Manage access to Azure f58310d9-a9f6-439a-9e8d-

Administrator resources by assigning roles f62e7b41a168
using Azure RBAC. This role
does not allow you to manage
Built-in role Description ID

access using other ways, such

as Azure Policy.

User Access Administrator Lets you manage user access 18d7d88d-d35e-4fb5-a5c3-

to Azure resources. 7773c20a72d9

General
ﾉ Expand table

Built-in role Description ID

Reader View all resources, but does acdd72a7-3385-48ef-bd42-

not allow you to make any f606fba81ae7
changes.

Compute
ﾉ Expand table

Built-in role Description ID

Azure Arc VMware VM Arc VMware VM Contributor b748a06d-6150-4f8a-aaa9-

Contributor has permissions to perform all ce3940cd96cb
VM actions.

Classic Virtual Machine Lets you manage classic virtual d73bb868-a0df-4d4d-bd69-

Contributor machines, but not access to 98a00b01fccb
them, and not the virtual
network or storage account
they're connected to.

Compute Gallery Artifacts This is the role for publishing 85a2d0d9-2eba-4c9c-b355-

Publisher gallery artifacts. 11c2cc0788ab

Compute Gallery Sharing This role allows user to share 1ef6a3be-d0ac-425d-8c01-

Admin gallery to another acb62866290b
subscription/tenant or share it
to the public.

Data Operator for Managed Provides permissions to 959f8984-c045-4866-89c7-

Disks upload data to empty 12bf9737be2e
managed disks, read, or export
data of managed disks (not
attached to running VMs) and
Built-in role Description ID

snapshots using SAS URIs and

Azure AD authentication.

Desktop Virtualization Contributor of the Desktop 86240b0e-9422-4c43-887b-

Application Group Contributor Virtualization Application b61143f32ba8
Group.

Desktop Virtualization Reader of the Desktop aebf23d0-b568-4e86-b8f9-

Application Group Reader Virtualization Application fe83a2c6ab55
Group.

Desktop Virtualization Contributor of Desktop 082f0a83-3be5-4ba1-904c-

Contributor Virtualization. 961cca79b387

Desktop Virtualization Host Contributor of the Desktop e307426c-f9b6-4e81-87de-

Pool Contributor Virtualization Host Pool. d99efb3c32bc

Desktop Virtualization Host Reader of the Desktop ceadfde2-b300-400a-ab7b-

Pool Reader Virtualization Host Pool. 6143895aa822

Desktop Virtualization Power Provide permission to the 489581de-a3bd-480d-9518-

On Contributor Azure Virtual Desktop 53dea7416b33
Resource Provider to start
virtual machines.

Desktop Virtualization Power Provide permission to the 40c5ff49-9181-41f8-ae61-

On Off Contributor Azure Virtual Desktop 143b0e78555e
Resource Provider to start and
stop virtual machines.

Desktop Virtualization Reader Reader of Desktop 49a72310-ab8d-41df-bbb0-

Virtualization. 79b649203868

Desktop Virtualization Session Operator of the Desktop 2ad6aaab-ead9-4eaa-8ac5-

Host Operator Virtualization Session Host. da422f562408

Desktop Virtualization User Allows user to use the 1d18fff3-a72a-46b5-b4a9-

applications in an application 0b38a3cd7e63
group.

Desktop Virtualization User Operator of the Desktop ea4bfff8-7fb4-485a-aadd-

Session Operator Virtualization User Session. d4129a0ffaa6

Desktop Virtualization Virtual This role is in preview and a959dbd1-f747-45e3-8ba6-

Machine Contributor subject to change. Provide dd80f235f97c
permission to the Azure Virtual
Desktop Resource Provider to
create, delete, update, start,
and stop virtual machines.
Built-in role Description ID

Desktop Virtualization Contributor of the Desktop 21efdde3-836f-432b-bf3d-

Workspace Contributor Virtualization Workspace. 3e8e734d4b2b

Desktop Virtualization Reader of the Desktop 0fa44ee9-7a7d-466b-9bb2-

Workspace Reader Virtualization Workspace. 2bf446b1204d

Disk Backup Reader Provides permission to backup 3e5e47e6-65f7-47ef-90b5-

vault to perform disk backup. e5dd4d455f24

Disk Pool Operator Provide permission to 60fc6e62-5479-42d4-8bf4-

StoragePool Resource Provider 67625fcc2840
to manage disks added to a
disk pool.

Disk Restore Operator Provides permission to backup b50d9833-a0cb-478e-945f-

vault to perform disk restore. 707fcc997c13

Disk Snapshot Contributor Provides permission to backup 7efff54f-a5b4-42b5-a1c5-

vault to manage disk 5411624893ce
snapshots.

Virtual Machine Administrator View Virtual Machines in the 1c0163c0-47e6-4577-8991-

Virtual Machine Contributor Create and manage virtual 9980e02c-c2be-4d73-94e8-

machines, manage disks, 173b1dc7cf3c
install and run software, reset
password of the root user of
the virtual machine using VM
extensions, and manage local
user accounts using VM
extensions. This role does not
grant you management access
to the virtual network or
storage account the virtual
machines are connected to.
This role does not allow you to
assign roles in Azure RBAC.

Virtual Machine Data Access Manage access to Virtual 66f75aeb-eabe-4b70-9f1e-

Administrator (preview) Machines by adding or c350c4c9ad04
removing role assignments for
the Virtual Machine
Administrator Login and
Virtual Machine User Login
roles. Includes an ABAC
Built-in role Description ID

condition to constrain role

assignments.

Virtual Machine Local User View Virtual Machines in the 602da2ba-a5c2-41da-b01d-

Virtual Machine User Login View Virtual Machines in the fb879df8-f326-4884-b1cf-

portal and login as a regular 06f3ad86be52
user.

Windows 365 Network This role is used by Windows 1f135831-5bbe-4924-9016-

Interface Contributor 365 to provision required 264044c00788
network resources and join
Microsoft-hosted VMs to
network interfaces.

Windows 365 Network User This role is used by Windows 7eabc9a4-85f7-4f71-b8ab-

365 to read virtual networks 75daaccc1033
and join the designated virtual
networks.

Windows Admin Center Let's you manage the OS of a6333a3e-0164-44c3-b281-

Administrator Login your resource via Windows 7a577aff287f
Admin Center as an
administrator.

Networking
ﾉ Expand table

Built-in role Description ID

Azure Front Door Domain For internal use within Azure. 0ab34830-df19-4f8c-b84e-
Contributor Can manage Azure Front Door aa85b8afa6e8
domains, but can't grant
access to other users.

Azure Front Door Domain For internal use within Azure. 0f99d363-226e-4dca-9920-
Reader Can view Azure Front Door b807cf8e1a5f
domains, but can't make
changes.

Azure Front Door Profile Can view AFD standard and 662802e2-50f6-46b0-aed2-
Reader premium profiles and their e834bacc6d12
endpoints, but can't make
changes.
Built-in role Description ID

Azure Front Door Secret For internal use within Azure. 3f2eb865-5811-4578-b90a-
Contributor Can manage Azure Front Door 6fc6fa0df8e5
secrets, but can't grant access
to other users.

Azure Front Door Secret For internal use within Azure. 0db238c4-885e-4c4f-a933-
Reader Can view Azure Front Door aa2cef684fca
secrets, but can't make
changes.

CDN Endpoint Contributor Can manage CDN endpoints, 426e0c7f-0c7e-4658-b36f-

but can't grant access to other ff54d6c29b45
users.

CDN Endpoint Reader Can view CDN endpoints, but 871e35f6-b5c1-49cc-a043-

can't make changes. bde969a0f2cd

CDN Profile Contributor Can manage CDN and Azure ec156ff8-a8d1-4d15-830c-

Front Door standard and 5b80698ca432
premium profiles and their
endpoints, but can't grant
access to other users.

CDN Profile Reader Can view CDN profiles and 8f96442b-4075-438f-813d-

their endpoints, but can't ad51ab4019af
make changes.

Classic Network Contributor Lets you manage classic b34d265f-36f7-4a0d-a4d4-

networks, but not access to e158ca92e90f
them.

DNS Zone Contributor Lets you manage DNS zones befefa01-2a29-4197-83a8-

and record sets in Azure DNS, 272ff33ce314
but does not let you control
who has access to them.

Network Contributor Lets you manage networks, 4d97b98b-1d4f-4787-a291-

but not access to them. This c67834d212e7
role does not grant you
permission to deploy or
manage Virtual Machines.

Private DNS Zone Contributor Lets you manage private DNS b12aa53e-6015-4669-85d0-
zone resources, but not the 8515ebb3ae7f
virtual networks they are
linked to.

Traffic Manager Contributor Lets you manage Traffic a4b10055-b0c7-44c2-b00f-

Manager profiles, but does not c7b5b3550cf7
Built-in role Description ID

let you control who has access

to them.

Storage
ﾉ Expand table

Built-in role Description ID

Avere Contributor Can create and manage an 4f8fab4f-1852-4a58-a46a-

Avere vFXT cluster. 8eaf358af14a

Avere Operator Used by the Avere vFXT cluster c025889f-8102-4ebf-b32c-

to manage the cluster fc0c6f0c6bd9

Backup Contributor Lets you manage backup 5e467623-bb1f-42f4-a55d-

service, but can't create vaults 6e525e11384b
and give access to others

Backup MUA Admin Backup MultiUser- c2a970b4-16a7-4a51-8c84-

Authorization. Can 8a8ea6ee0bb8
create/delete ResourceGuard

Backup MUA Operator Backup MultiUser- f54b6d04-23c6-443e-b462-

Authorization. Allows user to 9c16ab7b4a52
perform critical operation
protected by resourceguard

Backup Operator Lets you manage backup 00c29273-979b-4161-815c-

services, except removal of 10b084fb9324
backup, vault creation and
giving access to others

Backup Reader Can view backup services, but a795c7a0-d4a2-40c1-ae25-

can't make changes d81f01202912

Classic Storage Account Lets you manage classic 86e8f5dc-a6e9-4c67-9d15-

Contributor storage accounts, but not de283e8eac25
access to them.

Classic Storage Account Key Classic Storage Account Key 985d6b00-f706-48f5-a6fe-

Operator Service Role Operators are allowed to list d0ca12fb668d
and regenerate keys on Classic
Storage Accounts

Data Box Contributor Lets you manage everything add466c9-e687-43fc-8d98-

under Data Box Service except dfcf8d720be5
Built-in role Description ID

giving access to others.

Data Box Reader Lets you manage Data Box 028f4ed7-e2a9-465e-a8f4-

Service except creating order 9c0ffdfdc027
or editing order details and
giving access to others.

Data Lake Analytics Developer Lets you submit, monitor, and 47b7735b-770e-4598-a7da-
manage your own jobs but not 8b91488b4c88
create or delete Data Lake
Analytics accounts.

Defender for Storage Data Grants access to read blobs 1e7ca9b1-60d1-4db8-a914-

Scanner and update index tags. This f2ca1ff27c40
role is used by the data
scanner of Defender for
Storage.

Elastic SAN Network Admin Allows access to create Private fa6cecf6-5db3-4c43-8470-

Endpoints on SAN resources, c540bcb4eafa
and to read SAN resources

Elastic SAN Owner Allows for full access to all 80dcbedb-47ef-405d-95bd-

resources under Azure Elastic 188a1b4ac406
SAN including changing
network security policies to
unblock data path access

Elastic SAN Reader Allows for control path read af6a70f8-3c9f-4105-acf1-

access to Azure Elastic SAN d719e9fca4ca

Elastic SAN Volume Group Allows for full access to a a8281131-f312-4f34-8d98-

Owner volume group in Azure Elastic ae12be9f0d23
SAN including changing
network security policies to
unblock data path access

Reader and Data Access Lets you view everything but c12c1c16-33a1-487b-954d-
will not let you delete or 41c89c60f349
create a storage account or
contained resource. It will also
allow read/write access to all
data contained in a storage
account via access to storage
account keys.

Storage Account Backup Lets you perform backup and e5e2a7ff-d759-4cd2-bb51-

Contributor restore operations using Azure 3152d37e2eb1
Built-in role Description ID

Backup on the storage

account.

Storage Account Contributor Permits management of 17d1049b-9a84-46fb-8f53-

storage accounts. Provides 869881c3d3ab
access to the account key,
which can be used to access
data via Shared Key
authorization.

Storage Account Key Operator Permits listing and 81a9662b-bebf-436f-a333-

Service Role regenerating storage account f67b29880f12
access keys.

Storage Blob Data Contributor Read, write, and delete Azure ba92f5b4-2d11-453d-a403-
Storage containers and blobs. e96b0029c9fe
To learn which actions are
required for a given data
operation, see Permissions for
calling data operations.

Storage Blob Data Owner Provides full access to Azure b7e6dc6d-f1e8-4753-8033-

Storage blob containers and 0f276bb0955b
data, including assigning
POSIX access control. To learn
which actions are required for
a given data operation, see
Permissions for calling data
operations.

Storage Blob Data Reader Read and list Azure Storage 2a2b9908-6ea1-4ae2-8e65-
containers and blobs. To learn a410df84e7d1
which actions are required for
a given data operation, see
Permissions for calling data
operations.

Storage Blob Delegator Get a user delegation key, db58b8e5-c6ad-4a2a-8342-

which can then be used to 4190687cbf4a
create a shared access
signature for a container or
blob that is signed with Azure
AD credentials. For more
information, see Create a user
delegation SAS.

Storage File Data Privileged Allows for read, write, delete, 69566ab7-960f-475b-8e7c-
Contributor and modify ACLs on b3118f30c6bd
files/directories in Azure file
Built-in role Description ID

shares by overriding existing

ACLs/NTFS permissions. This
role has no built-in equivalent
on Windows file servers.

Storage File Data Privileged Allows for read access on b8eda974-7b85-4f76-af95-

Reader files/directories in Azure file 65846b26df6d
shares by overriding existing
ACLs/NTFS permissions. This
role has no built-in equivalent
on Windows file servers.

Storage File Data SMB Share Allows for read, write, and 0c867c2a-1d8c-454a-a3db-
Contributor delete access on ab2ea1bdc8bb
files/directories in Azure file
shares. This role has no built-in
equivalent on Windows file
servers.

Storage File Data SMB Share Allows for read, write, delete, a7264617-510b-434b-a828-
Elevated Contributor and modify ACLs on 9731dc254ea7
files/directories in Azure file
shares. This role is equivalent
to a file share ACL of change
on Windows file servers.

Storage File Data SMB Share Allows for read access on aba4ae5f-2193-4029-9191-
Reader files/directories in Azure file 0cb91df5e314
shares. This role is equivalent
to a file share ACL of read on
Windows file servers.

Storage Queue Data Read, write, and delete Azure 974c5e8b-45b9-4653-ba55-

Contributor Storage queues and queue 5f855dd0fb88
messages. To learn which
actions are required for a
given data operation, see
Permissions for calling data
operations.

Storage Queue Data Message Peek, retrieve, and delete a 8a0f0c08-91a1-4084-bc3d-

Processor message from an Azure 661d67233fed
Storage queue. To learn which
actions are required for a
given data operation, see
Permissions for calling data
operations.
Built-in role Description ID

Storage Queue Data Message Add messages to an Azure c6a89b2d-59bc-44d0-9896-

Sender Storage queue. To learn which 0f6e12d7b80a
actions are required for a
given data operation, see
Permissions for calling data
operations.

Storage Queue Data Reader Read and list Azure Storage 19e7f393-937e-4f77-808e-
queues and queue messages. 94535e297925
To learn which actions are
required for a given data
operation, see Permissions for
calling data operations.

Storage Table Data Allows for read, write and 0a9a7e1f-b9d0-4cc4-a60d-

Contributor delete access to Azure Storage 0319b160aaa3
tables and entities

Storage Table Data Reader Allows for read access to 76199698-9eea-4c19-bc75-

Azure Storage tables and cec21354c6b6
entities

Web and Mobile

ﾉ Expand table

Built-in role Description ID

Azure Maps Data Contributor Grants access to read, write, 8f5e0ce6-4f7b-4dcf-bddf-

and delete access to map e6f48634a204
related data from an Azure
maps account.

Azure Maps Data Reader Grants access to read map 423170ca-a8f6-4b0f-8487-

related data from an Azure 9e4eb8f49bfa
maps account.

Azure Maps Search and Grants access to very limited 6be48352-4f82-47c9-ad5e-

Render Data Reader set of data APIs for common 0acacefdb005
visual web SDK scenarios.
Specifically, render and search
data APIs.

Azure Spring Apps Application Read content of config file 25211fc6-dc78-40b6-b205-

Configuration Service Config pattern for Application e4ac934fd9fd
File Pattern Reader Role
Built-in role Description ID

Configuration Service in Azure

Spring Apps

Azure Spring Apps Application Read real-time logs for 6593e776-2a30-40f9-8a32-

Configuration Service Log Application Configuration 4fe28b77655d
Reader Role Service in Azure Spring Apps

Azure Spring Apps Connect Azure Spring Apps Connect 80558df3-64f9-4c0f-b32d-

Role Role e5094b036b0b

Azure Spring Apps Job Log Read real-time logs for jobs in b459aa1d-e3c8-436f-ae21-
Reader Role Azure Spring Apps c0531140f43e

Azure Spring Apps Remote Azure Spring Apps Remote a99b0159-1064-4c22-a57b-

Debugging Role Debugging Role c9b3caa1c054

Azure Spring Apps Spring Read real-time logs for Spring 4301dc2a-25a9-44b0-ae63-
Cloud Gateway Log Reader Cloud Gateway in Azure Spring 3636cf7f2bd2
Role Apps

Azure Spring Cloud Config Allow read, write and delete a06f5c24-21a7-4e1a-aa2b-
Server Contributor access to Azure Spring Cloud f19eb6684f5b
Config Server

Azure Spring Cloud Config Allow read access to Azure d04c6db6-4947-4782-9e91-

Server Reader Spring Cloud Config Server 30a88feb7be7

Azure Spring Cloud Data Allow read access to Azure b5537268-8956-4941-a8f0-

Reader Spring Cloud Data 646150406f0c

Azure Spring Cloud Service Allow read, write and delete f5880b48-c26d-48be-b172-
Registry Contributor access to Azure Spring Cloud 7927bfa1c8f1
Service Registry

Azure Spring Cloud Service Allow read access to Azure cff1b556-2399-4e7e-856d-

Registry Reader Spring Cloud Service Registry a8f754be7b65

Media Services Account Create, read, modify, and 054126f8-9a2b-4f1c-a9ad-

Administrator delete Media Services eca461f08466
accounts; read-only access to
other Media Services
resources.

Media Services Live Events Create, read, modify, and 532bc159-b25e-42c0-969e-

Administrator delete Live Events, Assets, a1d439f60d77
Asset Filters, and Streaming
Locators; read-only access to
other Media Services
resources.
Built-in role Description ID

Media Services Media Create, read, modify, and e4395492-1534-4db2-bedf-

Operator delete Assets, Asset Filters, 88c14621589c
Streaming Locators, and Jobs;
read-only access to other
Media Services resources.

Media Services Policy Create, read, modify, and c4bba371-dacd-4a26-b320-

Administrator delete Account Filters, 7250bca963ae
Streaming Policies, Content
Key Policies, and Transforms;
read-only access to other
Media Services resources.
Cannot create Jobs, Assets or
Streaming resources.

Media Services Streaming Create, read, modify, and 99dba123-b5fe-44d5-874c-

Endpoints Administrator delete Streaming Endpoints; ced7199a5804
read-only access to other
Media Services resources.

SignalR AccessKey Reader Read SignalR Service Access 04165923-9d83-45d5-8227-

Keys 78b77b0a687e

SignalR App Server Lets your app server access 420fcaa2-552c-430f-98ca-

SignalR Service with AAD auth 3264be4806c7
options.

SignalR REST API Owner Full access to Azure SignalR fd53cd77-2268-407a-8f46-

Service REST APIs 7e7863d0f521

SignalR REST API Reader Read-only access to Azure ddde6b66-c0df-4114-a159-

SignalR Service REST APIs 3618637b3035

SignalR Service Owner Full access to Azure SignalR 7e4f1700-ea5a-4f59-8f37-

Service REST APIs 079cfe29dce3

SignalR/Web PubSub Create, Read, Update, and 8cf5e20a-e4b2-4e9d-b3a1-

Contributor Delete SignalR service 5ceb692c2761
resources

Web Plan Contributor Manage the web plans for 2cc479cb-7b4d-49a8-b449-

websites. Does not allow you 8c00fd0f0a4b
to assign roles in Azure RBAC.

Web PubSub Service Owner Full access to Azure Web 12cf5a90-567b-43ae-8102-

PubSub Service REST APIs 96cf46c7d9b4

Web PubSub Service Reader Read-only access to Azure bfb1c7d2-fb1a-466b-b2ba-

Web PubSub Service REST APIs aee63b92deaf
Built-in role Description ID

Website Contributor Manage websites, but not web de139f84-1756-47ae-9be6-

plans. Does not allow you to 808fbbe84772
assign roles in Azure RBAC.

Containers
ﾉ Expand table

Built-in role Description ID

AcrDelete Delete repositories, tags, or c2f4ef07-c644-48eb-af81-

manifests from a container 4b1b4947fb11
registry.

AcrImageSigner Push trusted images to or pull 6cef56e8-d556-48e5-a04f-

trusted images from a b8e64114680f
container registry enabled for
content trust.

AcrPull Pull artifacts from a container 7f951dda-4ed3-4680-a7ca-

registry. 43fe172d538d

AcrPush Push artifacts to or pull 8311e382-0749-4cb8-b61a-

artifacts from a container 304f252e45ec
registry.

AcrQuarantineReader Pull quarantined images from cdda3590-29a3-44f6-95f2-

a container registry. 9f980659eb04

AcrQuarantineWriter Push quarantined images to or c8d4ff99-41c3-41a8-9f60-

pull quarantined images from 21dfdad59608
a container registry.

Azure Arc Enabled Kubernetes List cluster user credentials 00493d72-78f6-4148-b6c5-

Cluster User Role action. d3ce8e4799dd

Azure Arc Kubernetes Admin Lets you manage all resources dffb1e0c-446f-4dde-a09f-
under cluster/namespace, 99eb5cc68b96
except update or delete
resource quotas and
namespaces.

Azure Arc Kubernetes Cluster Lets you manage all resources 8393591c-06b9-48a2-a542-
Admin in the cluster. 1bd6b377f6a2

Azure Arc Kubernetes Viewer Lets you view all resources in 63f0a09d-1495-4db4-a681-
cluster/namespace, except 037d84835eb4
Built-in role Description ID

secrets.

Azure Arc Kubernetes Writer Lets you update everything in 5b999177-9696-4545-85c7-

cluster/namespace, except 50de3797e5a1
(cluster)roles and (cluster)role
bindings.

Azure Container Storage Install Azure Container Storage 95dd08a6-00bd-4661-84bf-

Contributor and manage its storage f6726f83a4d0
resources. Includes an ABAC
condition to constrain role
assignments.

Azure Container Storage Enable a managed identity to 08d4c71a-cc63-4ce4-a9c8-

Operator perform Azure Container 5dd251b4d619
Storage operations, such as
manage virtual machines and
manage virtual networks.

Azure Container Storage Install Azure Container 95de85bd-744d-4664-9dde-

Owner Storage, grant access to its 11430bc34793
storage resources, and
configure Azure Elastic storage
area network (SAN). Includes
an ABAC condition to
constrain role assignments.

Azure Kubernetes Fleet Grants read/write access to 63bb64ad-9799-4770-b5c3-

Manager Contributor Role Azure resources provided by 24ed299a07bf
Azure Kubernetes Fleet
Manager, including fleets, fleet
members, fleet update
strategies, fleet update runs,
etc.

Azure Kubernetes Fleet Grants read/write access to 434fb43a-c01c-447e-9f67-

Manager RBAC Admin Kubernetes resources within a c3ad923cfaba
namespace in the fleet-
managed hub cluster -
provides write permissions on
most objects within a
namespace, with the exception
of ResourceQuota object and
the namespace object itself.
Applying this role at cluster
scope will give access across
all namespaces.
Built-in role Description ID

Azure Kubernetes Fleet Grants read/write access to all 18ab4d3d-a1bf-4477-8ad9-

Manager RBAC Cluster Admin Kubernetes resources in the 8359bc988f69
fleet-managed hub cluster.

Azure Kubernetes Fleet Grants read-only access to 30b27cfc-9c84-438e-b0ce-

Manager RBAC Reader most Kubernetes resources 70e35255df80
within a namespace in the
fleet-managed hub cluster. It
does not allow viewing roles
or role bindings. This role does
not allow viewing Secrets,
since reading the contents of
Secrets enables access to
ServiceAccount credentials in
the namespace, which would
allow API access as any
ServiceAccount in the
namespace (a form of privilege
escalation). Applying this role
at cluster scope will give
access across all namespaces.

Azure Kubernetes Fleet Grants read/write access to 5af6afb3-c06c-4fa4-8848-

Manager RBAC Writer most Kubernetes resources 71a8aee05683
within a namespace in the
fleet-managed hub cluster.
This role does not allow
viewing or modifying roles or
role bindings. However, this
role allows accessing Secrets
as any ServiceAccount in the
namespace, so it can be used
to gain the API access levels of
any ServiceAccount in the
namespace. Applying this role
at cluster scope will give
access across all namespaces.

Azure Kubernetes Service Arc List cluster admin credential b29efa5f-7782-4dc3-9537-

Cluster Admin Role action. 4d5bc70a5e9f

Azure Kubernetes Service Arc List cluster user credential 233ca253-b031-42ff-9fba-

Cluster User Role action. 87ef12d6b55f

Azure Kubernetes Service Arc Grants access to read and 5d3f1697-4507-4d08-bb4a-

Contributor Role write Azure Kubernetes 477695db5f82
Services hybrid clusters
Built-in role Description ID

Azure Kubernetes Service List cluster admin credential 0ab0b1a8-8aac-4efd-b8c2-

Cluster Admin Role action. 3ee1fb270be8

Azure Kubernetes Service List cluster monitoring user 1afdec4b-e479-420e-99e7-

Cluster Monitoring User credential action. f82237c7c5e6

Azure Kubernetes Service List cluster user credential 4abbcc35-e782-43d8-92c5-

Cluster User Role action. 2d3f1bd2253f

Azure Kubernetes Service Grants access to read and ed7f3fbd-7b88-4dd4-9017-

Contributor Role write Azure Kubernetes Service 9adb7ce333f8
clusters

Azure Kubernetes Service Lets you manage all resources 3498e952-d568-435e-9b2c-

RBAC Admin under cluster/namespace, 8d77e338d7f7
except update or delete
resource quotas and
namespaces.

Azure Kubernetes Service Lets you manage all resources b1ff04bb-8a4e-4dc4-8eb5-

RBAC Cluster Admin in the cluster. 8693973ce19b

Azure Kubernetes Service Allows read-only access to see 7f6c6a51-bcf8-42ba-9220-

RBAC Reader most objects in a namespace. 52d62157d7db
It does not allow viewing roles
or role bindings. This role does
not allow viewing Secrets,
since reading the contents of
Secrets enables access to
ServiceAccount credentials in
the namespace, which would
allow API access as any
ServiceAccount in the
namespace (a form of privilege
escalation). Applying this role
at cluster scope will give
access across all namespaces.

Azure Kubernetes Service Allows read/write access to a7ffa36f-339b-4b5c-8bdf-

RBAC Writer most objects in a namespace. e2c188b2c0eb
This role does not allow
viewing or modifying roles or
role bindings. However, this
role allows accessing Secrets
and running Pods as any
ServiceAccount in the
namespace, so it can be used
to gain the API access levels of
any ServiceAccount in the
Built-in role Description ID

namespace. Applying this role

at cluster scope will give
access across all namespaces.

Connected Cluster Managed Built-in role that allows a 65a14201-8f6c-4c28-bec4-

Identity CheckAccess Reader Connected Cluster managed 12619c5a9aaa
identity to call the checkAccess
API

Kubernetes Agentless Grants Microsoft Defender for d5a2ae44-610b-4500-93be-

Operator Cloud access to Azure 660a0c5f5ca6
Kubernetes Services

Kubernetes Cluster - Azure Arc Role definition to authorize 34e09817-6cbe-4d01-b1a2-

Onboarding any user/service to create e0eac5743d41
connectedClusters resource

Kubernetes Extension Can create, update, get, list 85cb6faf-e071-4c9b-8136-

Contributor and delete Kubernetes 154b5a04f717
Extensions, and get extension
async operations

Databases
ﾉ Expand table

Built-in role Description ID

Azure Connected SQL Server Allows for read and write e8113dce-c529-4d33-91fa-
Onboarding access to Azure resources for e9b972617508
SQL Server on Arc-enabled
servers.

Cosmos DB Account Reader Can read Azure Cosmos DB fbdf93bf-df7d-467e-a4d2-

Role account data. See 9458aa1360c8
DocumentDB Account
Contributor for managing
Azure Cosmos DB accounts.

Cosmos DB Operator Lets you manage Azure 230815da-be43-4aae-9cb4-

Cosmos DB accounts, but not 875f7bd000aa
access data in them. Prevents
access to account keys and
connection strings.

CosmosBackupOperator Can submit restore request for db7b14f2-5adf-42da-9f96-

a Cosmos DB database or a f2ee17bab5cb
Built-in role Description ID

container for an account

CosmosRestoreOperator Can perform restore action for 5432c526-bc82-444a-b7ba-

Cosmos DB database account 57c5b0b5b34f
with continuous backup mode

DocumentDB Account Can manage Azure Cosmos DB 5bd9cd88-fe45-4216-938b-

Contributor accounts. Azure Cosmos DB is f97437e15450
formerly known as
DocumentDB.

PostgreSQL Flexible Server Role to allow backup vault to c088a766-074b-43ba-90d4-

Long Term Retention Backup access PostgreSQL Flexible 1fb21feae531
Role Server Resource APIs for Long
Term Retention Backup.

Redis Cache Contributor Lets you manage Redis caches, e0f68234-74aa-48ed-b826-

but not access to them. c38b57376e17

SQL DB Contributor Lets you manage SQL 9b7fa17d-e63e-47b0-bb0a-

databases, but not access to 15c516ac86ec
them. Also, you can't manage
their security-related policies
or their parent SQL servers.

SQL Managed Instance Lets you manage SQL 4939a1f6-9ae0-4e48-a1e0-

Contributor Managed Instances and f2cbe897382d
required network
configuration, but can't give
access to others.

SQL Security Manager Lets you manage the security- 056cd41c-7e88-42e1-933e-

related policies of SQL servers 88ba6a50c9c3
and databases, but not access
to them.

SQL Server Contributor Lets you manage SQL servers 6d8ee4ec-f05a-4a1d-8b00-

and databases, but not access a9b17e38b437
to them, and not their
security-related policies.

Analytics
ﾉ Expand table
Built-in role Description ID

Azure Event Hubs Data Owner Allows for full access to Azure f526a384-b230-433a-b45c-
Event Hubs resources. 95f59c4a2dec

Azure Event Hubs Data Allows receive access to Azure a638d3c7-ab3a-418d-83e6-

Receiver Event Hubs resources. 5f17a39d4fde

Azure Event Hubs Data Sender Allows send access to Azure 2b629674-e913-4c01-ae53-
Event Hubs resources. ef4638d8f975

Data Factory Contributor Create and manage data 673868aa-7521-48a0-acc6-

factories, as well as child 0f60742d39f5
resources within them.

Data Purger Delete private data from a Log 150f5e0c-0603-4f03-8c7f-

Analytics workspace. cf70034c4e90

HDInsight Cluster Operator Lets you read and modify 61ed4efc-fab3-44fd-b111-

HDInsight cluster e24485cc132a
configurations.

HDInsight Domain Services Can Read, Create, Modify and 8d8d5a11-05d3-4bda-a417-

Contributor Delete Domain Services a08778121c7c
related operations needed for
HDInsight Enterprise Security
Package

HDInsight on AKS Cluster Grants a user/group the ability fd036e6b-1266-47a0-b0bb-

Admin to create, delete and manage a05d04831731
clusters within a given cluster
pool. Cluster Admin can also
run workloads, monitor, and
manage all user activity on
these clusters.

HDInsight on AKS Cluster Pool Can read, create, modify and 7656b436-37d4-490a-a4ab-
Admin delete HDInsight on AKS d39f838f0042
cluster pools and create
clusters

Log Analytics Contributor Log Analytics Contributor can 92aaf0da-9dab-42b6-94a3-

read all monitoring data and d43ce8d16293
edit monitoring settings.
Editing monitoring settings
includes adding the VM
extension to VMs; reading
storage account keys to be
able to configure collection of
logs from Azure Storage;
adding solutions; and
Built-in role Description ID

configuring Azure diagnostics

on all Azure resources.

Log Analytics Reader Log Analytics Reader can view 73c42c96-874c-492b-b04d-

and search all monitoring data ab87d138a893
as well as and view monitoring
settings, including viewing the
configuration of Azure
diagnostics on all Azure
resources.

Schema Registry Contributor Read, write, and delete 5dffeca3-4936-4216-b2bc-

(Preview) Schema Registry groups and 10343a5abb25
schemas.

Schema Registry Reader Read and list Schema Registry 2c56ea50-c6b3-40a6-83c0-

(Preview) groups and schemas. 9d98858bc7d2

Stream Analytics Query Tester Lets you perform query testing 1ec5b3c1-b17e-4e25-8312-
without creating a stream 2acb3c3c5abf
analytics job first

AI + machine learning
ﾉ Expand table

Built-in role Description ID

AgFood Platform Sensor Provides contribute access to 6b77f0a0-0d89-41cc-acd1-

Partner Contributor manage sensor related entities 579c22c17a67
in AgFood Platform Service

AgFood Platform Service Provides admin access to f8da80de-1ff9-4747-ad80-

Admin AgFood Platform Service a19b7f6079e3

AgFood Platform Service Provides contribute access to 8508508a-4469-4e45-963b-

Contributor AgFood Platform Service 2518ee0bb728

AgFood Platform Service Provides read access to 7ec7ccdc-f61e-41fe-9aaf-

Reader AgFood Platform Service 980df0a44eba

Azure AI Developer Can perform all actions within 64702f94-c441-49e6-a78b-

an Azure AI resource besides ef80e0188fee
managing the resource itself.

Azure AI Enterprise Network Can approve private endpoint b556d68e-0be0-4f35-a333-

Connection Approver connections to Azure AI ad7ee1ce17ea
Built-in role Description ID

common dependency
resources

Azure AI Inference Can perform all actions 3afb7f49-54cb-416e-8c09-

Deployment Operator required to create a resource 6dc049efa503
deployment within a resource
group.

AzureML Compute Operator Can access and perform CRUD e503ece1-11d0-4e8e-8e2c-

operations on Machine 7a6c3bf38815
Learning Services managed
compute resources (including
Notebook VMs).

AzureML Data Scientist Can perform all actions within f6c7c914-8db3-469d-8ca1-

an Azure Machine Learning 694a8f32e121
workspace, except for creating
or deleting compute resources
and modifying the workspace
itself.

AzureML Metrics Writer Lets you write metrics to 635dd51f-9968-44d3-b7fb-

(preview) AzureML workspace 6d9a6bd613ae

AzureML Registry User Can perform all actions on 1823dd4f-9b8c-4ab6-ab4e-

Machine Learning Services 7397a3684615
Registry assets as well as get
Registry resources.

Cognitive Services Contributor Lets you create, read, update, 25fbc0a9-bd7c-42a3-aa1a-

delete and manage keys of 3b75d497ee68
Cognitive Services.

Cognitive Services Custom Full access to the project, c1ff6cc2-c111-46fe-8896-

Vision Contributor including the ability to view, e0ef812ad9f3
create, edit, or delete projects.

Cognitive Services Custom Publish, unpublish or export 5c4089e1-6d96-4d2f-b296-

Vision Deployment models. Deployment can view c1bc7137275f
the project but can't update.

Cognitive Services Custom View, edit training images and 88424f51-ebe7-446f-bc41-

Vision Labeler create, add, remove, or delete 7fa16989e96c
the image tags. Labelers can
view the project but can't
update anything other than
training images and tags.
Built-in role Description ID

Cognitive Services Custom Read-only actions in the 93586559-c37d-4a6b-ba08-

Vision Reader project. Readers can't create or b9f0940c2d73
update the project.

Cognitive Services Custom View, edit projects and train 0a5ae4ab-0d65-4eeb-be61-

Vision Trainer the models, including the 29fc9b54394b
ability to publish, unpublish,
export the models. Trainers
can't create or delete the
project.

Cognitive Services Data Lets you read Cognitive b59867f0-fa02-499b-be73-

Reader (Preview) Services data. 45a86b5b3e1c

Cognitive Services Face Lets you perform detect, verify, 9894cab4-e18a-44aa-828b-

Recognizer identify, group, and find cb588cd6f2d7
similar operations on Face API.
This role does not allow create
or delete operations, which
makes it well suited for
endpoints that only need
inferencing capabilities,
following 'least privilege' best
practices.

Cognitive Services Immersive Provides access to create b2de6794-95db-4659-8781-

Reader User Immersive Reader sessions and 7e080d3f2b9d
call APIs

Cognitive Services Language Has access to all Read, Test, f07febfe-79bc-46b1-8b37-

Owner Write, Deploy and Delete 790e26e6e498
functions under Language
portal

Cognitive Services Language Has access to Read and Test 7628b7b8-a8b2-4cdc-b46f-

Reader functions under Language e9b35248918e
portal

Cognitive Services Language Has access to all Read, Test, f2310ca1-dc64-4889-bb49-

Writer and Write functions under c8e0fa3d47a8
Language Portal

Cognitive Services LUIS Owner Has access to all Read, Test, f72c8140-2111-481c-87ff-
Write, Deploy and Delete 72b910f6e3f8
functions under LUIS

Cognitive Services LUIS Reader Has access to Read and Test 18e81cdc-4e98-4e29-a639-
functions under LUIS. e7d10c5a6226
Built-in role Description ID

Cognitive Services LUIS Writer Has access to all Read, Test, 6322a993-d5c9-4bed-b113-
and Write functions under e49bbea25b27
LUIS

Cognitive Services Metrics Full access to the project, cb43c632-a144-4ec5-977c-

Advisor Administrator including the system level e80c4affc34a
configuration.

Cognitive Services Metrics Access to the project. 3b20f47b-3825-43cb-8114-

Advisor User 4bd2201156a8

Cognitive Services OpenAI Full access including the ability a001fd3d-188f-4b5d-821b-

Contributor to fine-tune, deploy and 7da978bf7442
generate text

Cognitive Services OpenAI Read access to view files, 5e0bd9bd-7b93-4f28-af87-

User models, deployments. The 19fc36ad61bd
ability to create completion
and embedding calls.

Cognitive Services QnA Maker Let's you create, edit, import f4cc2bf9-21be-47a1-bdf1-
Editor and export a KB. You cannot 5c5804381025
publish or delete a KB.

Cognitive Services QnA Maker Let's you read and test a KB 466ccd10-b268-4a11-b098-
Reader only. b4849f024126

Cognitive Services Speech Full access to Speech projects, 0e75ca1e-0464-4b4d-8b93-

Contributor including read, write and 68208a576181
delete all entities, for real-time
speech recognition and batch
transcription tasks, real-time
speech synthesis and long
audio tasks, custom speech
and custom voice.

Cognitive Services Speech Access to the real-time speech f2dc8367-1007-4938-bd23-

User recognition and batch fe263f013447
transcription APIs, real-time
speech synthesis and long
audio APIs, as well as to read
the data/test/model/endpoint
for custom models, but can't
create, delete or modify the
data/test/model/endpoint for
custom models.

Cognitive Services Usages Minimal permission to view bba48692-92b0-4667-a9ad-

Reader Cognitive Services usages. c31c7b334ac2
Built-in role Description ID

Cognitive Services User Lets you read and list keys of a97b65f3-24c7-4388-baec-
Cognitive Services. 2e87135dc908

Health Bot Admin Users with admin access can f1082fec-a70f-419f-9230-

sign in, view and edit all of the 885d2550fb38
bot resources, scenarios and
configuration setting including
the bot instance keys &
secrets.

Health Bot Editor Users with editor access can af854a69-80ce-4ff7-8447-

sign in, view and edit all the f1118a2e0ca8
bot resources, scenarios and
configuration setting except
for the bot instance keys &
secrets and the end-user
inputs (including Feedback,
Unrecognized utterances and
Conversation logs). A read-
only access to the bot skills
and channels.

Health Bot Reader Users with reader access can eb5a76d5-50e7-4c33-a449-

sign in, have read-only access 070e7c9c4cf2
to the bot resources, scenarios
and configuration setting
except for the bot instance
keys & secrets (including
Authentication, Data
Connection and Channels
keys) and the end-user inputs
(including Feedback,
Unrecognized utterances and
Conversation logs).

Search Index Data Contributor Grants full access to Azure 8ebe5a00-799e-43f5-93ac-

Cognitive Search index data. 243d3dce84a7

Search Index Data Reader Grants read access to Azure 1407120a-92aa-4202-b7e9-

Cognitive Search index data. c0e197c71c8f

Search Service Contributor Lets you manage Search 7ca78c08-252a-4471-8644-

services, but not access to bb5ff32d4ba0
them.

Internet of Things
ﾉ Expand table

Built-in role Description ID

Azure Digital Twins Data Full access role for Digital bcd981a7-7f74-457b-83e1-
Owner Twins data-plane cceb9e632ffe

Azure Digital Twins Data Read-only role for Digital d57506d4-4c8d-48b1-8587-

Reader Twins data-plane properties 93c323f6a5a3

Device Provisioning Service Allows for full access to Device dfce44e4-17b7-4bd1-a6d1-

Data Contributor Provisioning Service data- 04996ec95633
plane operations.

Device Provisioning Service Allows for full read access to 10745317-c249-44a1-a5ce-

Data Reader Device Provisioning Service 3a4353c0bbd8
data-plane properties.

Device Update Administrator Gives you full access to 02ca0879-e8e4-47a5-a61e-

management and content 5c618b76e64a
operations

Device Update Content Gives you full access to 0378884a-3af5-44ab-8323-

Administrator content operations f5b22f9f3c98

Device Update Content Reader Gives you read access to d1ee9a80-8b14-47f0-bdc2-

content operations, but does f4a351625a7b
not allow making changes

Device Update Deployments Gives you full access to e4237640-0e3d-4a46-8fda-

Administrator management operations 70bc94856432

Device Update Deployments Gives you read access to 49e2f5d2-7741-4835-8efa-

Reader management operations, but 19e1fe35e47f
does not allow making
changes

Device Update Reader Gives you read access to e9dba6fb-3d52-4cf0-bce3-

management and content f06ce71b9e0f
operations, but does not allow
making changes

Firmware Analysis Admin Upload and analyze firmware 9c1607d1-791d-4c68-885d-

images in Defender for IoT c7b7aaff7c8a

IoT Hub Data Contributor Allows for full access to IoT 4fc6c259-987e-4a07-842e-
Hub data plane operations. c321cc9d413f

IoT Hub Data Reader Allows for full read access to b447c946-2db7-41ec-983d-
IoT Hub data-plane properties d8bf3b1c77e3
Built-in role Description ID

IoT Hub Registry Contributor Allows for full access to IoT 4ea46cd5-c1b2-4a8e-910b-
Hub device registry. 273211f9ce47

IoT Hub Twin Contributor Allows for read and write 494bdba2-168f-4f31-a0a1-
access to all IoT Hub device 191d2f7c028c
and module twins.

Mixed reality
ﾉ Expand table

Built-in role Description ID

Remote Rendering Provides user with conversion, 3df8b902-2a6f-47c7-8cc5-

Administrator manage session, rendering 360e9b272a7e
and diagnostics capabilities for
Azure Remote Rendering

Remote Rendering Client Provides user with manage d39065c4-c120-43c9-ab0a-

session, rendering and 63eed9795f0a
diagnostics capabilities for
Azure Remote Rendering.

Spatial Anchors Account Lets you manage spatial 8bbe83f1-e2a6-4df7-8cb4-

Contributor anchors in your account, but 4e04d4e5c827
not delete them

Spatial Anchors Account Lets you manage spatial 70bbe301-9835-447d-afdd-

Owner anchors in your account, 19eb3167307c
including deleting them

Spatial Anchors Account Lets you locate and read 5d51204f-eb77-4b1c-b86a-

Reader properties of spatial anchors in 2ec626c49413
your account

Integration
ﾉ Expand table

Built-in role Description ID

API Management Developer Can customize the developer c031e6a8-4391-4de0-8d69-

Portal Content Editor portal, edit its content, and 4706a7ed3729
publish it.
Built-in role Description ID

API Management Service Can manage service and the 312a565d-c81f-4fd8-895a-

Contributor APIs 4e21e48d571c

API Management Service Can manage service but not e022efe7-f5ba-4159-bbe4-

Operator Role the APIs b44f577e9b61

API Management Service Read-only access to service 71522526-b88f-4d52-b57f-

Reader Role and APIs d31fc3546d0d

API Management Service Has read access to tags and 9565a273-41b9-4368-97d2-

Workspace API Developer products and write access to aeb0c976a9b3
allow: assigning APIs to
products, assigning tags to
products and APIs. This role
should be assigned on the
service scope.

API Management Service Has the same access as API d59a3e9c-6d52-4a5a-aeed-

Workspace API Product Management Service 6bf3cf0e31da
Manager Workspace API Developer as
well as read access to users
and write access to allow
assigning users to groups. This
role should be assigned on the
service scope.

API Management Workspace Has read access to entities in 56328988-075d-4c6a-8766-

API Developer the workspace and read and d93edd6725b6
write access to entities for
editing APIs. This role should
be assigned on the workspace
scope.

API Management Workspace Has read access to entities in 73c2c328-d004-4c5e-938c-

API Product Manager the workspace and read and 35c6f5679a1f
write access to entities for
publishing APIs. This role
should be assigned on the
workspace scope.

API Management Workspace Can manage the workspace 0c34c906-8d99-4cb7-8bb7-

Contributor and view, but not modify its 33f5b0a1a799
members. This role should be
assigned on the workspace
scope.

API Management Workspace Has read-only access to ef1c2c96-4a77-49e8-b9a4-

Reader entities in the workspace. This 6179fe1d2fd2
Built-in role Description ID

role should be assigned on the

workspace scope.

App Configuration Contributor Grants permission for all fe86443c-f201-4fc4-9d2a-

management operations, ac61149fbda0
except purge, for App
Configuration resources.

App Configuration Data Allows full access to App 5ae67dd6-50cb-40e7-96ff-

Owner Configuration data. dc2bfa4b606b

App Configuration Data Allows read access to App 516239f1-63e1-4d78-a4de-

Reader Configuration data. a74fb236a071

App Configuration Reader Grants permission for read 175b81b9-6e0d-490a-85e4-

operations for App 0d422273c10c
Configuration resources.

Azure API Center Compliance Allows managing API ede9aaa3-4627-494e-be13-

Manager compliance in Azure API 4aa7c256148d
Center service.

Azure API Center Data Reader Allows for access to Azure API c7244dfb-f447-457d-b2ba-
Center data plane read 3999044d1706
operations.

Azure API Center Service Allows managing Azure API dd24193f-ef65-44e5-8a7e-

Contributor Center service. 6fa6e03f7713

Azure API Center Service Allows read-only access to 6cba8790-29c5-48e5-bab1-

Reader Azure API Center service. c7541b01cb04

Azure Relay Listener Allows for listen access to 26e0b698-aa6d-4085-9386-

Azure Relay resources. aadae190014d

Azure Relay Owner Allows for full access to Azure 2787bf04-f1f5-4bfe-8383-

Relay resources. c8a24483ee38

Azure Relay Sender Allows for send access to 26baccc8-eea7-41f1-98f4-

Azure Relay resources. 1762cc7f685d

Azure Resource Notifications Lets you create system topics 0b962ed2-6d56-471c-bd5f-

System Topics Subscriber and event subscriptions on all 3477d83a7ba4
system topics exposed
currently and in the future by
Azure Resource Notifications

Azure Service Bus Data Owner Allows for full access to Azure 090c5cfd-751d-490a-894a-
Service Bus resources. 3ce6f1109419
Built-in role Description ID

Azure Service Bus Data Allows for receive access to 4f6d3b9b-027b-4f4c-9142-

Receiver Azure Service Bus resources. 0e5a2a2247e0

Azure Service Bus Data Sender Allows for send access to 69a216fc-b8fb-44d8-bc22-
Azure Service Bus resources. 1f3c2cd27a39

BizTalk Contributor Lets you manage BizTalk 5e3c6656-6cfa-4708-81fe-

services, but not access to 0de47ac73342
them.

Chamber Admin Lets you manage everything 4e9b8407-af2e-495b-ae54-

under your Modeling and bb60a55b1b5a
Simulation Workbench
chamber.

Chamber User Lets you view everything 4447db05-44ed-4da3-ae60-

under your Modeling and 6cbece780e32
Simulation Workbench
chamber, but not make any
changes.

DeID Batch Data Owner Create and manage DeID 8a90fa6b-6997-4a07-8a95-

batch jobs. This role is in 30633a7c97b9
preview and subject to change.

DeID Batch Data Reader Read DeID batch jobs. This b73a14ee-91f5-41b7-bd81-
role is in preview and subject 920e12466be9
to change.

DeID Data Owner Full access to DeID data. This 78e4b983-1a0b-472e-8b7d-

role is in preview and subject 8d770f7c5890
to change

DeID Realtime Data User Execute requests against DeID bb6577c4-ea0a-40b2-8962-

realtime endpoint. This role is ea18cb8ecd4e
in preview and subject to
change.

DICOM Data Owner Full access to DICOM data. 58a3b984-7adf-4c20-983a-

32417c86fbc8

DICOM Data Reader Read and search DICOM data. e89c7a3c-2f64-4fa1-a847-

3e4c9ba4283a

EventGrid Contributor Lets you manage EventGrid 1e241071-0855-49ea-94dc-

operations. 649edcd759de

EventGrid Data Sender Allows send access to event d5a91429-5739-47e2-a06b-

grid events. 3470a27159e7
Built-in role Description ID

EventGrid EventSubscription Lets you manage EventGrid 428e0ff0-5e57-4d9c-a221-

Contributor event subscription operations. 2c70d0e0a443

EventGrid EventSubscription Lets you read EventGrid event 2414bbcf-6497-4faf-8c65-

Reader subscriptions. 045460748405

EventGrid TopicSpaces Lets you publish messages on a12b0b94-b317-4dcd-84a8-

Publisher topicspaces. 502ce99884c6

EventGrid TopicSpaces Lets you subscribe messages 4b0f2fd7-60b4-4eca-896f-

Subscriber on topicspaces. 4435034f8bf5

FHIR Data Contributor Role allows user or principal 5a1fc7df-4bf1-4951-a576-

full access to FHIR Data 89034ee01acd

FHIR Data Converter Role allows user or principal to a1705bd2-3a8f-45a5-8683-

convert data from legacy 466fcfd5cc24
format to FHIR

FHIR Data Exporter Role allows user or principal to 3db33094-8700-4567-8da5-

read and export FHIR Data 1501d4e7e843

FHIR Data Importer Role allows user or principal to 4465e953-8ced-4406-a58e-

read and import FHIR Data 0f6e3f3b530b

FHIR Data Reader Role allows user or principal to 4c8d0bbc-75d3-4935-991f-

read FHIR Data 5f3c56d81508

FHIR Data Writer Role allows user or principal to 3f88fce4-5892-4214-ae73-

read and write FHIR Data ba5294559913

FHIR SMART User Role allows user to access FHIR 4ba50f17-9666-485c-a643-

Service according to SMART ff00808643f0
on FHIR specification

Integration Service Lets you manage integration a41e2c5b-bd99-4a07-88f4-

Environment Contributor service environments, but not 9bf657a760b8
access to them.

Integration Service Allows developers to create c7aa55d3-1abb-444a-a5ca-

Environment Developer and update workflows, 5e51e485d6ec
integration accounts and API
connections in integration
service environments.

Intelligent Systems Account Lets you manage Intelligent 03a6d094-3444-4b3d-88af-

Contributor Systems accounts, but not 7477090a9e5e
access to them.
Built-in role Description ID

Logic App Contributor Lets you manage logic apps, 87a39d53-fc1b-424a-814c-

but not change access to f7e04687dc9e
them.

Logic App Operator Lets you read, enable, and 515c2055-d9d4-4321-b1b9-

disable logic apps, but not edit bd0c9a0f79fe
or update them.

Logic Apps Standard You can manage all aspects of ad710c24-b039-4e85-a019-

Contributor (Preview) a Standard logic app and deb4a06e8570
workflows. You can't change
access or ownership.

Logic Apps Standard You can create and edit 523776ba-4eb2-4600-a3c8-

Developer (Preview) workflows, connections, and f2dc93da4bdb
settings for a Standard logic
app. You can't make changes
outside the workflow scope.

Logic Apps Standard Operator You can enable and disable the b70c96e9-66fe-4c09-b6e7-
(Preview) logic app, resubmit workflow c98e69c98555
runs, as well as create
connections. You can't edit
workflows or settings.

Logic Apps Standard Reader You have read-only access to 4accf36b-2c05-432f-91c8-

(Preview) all resources in a Standard 5c532dff4c73
logic app and workflows,
including the workflow runs
and their history.

Scheduler Job Collections Lets you manage Scheduler 188a0f2f-5c9e-469b-ae67-

Contributor job collections, but not access 2aa5ce574b94
to them.

Services Hub Operator Services Hub Operator allows 82200a5b-e217-47a5-b665-

you to perform all read, write, 6d8765ee745b
and deletion operations
related to Services Hub
Connectors.

Identity
ﾉ Expand table
Built-in role Description ID

Domain Services Contributor Can manage Azure AD eeaeda52-9324-47f6-8069-

Domain Services and related 5d5bade478b2
network configurations

Domain Services Reader Can view Azure AD Domain 361898ef-9ed1-48c2-849c-

Services and related network a832951106bb
configurations

Managed Identity Contributor Create, Read, Update, and e40ec5ca-96e0-45a2-b4ff-

Delete User Assigned Identity 59039f2c2b59

Managed Identity Operator Read and Assign User f1a07417-d97a-45cb-824c-

Assigned Identity 7a7467783830

Security
ﾉ Expand table

Built-in role Description ID

App Compliance Automation Create, read, download, 0f37683f-2463-46b6-9ce7-

Administrator modify and delete reports 9b788b988ba2
objects and related other
resource objects.

App Compliance Automation Read, download the reports ffc6bbe0-e443-4c3b-bf54-

Reader objects and related other 26581bb2f78e
resource objects.

Attestation Contributor Can read write or delete the bbf86eb8-f7b4-4cce-96e4-

attestation provider instance 18cddf81d86e

Attestation Reader Can read the attestation fd1bd22b-8476-40bc-a0bc-

provider properties 69b95687b9f3

Key Vault Administrator Perform all data plane 00482a5a-887f-4fb3-b363-

operations on a key vault and 3b7fe8e74483
all objects in it, including
certificates, keys, and secrets.
Cannot manage key vault
resources or manage role
assignments. Only works for
key vaults that use the 'Azure
role-based access control'
permission model.
Built-in role Description ID

Key Vault Certificate User Read certificate contents. Only db79e9a7-68ee-4b58-9aeb-

works for key vaults that use b90e7c24fcba
the 'Azure role-based access
control' permission model.

Key Vault Certificates Officer Perform any action on the a4417e6f-fecd-4de8-b567-

certificates of a key vault, 7b0420556985
except manage permissions.
Only works for key vaults that
use the 'Azure role-based
access control' permission
model.

Key Vault Contributor Manage key vaults, but does f25e0fa2-a7c8-4377-a976-

not allow you to assign roles in 54943a77a395
Azure RBAC, and does not
allow you to access secrets,
keys, or certificates.

Key Vault Crypto Officer Perform any action on the keys 14b46e9e-c2b7-41b4-b07b-
of a key vault, except manage 48a6ebf60603
permissions. Only works for
key vaults that use the 'Azure
role-based access control'
permission model.

Key Vault Crypto Service Read metadata of keys and e147488a-f6f5-4113-8e2d-

Encryption User perform wrap/unwrap b22465e65bf6
operations. Only works for key
vaults that use the 'Azure role-
based access control'
permission model.

Key Vault Crypto Service Release keys. Only works for 08bbd89e-9f13-488c-ac41-
Release User key vaults that use the 'Azure acfcb10c90ab
role-based access control'
permission model.

Key Vault Crypto User Perform cryptographic 12338af0-0e69-4776-bea7-

operations using keys. Only 57ae8d297424
works for key vaults that use
the 'Azure role-based access
control' permission model.

Key Vault Data Access Manage access to Azure Key 8b54135c-b56d-4d72-a534-

Administrator Vault by adding or removing 26097cfdc8d8
role assignments for the Key
Vault Administrator, Key Vault
Certificates Officer, Key Vault
Built-in role Description ID

Crypto Officer, Key Vault

Crypto Service Encryption
User, Key Vault Crypto User,
Key Vault Reader, Key Vault
Secrets Officer, or Key Vault
Secrets User roles. Includes an
ABAC condition to constrain
role assignments.

Key Vault Reader Read metadata of key vaults 21090545-7ca7-4776-b22c-

and its certificates, keys, and e363652d74d2
secrets. Cannot read sensitive
values such as secret contents
or key material. Only works for
key vaults that use the 'Azure
role-based access control'
permission model.

Key Vault Secrets Officer Perform any action on the b86a8fe4-44ce-4948-aee5-

secrets of a key vault, except eccb2c155cd7
manage permissions. Only
works for key vaults that use
the 'Azure role-based access
control' permission model.

Key Vault Secrets User Read secret contents. Only 4633458b-17de-408a-b874-

works for key vaults that use 0445c86b69e6
the 'Azure role-based access
control' permission model.

Managed HSM contributor Lets you manage managed 18500a29-7fe2-46b2-a342-

HSM pools, but not access to b16a415e101d
them.

Microsoft Sentinel Automation Microsoft Sentinel Automation f4c81013-99ee-4d62-a7ee-

Contributor Contributor b3f1f648599a

Microsoft Sentinel Contributor Microsoft Sentinel Contributor ab8e14d6-4a74-4a29-9ba8-

549422addade

Microsoft Sentinel Playbook Microsoft Sentinel Playbook 51d6186e-6489-4900-b93f-

Operator Operator 92e23144cca5

Microsoft Sentinel Reader Microsoft Sentinel Reader 8d289c81-5878-46d4-8554-

54e1e3d8b5cb

Microsoft Sentinel Responder Microsoft Sentinel Responder 3e150937-b8fe-4cfb-8069-

0eaf05ecd056
Built-in role Description ID

Security Admin View and update permissions fb1c8493-542b-48eb-b624-

for Microsoft Defender for b4c8fea62acd
Cloud. Same permissions as
the Security Reader role and
can also update the security
policy and dismiss alerts and
recommendations.

For Microsoft Defender for IoT,

see Azure user roles for OT
and Enterprise IoT monitoring.

Security Assessment Lets you push assessments to 612c2aa1-cb24-443b-ac28-

Contributor Microsoft Defender for Cloud 3ab7272de6f5

Security Manager (Legacy) This is a legacy role. Please use e3d13bf0-dd5a-482e-ba6b-

Security Admin instead. 9b8433878d10

Security Reader View permissions for Microsoft 39bc4728-0917-49c7-9d2c-

Defender for Cloud. Can view d95423bc2eb4
recommendations, alerts, a
security policy, and security
states, but cannot make
changes.

For Microsoft Defender for IoT,

see Azure user roles for OT
and Enterprise IoT monitoring.

DevOps
ﾉ Expand table

Built-in role Description ID

Deployment Environments Provides read access to eb960402-bf75-4cc3-8d68-

Reader environment resources. 35b34f960f72

Deployment Environments Provides access to manage 18e40d4e-8d2e-438d-97e1-

User environment resources. 9528336e149c

DevCenter Dev Box User Provides access to create and 45d50f46-0b78-4001-a660-

manage dev boxes. 4198cbe8cd05

DevCenter Project Admin Provides access to manage 331c37c6-af14-46d9-b9f4-

project resources. e1909e1b95a0
Built-in role Description ID

DevTest Labs User Lets you connect, start, restart, 76283e04-6283-4c54-8f91-

and shutdown your virtual bcf1374a3c64
machines in your Azure
DevTest Labs.

Lab Assistant Enables you to view an ce40b423-cede-4313-a93f-

existing lab, perform actions 9b28290b72e1
on the lab VMs and send
invitations to the lab.

Lab Contributor Applied at lab level, enables 5daaa2af-1fe8-407c-9122-

you to manage the lab. bba179798270
Applied at a resource group,
enables you to create and
manage labs.

Lab Creator Lets you create new labs under b97fb8bc-a8b2-4522-a38b-

your Azure Lab Accounts. dd33c7e65ead

Lab Operator Gives you limited ability to a36e6959-b6be-4b12-8e9f-

manage existing labs. ef4b474d304d

Lab Services Contributor Enables you to fully control all f69b8690-cc87-41d6-b77a-

Lab Services scenarios in the a4bc3c0a966f
resource group.

Lab Services Reader Enables you to view, but not 2a5c394f-5eb7-4d4f-9c8e-

change, all lab plans and lab e8eae39faebc
resources.

Load Test Contributor View, create, update, delete 749a398d-560b-491b-bb21-

and execute load tests. View 08924219302e
and list load test resources but
can not make any changes.

Load Test Owner Execute all operations on load 45bb0b16-2f0c-4e78-afaa-

test resources and load tests a07599b003f6

Load Test Reader View and list all load tests and 3ae3fb29-0000-4ccd-bf80-
load test resources but can not 542e7b26e081
make any changes

Monitor
ﾉ Expand table
Built-in role Description ID

Application Insights Can manage Application ae349356-3a1b-4a5e-921d-

Component Contributor Insights components 050484c6347e

Application Insights Snapshot Gives user permission to view 08954f03-6346-4c2e-81c0-

Debugger and download debug ec3a5cfae23b
snapshots collected with the
Application Insights Snapshot
Debugger. Note that these
permissions are not included
in the Owner or Contributor
roles. When giving users the
Application Insights Snapshot
Debugger role, you must grant
the role directly to the user.
The role is not recognized
when it is added to a custom
role.

Grafana Admin Manage server-wide settings 22926164-76b3-42b3-bc55-

and manage access to 97df8dab3e41
resources such as
organizations, users, and
licenses.

Grafana Editor Create, edit, delete, or view a79a5197-3a5c-4973-a920-

dashboards; create, edit, or 486035ffd60f
delete folders; and edit or view
playlists.

Grafana Limited Viewer View home page. 41e04612-9dac-4699-a02b-

c82ff2cc3fb5

Grafana Viewer View dashboards, playlists, and 60921a7e-fef1-4a43-9b16-

query data sources. a26c52ad4769

Monitoring Contributor Can read all monitoring data 749f88d5-cbae-40b8-bcfc-

and edit monitoring settings. e573ddc772fa
See also Get started with roles,
permissions, and security with
Azure Monitor.

Monitoring Metrics Publisher Enables publishing metrics 3913510d-42f4-4e42-8a64-

against Azure resources 420c390055eb

Monitoring Reader Can read all monitoring data 43d0d8ad-25c7-4714-9337-

(metrics, logs, etc.). See also 8ba259a9fe05
Get started with roles,
Built-in role Description ID

permissions, and security with

Azure Monitor.

Workbook Contributor Can save shared workbooks. e8ddcd69-c73f-4f9f-9844-

4100522f16ad

Workbook Reader Can read workbooks. b279062a-9be3-42a0-92ae-

8b3cf002ec4d

Management and governance

ﾉ Expand table

Built-in role Description ID

Advisor Recommendations View assessment 6b534d80-e337-47c4-864f-

Contributor (Assessments and recommendations, accepted 140f5c7f593d
Reviews) review recommendations, and
manage the recommendations
lifecycle (mark
recommendations as
completed, postponed or
dismissed, in progress, or not
started).

Advisor Reviews Contributor View reviews for a workload 8aac15f0-d885-4138-8afa-

and triage recommendations bfb5872f7d13
linked to them.

Advisor Reviews Reader View reviews for a workload c64499e0-74c3-47ad-921c-

and recommendations linked 13865957895c
to them.

Automation Contributor Manage Azure Automation f353d9bd-d4a6-484e-a77a-

resources and other resources 8050b599b867
using Azure Automation.

Automation Job Operator Create and Manage Jobs using 4fe576fe-1146-4730-92eb-

Automation Runbooks. 48519fa6bf9f

Automation Operator Automation Operators are d3881f73-407a-4167-8283-

able to start, stop, suspend, e981cbba0404
and resume jobs

Automation Runbook Read Runbook properties - to 5fb5aef8-1081-4b8e-bb16-

Operator be able to create Jobs of the 9d5d0385bab5
runbook.
Built-in role Description ID

Azure Center for SAP solutions This role provides read and 7b0c7e81-271f-4c71-90bf-
administrator write access to all capabilities e30bdfdbc2f7
of Azure Center for SAP
solutions.

Azure Center for SAP solutions This role provides read access 05352d14-a920-4328-a0de-
reader to all capabilities of Azure 4cbe7430e26b
Center for SAP solutions.

Azure Center for SAP solutions Azure Center for SAP solutions aabbc5dd-1af0-458b-a942-
service role service role - This role is 81af88f9c138
intended to be used for
providing the permissions to
user assigned managed
identity. Azure Center for SAP
solutions will use this identity
to deploy and manage SAP
systems.

Azure Connected Machine Can onboard Azure Connected b64e21ea-ac4e-4cdf-9dc9-

Onboarding Machines. 5b892992bee7

Azure Connected Machine Can read, write, delete and re- cd570a14-e51a-42ad-bac8-
Resource Administrator onboard Azure Connected bafd67325302
Machines.

Azure Connected Machine Custom Role for f5819b54-e033-4d82-ac66-

Resource Manager AzureStackHCI RP to manage 4fec3cbf3f4c
hybrid compute machines and
hybrid connectivity endpoints
in a resource group

Azure Customer Lockbox Can approve Microsoft 4dae6930-7baf-46f5-909e-

Approver for Subscription support requests to access 0383bc931c46
specific resources contained
within a subscription, or the
subscription itself, when
Customer Lockbox for
Microsoft Azure is enabled on
the tenant where the
subscription resides.

Billing Reader Allows read access to billing fa23ad8b-c56e-40d8-ac0c-

data ce449e1d2c64

Blueprint Contributor Can manage blueprint 41077137-e803-4205-871c-

definitions, but not assign 5a86e6a753b4
them.
Built-in role Description ID

Blueprint Operator Can assign existing published 437d2ced-4a38-4302-8479-

blueprints, but cannot create ed2bcb43d090
new blueprints. Note that this
only works if the assignment is
done with a user-assigned
managed identity.

Carbon Optimization Reader Allow read access to Azure fa0d39e6-28e5-40cf-8521-

Carbon Optimization data 1eb320653a4c

Cost Management Contributor Can view costs and manage 434105ed-43f6-45c7-a02f-

cost configuration (e.g. 909b2ba83430
budgets, exports)

Cost Management Reader Can view cost data and 72fafb9e-0641-4937-9268-

configuration (e.g. budgets, a91bfd8191a3
exports)

Hierarchy Settings Allows users to edit and delete 350f8d15-c687-4448-8ae1-

Administrator Hierarchy Settings 157740a3936d

Managed Application Allows for creating managed 641177b8-a67a-45b9-a033-

Contributor Role application resources. 47bc880bb21e

Managed Application Lets you read and perform c7393b34-138c-406f-901b-

Operator Role actions on Managed d8cf2b17e6ae
Application resources

Managed Applications Reader Lets you read resources in a b9331d33-8a36-4f8c-b097-

managed app and request JIT 4f54124fdb44
access.

Managed Services Registration Managed Services Registration 91c1777a-f3dc-4fae-b103-

assignment Delete Role Assignment Delete Role allows 61d183457e46
the managing tenant users to
delete the registration
assignment assigned to their
tenant.

Management Group Management Group 5d58bcaf-24a5-4b20-bdb6-

Contributor Contributor Role eed9f69fbe4c

Management Group Reader Management Group Reader ac63b705-f282-497d-ac71-

Role 919bf39d939d

New Relic APM Account Lets you manage New Relic 5d28c62d-5b37-4476-8438-
Contributor Application Performance e587778df237
Management accounts and
Built-in role Description ID

applications, but not access to

them.

Policy Insights Data Writer Allows read access to resource 66bb4e9e-b016-4a94-8249-

(Preview) policies and write access to 4c0511c2be84
resource component policy
events.

Quota Request Operator Read and create quota 0e5f05e5-9ab9-446b-b98d-

requests, get quota request 1e2157c94125
status, and create support
tickets.

Reservation Purchaser Lets you purchase reservations f7b75c60-3036-4b75-91c3-

6b41c27c1689

Reservations Reader Lets one read all the 582fc458-8989-419f-a480-

reservations in a tenant 75249bc5db7e

Resource Policy Contributor Users with rights to 36243c78-bf99-498c-9df9-

create/modify resource policy, 86d9f8d28608
create support ticket and read
resources/hierarchy.

Savings plan Purchaser Lets you purchase savings 3d24a3a0-c154-4f6f-a5ed-

plans adc8e01ddb74

Scheduled Patching Provides access to manage cd08ab90-6b14-449c-ad9a-

Contributor maintenance configurations 8f8e549482c6
with maintenance scope
InGuestPatch and
corresponding configuration
assignments

Site Recovery Contributor Lets you manage Site Recovery 6670b86e-a3f7-4917-ac9b-

service except vault creation 5d6ab1be4567
and role assignment

Site Recovery Operator Lets you failover and failback 494ae006-db33-4328-bf46-

but not perform other Site 533a6560a3ca
Recovery management
operations

Site Recovery Reader Lets you view Site Recovery dbaa88c4-0c30-4179-9fb3-

status but not perform other 46319faa6149
management operations

Support Request Contributor Lets you create and manage cfd33db0-3dd1-45e3-aa9d-

Support requests cdbdf3b6f24e
Built-in role Description ID

Tag Contributor Lets you manage tags on 4a9ae827-6dc8-4573-8ac7-

entities, without providing 8239d42aa03f
access to the entities
themselves.

Template Spec Contributor Allows full access to Template 1c9b6475-caf0-4164-b5a1-

Spec operations at the 2142a7116f4b
assigned scope.

Template Spec Reader Allows read access to Template 392ae280-861d-42bd-9ea5-

Specs at the assigned scope. 08ee6d83b80e

Hybrid + multicloud
ﾉ Expand table

Built-in role Description ID

Azure Resource Bridge Azure Resource Bridge 7b1f81f9-4196-4058-8aae-

Deployment Role Deployment Role 762e593270df

Azure Stack HCI Administrator Grants full access to the cluster bda0d508-adf1-4af0-9c28-
and its resources, including the 88919fc3ae06
ability to register Azure Stack
HCI and assign others as Azure
Arc HCI VM Contributor
and/or Azure Arc HCI VM
Reader

Azure Stack HCI Device Microsoft.AzureStackHCI 865ae368-6a45-4bd1-8fbf-

Management Role Device Management Role 0d5151f56fc1

Azure Stack HCI VM Grants permissions to perform 874d1c73-6003-4e60-a13a-

Contributor all VM actions cb31ea190a85

Azure Stack HCI VM Reader Grants permissions to view 4b3fe76c-f777-4d24-a2d7-

VMs b027b0f7b273

Azure Stack Registration Lets you manage Azure Stack 6f12a6df-dd06-4f3e-bcb1-

Owner registrations. ce8be600526a

Hybrid Server Resource Can read, write, delete, and re- 48b40c6e-82e0-4eb3-90d5-
Administrator onboard Hybrid servers to the 19e40f49b624
Hybrid Resource Provider.
Next steps
Assign Azure roles using the Azure portal
Azure custom roles
Permissions in Microsoft Defender for Cloud

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Privileged
Article • 09/29/2024

This article lists the Azure built-in roles in the Privileged category.

Contributor
Grants full access to manage all resources, but does not allow you to assign roles in
Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

Learn more

ﾉ Expand table

Actions Description

* Create and manage resources of all types

NotActions

Microsoft.Authorization/*/Delete Delete roles, policy assignments, policy

definitions and policy set definitions

Microsoft.Authorization/*/Write Create roles, role assignments, policy

assignments, policy definitions and policy set
definitions

Microsoft.Authorization/elevateAccess/Action Grants the caller User Access Administrator

access at the tenant scope

Microsoft.Blueprint/blueprintAssignments/write Create or update any blueprint assignments

Microsoft.Blueprint/blueprintAssignments/delet Delete any blueprint assignments

Microsoft.Compute/galleries/share/action Shares a Gallery to different scopes

Microsoft.Purview/consents/write Create or Update a Consent Resource.

Microsoft.Purview/consents/delete Delete the Consent Resource.

Microsoft.Resources/deploymentStacks/manag Manage the denySettings property of a

eDenySetting/action deployment stack.

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants full access to manage all resources, but does not
allow you to assign roles in Azure RBAC, manage assignments in Azure
Blueprints, or share image galleries.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-
42a0-ab88-20f7382dd24c",
"name": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"permissions": [
{
"actions": [
"*"
],
"notActions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete",
"Microsoft.Compute/galleries/share/action",
"Microsoft.Purview/consents/write",
"Microsoft.Purview/consents/delete",
"Microsoft.Resources/deploymentStacks/manageDenySetting/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Owner
Grants full access to manage all resources, including the ability to assign roles in Azure
RBAC.

Learn more
ﾉ Expand table

Actions Description

* Create and manage resources of all types

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants full access to manage all resources, including the
ability to assign roles in Azure RBAC.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-
443c-a75c-2fe8c4bcb635",
"name": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
"permissions": [
{
"actions": [
"*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Reservations Administrator
Lets one read and manage all the reservations in a tenant

Learn more
ﾉ Expand table

Actions Description

Microsoft.Capacity/*/read

Microsoft.Capacity/*/action

Microsoft.Capacity/*/write

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.

Microsoft.Authorization/roleAssignments/delet Delete a role assignment at the specified scope.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/providers/Microsoft.Capacity"
],
"description": "Lets one read and manage all the reservations in a
tenant",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a8889054-8d42-
49c9-bc1c-52486c10e7cd",
"name": "a8889054-8d42-49c9-bc1c-52486c10e7cd",
"permissions": [
{
"actions": [
"Microsoft.Capacity/*/read",
"Microsoft.Capacity/*/action",
"Microsoft.Capacity/*/write",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reservations Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Role Based Access Control Administrator

Manage access to Azure resources by assigning roles using Azure RBAC. This role does
not allow you to manage access using other ways, such as Azure Policy.

ﾉ Expand table

Actions Description

Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.

Microsoft.Authorization/roleAssignments/delet Delete a role assignment at the specified scope.

*/read Read resources of all types, except secrets.

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Manage access to Azure resources by assigning roles using
Azure RBAC. This role does not allow you to manage access using other ways,
such as Azure Policy.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f58310d9-a9f6-
439a-9e8d-f62e7b41a168",
"name": "f58310d9-a9f6-439a-9e8d-f62e7b41a168",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"*/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Role Based Access Control Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

User Access Administrator

Lets you manage user access to Azure resources.

Learn more

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

Microsoft.Authorization/* Manage authorization

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Lets you manage user access to Azure resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-
4fb5-a5c3-7773c20a72d9",
"name": "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Authorization/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "User Access Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for General
Article • 09/29/2024

This article lists the Azure built-in roles in the General category.

Reader
View all resources, but does not allow you to make any changes.

Learn more

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "View all resources, but does not allow you to make any
changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-
48ef-bd42-f606fba81ae7",
"name": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Compute
Article • 09/23/2024

This article lists the Azure built-in roles in the Compute category.

Azure Arc VMware VM Contributor

Arc VMware VM Contributor has permissions to perform all VM actions.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ConnectedVMwarevSphere/virtualma
chines/*

Microsoft.ConnectedVMwarevSphere/virtualma
chineinstances/*

Microsoft.Insights/AlertRules/Write Create or update a classic metric alert

Microsoft.Insights/AlertRules/Delete Delete a classic metric alert

Microsoft.Insights/AlertRules/Read Read a classic metric alert

Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated

Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved

Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled

Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Resources/deployments/delete Deletes a deployment.

Microsoft.Resources/deployments/cancel/actio Cancels a deployment.

Microsoft.Resources/deployments/validate/acti Validates an deployment.

Microsoft.Resources/deployments/whatIf/actio Predicts template deployment changes.

Actions Description

Microsoft.Resources/deployments/exportTempl Export template for a deployment

ate/action

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/deployments/operationsta Gets or lists deployment operation statuses.

tuses/read

Microsoft.Resources/subscriptions/resourcegro Gets or lists deployments.

ups/deployments/read

Microsoft.Resources/subscriptions/resourcegro Creates or updates an deployment.

ups/deployments/write

Microsoft.Resources/subscriptions/resourcegro Gets or lists deployment operations.

ups/deployments/operations/read

Microsoft.Resources/subscriptions/resourcegro Gets or lists deployment operation statuses.

ups/deployments/operationstatuses/read

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.HybridCompute/machines/read Read any Azure Arc machines

Microsoft.HybridCompute/machines/write Writes an Azure Arc machines

Microsoft.HybridCompute/machines/delete Deletes an Azure Arc machines

Microsoft.HybridCompute/machines/UpgradeE Upgrades Extensions on Azure Arc machines

xtensions/action

Microsoft.HybridCompute/machines/assessPatc Assesses any Azure Arc machines to get

hes/action missing software patches

Microsoft.HybridCompute/machines/installPatc Installs patches on any Azure Arc machines

hes/action
Actions Description

Microsoft.HybridCompute/machines/extensions Reads any Azure Arc extensions

/read

Microsoft.HybridCompute/machines/extensions Installs or Updates an Azure Arc extensions

/write

Microsoft.HybridCompute/machines/extensions Deletes an Azure Arc extensions

/delete

Microsoft.HybridCompute/operations/read Read all Operations for Azure Arc for Servers

Microsoft.HybridCompute/locations/operationr Reads the status of an operation on

esults/read Microsoft.HybridCompute Resource Provider

Microsoft.HybridCompute/locations/operations Reads the status of an operation on

tatus/read Microsoft.HybridCompute Resource Provider

Microsoft.HybridCompute/machines/patchAsse Reads any Azure Arc patchAssessmentResults

ssmentResults/read

Microsoft.HybridCompute/machines/patchAsse Reads any Azure Arc

ssmentResults/softwarePatches/read patchAssessmentResults/softwarePatches

Microsoft.HybridCompute/machines/patchInsta Reads any Azure Arc patchInstallationResults

llationResults/read

Microsoft.HybridCompute/machines/patchInsta Reads any Azure Arc

llationResults/softwarePatches/read patchInstallationResults/softwarePatches

Microsoft.HybridCompute/locations/updateCen Reads the status of an update center operation

terOperationResults/read on machines

Microsoft.HybridCompute/machines/hybridIde Read any Azure Arc machines's Hybrid Identity

ntityMetadata/read Metadata

Microsoft.HybridCompute/osType/agentVersio Read all Azure Connected Machine Agent

ns/read versions available

Microsoft.HybridCompute/osType/agentVersio Read the latest Azure Connected Machine

ns/latest/read Agent version

Microsoft.HybridCompute/machines/runcomm Reads any Azure Arc runcommands

ands/read

Microsoft.HybridCompute/machines/runcomm Installs or Updates an Azure Arc runcommands

ands/write

Microsoft.HybridCompute/machines/runcomm Deletes an Azure Arc runcommands

ands/delete
Actions Description

Microsoft.HybridCompute/machines/licensePro Reads any Azure Arc licenseProfiles

files/read

Microsoft.HybridCompute/machines/licensePro Installs or Updates an Azure Arc licenseProfiles

files/write

Microsoft.HybridCompute/machines/licensePro Deletes an Azure Arc licenseProfiles

files/delete

Microsoft.HybridCompute/licenses/read Reads any Azure Arc licenses

Microsoft.HybridCompute/licenses/write Installs or Updates an Azure Arc licenses

Microsoft.HybridCompute/licenses/delete Deletes an Azure Arc licenses

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Arc VMware VM Contributor has permissions to perform all
VM actions.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-
4f8a-aaa9-ce3940cd96cb",
"name": "b748a06d-6150-4f8a-aaa9-ce3940cd96cb",
"permissions": [
{
"actions": [
"Microsoft.ConnectedVMwarevSphere/virtualmachines/*",
"Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/*",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/whatIf/action",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/read",

"Microsoft.Resources/subscriptions/resourcegroups/deployments/write",

"Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/rea
d",

"Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatu
ses/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/machines/UpgradeExtensions/action",
"Microsoft.HybridCompute/machines/assessPatches/action",
"Microsoft.HybridCompute/machines/installPatches/action",
"Microsoft.HybridCompute/machines/extensions/read",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.HybridCompute/machines/extensions/delete",
"Microsoft.HybridCompute/operations/read",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/read",

"Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/rea
d",
"Microsoft.HybridCompute/machines/patchInstallationResults/read",

"Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/r
ead",

"Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
"Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
"Microsoft.HybridCompute/osType/agentVersions/read",
"Microsoft.HybridCompute/osType/agentVersions/latest/read",
"Microsoft.HybridCompute/machines/runcommands/read",
"Microsoft.HybridCompute/machines/runcommands/write",
"Microsoft.HybridCompute/machines/runcommands/delete",
"Microsoft.HybridCompute/machines/licenseProfiles/read",
"Microsoft.HybridCompute/machines/licenseProfiles/write",
"Microsoft.HybridCompute/machines/licenseProfiles/delete",
"Microsoft.HybridCompute/licenses/read",
"Microsoft.HybridCompute/licenses/write",
"Microsoft.HybridCompute/licenses/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc VMware VM Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Classic Virtual Machine Contributor

Lets you manage classic virtual machines, but not access to them, and not the virtual
network or storage account they're connected to.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.ClassicCompute/domainNames/* Create and manage classic compute domain

names

Microsoft.ClassicCompute/virtualMachines/* Create and manage virtual machines

Microsoft.ClassicNetwork/networkSecurityGrou
ps/join/action

Microsoft.ClassicNetwork/reservedIps/link/actio Link a reserved Ip

Microsoft.ClassicNetwork/reservedIps/read Gets the reserved Ips

Microsoft.ClassicNetwork/virtualNetworks/join/ Joins the virtual network.

action

Microsoft.ClassicNetwork/virtualNetworks/read Get the virtual network.

Microsoft.ClassicStorage/storageAccounts/disks Returns the storage account disk.

/read

Microsoft.ClassicStorage/storageAccounts/ima Returns the storage account image.

ges/read (Deprecated. Use
'Microsoft.ClassicStorage/storageAccounts/vmI
mages')
Actions Description

Microsoft.ClassicStorage/storageAccounts/listK Lists the access keys for the storage accounts.

eys/action

Microsoft.ClassicStorage/storageAccounts/read Return the storage account with the given

account.

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic virtual machines, but not access
to them, and not the virtual network or storage account they're connected
to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-
4d4d-bd69-98a00b01fccb",
"name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/domainNames/*",
"Microsoft.ClassicCompute/virtualMachines/*",
"Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
"Microsoft.ClassicNetwork/reservedIps/link/action",
"Microsoft.ClassicNetwork/reservedIps/read",
"Microsoft.ClassicNetwork/virtualNetworks/join/action",
"Microsoft.ClassicNetwork/virtualNetworks/read",
"Microsoft.ClassicStorage/storageAccounts/disks/read",
"Microsoft.ClassicStorage/storageAccounts/images/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Compute Gallery Artifacts Publisher

This is the role for publishing gallery artifacts.

ﾉ Expand table

Actions Description

Microsoft.Compute/galleries/*

Microsoft.Compute/locations/capsOperations/r Gets the status of an asynchronous Caps

ead operation

Microsoft.Compute/locations/communityGalleri
es/*

Microsoft.Compute/locations/sharedGalleries/*

Microsoft.Compute/images/*

Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an

existing virtual machine

Microsoft.Compute/disks/write Creates a new Disk or updates an existing one

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Actions Description

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

Microsoft.Compute/galleries/share/action Shares a Gallery to different scopes

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "This is the role for publishing gallery artifacts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85a2d0d9-2eba-
4c9c-b355-11c2cc0788ab",
"name": "85a2d0d9-2eba-4c9c-b355-11c2cc0788ab",
"permissions": [
{
"actions": [
"Microsoft.Compute/galleries/*",
"Microsoft.Compute/locations/capsOperations/read",
"Microsoft.Compute/locations/communityGalleries/*",
"Microsoft.Compute/locations/sharedGalleries/*",
"Microsoft.Compute/images/*",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/disks/write",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
"Microsoft.Compute/galleries/share/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Compute Gallery Artifacts Publisher",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Compute Gallery Sharing Admin

This role allows user to share gallery to another subscription/tenant or share it to the
public.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Compute/galleries/share/action Shares a Gallery to different scopes

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "This role allows user to share gallery to another
subscription/tenant or share it to the public.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-
425d-8c01-acb62866290b",
"name": "1ef6a3be-d0ac-425d-8c01-acb62866290b",
"permissions": [
{
"actions": [
"Microsoft.Compute/galleries/share/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Compute Gallery Sharing Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Data Operator for Managed Disks

Provides permissions to upload data to empty managed disks, read, or export data of
managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure
AD authentication.

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Compute/disks/download/action Perform read data operations on Disk SAS Uri

Microsoft.Compute/disks/upload/action Perform write data operations on Disk SAS Uri

Microsoft.Compute/snapshots/download/actio Perform read data operations on Snapshot SAS

n Uri

Microsoft.Compute/snapshots/upload/action Perform write data operations on Snapshot SAS

Uri

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides permissions to upload data to empty managed
disks, read, or export data of managed disks (not attached to running VMs)
and snapshots using SAS URIs and Azure AD authentication.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-
4866-89c7-12bf9737be2e",
"name": "959f8984-c045-4866-89c7-12bf9737be2e",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Compute/disks/download/action",
"Microsoft.Compute/disks/upload/action",
"Microsoft.Compute/snapshots/download/action",
"Microsoft.Compute/snapshots/upload/action"
],
"notDataActions": []
}
],
"roleName": "Data Operator for Managed Disks",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Application Group

Contributor
Contributor of the Desktop Virtualization Application Group.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DesktopVirtualization/applicationgro
ups/*

Microsoft.DesktopVirtualization/hostpools/read Read hostpools

Microsoft.DesktopVirtualization/hostpools/sessi Read hostpools/sessionhosts

onhosts/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Support/* Create and update a support ticket

NotActions
Actions Description

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Contributor of the Desktop Virtualization Application
Group.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-
4c43-887b-b61143f32ba8",
"name": "86240b0e-9422-4c43-887b-b61143f32ba8",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/applicationgroups/*",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Application Group Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Application Group

Reader
Reader of the Desktop Virtualization Application Group.
Learn more

ﾉ Expand table

Actions Description

Microsoft.DesktopVirtualization/applicationgro
ups/*/read

Microsoft.DesktopVirtualization/applicationgro Read applicationgroups

ups/read

Microsoft.DesktopVirtualization/hostpools/read Read hostpools

Microsoft.DesktopVirtualization/hostpools/sessi Read hostpools/sessionhosts

onhosts/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/read Read a classic metric alert

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Reader of the Desktop Virtualization Application Group.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-
4e86-b8f9-fe83a2c6ab55",
"name": "aebf23d0-b568-4e86-b8f9-fe83a2c6ab55",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/applicationgroups/*/read",
"Microsoft.DesktopVirtualization/applicationgroups/read",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Application Group Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Contributor

Contributor of Desktop Virtualization.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DesktopVirtualization/*

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions
Actions Description

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Contributor of Desktop Virtualization.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-
4ba1-904c-961cca79b387",
"name": "082f0a83-3be5-4ba1-904c-961cca79b387",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Host Pool Contributor

Contributor of the Desktop Virtualization Host Pool.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DesktopVirtualization/hostpools/*
Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Contributor of the Desktop Virtualization Host Pool.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-
4e81-87de-d99efb3c32bc",
"name": "e307426c-f9b6-4e81-87de-d99efb3c32bc",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Host Pool Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Host Pool Reader

Reader of the Desktop Virtualization Host Pool.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DesktopVirtualization/hostpools/*/re
ad

Microsoft.DesktopVirtualization/hostpools/read Read hostpools

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/read Read a classic metric alert

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Reader of the Desktop Virtualization Host Pool.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-
400a-ab7b-6143895aa822",
"name": "ceadfde2-b300-400a-ab7b-6143895aa822",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/*/read",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Host Pool Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Power On Contributor

Provide permission to the Azure Virtual Desktop Resource Provider to start virtual
machines.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Compute/virtualMachines/start/actio Starts the virtual machine

Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine

Microsoft.Compute/virtualMachines/instanceVi Gets the detailed runtime status of the virtual

ew/read machine and its resources

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read
Actions Description

Microsoft.HybridCompute/machines/read Read any Azure Arc machines

Microsoft.HybridCompute/operations/read Read all Operations for Azure Arc for Servers

Microsoft.HybridCompute/locations/operationr Reads the status of an operation on

esults/read Microsoft.HybridCompute Resource Provider

Microsoft.HybridCompute/locations/operations Reads the status of an operation on

tatus/read Microsoft.HybridCompute Resource Provider

Microsoft.AzureStackHCI/virtualMachineInstanc Gets/Lists virtual machine instance resource

es/read

Microsoft.AzureStackHCI/virtualMachineInstanc Starts virtual machine instance resource

es/start/action

Microsoft.AzureStackHCI/operations/read Gets operations

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provide permission to the Azure Virtual Desktop Resource
Provider to start virtual machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-
480d-9518-53dea7416b33",
"name": "489581de-a3bd-480d-9518-53dea7416b33",
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/operations/read",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/start/action",
"Microsoft.AzureStackHCI/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Power On Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Power On Off

Contributor
Provide permission to the Azure Virtual Desktop Resource Provider to start and stop
virtual machines.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.AzureStackHCI/operations/read Gets operations

Microsoft.AzureStackHCI/virtualMachineInstanc Gets/Lists virtual machine instance resource

es/read

Microsoft.AzureStackHCI/virtualMachineInstanc Restarts virtual machine instance resource

es/restart/action

Microsoft.AzureStackHCI/virtualMachineInstanc Starts virtual machine instance resource

es/start/action

Microsoft.AzureStackHCI/virtualMachineInstanc Stops virtual machine instance resource

es/stop/action

Microsoft.Compute/virtualMachines/deallocate Powers off the virtual machine and releases the

/action compute resources
Actions Description

Microsoft.Compute/virtualMachines/instanceVi Gets the detailed runtime status of the virtual

ew/read machine and its resources

Microsoft.Compute/virtualMachines/powerOff/ Powers off the virtual machine. Note that the

action virtual machine will continue to be billed.

Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine

Microsoft.Compute/virtualMachines/restart/acti Restarts the virtual machine

Microsoft.Compute/virtualMachines/start/actio Starts the virtual machine

Microsoft.ComputeSchedule/locations/virtualM virtualMachinesCancelOperations:
achinesCancelOperations/action cancelOperations for a virtual machine

Microsoft.ComputeSchedule/locations/virtualM virtualMachinesExecuteDeallocate:
achinesExecuteDeallocate/action executeDeallocate for a virtual machine

Microsoft.ComputeSchedule/locations/virtualM virtualMachinesExecuteHibernate:
achinesExecuteHibernate/action executeHibernate for a virtual machine

Microsoft.ComputeSchedule/locations/virtualM virtualMachinesExecuteStart: executeStart for a

achinesExecuteStart/action virtual machine

Microsoft.ComputeSchedule/locations/virtualM
achinesGetOperationErrors/action

Microsoft.ComputeSchedule/locations/virtualM virtualMachinesGetOperationStatus:
achinesGetOperationStatus/action getOperationStatus for a virtual machine

Microsoft.ComputeSchedule/locations/virtualM virtualMachinesSubmitDeallocate:
achinesSubmitDeallocate/action submitDeallocate for a virtual machine

Microsoft.ComputeSchedule/locations/virtualM virtualMachinesSubmitHibernate:
achinesSubmitHibernate/action submitHibernate for a virtual machine

Microsoft.ComputeSchedule/locations/virtualM virtualMachinesSubmitStart: submitStart for a

achinesSubmitStart/action virtual machine

Microsoft.ComputeSchedule/register/action Register the subscription for

Microsoft.ComputeSchedule

Microsoft.DesktopVirtualization/hostpools/read Read hostpools

Microsoft.DesktopVirtualization/hostpools/sessi Read hostpools/sessionhosts

onhosts/read

Microsoft.DesktopVirtualization/hostpools/sessi Delete hostpools/sessionhosts/usersessions

Actions Description

onhosts/usersessions/delete

Microsoft.DesktopVirtualization/hostpools/sessi Read hostpools/sessionhosts/usersessions

onhosts/usersessions/read

Microsoft.DesktopVirtualization/hostpools/sessi Send message to user session

onhosts/usersessions/sendMessage/action

Microsoft.DesktopVirtualization/hostpools/sessi Write hostpools/sessionhosts

onhosts/write

Microsoft.DesktopVirtualization/hostpools/writ Write hostpools

Microsoft.HybridCompute/locations/operationr Reads the status of an operation on

esults/read Microsoft.HybridCompute Resource Provider

Microsoft.HybridCompute/locations/operations Reads the status of an operation on

tatus/read Microsoft.HybridCompute Resource Provider

Microsoft.HybridCompute/machines/read Read any Azure Arc machines

Microsoft.HybridCompute/operations/read Read all Operations for Azure Arc for Servers

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/eventtypes/values/read Read Activity Log events

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provide permission to the Azure Virtual Desktop Resource
Provider to start and stop virtual machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-
41f8-ae61-143b0e78555e",
"name": "40c5ff49-9181-41f8-ae61-143b0e78555e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.AzureStackHCI/operations/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/restart/action",
"Microsoft.AzureStackHCI/virtualMachineInstances/start/action",
"Microsoft.AzureStackHCI/virtualMachineInstances/stop/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/start/action",

"Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action"
,

"Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action
",

"Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action"
,

"Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action",

"Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationErrors/actio
n",

"Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/actio
n",

"Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action"
,

"Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action",

"Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action",
"Microsoft.ComputeSchedule/register/action",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",

"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete"
,

"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",

"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMes
sage/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/write",
"Microsoft.DesktopVirtualization/hostpools/write",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/operations/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/eventtypes/values/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Power On Off Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Reader

Reader of Desktop Virtualization.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DesktopVirtualization/*/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/read Read a classic metric alert

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions
Actions Description

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Reader of Desktop Virtualization.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-
41df-bbb0-79b649203868",
"name": "49a72310-ab8d-41df-bbb0-79b649203868",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Session Host Operator

Operator of the Desktop Virtualization Session Host.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DesktopVirtualization/hostpools/read Read hostpools

Actions Description

Microsoft.DesktopVirtualization/hostpools/sessi
onhosts/*

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Operator of the Desktop Virtualization Session Host.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-
4eaa-8ac5-da422f562408",
"name": "2ad6aaab-ead9-4eaa-8ac5-da422f562408",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Session Host Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization User

Allows user to use the applications in an application group.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.DesktopVirtualization/applicationGro Use ApplicationGroup

ups/useApplications/action

Microsoft.DesktopVirtualization/appAttachPack Allow user permissioning on app attach

ages/useApplications/action packages in an application group

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows user to use the applications in an application
group.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-
46b5-b4a9-0b38a3cd7e63",
"name": "1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.DesktopVirtualization/applicationGroups/useApplications/action",

"Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action"
],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization User Session Operator

Operator of the Desktop Virtualization User Session.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DesktopVirtualization/hostpools/read Read hostpools

Microsoft.DesktopVirtualization/hostpools/sessi Read hostpools/sessionhosts

onhosts/read

Microsoft.DesktopVirtualization/hostpools/sessi
onhosts/usersessions/*

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Operator of the Desktop Virtualization Uesr Session.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-
485a-aadd-d4129a0ffaa6",
"name": "ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",

"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization User Session Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Virtual Machine

Contributor
This role is in preview and subject to change. Provide permission to the Azure Virtual
Desktop Resource Provider to create, delete, update, start, and stop virtual machines.

Learn more

ﾉ Expand table
Actions Description

Microsoft.DesktopVirtualization/hostpools/read Read hostpools

Microsoft.DesktopVirtualization/hostpools/writ Write hostpools

Microsoft.DesktopVirtualization/hostpools/retri List registration tokens for host pool

eveRegistrationToken/action

Microsoft.DesktopVirtualization/hostpools/sessi Read hostpools/sessionhosts

onhosts/read

Microsoft.DesktopVirtualization/hostpools/sessi Write hostpools/sessionhosts

onhosts/write

Microsoft.DesktopVirtualization/hostpools/sessi Delete hostpools/sessionhosts

onhosts/delete

Microsoft.DesktopVirtualization/hostpools/sessi Read hostpools/sessionhosts/usersessions

onhosts/usersessions/read

Microsoft.DesktopVirtualization/hostpools/sessi Disconnects the user session form session host

onhosts/usersessions/disconnect/action

Microsoft.DesktopVirtualization/hostpools/sessi Send message to user session

onhosts/usersessions/sendMessage/action

Microsoft.DesktopVirtualization/hostpools/sessi Read hostpools/sessionhostconfigurations

onHostConfigurations/read

Microsoft.DesktopVirtualization/hostpools/doN Internal operation that is not meant to be

otUseInternalAPI/action called by customers. This will be removed in a
future version. Do not use it.

Microsoft.DesktopVirtualization/hostpools/sessi Action on retryprovisioning.

onhosts/retryprovisioning/action

Microsoft.Compute/availabilitySets/read Get the properties of an availability set

Microsoft.Compute/availabilitySets/write Creates a new availability set or updates an

existing one

Microsoft.Compute/availabilitySets/vmSizes/rea List available sizes for creating or updating a

d virtual machine in the availability set

Microsoft.Compute/disks/read Get the properties of a Disk

Microsoft.Compute/disks/write Creates a new Disk or updates an existing one

Microsoft.Compute/disks/delete Deletes the Disk

Actions Description

Microsoft.Compute/galleries/read Gets the properties of Gallery

Microsoft.Compute/galleries/images/read Gets the properties of Gallery Image

Microsoft.Compute/galleries/images/versions/r Gets the properties of Gallery Image Version

ead

Microsoft.Compute/images/read Get the properties of the Image

Microsoft.Compute/locations/usages/read Gets service limits and current usage quantities

for the subscription's compute resources in a
location

Microsoft.Compute/locations/vmSizes/read Lists available virtual machine sizes in a location

Microsoft.Compute/operations/read Lists operations available on

Microsoft.Compute resource provider

Microsoft.Compute/skus/read Gets the list of Microsoft.Compute SKUs

available for your Subscription

Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine

Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an

existing virtual machine

Microsoft.Compute/virtualMachines/delete Deletes the virtual machine

Microsoft.Compute/virtualMachines/start/actio Starts the virtual machine

Microsoft.Compute/virtualMachines/powerOff/ Powers off the virtual machine. Note that the

action virtual machine will continue to be billed.

Microsoft.Compute/virtualMachines/restart/acti Restarts the virtual machine

Microsoft.Compute/virtualMachines/deallocate Powers off the virtual machine and releases the

/action compute resources

Microsoft.Compute/virtualMachines/runComm Executes a predefined script on the virtual

and/action machine

Microsoft.Compute/virtualMachines/extensions Get the properties of a virtual machine

/read extension

Microsoft.Compute/virtualMachines/extensions Creates a new virtual machine extension or

/write updates an existing one

Microsoft.Compute/virtualMachines/extensions Deletes the virtual machine extension

Actions Description

/delete

Microsoft.Compute/virtualMachines/runComm Get the properties of a virtual machine run

ands/read command

Microsoft.Compute/virtualMachines/runComm Creates a new virtual machine run command or

ands/write updates an existing one

Microsoft.Compute/virtualMachines/vmSizes/re Lists available sizes the virtual machine can be

ad updated to

Microsoft.Network/networkSecurityGroups/rea Gets a network security group definition

Microsoft.Network/networkInterfaces/write Creates a network interface or updates an

existing network interface.

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Network/networkInterfaces/join/actio Joins a Virtual Machine to a network interface.

n Not Alertable.

Microsoft.Network/networkInterfaces/delete Deletes a network interface

Microsoft.Network/virtualNetworks/subnets/rea Gets a virtual network subnet definition

Microsoft.Network/virtualNetworks/subnets/joi Joins a virtual network. Not Alertable.

n/action

Microsoft.Network/virtualNetworks/usages/rea Get the IP usages for each subnet of the virtual

d network

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/networkSecurityGroups/rea Gets a network security group definition

Microsoft.Marketplace/offerTypes/publishers/of Returns an Agreement.

fers/plans/agreements/read

Microsoft.KeyVault/vaults/deploy/action Enables access to secrets in a key vault when

deploying Azure resources

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Actions Description

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.DesktopVirtualization/scalingPlans/re Read scalingplans

Microsoft.DesktopVirtualization/scalingPlans/wr Write scalingplans

ite

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "This role is in preview and subject to change. Provide
permission to the Azure Virtual Desktop Resource Provider to create, delete,
update, start, and stop virtual machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-
45e3-8ba6-dd80f235f97c",
"name": "a959dbd1-f747-45e3-8ba6-dd80f235f97c",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/write",

"Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action"
,
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/write",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete",

"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",

"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconn
ect/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMes
sage/action",

"Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read",

"Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action",

"Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/ac
tion",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/write",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.Compute/images/read",
"Microsoft.Compute/locations/usages/read",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/operations/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/runCommand/action",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/extensions/write",
"Microsoft.Compute/virtualMachines/extensions/delete",
"Microsoft.Compute/virtualMachines/runCommands/read",
"Microsoft.Compute/virtualMachines/runCommands/write",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/usages/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/read",

"Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read",
"Microsoft.KeyVault/vaults/deploy/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.DesktopVirtualization/scalingPlans/read",
"Microsoft.DesktopVirtualization/scalingPlans/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Workspace Contributor

Contributor of the Desktop Virtualization Workspace.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DesktopVirtualization/workspaces/*

Microsoft.DesktopVirtualization/applicationgro Read applicationgroups

ups/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Contributor of the Desktop Virtualization Workspace.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-
432b-bf3d-3e8e734d4b2b",
"name": "21efdde3-836f-432b-bf3d-3e8e734d4b2b",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/workspaces/*",
"Microsoft.DesktopVirtualization/applicationgroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Workspace Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Desktop Virtualization Workspace Reader

Reader of the Desktop Virtualization Workspace.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DesktopVirtualization/workspaces/re Read workspaces

ad
Actions Description

Microsoft.DesktopVirtualization/applicationgro Read applicationgroups

ups/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/read Read a classic metric alert

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Reader of the Desktop Virtualization Workspace.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-
466b-9bb2-2bf446b1204d",
"name": "0fa44ee9-7a7d-466b-9bb2-2bf446b1204d",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/workspaces/read",
"Microsoft.DesktopVirtualization/applicationgroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Workspace Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Disk Backup Reader

Provides permission to backup vault to perform disk backup.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Compute/disks/read Get the properties of a Disk

Microsoft.Compute/disks/beginGetAccess/actio Get the SAS URI of the Disk for blob access
n

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to perform disk
backup.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-
47ef-90b5-e5dd4d455f24",
"name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/beginGetAccess/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Disk Pool Operator

Provide permission to StoragePool Resource Provider to manage disks added to a disk
pool.

ﾉ Expand table

Actions Description

Microsoft.Compute/disks/write Creates a new Disk or updates an existing one

Microsoft.Compute/disks/read Get the properties of a Disk

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Used by the StoragePool Resource Provider to manage Disks
added to a Disk Pool.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-
42d4-8bf4-67625fcc2840",
"name": "60fc6e62-5479-42d4-8bf4-67625fcc2840",
"permissions": [
{
"actions": [
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Pool Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Disk Restore Operator

Provides permission to backup vault to perform disk restore.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Compute/disks/write Creates a new Disk or updates an existing one

Microsoft.Compute/disks/read Get the properties of a Disk

NotActions
Actions Description

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to perform disk
restore.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-
478e-945f-707fcc997c13",
"name": "b50d9833-a0cb-478e-945f-707fcc997c13",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Restore Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Disk Snapshot Contributor

Provides permission to backup vault to manage disk snapshots.

Learn more

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Compute/snapshots/delete Delete a Snapshot

Microsoft.Compute/snapshots/write Create a new Snapshot or update an existing

one

Microsoft.Compute/snapshots/read Get the properties of a Snapshot

Microsoft.Compute/snapshots/beginGetAccess Get the SAS URI of the Snapshot for blob

/action access

Microsoft.Compute/snapshots/endGetAccess/a Revoke the SAS URI of the Snapshot

ction

Microsoft.Compute/disks/beginGetAccess/actio Get the SAS URI of the Disk for blob access
n

Microsoft.Storage/storageAccounts/listkeys/acti Returns the access keys for the specified

on storage account.

Microsoft.Storage/storageAccounts/write Creates a storage account with the specified

parameters or update the properties or tags or
adds custom domain for the specified storage
account.

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.Storage/storageAccounts/delete Deletes an existing storage account.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to manage disk
snapshots.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-
42b5-a1c5-5411624893ce",
"name": "7efff54f-a5b4-42b5-a1c5-5411624893ce",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/disks/beginGetAccess/action",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Snapshot Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Virtual Machine Administrator Login

View Virtual Machines in the portal and login as administrator

Learn more

ﾉ Expand table

Actions Description

Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/loadBalancers/read Gets a load balancer definition

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Actions Description

Microsoft.Compute/virtualMachines/*/read

Microsoft.HybridCompute/machines/*/read

Microsoft.HybridConnectivity/endpoints/listCre List the endpoint access credentials to the

dentials/action resource.

NotActions

none

DataActions

Microsoft.Compute/virtualMachines/login/actio Log in to a virtual machine as a regular user

Microsoft.Compute/virtualMachines/loginAsAd Log in to a virtual machine with Windows

min/action administrator or Linux root user privileges

Microsoft.HybridCompute/machines/login/acti Log in to an Azure Arc machine as a regular

on user

Microsoft.HybridCompute/machines/loginAsAd Log in to an Azure Arc machine with Windows

min/action administrator or Linux root user privilege

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as
administrator",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-
4577-8991-ea5c82e286e4",
"name": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.Compute/virtualMachines/loginAsAdmin/action",
"Microsoft.HybridCompute/machines/login/action",
"Microsoft.HybridCompute/machines/loginAsAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Virtual Machine Contributor

Create and manage virtual machines, manage disks, install and run software, reset
password of the root user of the virtual machine using VM extensions, and manage local
user accounts using VM extensions. This role does not grant you management access to
the virtual network or storage account the virtual machines are connected to. This role
does not allow you to assign roles in Azure RBAC.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Compute/availabilitySets/* Create and manage compute availability sets

Microsoft.Compute/locations/* Create and manage compute locations

Microsoft.Compute/virtualMachines/* Perform all virtual machine actions including

create, update, delete, start, restart, and power
off virtual machines. Execute scripts on virtual
machines.

Microsoft.Compute/virtualMachineScaleSets/* Create and manage virtual machine scale sets

Microsoft.Compute/cloudServices/*

Microsoft.Compute/disks/write Creates a new Disk or updates an existing one

Microsoft.Compute/disks/read Get the properties of a Disk

Microsoft.Compute/disks/delete Deletes the Disk

Actions Description

Microsoft.DevTestLab/schedules/*

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Network/applicationGateways/backe Joins an application gateway backend address

ndAddressPools/join/action pool. Not Alertable.

Microsoft.Network/loadBalancers/backendAddr Joins a load balancer backend address pool.

essPools/join/action Not Alertable.

Microsoft.Network/loadBalancers/inboundNatP Joins a load balancer inbound NAT pool. Not

ools/join/action alertable.

Microsoft.Network/loadBalancers/inboundNatR Joins a load balancer inbound nat rule. Not

ules/join/action Alertable.

Microsoft.Network/loadBalancers/probes/join/a Allows using probes of a load balancer. For

ction example, with this permission healthProbe
property of VM scale set can reference the
probe. Not alertable.

Microsoft.Network/loadBalancers/read Gets a load balancer definition

Microsoft.Network/locations/* Create and manage network locations

Microsoft.Network/networkInterfaces/* Create and manage network interfaces

Microsoft.Network/networkSecurityGroups/join Joins a network security group. Not Alertable.

/action

Microsoft.Network/networkSecurityGroups/rea Gets a network security group definition

Microsoft.Network/publicIPAddresses/join/actio Joins a public IP address. Not Alertable.

Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/virtualNetworks/subnets/joi Joins a virtual network. Not Alertable.

n/action

Microsoft.RecoveryServices/locations/*

Microsoft.RecoveryServices/Vaults/backupFabri Create a backup Protection Intent

cs/backupProtectionIntent/write

Microsoft.RecoveryServices/Vaults/backupFabri
cs/protectionContainers/protectedItems/*/read
Actions Description

Microsoft.RecoveryServices/Vaults/backupFabri Returns object details of the Protected Item

cs/protectionContainers/protectedItems/read

Microsoft.RecoveryServices/Vaults/backupFabri Create a backup Protected Item

cs/protectionContainers/protectedItems/write

Microsoft.RecoveryServices/Vaults/backupPolici Returns all Protection Policies

es/read

Microsoft.RecoveryServices/Vaults/backupPolici Creates Protection Policy

es/write

Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object

representing the Azure resource of type 'vault'

Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services

Vault.

Microsoft.RecoveryServices/Vaults/write Create Vault operation creates an Azure

resource of type 'vault'

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.SerialConsole/serialPorts/connect/act Connect to a serial port

ion

Microsoft.SqlVirtualMachine/*

Microsoft.Storage/storageAccounts/listKeys/act Returns the access keys for the specified

ion storage account.

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage virtual machines, but not access to them,
and not the virtual network or storage account they're connected to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-
4d73-94e8-173b1dc7cf3c",
"name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Compute/cloudServices/*",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/delete",
"Microsoft.DevTestLab/schedules/*",
"Microsoft.Insights/alertRules/*",

"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/probes/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.RecoveryServices/locations/*",

"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/writ
e",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/*/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/write",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/write",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.SerialConsole/serialPorts/connect/action",
"Microsoft.SqlVirtualMachine/*",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Virtual Machine Data Access Administrator

(preview)
Manage access to Virtual Machines by adding or removing role assignments for the
Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an
ABAC condition to constrain role assignments.

ﾉ Expand table

Actions Description

Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.

Microsoft.Authorization/roleAssignments/delet Delete a role assignment at the specified scope.

Microsoft.Authorization/*/read Read roles and role assignments

Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/loadBalancers/read Gets a load balancer definition

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Compute/virtualMachines/*/read

Microsoft.HybridCompute/machines/*/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

Condition

((! Add or remove role assignments for the

(ActionMatches{'Microsoft.Authorization/roleAs following roles:
signments/write'})) OR Virtual Machine Administrator Login
(@Request[Microsoft.Authorization/roleAssign Virtual Machine User Login
ments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{1c0163c0-
47e6-4577-8991-ea5c82e286e4, fb879df8-
f326-4884-b1cf-06f3ad86be52})) AND ((!
(ActionMatches{'Microsoft.Authorization/roleAs
signments/delete'})) OR
(@Resource[Microsoft.Authorization/roleAssign
ments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{1c0163c0-
Actions Description

47e6-4577-8991-ea5c82e286e4, fb879df8-
f326-4884-b1cf-06f3ad86be52}))

JSON

{
"assignableScopes": [
"/"
],
"description": "Manage access to Virtual Machines by adding or removing
role assignments for the Virtual Machine Administrator Login and Virtual
Machine User Login roles. Includes an ABAC condition to constrain role
assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/66f75aeb-eabe-
4b70-9f1e-c350c4c9ad04",
"name": "66f75aeb-eabe-4b70-9f1e-c350c4c9ad04",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!
(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR
(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-
f326-4884-b1cf-06f3ad86be52})) AND ((!
(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR
(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-
f326-4884-b1cf-06f3ad86be52}))"
}
],
"roleName": "Virtual Machine Data Access Administrator (preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Virtual Machine Local User Login

View Virtual Machines in the portal and login as a local user configured on the arc server

Learn more

ﾉ Expand table

Actions Description

Microsoft.HybridCompute/machines/*/read

Microsoft.HybridConnectivity/endpoints/listCre List the endpoint access credentials to the

dentials/action resource.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as a local
user configured on the arc server",
"id": "/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-
41da-b01d-5360126ab525",
"name": "602da2ba-a5c2-41da-b01d-5360126ab525",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Local User Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Virtual Machine User Login

View Virtual Machines in the portal and login as a regular user.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/loadBalancers/read Gets a load balancer definition

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Compute/virtualMachines/*/read

Microsoft.HybridCompute/machines/*/read

Microsoft.HybridConnectivity/endpoints/listCre List the endpoint access credentials to the

dentials/action resource.

NotActions

none

DataActions

Microsoft.Compute/virtualMachines/login/actio Log in to a virtual machine as a regular user

Microsoft.HybridCompute/machines/login/acti Log in to an Azure Arc machine as a regular

on user

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as a regular
user.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-
4884-b1cf-06f3ad86be52",
"name": "fb879df8-f326-4884-b1cf-06f3ad86be52",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.HybridCompute/machines/login/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine User Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Windows 365 Network Interface Contributor

This role is used by Windows 365 to provision required network resources and join
Microsoft-hosted VMs to network interfaces.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Resources/subscriptions/resourcegro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/read Gets or lists deployments.

Actions Description

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Resources/deployments/delete Deletes a deployment.

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/deployments/operationsta Gets or lists deployment operation statuses.

tuses/read

Microsoft.Network/locations/operations/read Gets operation resource that represents status

of an asynchronous operation

Microsoft.Network/locations/operationResults/r Gets operation result of an async POST or

ead DELETE operation

Microsoft.Network/locations/usages/read Gets the resources usage metrics

Microsoft.Network/networkInterfaces/write Creates a network interface or updates an

existing network interface.

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Network/networkInterfaces/delete Deletes a network interface

Microsoft.Network/networkInterfaces/join/actio Joins a Virtual Machine to a network interface.

n Not Alertable.

Microsoft.Network/networkInterfaces/effective Get Network Security Groups configured On

NetworkSecurityGroups/action Network Interface Of The Vm

Microsoft.Network/networkInterfaces/effective Get Route Table configured On Network

RouteTable/action Interface Of The Vm

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "This role is used by Windows 365 to provision required
network resources and join Microsoft-hosted VMs to network interfaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1f135831-5bbe-
4924-9016-264044c00788",
"name": "1f135831-5bbe-4924-9016-264044c00788",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourcegroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Network/locations/operations/read",
"Microsoft.Network/locations/operationResults/read",
"Microsoft.Network/locations/usages/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",

"Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
"Microsoft.Network/networkInterfaces/effectiveRouteTable/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Windows 365 Network Interface Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Windows 365 Network User

This role is used by Windows 365 to read virtual networks and join the designated
virtual networks.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Actions Description

Microsoft.Network/virtualNetworks/subnets/rea Gets a virtual network subnet definition

Microsoft.Network/virtualNetworks/usages/rea Get the IP usages for each subnet of the virtual

d network

Microsoft.Network/virtualNetworks/subnets/joi Joins a virtual network. Not Alertable.

n/action

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "This role is used by Windows 365 to read virtual networks
and join the designated virtual networks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7eabc9a4-85f7-
4f71-b8ab-75daaccc1033",
"name": "7eabc9a4-85f7-4f71-b8ab-75daaccc1033",
"permissions": [
{
"actions": [
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/usages/read",
"Microsoft.Network/virtualNetworks/subnets/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Windows 365 Network User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Windows Admin Center Administrator Login
Let's you manage the OS of your resource via Windows Admin Center as an
administrator.

Learn more

ﾉ Expand table

Actions Description

Microsoft.HybridCompute/machines/*/read

Microsoft.HybridCompute/machines/extensions
/*

Microsoft.HybridCompute/machines/upgradeEx Upgrades Extensions on Azure Arc machines

tensions/action

Microsoft.HybridCompute/operations/read Read all Operations for Azure Arc for Servers

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Network/loadBalancers/read Gets a load balancer definition

Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/networkSecurityGroups/rea Gets a network security group definition

Microsoft.Network/networkSecurityGroups/def Gets a default security rule definition

aultSecurityRules/read

Microsoft.Network/networkWatchers/securityGr View the configured and effective network

oupView/action security group rules applied on a VM.

Microsoft.Network/networkSecurityGroups/sec Gets a security rule definition

urityRules/read

Microsoft.Network/networkSecurityGroups/sec Creates a security rule or updates an existing

urityRules/write security rule

Microsoft.HybridConnectivity/endpoints/write Create or update the endpoint to the target

resource.

Microsoft.HybridConnectivity/endpoints/read Get or list of endpoints to the target resource.

Microsoft.HybridConnectivity/endpoints/service Create or update the serviceConfigurations to

Configurations/write the endpoints resource.
Actions Description

Microsoft.HybridConnectivity/endpoints/service Get or list of serviceConfigurations to the

Configurations/read endpoints resource.

Microsoft.HybridConnectivity/endpoints/listMa List the managed proxy details to the resource.

nagedProxyDetails/action

Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine

Microsoft.Compute/virtualMachines/patchAsse Retrieves the summary of the latest patch

ssmentResults/latest/read assessment operation

Microsoft.Compute/virtualMachines/patchAsse Retrieves list of patches assessed during the

ssmentResults/latest/softwarePatches/read last patch assessment operation

Microsoft.Compute/virtualMachines/patchInstal Retrieves the summary of the latest patch

lationResults/read installation operation

Microsoft.Compute/virtualMachines/patchInstal Retrieves list of patches attempted to be

lationResults/softwarePatches/read installed during the last patch installation
operation

Microsoft.Compute/virtualMachines/extensions Get the properties of a virtual machine

/read extension

Microsoft.Compute/virtualMachines/instanceVi Gets the detailed runtime status of the virtual

ew/read machine and its resources

Microsoft.Compute/virtualMachines/runComm Get the properties of a virtual machine run

ands/read command

Microsoft.Compute/virtualMachines/vmSizes/re Lists available sizes the virtual machine can be

ad updated to

Microsoft.Compute/locations/publishers/artifac Get the properties of a VMExtension Type

ttypes/types/read

Microsoft.Compute/locations/publishers/artifac Get the properties of a VMExtension Version

ttypes/types/versions/read

Microsoft.Compute/diskAccesses/read Get the properties of DiskAccess resource

Microsoft.Compute/galleries/images/read Gets the properties of Gallery Image

Microsoft.Compute/images/read Get the properties of the Image

Microsoft.AzureStackHCI/Clusters/Read Gets clusters

Microsoft.AzureStackHCI/Clusters/ArcSettings/ Gets arc resource of HCI cluster

Read
Actions Description

Microsoft.AzureStackHCI/Clusters/ArcSettings/E Gets extension resource of HCI cluster

xtensions/Read

Microsoft.AzureStackHCI/Clusters/ArcSettings/E Create or update extension resource of HCI

xtensions/Write cluster

Microsoft.AzureStackHCI/Clusters/ArcSettings/E Delete extension resources of HCI cluster

xtensions/Delete

Microsoft.AzureStackHCI/Operations/Read Gets operations

Microsoft.ConnectedVMwarevSphere/VirtualMa Read virtualmachines

chines/Read

Microsoft.ConnectedVMwarevSphere/VirtualMa Write extension resource

chines/Extensions/Write

Microsoft.ConnectedVMwarevSphere/VirtualMa Gets extension resource

chines/Extensions/Read

NotActions

none

DataActions

Microsoft.HybridCompute/machines/WACLogin Lets you manage the OS of your resource via

AsAdmin/action Windows Admin Center as an administrator.

Microsoft.Compute/virtualMachines/WAClogin Lets you manage the OS of your resource via

AsAdmin/action Windows Admin Center as an administrator

Microsoft.AzureStackHCI/Clusters/WACloginAs Manage OS of HCI resource via Windows

Admin/Action Admin Center as an administrator

Microsoft.ConnectedVMwarevSphere/virtualma Lets you manage the OS of your resource via

chines/WACloginAsAdmin/action Windows Admin Center as an administrator.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Let's you manage the OS of your resource via Windows Admin
Center as an administrator.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-
44c3-b281-7a577aff287f",
"name": "a6333a3e-0164-44c3-b281-7a577aff287f",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridCompute/machines/extensions/*",
"Microsoft.HybridCompute/machines/upgradeExtensions/action",
"Microsoft.HybridCompute/operations/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkWatchers/securityGroupView/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.HybridConnectivity/endpoints/write",
"Microsoft.HybridConnectivity/endpoints/read",

"Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write",
"Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read",

"Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action",
"Microsoft.Compute/virtualMachines/read",

"Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read",

"Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePat
ches/read",
"Microsoft.Compute/virtualMachines/patchInstallationResults/read",

"Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/
read",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/runCommands/read",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/read",

"Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
"Microsoft.Compute/diskAccesses/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/images/read",
"Microsoft.AzureStackHCI/Clusters/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete",
"Microsoft.AzureStackHCI/Operations/Read",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read"
],
"notActions": [],
"dataActions": [
"Microsoft.HybridCompute/machines/WACLoginAsAdmin/action",
"Microsoft.Compute/virtualMachines/WACloginAsAdmin/action",
"Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action",

"Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Windows Admin Center Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Networking
Article • 09/20/2024

This article lists the Azure built-in roles in the Networking category.

Azure Front Door Domain Contributor

For internal use within Azure. Can manage Azure Front Door domains, but can't grant
access to other users.

ﾉ Expand table

Actions Description

Microsoft.Cdn/operationresults/profileresults/c
ustomdomainresults/read

Microsoft.Cdn/profiles/customdomains/read

Microsoft.Cdn/profiles/customdomains/write

Microsoft.Cdn/profiles/customdomains/delete

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "For internal use within Azure. Can manage Azure Front Door
domains, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab34830-df19-
4f8c-b84e-aa85b8afa6e8",
"name": "0ab34830-df19-4f8c-b84e-aa85b8afa6e8",
"permissions": [
{
"actions": [

"Microsoft.Cdn/operationresults/profileresults/customdomainresults/read",
"Microsoft.Cdn/profiles/customdomains/read",
"Microsoft.Cdn/profiles/customdomains/write",
"Microsoft.Cdn/profiles/customdomains/delete",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Domain Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Front Door Domain Reader

For internal use within Azure. Can view Azure Front Door domains, but can't make
changes.

ﾉ Expand table

Actions Description

Microsoft.Cdn/operationresults/profileresults/c
ustomdomainresults/read

Microsoft.Cdn/profiles/customdomains/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "For internal use within Azure. Can view Azure Front Door
domains, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0f99d363-226e-
4dca-9920-b807cf8e1a5f",
"name": "0f99d363-226e-4dca-9920-b807cf8e1a5f",
"permissions": [
{
"actions": [

"Microsoft.Cdn/operationresults/profileresults/customdomainresults/read",
"Microsoft.Cdn/profiles/customdomains/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Domain Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Front Door Profile Reader

Can view AFD standard and premium profiles and their endpoints, but can't make
changes.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Cdn/edgenodes/read

Microsoft.Cdn/operationresults/*

Microsoft.Cdn/profiles/*/read

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Cdn/operationresults/profileresults/af
dendpointresults/CheckCustomDomainDNSMa
ppingStatus/action

Microsoft.Cdn/profiles/queryloganalyticsmetric
s/action

Microsoft.Cdn/profiles/queryloganalyticsrankin
gs/action

Microsoft.Cdn/profiles/querywafloganalyticsme
trics/action

Microsoft.Cdn/profiles/querywafloganalyticsran
kings/action

Microsoft.Cdn/profiles/afdendpoints/CheckCust
omDomainDNSMappingStatus/action

Microsoft.Cdn/profiles/Usages/action

Microsoft.Cdn/profiles/afdendpoints/Usages/ac
tion

Microsoft.Cdn/profiles/origingroups/Usages/ac
tion

Microsoft.Cdn/profiles/rulesets/Usages/action

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can view AFD standard and premium profiles and their
endpoints, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/662802e2-50f6-
46b0-aed2-e834bacc6d12",
"name": "662802e2-50f6-46b0-aed2-e834bacc6d12",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",

"Microsoft.Cdn/operationresults/profileresults/afdendpointresults/CheckCusto
mDomainDNSMappingStatus/action",
"Microsoft.Cdn/profiles/queryloganalyticsmetrics/action",
"Microsoft.Cdn/profiles/queryloganalyticsrankings/action",
"Microsoft.Cdn/profiles/querywafloganalyticsmetrics/action",
"Microsoft.Cdn/profiles/querywafloganalyticsrankings/action",

"Microsoft.Cdn/profiles/afdendpoints/CheckCustomDomainDNSMappingStatus/actio
n",
"Microsoft.Cdn/profiles/Usages/action",
"Microsoft.Cdn/profiles/afdendpoints/Usages/action",
"Microsoft.Cdn/profiles/origingroups/Usages/action",
"Microsoft.Cdn/profiles/rulesets/Usages/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Profile Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Front Door Secret Contributor

For internal use within Azure. Can manage Azure Front Door secrets, but can't grant
access to other users.

ﾉ Expand table

Actions Description

Microsoft.Cdn/operationresults/profileresults/s
Actions Description

ecretresults/read

Microsoft.Cdn/profiles/secrets/read

Microsoft.Cdn/profiles/secrets/write

Microsoft.Cdn/profiles/secrets/delete

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "For internal use within Azure. Can manage Azure Front Door
secrets, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3f2eb865-5811-
4578-b90a-6fc6fa0df8e5",
"name": "3f2eb865-5811-4578-b90a-6fc6fa0df8e5",
"permissions": [
{
"actions": [
"Microsoft.Cdn/operationresults/profileresults/secretresults/read",
"Microsoft.Cdn/profiles/secrets/read",
"Microsoft.Cdn/profiles/secrets/write",
"Microsoft.Cdn/profiles/secrets/delete",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Secret Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Front Door Secret Reader

For internal use within Azure. Can view Azure Front Door secrets, but can't make
changes.

ﾉ Expand table

Actions Description

Microsoft.Cdn/operationresults/profileresults/s
ecretresults/read

Microsoft.Cdn/profiles/secrets/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "For internal use within Azure. Can view Azure Front Door
secrets, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0db238c4-885e-
4c4f-a933-aa2cef684fca",
"name": "0db238c4-885e-4c4f-a933-aa2cef684fca",
"permissions": [
{
"actions": [
"Microsoft.Cdn/operationresults/profileresults/secretresults/read",
"Microsoft.Cdn/profiles/secrets/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Front Door Secret Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

CDN Endpoint Contributor

Can manage CDN endpoints, but can't grant access to other users.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Cdn/edgenodes/read

Microsoft.Cdn/operationresults/*

Microsoft.Cdn/profiles/endpoints/*

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Can manage CDN endpoints, but can't grant access to other
users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-
4658-b36f-ff54d6c29b45",
"name": "426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/endpoints/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Endpoint Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

CDN Endpoint Reader

Can view CDN endpoints, but can't make changes.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Cdn/edgenodes/read

Microsoft.Cdn/operationresults/*

Microsoft.Cdn/profiles/endpoints/*/read

Microsoft.Cdn/profiles/afdendpoints/validateC
ustomDomain/action
Actions Description

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can view CDN endpoints, but can't make changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-
49cc-a043-bde969a0f2cd",
"name": "871e35f6-b5c1-49cc-a043-bde969a0f2cd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/endpoints/*/read",
"Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Endpoint Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

CDN Profile Contributor

Can manage CDN and Azure Front Door standard and premium profiles and their
endpoints, but can't grant access to other users.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Cdn/edgenodes/read

Microsoft.Cdn/operationresults/*

Microsoft.Cdn/profiles/*

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can manage CDN and Azure Front Door standard and premium
profiles and their endpoints, but can't grant access to other users.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-
4d15-830c-5b80698ca432",
"name": "ec156ff8-a8d1-4d15-830c-5b80698ca432",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Profile Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

CDN Profile Reader

Can view CDN profiles and their endpoints, but can't make changes.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Cdn/edgenodes/read

Microsoft.Cdn/operationresults/*

Microsoft.Cdn/profiles/*/read

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Cdn/profiles/afdendpoints/validateC
ustomDomain/action

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

Actions Description

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Cdn/profiles/CheckResourceUsage/ac
tion

Microsoft.Cdn/profiles/endpoints/CheckResour
ceUsage/action

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can view CDN profiles and their endpoints, but can't make
changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-
438f-813d-ad51ab4019af",
"name": "8f96442b-4075-438f-813d-ad51ab4019af",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cdn/edgenodes/read",
"Microsoft.Cdn/operationresults/*",
"Microsoft.Cdn/profiles/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Cdn/profiles/afdendpoints/validateCustomDomain/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Cdn/profiles/CheckResourceUsage/action",
"Microsoft.Cdn/profiles/endpoints/CheckResourceUsage/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CDN Profile Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Classic Network Contributor

Lets you manage classic networks, but not access to them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.ClassicNetwork/* Create and manage classic networks

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic networks, but not access to
them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-
4a0d-a4d4-e158ca92e90f",
"name": "b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicNetwork/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Network Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

DNS Zone Contributor

Lets you manage DNS zones and record sets in Azure DNS, but does not let you control
who has access to them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Network/dnsZones/* Create and manage DNS zones and records

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read
Actions Description

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage DNS zones and record sets in Azure DNS,
but does not let you control who has access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-
4197-83a8-272ff33ce314",
"name": "befefa01-2a29-4197-83a8-272ff33ce314",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/dnsZones/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DNS Zone Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Network Contributor
Lets you manage networks, but not access to them. This role does not grant you
permission to deploy or manage Virtual Machines.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Network/* Create and manage networks

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage networks, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-
4787-a291-c67834d212e7",
"name": "4d97b98b-1d4f-4787-a291-c67834d212e7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Network Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Private DNS Zone Contributor

Lets you manage private DNS zone resources, but not the virtual networks they are
linked to.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Network/privateDnsZones/*

Microsoft.Network/privateDnsOperationResults
/*

Microsoft.Network/privateDnsOperationStatuse
s/*

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/virtualNetworks/join/action Joins a virtual network. Not Alertable.

Microsoft.Authorization/*/read Read roles and role assignments

NotActions
Actions Description

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage private DNS zone resources, but not the
virtual networks they are linked to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-
4669-85d0-8515ebb3ae7f",
"name": "b12aa53e-6015-4669-85d0-8515ebb3ae7f",
"permissions": [
{
"actions": [
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/privateDnsZones/*",
"Microsoft.Network/privateDnsOperationResults/*",
"Microsoft.Network/privateDnsOperationStatuses/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Private DNS Zone Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Traffic Manager Contributor

Lets you manage Traffic Manager profiles, but does not let you control who has access
to them.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Network/trafficManagerProfiles/*

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage Traffic Manager profiles, but does not let
you control who has access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-
44c2-b00f-c7b5b3550cf7",
"name": "a4b10055-b0c7-44c2-b00f-c7b5b3550cf7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/trafficManagerProfiles/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Traffic Manager Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Storage
Article • 09/22/2024

This article lists the Azure built-in roles in the Storage category.

Avere Contributor
Can create and manage an Avere vFXT cluster.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Compute/*/read

Microsoft.Compute/availabilitySets/*

Microsoft.Compute/proximityPlacementGroups
/*

Microsoft.Compute/virtualMachines/*

Microsoft.Compute/disks/*

Microsoft.Network/*/read

Microsoft.Network/networkInterfaces/*

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/virtualNetworks/subnets/rea Gets a virtual network subnet definition

Microsoft.Network/virtualNetworks/subnets/joi Joins a virtual network. Not Alertable.

n/action

Microsoft.Network/virtualNetworks/subnets/joi Joins resource such as storage account or SQL

nViaServiceEndpoint/action database to a subnet. Not alertable.

Microsoft.Network/networkSecurityGroups/join Joins a network security group. Not Alertable.

/action

Microsoft.Resources/deployments/* Create and manage a deployment

Actions Description

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Storage/*/read

Microsoft.Storage/storageAccounts/* Create and manage storage accounts

Microsoft.Support/* Create and update a support ticket

Microsoft.Resources/subscriptions/resourceGro Gets the resources for the resource group.

ups/resources/read

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/blobService Returns the result of deleting a blob

s/containers/blobs/delete

Microsoft.Storage/storageAccounts/blobService Returns a blob or a list of blobs

s/containers/blobs/read

Microsoft.Storage/storageAccounts/blobService Returns the result of writing a blob

s/containers/blobs/write

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can create and manage an Avere vFXT cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-
4a58-a46a-8eaf358af14a",
"name": "4f8fab4f-1852-4a58-a46a-8eaf358af14a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/proximityPlacementGroups/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/disks/*",
"Microsoft.Network/*/read",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",

"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/deployments/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read"
],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Avere Operator
Used by the Avere vFXT cluster to manage the cluster

Learn more

ﾉ Expand table

Actions Description

Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Network/networkInterfaces/write Creates a network interface or updates an

existing network interface.
Actions Description

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/virtualNetworks/subnets/rea Gets a virtual network subnet definition

Microsoft.Network/virtualNetworks/subnets/joi Joins a virtual network. Not Alertable.

n/action

Microsoft.Network/networkSecurityGroups/join Joins a network security group. Not Alertable.

/action

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Storage/storageAccounts/blobService Returns the result of deleting a container

s/containers/delete

Microsoft.Storage/storageAccounts/blobService Returns list of containers

s/containers/read

Microsoft.Storage/storageAccounts/blobService Returns the result of put blob container

s/containers/write

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/blobService Returns the result of deleting a blob

s/containers/blobs/delete

Microsoft.Storage/storageAccounts/blobService Returns a blob or a list of blobs

s/containers/blobs/read

Microsoft.Storage/storageAccounts/blobService Returns the result of writing a blob

s/containers/blobs/write

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Used by the Avere vFXT cluster to manage the cluster",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-
4ebf-b32c-fc0c6f0c6bd9",
"name": "c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write"
],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notDataActions": []
}
],
"roleName": "Avere Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Backup Contributor
Lets you manage backup service, but can't create vaults and give access to others

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.RecoveryServices/locations/*
Actions Description

Microsoft.RecoveryServices/Vaults/backupFabri Manage results of operation on backup

cs/operationResults/* management

Microsoft.RecoveryServices/Vaults/backupFabri Create and manage backup containers inside

cs/protectionContainers/* backup fabrics of Recovery Services vault

Microsoft.RecoveryServices/Vaults/backupFabri Refreshes the container list

cs/refreshContainers/action

Microsoft.RecoveryServices/Vaults/backupJobs/ Create and manage backup jobs

Microsoft.RecoveryServices/Vaults/backupJobsE Export Jobs

xport/action

Microsoft.RecoveryServices/Vaults/backupOper Create and manage Results of backup

ationResults/* management operations

Microsoft.RecoveryServices/Vaults/backupPolici Create and manage backup policies

es/*

Microsoft.RecoveryServices/Vaults/backupProte Create and manage items which can be backed

ctableItems/* up

Microsoft.RecoveryServices/Vaults/backupProte Create and manage backed up items

ctedItems/*

Microsoft.RecoveryServices/Vaults/backupProte Create and manage containers holding backup

ctionContainers/* items

Microsoft.RecoveryServices/Vaults/backupSecur
ityPIN/*

Microsoft.RecoveryServices/Vaults/backupUsag Returns summaries for Protected Items and

eSummaries/read Protected Servers for a Recovery Services .

Microsoft.RecoveryServices/Vaults/certificates/* Create and manage certificates related to

backup in Recovery Services vault

Microsoft.RecoveryServices/Vaults/extendedInf Create and manage extended info related to

ormation/* vault

Microsoft.RecoveryServices/Vaults/monitoringA Gets the alerts for the Recovery services vault.

lerts/read

Microsoft.RecoveryServices/Vaults/monitoringC
onfigurations/*

Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object

representing the Azure resource of type 'vault'
Actions Description

Microsoft.RecoveryServices/Vaults/registeredId Create and manage registered identities

entities/*

Microsoft.RecoveryServices/Vaults/usages/* Create and manage usage of Recovery Services

vault

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.RecoveryServices/Vaults/backupstora
geconfig/*

Microsoft.RecoveryServices/Vaults/backupconfi
g/*

Microsoft.RecoveryServices/Vaults/backupValid Validate Operation on Protected Item

ateOperation/action

Microsoft.RecoveryServices/Vaults/write Create Vault operation creates an Azure

resource of type 'vault'

Microsoft.RecoveryServices/Vaults/backupOper Returns Backup Operation Status for Recovery

ations/read Services Vault.

Microsoft.RecoveryServices/Vaults/backupEngin Returns all the backup management servers

es/read registered with vault.

Microsoft.RecoveryServices/Vaults/backupFabri
cs/backupProtectionIntent/*

Microsoft.RecoveryServices/Vaults/backupFabri Get all protectable containers

cs/protectableContainers/read

Microsoft.RecoveryServices/vaults/operationSta Gets Operation Status for a given Operation

tus/read

Microsoft.RecoveryServices/vaults/operationRes The Get Operation Results operation can be

ults/read used get the operation status and result for the
asynchronously submitted operation

Microsoft.RecoveryServices/locations/backupSt Check Backup Status for Recovery Services

atus/action Vaults

Microsoft.RecoveryServices/locations/backupPr
eValidateProtection/action
Actions Description

Microsoft.RecoveryServices/locations/backupVa Validate Features

lidateFeatures/action

Microsoft.RecoveryServices/Vaults/monitoringA Resolves the alert.

lerts/write

Microsoft.RecoveryServices/operations/read Operation returns the list of Operations for a

Resource Provider

Microsoft.RecoveryServices/locations/operation Gets Operation Status for a given Operation

Status/read

Microsoft.RecoveryServices/Vaults/backupProte List all backup Protection Intents

ctionIntents/read

Microsoft.Support/* Create and update a support ticket

Microsoft.DataProtection/locations/getBackupS Check Backup Status for Recovery Services

tatus/action Vaults

Microsoft.DataProtection/backupVaults/backup Creates a Backup Instance

Instances/write

Microsoft.DataProtection/backupVaults/backup Deletes the Backup Instance

Instances/delete

Microsoft.DataProtection/backupVaults/backup Returns all Backup Instances

Instances/read

Microsoft.DataProtection/backupVaults/backup Returns all Backup Instances

Instances/read

Microsoft.DataProtection/backupVaults/deleted List soft-deleted Backup Instances in a Backup

BackupInstances/read Vault.

Microsoft.DataProtection/backupVaults/deleted Perform undelete of soft-deleted Backup

BackupInstances/undelete/action Instance. Backup Instance moves from
SoftDeleted to ProtectionStopped state.

Microsoft.DataProtection/backupVaults/backup Performs Backup on the Backup Instance

Instances/backup/action

Microsoft.DataProtection/backupVaults/backup Validates for Restore of the Backup Instance

Instances/validateRestore/action

Microsoft.DataProtection/backupVaults/backup Triggers restore on the Backup Instance

Instances/restore/action

Microsoft.DataProtection/subscriptions/resourc Triggers cross region restore operation on

eGroups/providers/locations/crossRegionResto given backup instance.
Actions Description

re/action

Microsoft.DataProtection/subscriptions/resourc Performs validations for cross region restore

eGroups/providers/locations/validateCrossRegi operation.
onRestore/action

Microsoft.DataProtection/subscriptions/resourc List cross region restore jobs of backup

eGroups/providers/locations/fetchCrossRegion instance from secondary region.
RestoreJobs/action

Microsoft.DataProtection/subscriptions/resourc Get cross region restore job details from

eGroups/providers/locations/fetchCrossRegion secondary region.
RestoreJob/action

Microsoft.DataProtection/subscriptions/resourc Returns recovery points from secondary region

eGroups/providers/locations/fetchSecondaryRe for cross region restore enabled Backup Vaults.
coveryPoints/action

Microsoft.DataProtection/backupVaults/backup Creates Backup Policy

Policies/write

Microsoft.DataProtection/backupVaults/backup Deletes the Backup Policy

Policies/delete

Microsoft.DataProtection/backupVaults/backup Returns all Backup Policies

Policies/read

Microsoft.DataProtection/backupVaults/backup Returns all Backup Policies

Policies/read

Microsoft.DataProtection/backupVaults/backup Returns all Recovery Points

Instances/recoveryPoints/read

Microsoft.DataProtection/backupVaults/backup Returns all Recovery Points

Instances/recoveryPoints/read

Microsoft.DataProtection/backupVaults/backup Finds Restorable Time Ranges

Instances/findRestorableTimeRanges/action

Microsoft.DataProtection/backupVaults/backup Returns Backup Operation Result for Backup

Instances/operationResults/read Vault.

Microsoft.DataProtection/backupVaults/write Update BackupVault operation updates an

Azure resource of type 'Backup Vault'

Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group

Microsoft.DataProtection/backupVaults/operati Gets Operation Result of a Patch Operation for

onResults/read a Backup Vault
Actions Description

Microsoft.DataProtection/backupVaults/operati Returns Backup Operation Status for Backup

onStatus/read Vault.

Microsoft.DataProtection/locations/checkName Checks if the requested BackupVault Name is

Availability/action Available

Microsoft.DataProtection/locations/checkFeatur Validates if a feature is supported

eSupport/action

Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group

Microsoft.DataProtection/locations/operationSt Returns Backup Operation Status for Backup

atus/read Vault.

Microsoft.DataProtection/locations/operationR Returns Backup Operation Result for Backup

esults/read Vault.

Microsoft.DataProtection/backupVaults/validate Validates for backup of Backup Instance

ForBackup/action

Microsoft.DataProtection/operations/read Operation returns the list of Operations for a

Resource Provider

Microsoft.RecoveryServices/Vaults/backupReso The Delete ResourceGuard proxy operation

urceGuardProxies/delete deletes the specified Azure resource of type
'ResourceGuard proxy'

Microsoft.RecoveryServices/Vaults/backupReso Get the list of ResourceGuard proxies for a

urceGuardProxies/read resource

Microsoft.RecoveryServices/Vaults/backupReso Unlock delete ResourceGuard proxy operation

urceGuardProxies/unlockDelete/action unlocks the next delete critical operation

Microsoft.RecoveryServices/Vaults/backupReso Create ResourceGuard proxy operation creates

urceGuardProxies/write an Azure resource of type 'ResourceGuard
Proxy'

Microsoft.DataProtection/backupVaults/backup Get ResourceGuard proxy operation gets an

ResourceGuardProxies/read object representing the Azure resource of type
'ResourceGuard proxy'

Microsoft.DataProtection/backupVaults/backup Create ResourceGuard proxy operation creates

ResourceGuardProxies/write an Azure resource of type 'ResourceGuard
Proxy'

Microsoft.DataProtection/backupVaults/backup The Delete ResourceGuard proxy operation

ResourceGuardProxies/delete deletes the specified Azure resource of type
'ResourceGuard proxy'
Actions Description

Microsoft.DataProtection/backupVaults/backup Unlock delete ResourceGuard proxy operation

ResourceGuardProxies/unlockDelete/action unlocks the next delete critical operation

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage backups, but can't delete vaults and give
access to others",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-
42f4-a55d-6e525e11384b",
"name": "5e467623-bb1f-42f4-a55d-6e525e11384b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/locations/*",

"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/*",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/*",

"Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action",
"Microsoft.RecoveryServices/Vaults/backupJobs/*",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/*",
"Microsoft.RecoveryServices/Vaults/backupPolicies/*",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/*",
"Microsoft.RecoveryServices/Vaults/backupSecurityPIN/*",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/*",
"Microsoft.RecoveryServices/Vaults/extendedInformation/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
"Microsoft.RecoveryServices/Vaults/usages/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/*",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read"
,
"Microsoft.RecoveryServices/vaults/operationStatus/read",
"Microsoft.RecoveryServices/vaults/operationResults/read",
"Microsoft.RecoveryServices/locations/backupStatus/action",

"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",

"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/backupInstances/delete",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",

"Microsoft.DataProtection/backupVaults/deletedBackupInstances/undelete/actio
n",

"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",

"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/actio
n",

"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/c
rossRegionRestore/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/v
alidateCrossRegionRestore/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/f
etchCrossRegionRestoreJobs/action",
"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/f
etchCrossRegionRestoreJob/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/f
etchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/backupVaults/backupPolicies/write",
"Microsoft.DataProtection/backupVaults/backupPolicies/delete",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",

"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",

"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRan
ges/action",

"Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read
",
"Microsoft.DataProtection/backupVaults/write",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/locations/checkNameAvailability/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/operations/read",

"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read",

"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/a
ction",

"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDele
te/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Backup MUA Admin

Backup MultiUser-Authorization. Can create/delete ResourceGuard

Learn more

ﾉ Expand table

Actions Description

Microsoft.DataProtection/*/read

Microsoft.DataProtection/*/resourceGuards/wri
te

Microsoft.DataProtection/subscriptions/resourc Update ResouceGuard operation updates an

eGroups/providers/resourceGuards/write Azure resource of type 'ResourceGuard'

Microsoft.DataProtection/subscriptions/resourc The Delete ResourceGuard operation deletes

eGroups/providers/resourceGuards/delete the specified Azure resource of type
'ResourceGuard'

Microsoft.DataProtection/subscriptions/resourc Gets list of ResourceGuards in a Resource

eGroups/providers/resourceGuards/read Group

Microsoft.DataProtection/locations/operationR Returns Backup Operation Result for Backup

esults/read Vault.

Microsoft.DataProtection/locations/operationSt Returns Backup Operation Status for Backup

atus/read Vault.

Microsoft.DataProtection/locations/getBackupS Check Backup Status for Recovery Services

tatus/action Vaults

Microsoft.DataProtection/locations/checkFeatur Validates if a feature is supported

eSupport/action

Microsoft.DataProtection/subscriptions/resourc Returns Backup Operation Status for Backup

eGroups/providers/locations/operationStatus/r Vault.
ead

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Features/features/read Gets the features of a subscription.

Actions Description

Microsoft.Features/providers/features/read Gets the feature of a subscription in a given

resource provider.

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourcegro
ups/deployments/*

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.DataProtection/backupVaults/backup Get ResourceGuard proxy operation gets an

ResourceGuardProxies/read object representing the Azure resource of type
'ResourceGuard proxy'

Microsoft.DataProtection/backupVaults/backup Create ResourceGuard proxy operation creates

ResourceGuardProxies/write an Azure resource of type 'ResourceGuard
Proxy'

Microsoft.DataProtection/backupVaults/backup The Delete ResourceGuard proxy operation

ResourceGuardProxies/delete deletes the specified Azure resource of type
'ResourceGuard proxy'

Microsoft.DataProtection/backupVaults/backup Unlock delete ResourceGuard proxy operation

ResourceGuardProxies/unlockDelete/action unlocks the next delete critical operation

Microsoft.DataProtection/subscriptions/provide Gets list of ResourceGuards in a Subscription

rs/resourceGuards/read

Microsoft.DataProtection/subscriptions/resourc Gets ResourceGuard default operation request

eGroups/providers/resourceGuards/{operation info
Name}/read

NotActions

none

DataActions
Actions Description

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Backup MultiUser-Authorization. Can create/delete
ResourceGuard ",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2a970b4-16a7-
4a51-8c84-8a8ea6ee0bb8",
"name": "c2a970b4-16a7-4a51-8c84-8a8ea6ee0bb8",
"permissions": [
{
"actions": [
"Microsoft.DataProtection/*/read",
"Microsoft.DataProtection/*/resourceGuards/write",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGua
rds/write",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGua
rds/delete",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGua
rds/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/o
perationStatus/read",
"Microsoft.Authorization/*/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",
"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDele
te/action",

"Microsoft.DataProtection/subscriptions/providers/resourceGuards/read",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/resourceGua
rds/{operationName}/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup MUA Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Backup MUA Operator

Backup MultiUser-Authorization. Allows user to perform critical operation protected by
resourceguard

Learn more

ﾉ Expand table

Actions Description

Microsoft.DataProtection/*/action

Microsoft.DataProtection/*/read

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Backup MultiUser-Authorization. Allows user to perform
critical operation protected by resourceguard",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f54b6d04-23c6-
443e-b462-9c16ab7b4a52",
"name": "f54b6d04-23c6-443e-b462-9c16ab7b4a52",
"permissions": [
{
"actions": [
"Microsoft.DataProtection/*/action",
"Microsoft.DataProtection/*/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup MUA Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Backup Operator
Lets you manage backup services, except removal of backup, vault creation and giving
access to others

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.RecoveryServices/Vaults/backupFabri Returns status of the operation

cs/operationResults/read

Microsoft.RecoveryServices/Vaults/backupFabri Gets result of Operation performed on

cs/protectionContainers/operationResults/read Protection Container.
Actions Description

Microsoft.RecoveryServices/Vaults/backupFabri Performs Backup for Protected Item.

cs/protectionContainers/protectedItems/backu
p/action

Microsoft.RecoveryServices/Vaults/backupFabri Gets Result of Operation Performed on

cs/protectionContainers/protectedItems/operat Protected Items.
ionResults/read

Microsoft.RecoveryServices/Vaults/backupFabri Returns the status of Operation performed on

cs/protectionContainers/protectedItems/operat Protected Items.
ionsStatus/read

Microsoft.RecoveryServices/Vaults/backupFabri Returns object details of the Protected Item

cs/protectionContainers/protectedItems/read

Microsoft.RecoveryServices/Vaults/backupFabri Provision Instant Item Recovery for Protected

cs/protectionContainers/protectedItems/recove Item
ryPoints/provisionInstantItemRecovery/action

Microsoft.RecoveryServices/vaults/backupFabric Get AccessToken for Cross Region Restore.

s/protectionContainers/protectedItems/recover
yPoints/accessToken/action

Microsoft.RecoveryServices/Vaults/backupFabri Get Recovery Points for Protected Items.

cs/protectionContainers/protectedItems/recove
ryPoints/read

Microsoft.RecoveryServices/Vaults/backupFabri Restore Recovery Points for Protected Items.

cs/protectionContainers/protectedItems/recove
ryPoints/restore/action

Microsoft.RecoveryServices/Vaults/backupFabri Revoke Instant Item Recovery for Protected

cs/protectionContainers/protectedItems/recove Item
ryPoints/revokeInstantItemRecovery/action

Microsoft.RecoveryServices/Vaults/backupFabri Create a backup Protected Item

cs/protectionContainers/protectedItems/write

Microsoft.RecoveryServices/Vaults/backupFabri Returns all registered containers

cs/protectionContainers/read

Microsoft.RecoveryServices/Vaults/backupFabri Refreshes the container list

cs/refreshContainers/action

Microsoft.RecoveryServices/Vaults/backupJobs/ Create and manage backup jobs

Microsoft.RecoveryServices/Vaults/backupJobsE Export Jobs

xport/action
Actions Description

Microsoft.RecoveryServices/Vaults/backupOper Create and manage Results of backup

ationResults/* management operations

Microsoft.RecoveryServices/Vaults/backupPolici Get Results of Policy Operation.

es/operationResults/read

Microsoft.RecoveryServices/Vaults/backupPolici Returns all Protection Policies

es/read

Microsoft.RecoveryServices/Vaults/backupProte Create and manage items which can be backed

ctableItems/* up

Microsoft.RecoveryServices/Vaults/backupProte Returns the list of all Protected Items.

ctedItems/read

Microsoft.RecoveryServices/Vaults/backupProte Returns all containers belonging to the

ctionContainers/read subscription

Microsoft.RecoveryServices/Vaults/backupUsag Returns summaries for Protected Items and

eSummaries/read Protected Servers for a Recovery Services .

Microsoft.RecoveryServices/Vaults/certificates/ The Update Resource Certificate operation

write updates the resource/vault credential
certificate.

Microsoft.RecoveryServices/Vaults/extendedInf The Get Extended Info operation gets an

ormation/read object's Extended Info representing the Azure
resource of type ?vault?

Microsoft.RecoveryServices/Vaults/extendedInf The Get Extended Info operation gets an

ormation/write object's Extended Info representing the Azure
resource of type ?vault?

Microsoft.RecoveryServices/Vaults/monitoringA Gets the alerts for the Recovery services vault.

lerts/read

Microsoft.RecoveryServices/Vaults/monitoringC
onfigurations/*

Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object

representing the Azure resource of type 'vault'

Microsoft.RecoveryServices/Vaults/registeredId The Get Operation Results operation can be

entities/operationResults/read used get the operation status and result for the
asynchronously submitted operation

Microsoft.RecoveryServices/Vaults/registeredId The Get Containers operation can be used get

entities/read the containers registered for a resource.
Actions Description

Microsoft.RecoveryServices/Vaults/registeredId The Register Service Container operation can

entities/write be used to register a container with Recovery
Service.

Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services

Vault.

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.RecoveryServices/Vaults/backupstora
geconfig/*

Microsoft.RecoveryServices/Vaults/backupValid Validate Operation on Protected Item

ateOperation/action

Microsoft.RecoveryServices/Vaults/backupTrigg Validate Operation on Protected Item

erValidateOperation/action

Microsoft.RecoveryServices/Vaults/backupValid Validate Operation on Protected Item

ateOperationResults/read

Microsoft.RecoveryServices/Vaults/backupValid Validate Operation on Protected Item

ateOperationsStatuses/read

Microsoft.RecoveryServices/Vaults/backupOper Returns Backup Operation Status for Recovery

ations/read Services Vault.

Microsoft.RecoveryServices/Vaults/backupPolici Get Status of Policy Operation.

es/operations/read

Microsoft.RecoveryServices/Vaults/backupFabri Creates a registered container

cs/protectionContainers/write

Microsoft.RecoveryServices/Vaults/backupFabri Do inquiry for workloads within a container

cs/protectionContainers/inquire/action

Microsoft.RecoveryServices/Vaults/backupEngin Returns all the backup management servers

es/read registered with vault.

Microsoft.RecoveryServices/Vaults/backupFabri Create a backup Protection Intent

cs/backupProtectionIntent/write

Microsoft.RecoveryServices/Vaults/backupFabri Get a backup Protection Intent

cs/backupProtectionIntent/read
Actions Description

Microsoft.RecoveryServices/Vaults/backupFabri Get all protectable containers

cs/protectableContainers/read

Microsoft.RecoveryServices/Vaults/backupFabri Get all items in a container

cs/protectionContainers/items/read

Microsoft.RecoveryServices/locations/backupSt Check Backup Status for Recovery Services

atus/action Vaults

Microsoft.RecoveryServices/locations/backupPr
eValidateProtection/action

Microsoft.RecoveryServices/locations/backupVa Validate Features

lidateFeatures/action

Microsoft.RecoveryServices/locations/backupAa Get AAD Properties for authentication in the

dProperties/read third region for Cross Region Restore.

Microsoft.RecoveryServices/locations/backupCr List Cross Region Restore Jobs in the secondary

rJobs/action region for Recovery Services Vault.

Microsoft.RecoveryServices/locations/backupCr Get Cross Region Restore Job Details in the

rJob/action secondary region for Recovery Services Vault.

Microsoft.RecoveryServices/locations/backupCr Trigger Cross region restore.

ossRegionRestore/action

Microsoft.RecoveryServices/locations/backupCr Returns CRR Operation Result for Recovery

rOperationResults/read Services Vault.

Microsoft.RecoveryServices/locations/backupCr Returns CRR Operation Status for Recovery

rOperationsStatus/read Services Vault.

Microsoft.RecoveryServices/Vaults/monitoringA Resolves the alert.

lerts/write

Microsoft.RecoveryServices/operations/read Operation returns the list of Operations for a

Resource Provider

Microsoft.RecoveryServices/locations/operation Gets Operation Status for a given Operation

Status/read

Microsoft.RecoveryServices/Vaults/backupProte List all backup Protection Intents

ctionIntents/read

Microsoft.Support/* Create and update a support ticket

Microsoft.DataProtection/backupVaults/backup Returns all Backup Instances

Instances/read
Actions Description

Microsoft.DataProtection/backupVaults/backup Returns all Backup Instances

Instances/read

Microsoft.DataProtection/backupVaults/backup Returns Backup Operation Result for Backup

Instances/operationResults/read Vault.

Microsoft.DataProtection/backupVaults/backup Creates a Backup Instance

Instances/write

Microsoft.DataProtection/backupVaults/deleted List soft-deleted Backup Instances in a Backup

BackupInstances/read Vault.

Microsoft.DataProtection/backupVaults/backup Returns all Backup Policies

Policies/read

Microsoft.DataProtection/backupVaults/backup Returns all Backup Policies

Policies/read

Microsoft.DataProtection/backupVaults/backup Returns all Recovery Points

Instances/recoveryPoints/read

Microsoft.DataProtection/backupVaults/backup Returns all Recovery Points

Instances/recoveryPoints/read

Microsoft.DataProtection/backupVaults/backup Finds Restorable Time Ranges

Instances/findRestorableTimeRanges/action

Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group

Microsoft.DataProtection/backupVaults/operati Gets Operation Result of a Patch Operation for

onResults/read a Backup Vault

Microsoft.DataProtection/backupVaults/operati Returns Backup Operation Status for Backup

onStatus/read Vault.

Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group

Microsoft.DataProtection/locations/operationSt Returns Backup Operation Status for Backup

atus/read Vault.

Microsoft.DataProtection/locations/operationR Returns Backup Operation Result for Backup

esults/read Vault.

Microsoft.DataProtection/operations/read Operation returns the list of Operations for a

Resource Provider

Microsoft.DataProtection/backupVaults/validate Validates for backup of Backup Instance

ForBackup/action
Actions Description

Microsoft.DataProtection/backupVaults/backup Performs Backup on the Backup Instance

Instances/backup/action

Microsoft.DataProtection/backupVaults/backup Validates for Restore of the Backup Instance

Instances/validateRestore/action

Microsoft.DataProtection/backupVaults/backup Triggers restore on the Backup Instance

Instances/restore/action

Microsoft.DataProtection/subscriptions/resourc Triggers cross region restore operation on

eGroups/providers/locations/crossRegionResto given backup instance.
re/action

Microsoft.DataProtection/subscriptions/resourc Performs validations for cross region restore

eGroups/providers/locations/validateCrossRegi operation.
onRestore/action

Microsoft.DataProtection/subscriptions/resourc List cross region restore jobs of backup

eGroups/providers/locations/fetchCrossRegion instance from secondary region.
RestoreJobs/action

Microsoft.DataProtection/subscriptions/resourc Get cross region restore job details from

eGroups/providers/locations/fetchCrossRegion secondary region.
RestoreJob/action

Microsoft.DataProtection/subscriptions/resourc Returns recovery points from secondary region

eGroups/providers/locations/fetchSecondaryRe for cross region restore enabled Backup Vaults.
coveryPoints/action

Microsoft.DataProtection/locations/checkFeatur Validates if a feature is supported

eSupport/action

Microsoft.RecoveryServices/Vaults/backupReso The Delete ResourceGuard proxy operation

urceGuardProxies/delete deletes the specified Azure resource of type
'ResourceGuard proxy'

Microsoft.RecoveryServices/Vaults/backupReso Get the list of ResourceGuard proxies for a

urceGuardProxies/read resource

Microsoft.RecoveryServices/Vaults/backupReso Unlock delete ResourceGuard proxy operation

urceGuardProxies/unlockDelete/action unlocks the next delete critical operation

Microsoft.RecoveryServices/Vaults/backupReso Create ResourceGuard proxy operation creates

urceGuardProxies/write an Azure resource of type 'ResourceGuard
Proxy'

Microsoft.DataProtection/backupVaults/backup Get ResourceGuard proxy operation gets an

ResourceGuardProxies/read object representing the Azure resource of type
'ResourceGuard proxy'
Actions Description

Microsoft.DataProtection/backupVaults/backup Create ResourceGuard proxy operation creates

ResourceGuardProxies/write an Azure resource of type 'ResourceGuard
Proxy'

Microsoft.DataProtection/backupVaults/backup The Delete ResourceGuard proxy operation

ResourceGuardProxies/delete deletes the specified Azure resource of type
'ResourceGuard proxy'

Microsoft.DataProtection/backupVaults/backup Unlock delete ResourceGuard proxy operation

ResourceGuardProxies/unlockDelete/action unlocks the next delete critical operation

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage backup services, except removal of backup,
vault creation and giving access to others",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-
4161-815c-10b084fb9324",
"name": "00c29273-979b-4161-815c-10b084fb9324",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Network/virtualNetworks/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operat
ionResults/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/backup/action",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/operationsStatus/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/recoveryPoints/provisionInstantItemRecovery/action",

"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protec
tedItems/recoveryPoints/accessToken/action",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/recoveryPoints/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/recoveryPoints/restore/action",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/recoveryPoints/revokeInstantItemRecovery/action",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/write",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",

"Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupProtectableItems/*",
"Microsoft.RecoveryServices/Vaults/backupProtectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read",
"Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read",
"Microsoft.RecoveryServices/Vaults/certificates/write",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/write",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/read",

"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/rea
d",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/write",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/*",
"Microsoft.RecoveryServices/Vaults/backupValidateOperation/action",
"Microsoft.RecoveryServices/Vaults/backupTriggerValidateOperation/action",

"Microsoft.RecoveryServices/Vaults/backupValidateOperationResults/read",

"Microsoft.RecoveryServices/Vaults/backupValidateOperationsStatuses/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write"
,

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquir
e/action",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/writ
e",

"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read
",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read"
,

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/
read",
"Microsoft.RecoveryServices/locations/backupStatus/action",

"Microsoft.RecoveryServices/locations/backupPreValidateProtection/action",

"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupAadProperties/read",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",

"Microsoft.RecoveryServices/locations/backupCrossRegionRestore/action",

"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",

"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.Support/*",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/backupInstances/read",

"Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read
",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",

"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",

"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRan
ges/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/operations/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",

"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",

"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/actio
n",

"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/c
rossRegionRestore/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/v
alidateCrossRegionRestore/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/f
etchCrossRegionRestoreJobs/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/f
etchCrossRegionRestoreJob/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/f
etchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action",

"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/delete",
"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/read",

"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/unlockDelete/a
ction",

"Microsoft.RecoveryServices/Vaults/backupResourceGuardProxies/write",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/read",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/write",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/delete",

"Microsoft.DataProtection/backupVaults/backupResourceGuardProxies/unlockDele
te/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Backup Reader
Can view backup services, but can't make changes

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.RecoveryServices/locations/allocated GetAllocatedStamp is internal operation used

Stamp/read by service

Microsoft.RecoveryServices/Vaults/backupFabri Returns status of the operation

cs/operationResults/read

Microsoft.RecoveryServices/Vaults/backupFabri Gets result of Operation performed on

cs/protectionContainers/operationResults/read Protection Container.

Microsoft.RecoveryServices/Vaults/backupFabri Gets Result of Operation Performed on

cs/protectionContainers/protectedItems/operat Protected Items.
ionResults/read

Microsoft.RecoveryServices/Vaults/backupFabri Returns the status of Operation performed on

cs/protectionContainers/protectedItems/operat Protected Items.
ionsStatus/read

Microsoft.RecoveryServices/Vaults/backupFabri Returns object details of the Protected Item

cs/protectionContainers/protectedItems/read

Microsoft.RecoveryServices/Vaults/backupFabri Get Recovery Points for Protected Items.

cs/protectionContainers/protectedItems/recove
ryPoints/read

Microsoft.RecoveryServices/Vaults/backupFabri Returns all registered containers

cs/protectionContainers/read
Actions Description

Microsoft.RecoveryServices/Vaults/backupJobs/ Returns the Result of Job Operation.

operationResults/read

Microsoft.RecoveryServices/Vaults/backupJobs/ Returns all Job Objects

read

Microsoft.RecoveryServices/Vaults/backupJobsE Export Jobs

xport/action

Microsoft.RecoveryServices/Vaults/backupOper Returns Backup Operation Result for Recovery

ationResults/read Services Vault.

Microsoft.RecoveryServices/Vaults/backupPolici Get Results of Policy Operation.

es/operationResults/read

Microsoft.RecoveryServices/Vaults/backupPolici Returns all Protection Policies

es/read

Microsoft.RecoveryServices/Vaults/backupProte Returns the list of all Protected Items.

ctedItems/read

Microsoft.RecoveryServices/Vaults/backupProte Returns all containers belonging to the

ctionContainers/read subscription

Microsoft.RecoveryServices/Vaults/backupUsag Returns summaries for Protected Items and

eSummaries/read Protected Servers for a Recovery Services .

Microsoft.RecoveryServices/Vaults/extendedInf The Get Extended Info operation gets an

ormation/read object's Extended Info representing the Azure
resource of type ?vault?

Microsoft.RecoveryServices/Vaults/monitoringA Gets the alerts for the Recovery services vault.

lerts/read

Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object

representing the Azure resource of type 'vault'

Microsoft.RecoveryServices/Vaults/registeredId The Get Operation Results operation can be

entities/operationResults/read used get the operation status and result for the
asynchronously submitted operation

Microsoft.RecoveryServices/Vaults/registeredId The Get Containers operation can be used get

entities/read the containers registered for a resource.

Microsoft.RecoveryServices/Vaults/backupstora Returns Storage Configuration for Recovery

geconfig/read Services Vault.

Microsoft.RecoveryServices/Vaults/backupconfi Returns Configuration for Recovery Services

g/read Vault.
Actions Description

Microsoft.RecoveryServices/Vaults/backupOper Returns Backup Operation Status for Recovery

ations/read Services Vault.

Microsoft.RecoveryServices/Vaults/backupPolici Get Status of Policy Operation.

es/operations/read

Microsoft.RecoveryServices/Vaults/backupEngin Returns all the backup management servers

es/read registered with vault.

Microsoft.RecoveryServices/Vaults/backupFabri Get a backup Protection Intent

cs/backupProtectionIntent/read

Microsoft.RecoveryServices/Vaults/backupFabri Get all items in a container

cs/protectionContainers/items/read

Microsoft.RecoveryServices/locations/backupSt Check Backup Status for Recovery Services

atus/action Vaults

Microsoft.RecoveryServices/Vaults/monitoringC
onfigurations/*

Microsoft.RecoveryServices/Vaults/monitoringA Resolves the alert.

lerts/write

Microsoft.RecoveryServices/operations/read Operation returns the list of Operations for a

Resource Provider

Microsoft.RecoveryServices/locations/operation Gets Operation Status for a given Operation

Status/read

Microsoft.RecoveryServices/Vaults/backupProte List all backup Protection Intents

ctionIntents/read

Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services

Vault.

Microsoft.RecoveryServices/locations/backupVa Validate Features

lidateFeatures/action

Microsoft.RecoveryServices/locations/backupCr List Cross Region Restore Jobs in the secondary

rJobs/action region for Recovery Services Vault.

Microsoft.RecoveryServices/locations/backupCr Get Cross Region Restore Job Details in the

rJob/action secondary region for Recovery Services Vault.

Microsoft.RecoveryServices/locations/backupCr Returns CRR Operation Result for Recovery

rOperationResults/read Services Vault.

Microsoft.RecoveryServices/locations/backupCr Returns CRR Operation Status for Recovery

rOperationsStatus/read Services Vault.
Actions Description

Microsoft.DataProtection/locations/getBackupS Check Backup Status for Recovery Services

tatus/action Vaults

Microsoft.DataProtection/backupVaults/backup Creates a Backup Instance

Instances/write

Microsoft.DataProtection/backupVaults/backup Returns all Backup Instances

Instances/read

Microsoft.DataProtection/backupVaults/deleted List soft-deleted Backup Instances in a Backup

BackupInstances/read Vault.

Microsoft.DataProtection/backupVaults/backup Performs Backup on the Backup Instance

Instances/backup/action

Microsoft.DataProtection/backupVaults/backup Validates for Restore of the Backup Instance

Instances/validateRestore/action

Microsoft.DataProtection/backupVaults/backup Triggers restore on the Backup Instance

Instances/restore/action

Microsoft.DataProtection/backupVaults/backup Returns all Backup Policies

Policies/read

Microsoft.DataProtection/backupVaults/backup Returns all Backup Policies

Policies/read

Microsoft.DataProtection/backupVaults/backup Returns all Recovery Points

Instances/recoveryPoints/read

Microsoft.DataProtection/backupVaults/backup Returns all Recovery Points

Instances/recoveryPoints/read

Microsoft.DataProtection/backupVaults/backup Returns Backup Operation Result for Backup

Instances/operationResults/read Vault.

Microsoft.DataProtection/backupVaults/backup Finds Restorable Time Ranges

Instances/findRestorableTimeRanges/action

Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group

Microsoft.DataProtection/backupVaults/operati Gets Operation Result of a Patch Operation for

onResults/read a Backup Vault

Microsoft.DataProtection/backupVaults/operati Returns Backup Operation Status for Backup

onStatus/read Vault.

Microsoft.DataProtection/backupVaults/read Gets list of Backup Vaults in a Resource Group

Actions Description

Microsoft.DataProtection/locations/operationSt Returns Backup Operation Status for Backup

atus/read Vault.

Microsoft.DataProtection/locations/operationR Returns Backup Operation Result for Backup

esults/read Vault.

Microsoft.DataProtection/backupVaults/validate Validates for backup of Backup Instance

ForBackup/action

Microsoft.DataProtection/operations/read Operation returns the list of Operations for a

Resource Provider

Microsoft.DataProtection/subscriptions/resourc List cross region restore jobs of backup

eGroups/providers/locations/fetchCrossRegion instance from secondary region.
RestoreJobs/action

Microsoft.DataProtection/subscriptions/resourc Get cross region restore job details from

eGroups/providers/locations/fetchCrossRegion secondary region.
RestoreJob/action

Microsoft.DataProtection/subscriptions/resourc Returns recovery points from secondary region

eGroups/providers/locations/fetchSecondaryRe for cross region restore enabled Backup Vaults.
coveryPoints/action

Microsoft.DataProtection/locations/checkFeatur Validates if a feature is supported

eSupport/action

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can view backup services, but can't make changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-
40c1-ae25-d81f01202912",
"name": "a795c7a0-d4a2-40c1-ae25-d81f01202912",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operat
ionResults/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/operationResults/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/operationsStatus/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protec
tedItems/recoveryPoints/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read",

"Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read",
"Microsoft.RecoveryServices/Vaults/backupJobs/read",
"Microsoft.RecoveryServices/Vaults/backupJobsExport/action",
"Microsoft.RecoveryServices/Vaults/backupOperationResults/read",

"Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/rea
d",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/read",
"Microsoft.RecoveryServices/Vaults/backupstorageconfig/read",
"Microsoft.RecoveryServices/Vaults/backupconfig/read",
"Microsoft.RecoveryServices/Vaults/backupOperations/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read",
"Microsoft.RecoveryServices/Vaults/backupEngines/read",

"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read
",

"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/
read",
"Microsoft.RecoveryServices/locations/backupStatus/action",
"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/*",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/write",
"Microsoft.RecoveryServices/operations/read",
"Microsoft.RecoveryServices/locations/operationStatus/read",
"Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read",
"Microsoft.RecoveryServices/Vaults/usages/read",

"Microsoft.RecoveryServices/locations/backupValidateFeatures/action",
"Microsoft.RecoveryServices/locations/backupCrrJobs/action",
"Microsoft.RecoveryServices/locations/backupCrrJob/action",

"Microsoft.RecoveryServices/locations/backupCrrOperationResults/read",

"Microsoft.RecoveryServices/locations/backupCrrOperationsStatus/read",
"Microsoft.DataProtection/locations/getBackupStatus/action",
"Microsoft.DataProtection/backupVaults/backupInstances/write",
"Microsoft.DataProtection/backupVaults/backupInstances/read",
"Microsoft.DataProtection/backupVaults/deletedBackupInstances/read",

"Microsoft.DataProtection/backupVaults/backupInstances/backup/action",

"Microsoft.DataProtection/backupVaults/backupInstances/validateRestore/actio
n",

"Microsoft.DataProtection/backupVaults/backupInstances/restore/action",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",
"Microsoft.DataProtection/backupVaults/backupPolicies/read",

"Microsoft.DataProtection/backupVaults/backupInstances/recoveryPoints/read",

"Microsoft.DataProtection/backupVaults/backupInstances/operationResults/read
",

"Microsoft.DataProtection/backupVaults/backupInstances/findRestorableTimeRan
ges/action",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/operationResults/read",
"Microsoft.DataProtection/backupVaults/operationStatus/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/backupVaults/read",
"Microsoft.DataProtection/locations/operationStatus/read",
"Microsoft.DataProtection/locations/operationResults/read",
"Microsoft.DataProtection/backupVaults/validateForBackup/action",
"Microsoft.DataProtection/operations/read",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/f
etchCrossRegionRestoreJobs/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/f
etchCrossRegionRestoreJob/action",

"Microsoft.DataProtection/subscriptions/resourceGroups/providers/locations/f
etchSecondaryRecoveryPoints/action",
"Microsoft.DataProtection/locations/checkFeatureSupport/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Classic Storage Account Contributor

Lets you manage classic storage accounts, but not access to them.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.ClassicStorage/storageAccounts/* Create and manage storage accounts

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic storage accounts, but not access
to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-
4c67-9d15-de283e8eac25",
"name": "86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicStorage/storageAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Classic Storage Account Key Operator Service

Role
Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic
Storage Accounts

Learn more

ﾉ Expand table

Actions Description

Microsoft.ClassicStorage/storageAccounts/listk Lists the access keys for the storage accounts.

eys/action

Microsoft.ClassicStorage/storageAccounts/rege Regenerates the existing access keys for the

neratekey/action storage account.

NotActions

none
Actions Description

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Classic Storage Account Key Operators are allowed to list
and regenerate keys on Classic Storage Accounts",
"id": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-
48f5-a6fe-d0ca12fb668d",
"name": "985d6b00-f706-48f5-a6fe-d0ca12fb668d",
"permissions": [
{
"actions": [
"Microsoft.ClassicStorage/storageAccounts/listkeys/action",
"Microsoft.ClassicStorage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Data Box Contributor

Lets you manage everything under Data Box Service except giving access to others.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Actions Description

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Databox/*

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage everything under Data Box Service except
giving access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-
43fc-8d98-dfcf8d720be5",
"name": "add466c9-e687-43fc-8d98-dfcf8d720be5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Databox/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Data Box Reader

Lets you manage Data Box Service except creating order or editing order details and
giving access to others.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Databox/*/read

Microsoft.Databox/jobs/listsecrets/action

Microsoft.Databox/jobs/listcredentials/action Lists the unencrypted credentials related to the

order.

Microsoft.Databox/locations/availableSkus/acti This method returns the list of available skus.

Microsoft.Databox/locations/validateInputs/acti This method does all type of validations.

Microsoft.Databox/locations/regionConfigurati This method returns the configurations for the

on/action region.

Microsoft.Databox/locations/validateAddress/a Validates the shipping address and provides

ction alternate addresses if any.

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage Data Box Service except creating order or
editing order details and giving access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-
465e-a8f4-9c0ffdfdc027",
"name": "028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Databox/*/read",
"Microsoft.Databox/jobs/listsecrets/action",
"Microsoft.Databox/jobs/listcredentials/action",
"Microsoft.Databox/locations/availableSkus/action",
"Microsoft.Databox/locations/validateInputs/action",
"Microsoft.Databox/locations/regionConfiguration/action",
"Microsoft.Databox/locations/validateAddress/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Box Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Data Lake Analytics Developer

Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake
Analytics accounts.

Learn more

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.BigAnalytics/accounts/*

Microsoft.DataLakeAnalytics/accounts/*

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

Microsoft.BigAnalytics/accounts/Delete

Microsoft.BigAnalytics/accounts/TakeOwnershi
p/action

Microsoft.BigAnalytics/accounts/Write

Microsoft.DataLakeAnalytics/accounts/Delete Delete a DataLakeAnalytics account.

Microsoft.DataLakeAnalytics/accounts/TakeOwn Grant permissions to cancel jobs submitted by

ership/action other users.

Microsoft.DataLakeAnalytics/accounts/Write Create or update a DataLakeAnalytics account.

Microsoft.DataLakeAnalytics/accounts/dataLake Create or update a linked DataLakeStore

StoreAccounts/Write account of a DataLakeAnalytics account.

Microsoft.DataLakeAnalytics/accounts/dataLake Unlink a DataLakeStore account from a

StoreAccounts/Delete DataLakeAnalytics account.

Microsoft.DataLakeAnalytics/accounts/storageA Create or update a linked Storage account of a

ccounts/Write DataLakeAnalytics account.

Microsoft.DataLakeAnalytics/accounts/storageA Unlink a Storage account from a

ccounts/Delete DataLakeAnalytics account.

Microsoft.DataLakeAnalytics/accounts/firewallR Create or update a firewall rule.

ules/Write

Microsoft.DataLakeAnalytics/accounts/firewallR Delete a firewall rule.

ules/Delete
Actions Description

Microsoft.DataLakeAnalytics/accounts/compute Create or update a compute policy.

Policies/Write

Microsoft.DataLakeAnalytics/accounts/compute Delete a compute policy.

Policies/Delete

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you submit, monitor, and manage your own jobs but not
create or delete Data Lake Analytics accounts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-
4598-a7da-8b91488b4c88",
"name": "47b7735b-770e-4598-a7da-8b91488b4c88",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.BigAnalytics/accounts/*",
"Microsoft.DataLakeAnalytics/accounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.BigAnalytics/accounts/Delete",
"Microsoft.BigAnalytics/accounts/TakeOwnership/action",
"Microsoft.BigAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action",
"Microsoft.DataLakeAnalytics/accounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write",
"Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Write",
"Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Write",
"Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Lake Analytics Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Defender for Storage Data Scanner

Grants access to read blobs and update index tags. This role is used by the data scanner
of Defender for Storage.

ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/blobService Returns list of containers

s/containers/read

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/blobService Returns a blob or a list of blobs

s/containers/blobs/read

Microsoft.Storage/storageAccounts/blobService Returns the result of writing blob tags

s/containers/blobs/tags/write

Microsoft.Storage/storageAccounts/blobService Returns the result of reading blob tags

s/containers/blobs/tags/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants access to read blobs and update index tags. This
role is used by the data scanner of Defender for Storage.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1e7ca9b1-60d1-
4db8-a914-f2ca1ff27c40",
"name": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read"
],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write"
,

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read"
],
"notDataActions": []
}
],
"roleName": "Defender for Storage Data Scanner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Network Admin

Allows access to create Private Endpoints on SAN resources, and to read SAN resources

Learn more

ﾉ Expand table

Actions Description

Microsoft.ElasticSan/elasticSans/*/read

Microsoft.ElasticSan/elasticSans/PrivateEndpoin
tConnectionsApproval/action

Microsoft.ElasticSan/elasticSans/privateEndpoin
tConnections/write

Microsoft.ElasticSan/elasticSans/privateEndpoin
tConnections/delete

Microsoft.ElasticSan/locations/asyncoperations/ Polls the status of an asynchronous operation.

read
Actions Description

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows access to create Private Endpoints on SAN
resources, and to read SAN resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fa6cecf6-5db3-
4c43-8470-c540bcb4eafa",
"name": "fa6cecf6-5db3-4c43-8470-c540bcb4eafa",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*/read",

"Microsoft.ElasticSan/elasticSans/PrivateEndpointConnectionsApproval/action"
,
"Microsoft.ElasticSan/elasticSans/privateEndpointConnections/write",

"Microsoft.ElasticSan/elasticSans/privateEndpointConnections/delete",
"Microsoft.ElasticSan/locations/asyncoperations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Network Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Owner

Allows for full access to all resources under Azure Elastic SAN including changing
network security policies to unblock data path access

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ElasticSan/elasticSans/*

Microsoft.ElasticSan/locations/*

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full access to all resources under Azure
Elastic SAN including changing network security policies to unblock data
path access",
"id": "/providers/Microsoft.Authorization/roleDefinitions/80dcbedb-47ef-
405d-95bd-188a1b4ac406",
"name": "80dcbedb-47ef-405d-95bd-188a1b4ac406",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Reader

Allows for control path read access to Azure Elastic SAN

ﾉ Expand table

Actions Description

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ElasticSan/elasticSans/*/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for control path read access to Azure Elastic SAN",
"id": "/providers/Microsoft.Authorization/roleDefinitions/af6a70f8-3c9f-
4105-acf1-d719e9fca4ca",
"name": "af6a70f8-3c9f-4105-acf1-d719e9fca4ca",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ElasticSan/elasticSans/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Elastic SAN Volume Group Owner

Allows for full access to a volume group in Azure Elastic SAN including changing
network security policies to unblock data path access

ﾉ Expand table

Actions Description

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

Microsoft.ElasticSan/elasticSans/volumeGroups
/*

Microsoft.ElasticSan/locations/asyncoperations/ Polls the status of an asynchronous operation.

read

NotActions

none

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full access to a volume group in Azure Elastic
SAN including changing network security policies to unblock data path
access",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a8281131-f312-
4f34-8d98-ae12be9f0d23",
"name": "a8281131-f312-4f34-8d98-ae12be9f0d23",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/locations/asyncoperations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Elastic SAN Volume Group Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Reader and Data Access

Lets you view everything but will not let you delete or create a storage account or
contained resource. It will also allow read/write access to all data contained in a storage
account via access to storage account keys.

ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/listKeys/act Returns the access keys for the specified

ion storage account.
Actions Description

Microsoft.Storage/storageAccounts/ListAccount Returns the Account SAS token for the

Sas/action specified storage account.

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you view everything but will not let you delete or
create a storage account or contained resource. It will also allow
read/write access to all data contained in a storage account via access to
storage account keys.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-
487b-954d-41c89c60f349",
"name": "c12c1c16-33a1-487b-954d-41c89c60f349",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/ListAccountSas/action",
"Microsoft.Storage/storageAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reader and Data Access",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Account Backup Contributor
Lets you perform backup and restore operations using Azure Backup on the storage
account.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Authorization/locks/read Gets locks at the specified scope.

Microsoft.Authorization/locks/write Add locks at the specified scope.

Microsoft.Authorization/locks/delete Delete locks at the specified scope.

Microsoft.Features/features/read Gets the features of a subscription.

Microsoft.Features/providers/features/read Gets the feature of a subscription in a given

resource provider.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Storage/operations/read Polls the status of an asynchronous operation.

Microsoft.Storage/storageAccounts/objectRepli Delete object replication policy

cationPolicies/delete

Microsoft.Storage/storageAccounts/objectRepli List object replication policies

cationPolicies/read

Microsoft.Storage/storageAccounts/objectRepli Create or update object replication policy

cationPolicies/write

Microsoft.Storage/storageAccounts/objectRepli Create object replication restore point marker

cationPolicies/restorePointMarkers/write

Microsoft.Storage/storageAccounts/blobService Returns list of containers

s/containers/read

Microsoft.Storage/storageAccounts/blobService Returns the result of put blob container

s/containers/write

Microsoft.Storage/storageAccounts/blobService Returns blob service properties or statistics

s/read
Actions Description

Microsoft.Storage/storageAccounts/blobService Returns the result of put blob service properties

s/write

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.Storage/storageAccounts/restoreBlob Restore blob ranges to the state of the

Ranges/action specified time

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you perform backup and restore operations using Azure
Backup on the storage account.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-
4cd2-bb51-3152d37e2eb1",
"name": "e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/locks/read",
"Microsoft.Authorization/locks/write",
"Microsoft.Authorization/locks/delete",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/operations/read",

"Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",

"Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMar
kers/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/blobServices/write",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/restoreBlobRanges/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Backup Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Account Contributor

Permits management of storage accounts. Provides access to the account key, which can
be used to access data via Shared Key authorization.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic

setting for Analysis Server

Microsoft.Network/virtualNetworks/subnets/joi Joins resource such as storage account or SQL

nViaServiceEndpoint/action database to a subnet. Not alertable.

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Storage/storageAccounts/* Create and manage storage accounts

Microsoft.Support/* Create and update a support ticket

NotActions
Actions Description

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage storage accounts, including accessing
storage account keys which provide full access to storage account data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-
46fb-8f53-869881c3d3ab",
"name": "17d1049b-9a84-46fb-8f53-869881c3d3ab",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",

"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Account Key Operator Service Role

Permits listing and regenerating storage account access keys.
Learn more

ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/listkeys/acti Returns the access keys for the specified

on storage account.

Microsoft.Storage/storageAccounts/regenerate Regenerates the access keys for the specified

key/action storage account.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Storage Account Key Operators are allowed to list and
regenerate keys on Storage Accounts",
"id": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-
436f-a333-f67b29880f12",
"name": "81a9662b-bebf-436f-a333-f67b29880f12",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/regeneratekey/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Account Key Operator Service Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Storage Blob Data Contributor
Read, write, and delete Azure Storage containers and blobs. To learn which actions are
required for a given data operation, see Permissions for calling data operations.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/blobService Delete a container.

s/containers/delete

Microsoft.Storage/storageAccounts/blobService Return a container or a list of containers.

s/containers/read

Microsoft.Storage/storageAccounts/blobService Modify a container's metadata or properties.

s/containers/write

Microsoft.Storage/storageAccounts/blobService Returns a user delegation key for the Blob

s/generateUserDelegationKey/action service.

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/blobService Delete a blob.

s/containers/blobs/delete

Microsoft.Storage/storageAccounts/blobService Return a blob or a list of blobs.

s/containers/blobs/read

Microsoft.Storage/storageAccounts/blobService Write to a blob.

s/containers/blobs/write

Microsoft.Storage/storageAccounts/blobService Moves the blob from one path to another

s/containers/blobs/move/action

Microsoft.Storage/storageAccounts/blobService Returns the result of adding blob content

s/containers/blobs/add/action

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage
blob containers and data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-
453d-a403-e96b0029c9fe",
"name": "ba92f5b4-2d11-453d-a403-e96b0029c9fe",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",

"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/ac
tion"
],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action
",

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Owner

Provides full access to Azure Storage blob containers and data, including assigning
POSIX access control. To learn which actions are required for a given data operation, see
Permissions for calling data operations.

Learn more
ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/blobService Full permissions on containers.

s/containers/*

Microsoft.Storage/storageAccounts/blobService Returns a user delegation key for the Blob

s/generateUserDelegationKey/action service.

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/blobService Full permissions on blobs.

s/containers/blobs/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Storage blob containers
and data, including assigning POSIX access control.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-
4753-8033-0f276bb0955b",
"name": "b7e6dc6d-f1e8-4753-8033-0f276bb0955b",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/*",

"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/ac
tion"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Data Reader

Read and list Azure Storage containers and blobs. To learn which actions are required for
a given data operation, see Permissions for calling data operations.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/blobService Return a container or a list of containers.

s/containers/read

Microsoft.Storage/storageAccounts/blobService Returns a user delegation key for the Blob

s/generateUserDelegationKey/action service.

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/blobService Return a blob or a list of blobs.

s/containers/blobs/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage blob containers
and data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-
4ae2-8e65-a410df84e7d1",
"name": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/ac
tion"
],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"notDataActions": []
}
],
"roleName": "Storage Blob Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Blob Delegator

Get a user delegation key, which can then be used to create a shared access signature
for a container or blob that is signed with Azure AD credentials. For more information,
see Create a user delegation SAS.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/blobService Returns a user delegation key for the Blob

s/generateUserDelegationKey/action service.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for generation of a user delegation key which can
be used to sign SAS tokens",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-
4a2a-8342-4190687cbf4a",
"name": "db58b8e5-c6ad-4a2a-8342-4190687cbf4a",
"permissions": [
{
"actions": [

"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/ac
tion"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Storage Blob Delegator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data Privileged Contributor

Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares by
overriding existing ACLs/NTFS permissions. This role has no built-in equivalent on
Windows file servers.

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/fileServices Returns a file/folder or a list of files/folders

/fileshares/files/read

Microsoft.Storage/storageAccounts/fileServices Returns the result of writing a file or creating a

/fileshares/files/write folder

Microsoft.Storage/storageAccounts/fileServices Returns the result of deleting a file/folder

/fileshares/files/delete
Actions Description

Microsoft.Storage/storageAccounts/fileServices Returns the result of modifying permission on a

/fileshares/files/modifypermissions/action file/folder

Microsoft.Storage/storageAccounts/fileServices Read File Backup Semantics Privilege

/readFileBackupSemantics/action

Microsoft.Storage/storageAccounts/fileServices Write File Backup Semantics Privilege

/writeFileBackupSemantics/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Customer has read, write, delete and modify NTFS
permission access on Azure Storage file shares.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69566ab7-960f-
475b-8e7c-b3118f30c6bd",
"name": "69566ab7-960f-475b-8e7c-b3118f30c6bd",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermi
ssions/action",

"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/acti
on",

"Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/act
ion"
],
"notDataActions": []
}
],
"roleName": "Storage File Data Privileged Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data Privileged Reader

Allows for read access on files/directories in Azure file shares by overriding existing
ACLs/NTFS permissions. This role has no built-in equivalent on Windows file servers.

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/fileServices Returns a file/folder or a list of files/folders

/fileshares/files/read

Microsoft.Storage/storageAccounts/fileServices Read File Backup Semantics Privilege

/readFileBackupSemantics/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Customer has read access on Azure Storage file shares.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b8eda974-7b85-
4f76-af95-65846b26df6d",
"name": "b8eda974-7b85-4f76-af95-65846b26df6d",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",

"Microsoft.Storage/storageAccounts/fileServices/readFileBackupSemantics/acti
on"
],
"notDataActions": []
}
],
"roleName": "Storage File Data Privileged Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Contributor

Allows for read, write, and delete access on files/directories in Azure file shares. This role
has no built-in equivalent on Windows file servers.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/fileServices Returns a file/folder or a list of files/folders.

/fileshares/files/read

Microsoft.Storage/storageAccounts/fileServices Returns the result of writing a file or creating a

/fileshares/files/write folder.

Microsoft.Storage/storageAccounts/fileServices Returns the result of deleting a file/folder.

/fileshares/files/delete

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access in Azure Storage
file shares over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-
454a-a3db-ab2ea1bdc8bb",
"name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Elevated

Contributor
Allows for read, write, delete, and modify ACLs on files/directories in Azure file shares.
This role is equivalent to a file share ACL of change on Windows file servers.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/fileServices Returns a file/folder or a list of files/folders.

/fileshares/files/read

Microsoft.Storage/storageAccounts/fileServices Returns the result of writing a file or creating a

/fileshares/files/write folder.
Actions Description

Microsoft.Storage/storageAccounts/fileServices Returns the result of deleting a file/folder.

/fileshares/files/delete

Microsoft.Storage/storageAccounts/fileServices Returns the result of modifying permission on a

/fileshares/files/modifypermissions/action file/folder.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, delete and modify NTFS permission
access in Azure Storage file shares over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-
434b-a828-9731dc254ea7",
"name": "a7264617-510b-434b-a828-9731dc254ea7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete",

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermi
ssions/action"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Elevated Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage File Data SMB Share Reader

Allows for read access on files/directories in Azure file shares. This role is equivalent to a
file share ACL of read on Windows file servers.
Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/fileServices Returns a file/folder or a list of files/folders.

/fileshares/files/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure File Share over SMB",
"id": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-
4029-9191-0cb91df5e314",
"name": "aba4ae5f-2193-4029-9191-0cb91df5e314",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read"
],
"notDataActions": []
}
],
"roleName": "Storage File Data SMB Share Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Contributor

Read, write, and delete Azure Storage queues and queue messages. To learn which
actions are required for a given data operation, see Permissions for calling data
operations.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/queueServi Delete a queue.

ces/queues/delete

Microsoft.Storage/storageAccounts/queueServi Return a queue or a list of queues.

ces/queues/read

Microsoft.Storage/storageAccounts/queueServi Modify queue metadata or properties.

ces/queues/write

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/queueServi Delete one or more messages from a queue.

ces/queues/messages/delete

Microsoft.Storage/storageAccounts/queueServi Peek or retrieve one or more messages from a

ces/queues/messages/read queue.

Microsoft.Storage/storageAccounts/queueServi Add a message to a queue.

ces/queues/messages/write

Microsoft.Storage/storageAccounts/queueServi Returns the result of processing a message

ces/queues/messages/process/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for read, write, and delete access to Azure Storage
queues and queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-
4653-ba55-5f855dd0fb88",
"name": "974c5e8b-45b9-4653-ba55-5f855dd0fb88",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/delete",
"Microsoft.Storage/storageAccounts/queueServices/queues/read",
"Microsoft.Storage/storageAccounts/queueServices/queues/write"
],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete",

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/write",

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/act
ion"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Message Processor

Peek, retrieve, and delete a message from an Azure Storage queue. To learn which
actions are required for a given data operation, see Permissions for calling data
operations.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/queueServi Peek a message.

ces/queues/messages/read
Actions Description

Microsoft.Storage/storageAccounts/queueServi Retrieve and delete a message.

ces/queues/messages/process/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for peek, receive, and delete access to Azure
Storage queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-
4084-bc3d-661d67233fed",
"name": "8a0f0c08-91a1-4084-bc3d-661d67233fed",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/act
ion"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Processor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Message Sender

Add messages to an Azure Storage queue. To learn which actions are required for a
given data operation, see Permissions for calling data operations.

Learn more

ﾉ Expand table
Actions Description

none

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/queueServi Add a message to a queue.

ces/queues/messages/add/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for sending of Azure Storage queue messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-
44d0-9896-0f6e12d7b80a",
"name": "c6a89b2d-59bc-44d0-9896-0f6e12d7b80a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Message Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Queue Data Reader

Read and list Azure Storage queues and queue messages. To learn which actions are
required for a given data operation, see Permissions for calling data operations.

Learn more
ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/queueServi Returns a queue or a list of queues.

ces/queues/read

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/queueServi Peek or retrieve one or more messages from a

ces/queues/messages/read queue.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage queues and queue
messages",
"id": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-
4f77-808e-94535e297925",
"name": "19e7f393-937e-4f77-808e-94535e297925",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/queueServices/queues/read"
],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/queueServices/queues/messages/read"
],
"notDataActions": []
}
],
"roleName": "Storage Queue Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Table Data Contributor

Allows for read, write and delete access to Azure Storage tables and entities

ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/tableServic Query tables

es/tables/read

Microsoft.Storage/storageAccounts/tableServic Create tables

es/tables/write

Microsoft.Storage/storageAccounts/tableServic Delete tables

es/tables/delete

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/tableServic Query table entities

es/tables/entities/read

Microsoft.Storage/storageAccounts/tableServic Insert, merge, or replace table entities

es/tables/entities/write

Microsoft.Storage/storageAccounts/tableServic Delete table entities

es/tables/entities/delete

Microsoft.Storage/storageAccounts/tableServic Insert table entities

es/tables/entities/add/action

Microsoft.Storage/storageAccounts/tableServic Merge or update table entities

es/tables/entities/update/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for read, write and delete access to Azure Storage
tables and entities",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-
4cc4-a60d-0319b160aaa3",
"name": "0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/read",
"Microsoft.Storage/storageAccounts/tableServices/tables/write",
"Microsoft.Storage/storageAccounts/tableServices/tables/delete"
],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read",

"Microsoft.Storage/storageAccounts/tableServices/tables/entities/write",

"Microsoft.Storage/storageAccounts/tableServices/tables/entities/delete",

"Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action"
,

"Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/acti
on"
],
"notDataActions": []
}
],
"roleName": "Storage Table Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Storage Table Data Reader

Allows for read access to Azure Storage tables and entities

ﾉ Expand table

Actions Description

Microsoft.Storage/storageAccounts/tableServic Query tables

es/tables/read

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/tableServic Query table entities

es/tables/entities/read

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for read access to Azure Storage tables and
entities",
"id": "/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-
4c19-bc75-cec21354c6b6",
"name": "76199698-9eea-4c19-bc75-cec21354c6b6",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/tableServices/tables/read"
],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/tableServices/tables/entities/read"
],
"notDataActions": []
}
],
"roleName": "Storage Table Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Web and Mobile
Article • 09/23/2024

This article lists the Azure built-in roles in the Web and Mobile category.

Azure Maps Data Contributor

Grants access to read, write, and delete access to map related data from an Azure maps
account.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Maps/accounts/*/read

Microsoft.Maps/accounts/*/write

Microsoft.Maps/accounts/*/delete

Microsoft.Maps/accounts/*/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants access to read, write, and delete access to map
related data from an Azure maps account.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-
4dcf-bddf-e6f48634a204",
"name": "8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Maps/accounts/*/read",
"Microsoft.Maps/accounts/*/write",
"Microsoft.Maps/accounts/*/delete",
"Microsoft.Maps/accounts/*/action"
],
"notDataActions": []
}
],
"roleName": "Azure Maps Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Maps Data Reader

Grants access to read map related data from an Azure maps account.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Maps/accounts/*/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants access to read map related data from an Azure maps
account.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-
4b0f-8487-9e4eb8f49bfa",
"name": "423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Maps/accounts/*/read"
],
"notDataActions": []
}
],
"roleName": "Azure Maps Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Maps Search and Render Data Reader

Grants access to very limited set of data APIs for common visual web SDK scenarios.
Specifically, render and search data APIs.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Maps/accounts/services/render/read Allows reading of data for Render services.

Microsoft.Maps/accounts/services/search/read Allows reading of data for Search services.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants access to very limited set of data APIs for common
visual web SDK scenarios. Specifically, render and search data APIs.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-
47c9-ad5e-0acacefdb005",
"name": "6be48352-4f82-47c9-ad5e-0acacefdb005",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Maps/accounts/services/render/read",
"Microsoft.Maps/accounts/services/search/read"
],
"notDataActions": []
}
],
"roleName": "Azure Maps Search and Render Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Apps Application Configuration

Service Config File Pattern Reader Role
Read content of config file pattern for Application Configuration Service in Azure Spring
Apps

Learn more

ﾉ Expand table

Actions Description

Microsoft.AppPlatform/Spring/read Get Azure Spring Apps service instance(s)

Microsoft.AppPlatform/Spring/configurationSer Get the Application Configuration Services for a

vices/read specific Azure Spring Apps service instance

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/ApplicationConfi Read the configuration content (for example,

gurationService/read application-prod.yaml) pulled by Application
Configuration Service for a specific Azure
Spring Apps service instance
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read content of config file pattern for Application
Configuration Service in Azure Spring Apps",
"id": "/providers/Microsoft.Authorization/roleDefinitions/25211fc6-dc78-
40b6-b205-e4ac934fd9fd",
"name": "25211fc6-dc78-40b6-b205-e4ac934fd9fd",
"permissions": [
{
"actions": [
"Microsoft.AppPlatform/Spring/read",
"Microsoft.AppPlatform/Spring/configurationServices/read"
],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/ApplicationConfigurationService/read"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Apps Application Configuration Service Config
File Pattern Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Apps Application Configuration

Service Log Reader Role
Read real-time logs for Application Configuration Service in Azure Spring Apps

Learn more

ﾉ Expand table

Actions Description

Microsoft.AppPlatform/Spring/read Get Azure Spring Apps service instance(s)

Actions Description

Microsoft.AppPlatform/Spring/configurationSer Get the Application Configuration Services for a

vices/read specific Azure Spring Apps service instance

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/ApplicationConfi Read the streaming log of all subcomponents

gurationService/logstream/action in Application Configuration Service from a
specific Azure Spring Apps service instance

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read real-time logs for Application Configuration Service
in Azure Spring Apps",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6593e776-2a30-
40f9-8a32-4fe28b77655d",
"name": "6593e776-2a30-40f9-8a32-4fe28b77655d",
"permissions": [
{
"actions": [
"Microsoft.AppPlatform/Spring/read",
"Microsoft.AppPlatform/Spring/configurationServices/read"
],
"notActions": [],
"dataActions": [

"Microsoft.AppPlatform/Spring/ApplicationConfigurationService/logstream/acti
on"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Apps Application Configuration Service Log
Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Apps Connect Role
Azure Spring Apps Connect Role

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/apps/deployme Connect to an instance for a specific

nts/connect/action application

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Azure Spring Apps Connect Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/80558df3-64f9-
4c0f-b32d-e5094b036b0b",
"name": "80558df3-64f9-4c0f-b32d-e5094b036b0b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/apps/deployments/connect/action"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Apps Connect Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Spring Apps Job Log Reader Role
Read real-time logs for jobs in Azure Spring Apps

Learn more

ﾉ Expand table

Actions Description

Microsoft.AppPlatform/Spring/read Get Azure Spring Apps service instance(s)

Microsoft.AppPlatform/Spring/jobs/read Get the job for a specific Azure Spring Apps

service instance

Microsoft.AppPlatform/Spring/jobs/executions/ Get the job execution for a specific Azure

read Spring Apps service instance

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/jobs/executions/ Get the streaming log of job executions for a

logstream/action specific Azure Spring Apps service instance

Microsoft.AppPlatform/Spring/jobs/executions/ List instances of a specific job execution for a

listInstances/action specific Azure Spring Apps service instance

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read real-time logs for jobs in Azure Spring Apps",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b459aa1d-e3c8-
436f-ae21-c0531140f43e",
"name": "b459aa1d-e3c8-436f-ae21-c0531140f43e",
"permissions": [
{
"actions": [
"Microsoft.AppPlatform/Spring/read",
"Microsoft.AppPlatform/Spring/jobs/read",
"Microsoft.AppPlatform/Spring/jobs/executions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/jobs/executions/logstream/action",
"Microsoft.AppPlatform/Spring/jobs/executions/listInstances/action"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Apps Job Log Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Apps Remote Debugging Role

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/apps/deployme Remote debugging app instance for a specific

nts/remotedebugging/action application

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Azure Spring Apps Remote Debugging Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a99b0159-1064-
4c22-a57b-c9b3caa1c054",
"name": "a99b0159-1064-4c22-a57b-c9b3caa1c054",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.AppPlatform/Spring/apps/deployments/remotedebugging/action"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Apps Remote Debugging Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Apps Spring Cloud Gateway Log

Reader Role
Read real-time logs for Spring Cloud Gateway in Azure Spring Apps

Learn more

ﾉ Expand table

Actions Description

Microsoft.AppPlatform/Spring/read Get Azure Spring Apps service instance(s)

Microsoft.AppPlatform/Spring/gateways/read Get the Spring Cloud Gateways for a specific

Azure Spring Apps service instance

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/SpringCloudGat Read the streaming log of Spring Cloud

eway/logstream/action Gateway from a specific Azure Spring Apps
service instance

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read real-time logs for Spring Cloud Gateway in Azure
Spring Apps",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4301dc2a-25a9-
44b0-ae63-3636cf7f2bd2",
"name": "4301dc2a-25a9-44b0-ae63-3636cf7f2bd2",
"permissions": [
{
"actions": [
"Microsoft.AppPlatform/Spring/read",
"Microsoft.AppPlatform/Spring/gateways/read"
],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/SpringCloudGateway/logstream/action"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Apps Spring Cloud Gateway Log Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Config Server Contributor

Allow read, write and delete access to Azure Spring Cloud Config Server

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/configService/re Read the configuration content(for example,

ad application.yaml) for a specific Azure Spring
Apps service instance

Microsoft.AppPlatform/Spring/configService/wr Write config server content for a specific Azure

ite Spring Apps service instance
Actions Description

Microsoft.AppPlatform/Spring/configService/de Delete config server content for a specific

lete Azure Spring Apps service instance

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allow read, write and delete access to Azure Spring Cloud
Config Server",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-
4e1a-aa2b-f19eb6684f5b",
"name": "a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/configService/read",
"Microsoft.AppPlatform/Spring/configService/write",
"Microsoft.AppPlatform/Spring/configService/delete"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Config Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Config Server Reader

Allow read access to Azure Spring Cloud Config Server

Learn more

ﾉ Expand table

Actions Description

none
Actions Description

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/configService/re Read the configuration content(for example,

ad application.yaml) for a specific Azure Spring
Apps service instance

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allow read access to Azure Spring Cloud Config Server",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-
4782-9e91-30a88feb7be7",
"name": "d04c6db6-4947-4782-9e91-30a88feb7be7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/configService/read"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Config Server Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Data Reader

Allow read access to Azure Spring Cloud Data

ﾉ Expand table
Actions Description

none

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/*/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allow read access to Azure Spring Cloud Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-
4941-a8f0-646150406f0c",
"name": "b5537268-8956-4941-a8f0-646150406f0c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/*/read"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Service Registry

Contributor
Allow read, write and delete access to Azure Spring Cloud Service Registry

Learn more
ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/eurekaService/re Read the user app(s) registration information

ad for a specific Azure Spring Apps service
instance

Microsoft.AppPlatform/Spring/eurekaService/w Write the user app(s) registration information

rite for a specific Azure Spring Apps service
instance

Microsoft.AppPlatform/Spring/eurekaService/d Delete the user app registration information for

elete a specific Azure Spring Apps service instance

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allow read, write and delete access to Azure Spring Cloud
Service Registry",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-
48be-b172-7927bfa1c8f1",
"name": "f5880b48-c26d-48be-b172-7927bfa1c8f1",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/eurekaService/read",
"Microsoft.AppPlatform/Spring/eurekaService/write",
"Microsoft.AppPlatform/Spring/eurekaService/delete"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Service Registry Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Spring Cloud Service Registry Reader

Allow read access to Azure Spring Cloud Service Registry

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AppPlatform/Spring/eurekaService/re Read the user app(s) registration information

ad for a specific Azure Spring Apps service
instance

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allow read access to Azure Spring Cloud Service Registry",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-
4e7e-856d-a8f754be7b65",
"name": "cff1b556-2399-4e7e-856d-a8f754be7b65",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppPlatform/Spring/eurekaService/read"
],
"notDataActions": []
}
],
"roleName": "Azure Spring Cloud Service Registry Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Account Administrator

Create, read, modify, and delete Media Services accounts; read-only access to other
Media Services resources.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/metricDefinitions/read Read metric definitions

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Media/mediaservices/*/read

Microsoft.Media/mediaservices/assets/listStrea List Streaming Locators for Asset

mingLocators/action

Microsoft.Media/mediaservices/streamingLocat List Paths

ors/listPaths/action

Microsoft.Media/mediaservices/write Create or Update any Media Services Account

Microsoft.Media/mediaservices/delete Delete any Media Services Account

Microsoft.Media/mediaservices/privateEndpoin Approve Private Endpoint Connections

tConnectionsApproval/action

Microsoft.Media/mediaservices/privateEndpoin
tConnections/*

NotActions

none
Actions Description

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Media Services accounts;
read-only access to other Media Services resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-
4f1c-a9ad-eca461f08466",
"name": "054126f8-9a2b-4f1c-a9ad-eca461f08466",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
"Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
"Microsoft.Media/mediaservices/write",
"Microsoft.Media/mediaservices/delete",

"Microsoft.Media/mediaservices/privateEndpointConnectionsApproval/action",
"Microsoft.Media/mediaservices/privateEndpointConnections/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Account Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Live Events Administrator

Create, read, modify, and delete Live Events, Assets, Asset Filters, and Streaming
Locators; read-only access to other Media Services resources.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/metricDefinitions/read Read metric definitions

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Media/mediaservices/*/read

Microsoft.Media/mediaservices/assets/*

Microsoft.Media/mediaservices/assets/assetfilte
rs/*

Microsoft.Media/mediaservices/streamingLocat
ors/*

Microsoft.Media/mediaservices/liveEvents/*

NotActions

Microsoft.Media/mediaservices/assets/getEncry Get Asset Encryption Key

ptionKey/action

Microsoft.Media/mediaservices/streamingLocat List Content Keys

ors/listContentKeys/action

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Live Events, Assets,
Asset Filters, and Streaming Locators; read-only access to other Media
Services resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-
42c0-969e-a1d439f60d77",
"name": "532bc159-b25e-42c0-969e-a1d439f60d77",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/*",
"Microsoft.Media/mediaservices/assets/assetfilters/*",
"Microsoft.Media/mediaservices/streamingLocators/*",
"Microsoft.Media/mediaservices/liveEvents/*"
],
"notActions": [
"Microsoft.Media/mediaservices/assets/getEncryptionKey/action",

"Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Live Events Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Media Operator

Create, read, modify, and delete Assets, Asset Filters, Streaming Locators, and Jobs;
read-only access to other Media Services resources.

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/metricDefinitions/read Read metric definitions

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Media/mediaservices/*/read

Microsoft.Media/mediaservices/assets/*

Microsoft.Media/mediaservices/assets/assetfilte
rs/*

Microsoft.Media/mediaservices/streamingLocat
ors/*

Microsoft.Media/mediaservices/transforms/jobs
/*

NotActions

Microsoft.Media/mediaservices/assets/getEncry Get Asset Encryption Key

ptionKey/action

Microsoft.Media/mediaservices/streamingLocat List Content Keys

ors/listContentKeys/action

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Assets, Asset Filters,
Streaming Locators, and Jobs; read-only access to other Media Services
resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-
4db2-bedf-88c14621589c",
"name": "e4395492-1534-4db2-bedf-88c14621589c",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/*",
"Microsoft.Media/mediaservices/assets/assetfilters/*",
"Microsoft.Media/mediaservices/streamingLocators/*",
"Microsoft.Media/mediaservices/transforms/jobs/*"
],
"notActions": [
"Microsoft.Media/mediaservices/assets/getEncryptionKey/action",

"Microsoft.Media/mediaservices/streamingLocators/listContentKeys/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Media Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Policy Administrator

Create, read, modify, and delete Account Filters, Streaming Policies, Content Key Policies,
and Transforms; read-only access to other Media Services resources. Cannot create Jobs,
Assets or Streaming resources.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Actions Description

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/metricDefinitions/read Read metric definitions

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Media/mediaservices/*/read

Microsoft.Media/mediaservices/assets/listStrea List Streaming Locators for Asset

mingLocators/action

Microsoft.Media/mediaservices/streamingLocat List Paths

ors/listPaths/action

Microsoft.Media/mediaservices/accountFilters/*

Microsoft.Media/mediaservices/streamingPolici
es/*

Microsoft.Media/mediaservices/contentKeyPoli
cies/*

Microsoft.Media/mediaservices/transforms/*

NotActions

Microsoft.Media/mediaservices/contentKeyPoli Get Policy Properties With Secrets

cies/getPolicyPropertiesWithSecrets/action

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Account Filters,
Streaming Policies, Content Key Policies, and Transforms; read-only access
to other Media Services resources. Cannot create Jobs, Assets or Streaming
resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-
4a26-b320-7250bca963ae",
"name": "c4bba371-dacd-4a26-b320-7250bca963ae",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
"Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
"Microsoft.Media/mediaservices/accountFilters/*",
"Microsoft.Media/mediaservices/streamingPolicies/*",
"Microsoft.Media/mediaservices/contentKeyPolicies/*",
"Microsoft.Media/mediaservices/transforms/*"
],
"notActions": [

"Microsoft.Media/mediaservices/contentKeyPolicies/getPolicyPropertiesWithSec
rets/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Policy Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Media Services Streaming Endpoints

Administrator
Create, read, modify, and delete Streaming Endpoints; read-only access to other Media
Services resources.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Actions Description

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/metricDefinitions/read Read metric definitions

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Media/mediaservices/*/read

Microsoft.Media/mediaservices/assets/listStrea List Streaming Locators for Asset

mingLocators/action

Microsoft.Media/mediaservices/streamingLocat List Paths

ors/listPaths/action

Microsoft.Media/mediaservices/streamingEndp
oints/*

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Create, read, modify, and delete Streaming Endpoints;
read-only access to other Media Services resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-
44d5-874c-ced7199a5804",
"name": "99dba123-b5fe-44d5-874c-ced7199a5804",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Media/mediaservices/*/read",
"Microsoft.Media/mediaservices/assets/listStreamingLocators/action",
"Microsoft.Media/mediaservices/streamingLocators/listPaths/action",
"Microsoft.Media/mediaservices/streamingEndpoints/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Media Services Streaming Endpoints Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

SignalR AccessKey Reader

Read SignalR Service Access Keys

ﾉ Expand table

Actions Description

Microsoft.SignalRService/*/read

Microsoft.SignalRService/SignalR/listkeys/actio View the value of SignalR access keys in the

n management portal or through API

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read SignalR Service Access Keys",
"id": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-
45d5-8227-78b77b0a687e",
"name": "04165923-9d83-45d5-8227-78b77b0a687e",
"permissions": [
{
"actions": [
"Microsoft.SignalRService/*/read",
"Microsoft.SignalRService/SignalR/listkeys/action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SignalR AccessKey Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

SignalR App Server

Lets your app server access SignalR Service with AAD auth options.

ﾉ Expand table

Actions Description

none

NotActions

none
Actions Description

DataActions

Microsoft.SignalRService/SignalR/auth/accessK Generate an AccessKey for signing

ey/action AccessTokens, the key will expire in 90 minutes
by default

Microsoft.SignalRService/SignalR/serverConnec Start a server connection

tion/write

Microsoft.SignalRService/SignalR/clientConnect Close client connection

ion/write

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets your app server access SignalR Service with AAD auth
options.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/420fcaa2-552c-
430f-98ca-3264be4806c7",
"name": "420fcaa2-552c-430f-98ca-3264be4806c7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/auth/accessKey/action",
"Microsoft.SignalRService/SignalR/serverConnection/write",
"Microsoft.SignalRService/SignalR/clientConnection/write"
],
"notDataActions": []
}
],
"roleName": "SignalR App Server",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

SignalR REST API Owner

Full access to Azure SignalR Service REST APIs
ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.SignalRService/SignalR/auth/clientTo Generate an AccessToken for client to connect

ken/action to ASRS, the token will expire in 5 minutes by
default

Microsoft.SignalRService/SignalR/hub/*

Microsoft.SignalRService/SignalR/group/*

Microsoft.SignalRService/SignalR/clientConnect
ion/*

Microsoft.SignalRService/SignalR/user/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Full access to Azure SignalR Service REST APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-
407a-8f46-7e7863d0f521",
"name": "fd53cd77-2268-407a-8f46-7e7863d0f521",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/auth/clientToken/action",
"Microsoft.SignalRService/SignalR/hub/*",
"Microsoft.SignalRService/SignalR/group/*",
"Microsoft.SignalRService/SignalR/clientConnection/*",
"Microsoft.SignalRService/SignalR/user/*"
],
"notDataActions": []
}
],
"roleName": "SignalR REST API Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

SignalR REST API Reader

Read-only access to Azure SignalR Service REST APIs

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.SignalRService/SignalR/group/read Check group existence or user existence in

group

Microsoft.SignalRService/SignalR/clientConnect Check client connection existence

ion/read

Microsoft.SignalRService/SignalR/user/read Check user existence

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read-only access to Azure SignalR Service REST APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-
4114-a159-3618637b3035",
"name": "ddde6b66-c0df-4114-a159-3618637b3035",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/group/read",
"Microsoft.SignalRService/SignalR/clientConnection/read",
"Microsoft.SignalRService/SignalR/user/read"
],
"notDataActions": []
}
],
"roleName": "SignalR REST API Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

SignalR Service Owner

Full access to Azure SignalR Service REST APIs

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.SignalRService/SignalR/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Full access to Azure SignalR Service REST APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-
4f59-8f37-079cfe29dce3",
"name": "7e4f1700-ea5a-4f59-8f37-079cfe29dce3",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/SignalR/*"
],
"notDataActions": []
}
],
"roleName": "SignalR Service Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

SignalR/Web PubSub Contributor

Create, Read, Update, and Delete SignalR service resources

ﾉ Expand table

Actions Description

Microsoft.SignalRService/*

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Create, Read, Update, and Delete SignalR service
resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-
4e9d-b3a1-5ceb692c2761",
"name": "8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761",
"permissions": [
{
"actions": [
"Microsoft.SignalRService/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SignalR/Web PubSub Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Web Plan Contributor

Manage the web plans for websites. Does not allow you to assign roles in Azure RBAC.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Web/serverFarms/* Create and manage server farms

Microsoft.Web/hostingEnvironments/Join/Actio Joins an App Service Environment

Microsoft.Insights/autoscalesettings/*
Actions Description

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage the web plans for websites, but not access
to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-
49a8-b449-8c00fd0f0a4b",
"name": "2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/serverFarms/*",
"Microsoft.Web/hostingEnvironments/Join/Action",
"Microsoft.Insights/autoscalesettings/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Web Plan Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Web PubSub Service Owner

Full access to Azure Web PubSub Service REST APIs
Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.SignalRService/WebPubSub/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Full access to Azure Web PubSub Service REST APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/12cf5a90-567b-
43ae-8102-96cf46c7d9b4",
"name": "12cf5a90-567b-43ae-8102-96cf46c7d9b4",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/WebPubSub/*"
],
"notDataActions": []
}
],
"roleName": "Web PubSub Service Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Web PubSub Service Reader

Read-only access to Azure Web PubSub Service REST APIs

Learn more
ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.SignalRService/WebPubSub/*/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read-only access to Azure Web PubSub Service REST APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bfb1c7d2-fb1a-
466b-b2ba-aee63b92deaf",
"name": "bfb1c7d2-fb1a-466b-b2ba-aee63b92deaf",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.SignalRService/WebPubSub/*/read"
],
"notDataActions": []
}
],
"roleName": "Web PubSub Service Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Website Contributor
Manage websites, but not web plans. Does not allow you to assign roles in Azure RBAC.

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/components/* Create and manage Insights components

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Web/certificates/* Create and manage website certificates

Microsoft.Web/listSitesAssignedToHostName/r Get names of sites assigned to hostname.

ead

Microsoft.Web/register/action Register Microsoft.Web resource provider for

the subscription.

Microsoft.Web/serverFarms/join/action Joins an App Service Plan

Microsoft.Web/serverFarms/read Get the properties on an App Service Plan

Microsoft.Web/sites/* Create and manage websites (site creation also

requires write permissions to the associated
App Service Plan)

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage websites (not web plans), but not access
to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-
47ae-9be6-808fbbe84772",
"name": "de139f84-1756-47ae-9be6-808fbbe84772",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/components/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/certificates/*",
"Microsoft.Web/listSitesAssignedToHostName/read",
"Microsoft.Web/register/action",
"Microsoft.Web/serverFarms/join/action",
"Microsoft.Web/serverFarms/read",
"Microsoft.Web/sites/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Website Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Containers
Article • 10/13/2024

This article lists the Azure built-in roles in the Containers category.

AcrDelete
Delete repositories, tags, or manifests from a container registry.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ContainerRegistry/registries/artifacts/ Delete artifact in a container registry.

delete

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "acr delete",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-
48eb-af81-4b1b4947fb11",
"name": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/artifacts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrDelete",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AcrImageSigner
Push trusted images to or pull trusted images from a container registry enabled for
content trust.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ContainerRegistry/registries/sign/writ Push/Pull content trust metadata for a

e container registry.

NotActions

none

DataActions

Microsoft.ContainerRegistry/registries/trustedC Allows push or publish of trusted collections of

ollections/write container registry content. This is similar to
Microsoft.ContainerRegistry/registries/sign/writ
e action except that this is a data action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "acr image signer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-
48e5-a04f-b8e64114680f",
"name": "6cef56e8-d556-48e5-a04f-b8e64114680f",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/sign/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/trustedCollections/write"
],
"notDataActions": []
}
],
"roleName": "AcrImageSigner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AcrPull
Pull artifacts from a container registry.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ContainerRegistry/registries/pull/read Pull or Get images from a container registry.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "acr pull",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-
4680-a7ca-43fe172d538d",
"name": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPull",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AcrPush
Push artifacts to or pull artifacts from a container registry.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ContainerRegistry/registries/pull/read Pull or Get images from a container registry.

Microsoft.ContainerRegistry/registries/push/wri Push or Write images to a container registry.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "acr push",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-
4cb8-b61a-304f252e45ec",
"name": "8311e382-0749-4cb8-b61a-304f252e45ec",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/pull/read",
"Microsoft.ContainerRegistry/registries/push/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AcrPush",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineReader
Pull quarantined images from a container registry.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ContainerRegistry/registries/quaranti Pull or Get quarantined images from container

ne/read registry

NotActions

none

DataActions

Microsoft.ContainerRegistry/registries/quaranti Allows pull or get of the quarantined artifacts

nedArtifacts/read from container registry. This is similar to
Microsoft.ContainerRegistry/registries/quaranti
ne/read except that it is a data action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "acr quarantine data reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-
44f6-95f2-9f980659eb04",
"name": "cdda3590-29a3-44f6-95f2-9f980659eb04",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineReader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AcrQuarantineWriter
Push quarantined images to or pull quarantined images from a container registry.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ContainerRegistry/registries/quaranti Pull or Get quarantined images from container

ne/read registry

Microsoft.ContainerRegistry/registries/quaranti Write/Modify quarantine state of quarantined

ne/write images

NotActions

none

DataActions

Microsoft.ContainerRegistry/registries/quaranti Allows pull or get of the quarantined artifacts

nedArtifacts/read from container registry. This is similar to
Microsoft.ContainerRegistry/registries/quaranti
ne/read except that it is a data action

Microsoft.ContainerRegistry/registries/quaranti Allows write or update of the quarantine state

nedArtifacts/write of quarantined artifacts. This is similar to
Actions Description

Microsoft.ContainerRegistry/registries/quaranti
ne/write action except that it is a data action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "acr quarantine data writer",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-
41a8-9f60-21dfdad59608",
"name": "c8d4ff99-41c3-41a8-9f60-21dfdad59608",
"permissions": [
{
"actions": [
"Microsoft.ContainerRegistry/registries/quarantine/read",
"Microsoft.ContainerRegistry/registries/quarantine/write"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/read",
"Microsoft.ContainerRegistry/registries/quarantinedArtifacts/write"
],
"notDataActions": []
}
],
"roleName": "AcrQuarantineWriter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Enabled Kubernetes Cluster User

Role
List cluster user credentials action.

ﾉ Expand table

Actions Description

Microsoft.Resources/deployments/write Creates or updates an deployment.

Actions Description

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Kubernetes/connectedClusters/listClu List clusterUser credential(preview)

sterUserCredentials/action

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Support/* Create and update a support ticket

Microsoft.Kubernetes/connectedClusters/listClu List clusterUser credential

sterUserCredential/action

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "List cluster user credentials action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-
4148-b6c5-d3ce8e4799dd",
"name": "00493d72-78f6-4148-b6c5-d3ce8e4799dd",
"permissions": [
{
"actions": [
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",

"Microsoft.Kubernetes/connectedClusters/listClusterUserCredentials/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*",

"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc Enabled Kubernetes Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Admin

Lets you manage all resources under cluster/namespace, except update or delete
resource quotas and namespaces.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions
Actions Description

Microsoft.Kubernetes/connectedClusters/apps/ Reads controllerrevisions

controllerrevisions/read

Microsoft.Kubernetes/connectedClusters/apps/
daemonsets/*

Microsoft.Kubernetes/connectedClusters/apps/
deployments/*

Microsoft.Kubernetes/connectedClusters/apps/
replicasets/*

Microsoft.Kubernetes/connectedClusters/apps/
statefulsets/*

Microsoft.Kubernetes/connectedClusters/autho Writes localsubjectaccessreviews

rization.k8s.io/localsubjectaccessreviews/write

Microsoft.Kubernetes/connectedClusters/autos
caling/horizontalpodautoscalers/*

Microsoft.Kubernetes/connectedClusters/batch
/cronjobs/*

Microsoft.Kubernetes/connectedClusters/batch
/jobs/*

Microsoft.Kubernetes/connectedClusters/config
maps/*

Microsoft.Kubernetes/connectedClusters/endp
oints/*

Microsoft.Kubernetes/connectedClusters/event Reads events

s.k8s.io/events/read

Microsoft.Kubernetes/connectedClusters/event Reads events

s/read

Microsoft.Kubernetes/connectedClusters/exten
sions/daemonsets/*

Microsoft.Kubernetes/connectedClusters/exten
sions/deployments/*

Microsoft.Kubernetes/connectedClusters/exten
sions/ingresses/*

Microsoft.Kubernetes/connectedClusters/exten
sions/networkpolicies/*
Actions Description

Microsoft.Kubernetes/connectedClusters/exten
sions/replicasets/*

Microsoft.Kubernetes/connectedClusters/limitra Reads limitranges

nges/read

Microsoft.Kubernetes/connectedClusters/name Reads namespaces

spaces/read

Microsoft.Kubernetes/connectedClusters/netwo
rking.k8s.io/ingresses/*

Microsoft.Kubernetes/connectedClusters/netwo
rking.k8s.io/networkpolicies/*

Microsoft.Kubernetes/connectedClusters/persis
tentvolumeclaims/*

Microsoft.Kubernetes/connectedClusters/pods/
*

Microsoft.Kubernetes/connectedClusters/policy
/poddisruptionbudgets/*

Microsoft.Kubernetes/connectedClusters/rbac.a
uthorization.k8s.io/rolebindings/*

Microsoft.Kubernetes/connectedClusters/rbac.a
uthorization.k8s.io/roles/*

Microsoft.Kubernetes/connectedClusters/replic
ationcontrollers/*

Microsoft.Kubernetes/connectedClusters/resour Reads resourcequotas

cequotas/read

Microsoft.Kubernetes/connectedClusters/secret
s/*

Microsoft.Kubernetes/connectedClusters/servic
eaccounts/*

Microsoft.Kubernetes/connectedClusters/servic
es/*

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace,
except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-
4dde-a09f-99eb5cc68b96",
"name": "dffb1e0c-446f-4dde-a09f-99eb5cc68b96",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [

"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/*",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/*",

"Microsoft.Kubernetes/connectedClusters/authorization.k8s.io/localsubjectacc
essreviews/write",

"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers
/*",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/*",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/*",
"Microsoft.Kubernetes/connectedClusters/configmaps/*",
"Microsoft.Kubernetes/connectedClusters/endpoints/*",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/*",
"Microsoft.Kubernetes/connectedClusters/extensions/deployments/*",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/*",

"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/*",
"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/*",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",

"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",

"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*"
,
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",

"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",

"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/rolebindin
gs/*",

"Microsoft.Kubernetes/connectedClusters/rbac.authorization.k8s.io/roles/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Cluster Admin

Lets you manage all resources in the cluster.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

Microsoft.Kubernetes/connectedClusters/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-
48a2-a542-1bd6b377f6a2",
"name": "8393591c-06b9-48a2-a542-1bd6b377f6a2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Kubernetes/connectedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Arc Kubernetes Viewer
Lets you view all resources in cluster/namespace, except secrets.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

Microsoft.Kubernetes/connectedClusters/apps/ Reads controllerrevisions

controllerrevisions/read

Microsoft.Kubernetes/connectedClusters/apps/ Reads daemonsets

daemonsets/read

Microsoft.Kubernetes/connectedClusters/apps/ Reads deployments

deployments/read

Microsoft.Kubernetes/connectedClusters/apps/ Reads replicasets

replicasets/read

Microsoft.Kubernetes/connectedClusters/apps/ Reads statefulsets

statefulsets/read

Microsoft.Kubernetes/connectedClusters/autos Reads horizontalpodautoscalers

caling/horizontalpodautoscalers/read

Microsoft.Kubernetes/connectedClusters/batch Reads cronjobs

Actions Description

/cronjobs/read

Microsoft.Kubernetes/connectedClusters/batch Reads jobs

/jobs/read

Microsoft.Kubernetes/connectedClusters/config Reads configmaps

maps/read

Microsoft.Kubernetes/connectedClusters/endp Reads endpoints

oints/read

Microsoft.Kubernetes/connectedClusters/event Reads events

s.k8s.io/events/read

Microsoft.Kubernetes/connectedClusters/event Reads events

s/read

Microsoft.Kubernetes/connectedClusters/exten Reads daemonsets

sions/daemonsets/read

Microsoft.Kubernetes/connectedClusters/exten Reads deployments

sions/deployments/read

Microsoft.Kubernetes/connectedClusters/exten Reads ingresses

sions/ingresses/read

Microsoft.Kubernetes/connectedClusters/exten Reads networkpolicies

sions/networkpolicies/read

Microsoft.Kubernetes/connectedClusters/exten Reads replicasets

sions/replicasets/read

Microsoft.Kubernetes/connectedClusters/limitra Reads limitranges

nges/read

Microsoft.Kubernetes/connectedClusters/name Reads namespaces

spaces/read

Microsoft.Kubernetes/connectedClusters/netwo Reads ingresses

rking.k8s.io/ingresses/read

Microsoft.Kubernetes/connectedClusters/netwo Reads networkpolicies

rking.k8s.io/networkpolicies/read

Microsoft.Kubernetes/connectedClusters/persis Reads persistentvolumeclaims

tentvolumeclaims/read

Microsoft.Kubernetes/connectedClusters/pods/ Reads pods

read
Actions Description

Microsoft.Kubernetes/connectedClusters/policy Reads poddisruptionbudgets

/poddisruptionbudgets/read

Microsoft.Kubernetes/connectedClusters/replic Reads replicationcontrollers

ationcontrollers/read

Microsoft.Kubernetes/connectedClusters/replic Reads replicationcontrollers

ationcontrollers/read

Microsoft.Kubernetes/connectedClusters/resour Reads resourcequotas

cequotas/read

Microsoft.Kubernetes/connectedClusters/servic Reads serviceaccounts

eaccounts/read

Microsoft.Kubernetes/connectedClusters/servic Reads services

es/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you view all resources in cluster/namespace, except
secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-
4db4-a681-037d84835eb4",
"name": "63f0a09d-1495-4db4-a681-037d84835eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [

"Microsoft.Kubernetes/connectedClusters/apps/controllerrevisions/read",
"Microsoft.Kubernetes/connectedClusters/apps/daemonsets/read",
"Microsoft.Kubernetes/connectedClusters/apps/deployments/read",
"Microsoft.Kubernetes/connectedClusters/apps/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/apps/statefulsets/read",

"Microsoft.Kubernetes/connectedClusters/autoscaling/horizontalpodautoscalers
/read",
"Microsoft.Kubernetes/connectedClusters/batch/cronjobs/read",
"Microsoft.Kubernetes/connectedClusters/batch/jobs/read",
"Microsoft.Kubernetes/connectedClusters/configmaps/read",
"Microsoft.Kubernetes/connectedClusters/endpoints/read",
"Microsoft.Kubernetes/connectedClusters/events.k8s.io/events/read",
"Microsoft.Kubernetes/connectedClusters/events/read",
"Microsoft.Kubernetes/connectedClusters/extensions/daemonsets/read",

"Microsoft.Kubernetes/connectedClusters/extensions/deployments/read",
"Microsoft.Kubernetes/connectedClusters/extensions/ingresses/read",

"Microsoft.Kubernetes/connectedClusters/extensions/networkpolicies/read",

"Microsoft.Kubernetes/connectedClusters/extensions/replicasets/read",
"Microsoft.Kubernetes/connectedClusters/limitranges/read",
"Microsoft.Kubernetes/connectedClusters/namespaces/read",

"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/read",

"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/re
ad",

"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/read",
"Microsoft.Kubernetes/connectedClusters/pods/read",

"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/read",

"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",

"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/read",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/read",
"Microsoft.Kubernetes/connectedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Arc Kubernetes Writer

Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role
bindings.
Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

Microsoft.Kubernetes/connectedClusters/apps/ Reads controllerrevisions

controllerrevisions/read

Microsoft.Kubernetes/connectedClusters/apps/
daemonsets/*

Microsoft.Kubernetes/connectedClusters/apps/
deployments/*

Microsoft.Kubernetes/connectedClusters/apps/
replicasets/*

Microsoft.Kubernetes/connectedClusters/apps/
statefulsets/*

Microsoft.Kubernetes/connectedClusters/autos
caling/horizontalpodautoscalers/*

Microsoft.Kubernetes/connectedClusters/batch
/cronjobs/*

Microsoft.Kubernetes/connectedClusters/batch
/jobs/*
Actions Description

Microsoft.Kubernetes/connectedClusters/config
maps/*

Microsoft.Kubernetes/connectedClusters/endp
oints/*

Microsoft.Kubernetes/connectedClusters/event Reads events

s.k8s.io/events/read

Microsoft.Kubernetes/connectedClusters/event Reads events

s/read

Microsoft.Kubernetes/connectedClusters/exten
sions/daemonsets/*

Microsoft.Kubernetes/connectedClusters/exten
sions/deployments/*

Microsoft.Kubernetes/connectedClusters/exten
sions/ingresses/*

Microsoft.Kubernetes/connectedClusters/exten
sions/networkpolicies/*

Microsoft.Kubernetes/connectedClusters/exten
sions/replicasets/*

Microsoft.Kubernetes/connectedClusters/limitra Reads limitranges

nges/read

Microsoft.Kubernetes/connectedClusters/name Reads namespaces

spaces/read

Microsoft.Kubernetes/connectedClusters/netwo
rking.k8s.io/ingresses/*

Microsoft.Kubernetes/connectedClusters/netwo
rking.k8s.io/networkpolicies/*

Microsoft.Kubernetes/connectedClusters/persis
tentvolumeclaims/*

Microsoft.Kubernetes/connectedClusters/pods/
*

Microsoft.Kubernetes/connectedClusters/policy
/poddisruptionbudgets/*

Microsoft.Kubernetes/connectedClusters/replic
ationcontrollers/*
Actions Description

Microsoft.Kubernetes/connectedClusters/replic
ationcontrollers/*

Microsoft.Kubernetes/connectedClusters/resour Reads resourcequotas

cequotas/read

Microsoft.Kubernetes/connectedClusters/secret
s/*

Microsoft.Kubernetes/connectedClusters/servic
eaccounts/*

Microsoft.Kubernetes/connectedClusters/servic
es/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you update everything in cluster/namespace, except
(cluster)roles and (cluster)role bindings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-
4545-85c7-50de3797e5a1",
"name": "5b999177-9696-4545-85c7-50de3797e5a1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [

"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/ingresses/*",

"Microsoft.Kubernetes/connectedClusters/networking.k8s.io/networkpolicies/*"
,
"Microsoft.Kubernetes/connectedClusters/persistentvolumeclaims/*",
"Microsoft.Kubernetes/connectedClusters/pods/*",

"Microsoft.Kubernetes/connectedClusters/policy/poddisruptionbudgets/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/replicationcontrollers/*",
"Microsoft.Kubernetes/connectedClusters/resourcequotas/read",
"Microsoft.Kubernetes/connectedClusters/secrets/*",
"Microsoft.Kubernetes/connectedClusters/serviceaccounts/*",
"Microsoft.Kubernetes/connectedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Arc Kubernetes Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Container Storage Contributor

Install Azure Container Storage and manage its storage resources. Includes an ABAC
condition to constrain role assignments.

ﾉ Expand table

Actions Description

Microsoft.KubernetesConfiguration/extensions/ Creates or updates extension resource.

write
Actions Description

Microsoft.KubernetesConfiguration/extensions/ Gets extension instance resource.

read

Microsoft.KubernetesConfiguration/extensions/ Deletes extension instance resource.

delete

Microsoft.KubernetesConfiguration/extensions/ Gets Async Operation status.

operations/read

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

Actions

Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.

Microsoft.Authorization/roleAssignments/delet Delete a role assignment at the specified scope.

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

Condition

((! Add or remove role assignments for the

(ActionMatches{'Microsoft.Authorization/roleAs following roles:
signments/write'})) OR Azure Container Storage Operator
(@Request[Microsoft.Authorization/roleAssign
ments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{08d4c71acc634
ce4a9c85dd251b4d619})) AND ((!
(ActionMatches{'Microsoft.Authorization/roleAs
signments/delete'})) OR
(@Resource[Microsoft.Authorization/roleAssign
ments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{08d4c71acc634
ce4a9c85dd251b4d619}))

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and manage its
storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95dd08a6-00bd-
4661-84bf-f6726f83a4d0",
"name": "95dd08a6-00bd-4661-84bf-f6726f83a4d0",
"permissions": [
{
"actions": [
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!
(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR
(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!
(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR
(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Container Storage Operator

Enable a managed identity to perform Azure Container Storage operations, such as
manage virtual machines and manage virtual networks.

ﾉ Expand table

Actions Description

Microsoft.ElasticSan/elasticSans/*

Microsoft.ElasticSan/locations/asyncoperations/ Polls the status of an asynchronous operation.

read

Microsoft.Network/routeTables/join/action Joins a route table. Not Alertable.

Microsoft.Network/networkSecurityGroups/join Joins a network security group. Not Alertable.

/action

Microsoft.Network/virtualNetworks/write Creates a virtual network or updates an existing

virtual network

Microsoft.Network/virtualNetworks/delete Deletes a virtual network

Microsoft.Network/virtualNetworks/join/action Joins a virtual network. Not Alertable.

Microsoft.Network/virtualNetworks/subnets/rea Gets a virtual network subnet definition

d
Actions Description

Microsoft.Network/virtualNetworks/subnets/wri Creates a virtual network subnet or updates an

te existing virtual network subnet

Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine

Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an

existing virtual machine

Microsoft.Compute/virtualMachineScaleSets/re Get the properties of a Virtual Machine Scale

ad Set

Microsoft.Compute/virtualMachineScaleSets/wr Creates a new Virtual Machine Scale Set or

ite updates an existing one

Microsoft.Compute/virtualMachineScaleSets/vir Updates the properties of a Virtual Machine in

tualMachines/write a VM Scale Set

Microsoft.Compute/virtualMachineScaleSets/vir Retrieves the properties of a Virtual Machine in

tualMachines/read a VM Scale Set

Microsoft.Resources/subscriptions/providers/re Gets or lists resource providers.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Network/virtualNetworks/read Get the virtual network definition

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Role required by a Managed Identity for Azure Container
Storage operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08d4c71a-cc63-
4ce4-a9c8-5dd251b4d619",
"name": "08d4c71a-cc63-4ce4-a9c8-5dd251b4d619",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Resources/subscriptions/providers/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/virtualNetworks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Container Storage Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Container Storage Owner

Install Azure Container Storage, grant access to its storage resources, and configure
Azure Elastic storage area network (SAN). Includes an ABAC condition to constrain role
assignments.

ﾉ Expand table

Actions Description

Microsoft.ElasticSan/elasticSans/*

Microsoft.ElasticSan/locations/*

Microsoft.ElasticSan/elasticSans/volumeGroups
/*
Actions Description

Microsoft.ElasticSan/elasticSans/volumeGroups
/volumes/*

Microsoft.ElasticSan/locations/asyncoperations/ Polls the status of an asynchronous operation.

read

Microsoft.KubernetesConfiguration/extensions/ Creates or updates extension resource.

write

Microsoft.KubernetesConfiguration/extensions/ Gets extension instance resource.

read

Microsoft.KubernetesConfiguration/extensions/ Deletes extension instance resource.

delete

Microsoft.KubernetesConfiguration/extensions/ Gets Async Operation status.

operations/read

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

Actions

Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.

Microsoft.Authorization/roleAssignments/delet Delete a role assignment at the specified scope.

e
Actions Description

NotActions

none

DataActions

none

NotDataActions

none

Condition

((! Add or remove role assignments for the

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you install Azure Container Storage and grants access
to its storage resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/95de85bd-744d-
4664-9dde-11430bc34793",
"name": "95de85bd-744d-4664-9dde-11430bc34793",
"permissions": [
{
"actions": [
"Microsoft.ElasticSan/elasticSans/*",
"Microsoft.ElasticSan/locations/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/*",
"Microsoft.ElasticSan/elasticSans/volumeGroups/volumes/*",
"Microsoft.ElasticSan/locations/asyncoperations/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
},
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!
(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR
(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619})) AND ((!
(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR
(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{08d4c71acc634ce4a9c85dd251b4d619}))"
}
],
"roleName": "Azure Container Storage Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager Contributor

Role
Grants read/write access to Azure resources provided by Azure Kubernetes Fleet
Manager, including fleets, fleet members, fleet update strategies, fleet update runs, etc.

ﾉ Expand table

Actions Description

Microsoft.ContainerService/fleets/*

Microsoft.Resources/deployments/* Create and manage a deployment

Actions Description

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Azure resources provided by
Azure Kubernetes Fleet Manager, including fleets, fleet members, fleet
update strategies, fleet update runs, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/63bb64ad-9799-
4770-b5c3-24ed299a07bf",
"name": "63bb64ad-9799-4770-b5c3-24ed299a07bf",
"permissions": [
{
"actions": [
"Microsoft.ContainerService/fleets/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Admin

Grants read/write access to Kubernetes resources within a namespace in the fleet-
managed hub cluster - provides write permissions on most objects within a namespace,
with the exception of ResourceQuota object and the namespace object itself. Applying
this role at cluster scope will give access across all namespaces.
Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ContainerService/fleets/read Get fleet

Microsoft.ContainerService/fleets/listCredential List fleet credentials

s/action

NotActions

none

DataActions

Microsoft.ContainerService/fleets/apps/controll Reads controllerrevisions

errevisions/read

Microsoft.ContainerService/fleets/apps/daemo
nsets/*

Microsoft.ContainerService/fleets/apps/deploy
ments/*

Microsoft.ContainerService/fleets/apps/stateful
sets/*

Microsoft.ContainerService/fleets/authorization. Writes localsubjectaccessreviews

k8s.io/localsubjectaccessreviews/write

Microsoft.ContainerService/fleets/autoscaling/h
orizontalpodautoscalers/*

Microsoft.ContainerService/fleets/batch/cronjo
bs/*

Microsoft.ContainerService/fleets/batch/jobs/*

Microsoft.ContainerService/fleets/configmaps/*
Actions Description

Microsoft.ContainerService/fleets/endpoints/*

Microsoft.ContainerService/fleets/events.k8s.io/ Reads events

events/read

Microsoft.ContainerService/fleets/events/read Reads events

Microsoft.ContainerService/fleets/extensions/d
aemonsets/*

Microsoft.ContainerService/fleets/extensions/d
eployments/*

Microsoft.ContainerService/fleets/extensions/in
gresses/*

Microsoft.ContainerService/fleets/extensions/n
etworkpolicies/*

Microsoft.ContainerService/fleets/limitranges/r Reads limitranges

ead

Microsoft.ContainerService/fleets/namespaces/ Reads namespaces

read

Microsoft.ContainerService/fleets/networking.k
8s.io/ingresses/*

Microsoft.ContainerService/fleets/networking.k
8s.io/networkpolicies/*

Microsoft.ContainerService/fleets/persistentvol
umeclaims/*

Microsoft.ContainerService/fleets/policy/poddis
ruptionbudgets/*

Microsoft.ContainerService/fleets/rbac.authoriz
ation.k8s.io/rolebindings/*

Microsoft.ContainerService/fleets/rbac.authoriz
ation.k8s.io/roles/*

Microsoft.ContainerService/fleets/replicationco
ntrollers/*

Microsoft.ContainerService/fleets/resourcequot Reads resourcequotas

Actions Description

as/read

Microsoft.ContainerService/fleets/secrets/*

Microsoft.ContainerService/fleets/serviceaccou
nts/*

Microsoft.ContainerService/fleets/services/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to Kubernetes resources within a
namespace in the fleet-managed hub cluster - provides write permissions on
most objects within a a namespace, with the exception of ResourceQuota
object and the namespace object itself. Applying this role at cluster scope
will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434fb43a-c01c-
447e-9f67-c3ad923cfaba",
"name": "434fb43a-c01c-447e-9f67-c3ad923cfaba",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",

"Microsoft.ContainerService/fleets/authorization.k8s.io/localsubjectaccessre
views/write",

"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/*",
"Microsoft.ContainerService/fleets/batch/cronjobs/*",
"Microsoft.ContainerService/fleets/batch/jobs/*",
"Microsoft.ContainerService/fleets/configmaps/*",
"Microsoft.ContainerService/fleets/endpoints/*",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/*",
"Microsoft.ContainerService/fleets/extensions/deployments/*",
"Microsoft.ContainerService/fleets/extensions/ingresses/*",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/*",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",
"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/*",

"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/rolebindings/*"
,

"Microsoft.ContainerService/fleets/rbac.authorization.k8s.io/roles/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Cluster

Admin
Grants read/write access to all Kubernetes resources in the fleet-managed hub cluster.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read
Actions Description

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ContainerService/fleets/read Get fleet

Microsoft.ContainerService/fleets/listCredential List fleet credentials

s/action

NotActions

none

DataActions

Microsoft.ContainerService/fleets/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to all Kubernetes resources in
the fleet-managed hub cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18ab4d3d-a1bf-
4477-8ad9-8359bc988f69",
"name": "18ab4d3d-a1bf-4477-8ad9-8359bc988f69",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Reader

Grants read-only access to most Kubernetes resources within a namespace in the fleet-
managed hub cluster. It does not allow viewing roles or role bindings. This role does not
allow viewing Secrets, since reading the contents of Secrets enables access to
ServiceAccount credentials in the namespace, which would allow API access as any
ServiceAccount in the namespace (a form of privilege escalation). Applying this role at
cluster scope will give access across all namespaces.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ContainerService/fleets/read Get fleet

Microsoft.ContainerService/fleets/listCredential List fleet credentials

s/action

NotActions

none

DataActions

Microsoft.ContainerService/fleets/apps/controll Reads controllerrevisions

errevisions/read

Microsoft.ContainerService/fleets/apps/daemo Reads daemonsets

nsets/read

Microsoft.ContainerService/fleets/apps/deploy Reads deployments

ments/read
Actions Description

Microsoft.ContainerService/fleets/apps/stateful Reads statefulsets

sets/read

Microsoft.ContainerService/fleets/autoscaling/h Reads horizontalpodautoscalers

orizontalpodautoscalers/read

Microsoft.ContainerService/fleets/batch/cronjo Reads cronjobs

bs/read

Microsoft.ContainerService/fleets/batch/jobs/re Reads jobs

Microsoft.ContainerService/fleets/configmaps/r Reads configmaps

ead

Microsoft.ContainerService/fleets/endpoints/re Reads endpoints

Microsoft.ContainerService/fleets/events.k8s.io/ Reads events

events/read

Microsoft.ContainerService/fleets/events/read Reads events

Microsoft.ContainerService/fleets/extensions/d Reads daemonsets

aemonsets/read

Microsoft.ContainerService/fleets/extensions/d Reads deployments

eployments/read

Microsoft.ContainerService/fleets/extensions/in Reads ingresses

gresses/read

Microsoft.ContainerService/fleets/extensions/n Reads networkpolicies

etworkpolicies/read

Microsoft.ContainerService/fleets/limitranges/r Reads limitranges

ead

Microsoft.ContainerService/fleets/namespaces/ Reads namespaces

read

Microsoft.ContainerService/fleets/networking.k Reads ingresses

8s.io/ingresses/read

Microsoft.ContainerService/fleets/networking.k Reads networkpolicies

8s.io/networkpolicies/read

Microsoft.ContainerService/fleets/persistentvol Reads persistentvolumeclaims

umeclaims/read
Actions Description

Microsoft.ContainerService/fleets/policy/poddis Reads poddisruptionbudgets

ruptionbudgets/read

Microsoft.ContainerService/fleets/replicationco Reads replicationcontrollers

ntrollers/read

Microsoft.ContainerService/fleets/replicationco Reads replicationcontrollers

ntrollers/read

Microsoft.ContainerService/fleets/resourcequot Reads resourcequotas

as/read

Microsoft.ContainerService/fleets/serviceaccou Reads serviceaccounts

nts/read

Microsoft.ContainerService/fleets/services/read Reads services

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants read-only access to most Kubernetes resources
within a namespace in the fleet-managed hub cluster. It does not allow
viewing roles or role bindings. This role does not allow viewing Secrets,
since reading the contents of Secrets enables access to ServiceAccount
credentials in the namespace, which would allow API access as any
ServiceAccount in the namespace (a form of privilege escalation). Applying
this role at cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/30b27cfc-9c84-
438e-b0ce-70e35255df80",
"name": "30b27cfc-9c84-438e-b0ce-70e35255df80",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/read",
"Microsoft.ContainerService/fleets/apps/deployments/read",
"Microsoft.ContainerService/fleets/apps/statefulsets/read",

"Microsoft.ContainerService/fleets/autoscaling/horizontalpodautoscalers/read
",
"Microsoft.ContainerService/fleets/batch/cronjobs/read",
"Microsoft.ContainerService/fleets/batch/jobs/read",
"Microsoft.ContainerService/fleets/configmaps/read",
"Microsoft.ContainerService/fleets/endpoints/read",
"Microsoft.ContainerService/fleets/events.k8s.io/events/read",
"Microsoft.ContainerService/fleets/events/read",
"Microsoft.ContainerService/fleets/extensions/daemonsets/read",
"Microsoft.ContainerService/fleets/extensions/deployments/read",
"Microsoft.ContainerService/fleets/extensions/ingresses/read",
"Microsoft.ContainerService/fleets/extensions/networkpolicies/read",
"Microsoft.ContainerService/fleets/limitranges/read",
"Microsoft.ContainerService/fleets/namespaces/read",

"Microsoft.ContainerService/fleets/networking.k8s.io/ingresses/read",

"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/read",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/read",

"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/replicationcontrollers/read",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/serviceaccounts/read",
"Microsoft.ContainerService/fleets/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Fleet Manager RBAC Writer

Grants read/write access to most Kubernetes resources within a namespace in the fleet-
managed hub cluster. This role does not allow viewing or modifying roles or role
bindings. However, this role allows accessing Secrets as any ServiceAccount in the
namespace, so it can be used to gain the API access levels of any ServiceAccount in the
namespace. Applying this role at cluster scope will give access across all namespaces.

Learn more

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ContainerService/fleets/read Get fleet

Microsoft.ContainerService/fleets/listCredential List fleet credentials

s/action

NotActions

none

DataActions

Microsoft.ContainerService/fleets/apps/controll Reads controllerrevisions

errevisions/read

Microsoft.ContainerService/fleets/apps/daemo
nsets/*

Microsoft.ContainerService/fleets/apps/deploy
ments/*

Microsoft.ContainerService/fleets/apps/stateful
sets/*

Microsoft.ContainerService/fleets/autoscaling/h
orizontalpodautoscalers/*

Microsoft.ContainerService/fleets/batch/cronjo
bs/*

Microsoft.ContainerService/fleets/batch/jobs/*

Microsoft.ContainerService/fleets/configmaps/*

Microsoft.ContainerService/fleets/endpoints/*

Microsoft.ContainerService/fleets/events.k8s.io/ Reads events

events/read

Microsoft.ContainerService/fleets/events/read Reads events

Actions Description

Microsoft.ContainerService/fleets/extensions/d
aemonsets/*

Microsoft.ContainerService/fleets/extensions/d
eployments/*

Microsoft.ContainerService/fleets/extensions/in
gresses/*

Microsoft.ContainerService/fleets/extensions/n
etworkpolicies/*

Microsoft.ContainerService/fleets/limitranges/r Reads limitranges

ead

Microsoft.ContainerService/fleets/namespaces/ Reads namespaces

read

Microsoft.ContainerService/fleets/networking.k
8s.io/ingresses/*

Microsoft.ContainerService/fleets/networking.k
8s.io/networkpolicies/*

Microsoft.ContainerService/fleets/persistentvol
umeclaims/*

Microsoft.ContainerService/fleets/policy/poddis
ruptionbudgets/*

Microsoft.ContainerService/fleets/replicationco
ntrollers/*

Microsoft.ContainerService/fleets/resourcequot Reads resourcequotas

as/read

Microsoft.ContainerService/fleets/secrets/*

Microsoft.ContainerService/fleets/serviceaccou
nts/*

Microsoft.ContainerService/fleets/services/*

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Grants read/write access to most Kubernetes resources
within a namespace in the fleet-managed hub cluster. This role does not
allow viewing or modifying roles or role bindings. However, this role allows
accessing Secrets as any ServiceAccount in the namespace, so it can be used
to gain the API access levels of any ServiceAccount in the namespace.
Applying this role at cluster scope will give access across all
namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5af6afb3-c06c-
4fa4-8848-71a8aee05683",
"name": "5af6afb3-c06c-4fa4-8848-71a8aee05683",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.ContainerService/fleets/read",
"Microsoft.ContainerService/fleets/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/fleets/apps/controllerrevisions/read",
"Microsoft.ContainerService/fleets/apps/daemonsets/*",
"Microsoft.ContainerService/fleets/apps/deployments/*",
"Microsoft.ContainerService/fleets/apps/statefulsets/*",

"Microsoft.ContainerService/fleets/networking.k8s.io/networkpolicies/*",
"Microsoft.ContainerService/fleets/persistentvolumeclaims/*",
"Microsoft.ContainerService/fleets/policy/poddisruptionbudgets/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/replicationcontrollers/*",
"Microsoft.ContainerService/fleets/resourcequotas/read",
"Microsoft.ContainerService/fleets/secrets/*",
"Microsoft.ContainerService/fleets/serviceaccounts/*",
"Microsoft.ContainerService/fleets/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Fleet Manager RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Arc Cluster Admin

Role
List cluster admin credential action.

Learn more

ﾉ Expand table

Actions Description

Microsoft.HybridContainerService/provisionedC Gets the Hybrid AKS provisioned cluster

lusterInstances/read instances associated with the connected cluster

Microsoft.HybridContainerService/provisionedC Lists the admin credentials of a provisioned

lusterInstances/listAdminKubeconfig/action cluster instance used only in direct mode.

Microsoft.Kubernetes/connectedClusters/Read Read connectedClusters

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b29efa5f-7782-
4dc3-9537-4d5bc70a5e9f",
"name": "b29efa5f-7782-4dc3-9537-4d5bc70a5e9f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",

"Microsoft.HybridContainerService/provisionedClusterInstances/listAdminKubec
onfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Arc Cluster User Role

List cluster user credential action.

Learn more

ﾉ Expand table

Actions Description

Microsoft.HybridContainerService/provisionedC Gets the Hybrid AKS provisioned cluster

lusterInstances/read instances associated with the connected cluster

Microsoft.HybridContainerService/provisionedC Lists the AAD user credentials of a provisioned

lusterInstances/listUserKubeconfig/action cluster instance used only in direct mode.

Microsoft.Kubernetes/connectedClusters/Read Read connectedClusters

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/233ca253-b031-
42ff-9fba-87ef12d6b55f",
"name": "233ca253-b031-42ff-9fba-87ef12d6b55f",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/provisionedClusterInstances/read",

"Microsoft.HybridContainerService/provisionedClusterInstances/listUserKubeco
nfig/action",
"Microsoft.Kubernetes/connectedClusters/Read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Arc Contributor Role

Grants access to read and write Azure Kubernetes Services hybrid clusters

Learn more

ﾉ Expand table

Actions Description

Microsoft.HybridContainerService/Locations/op read operationStatuses

erationStatuses/read

Microsoft.HybridContainerService/Operations/r read Operations

ead
Actions Description

Microsoft.HybridContainerService/kubernetesV Lists the supported kubernetes versions from

ersions/read the underlying custom location

Microsoft.HybridContainerService/kubernetesV Puts the kubernetes version resource type

ersions/write

Microsoft.HybridContainerService/kubernetesV Delete the kubernetes versions resource type

ersions/delete

Microsoft.HybridContainerService/provisionedC Gets the Hybrid AKS provisioned cluster

lusterInstances/read instances associated with the connected cluster

Microsoft.HybridContainerService/provisionedC Creates the Hybrid AKS provisioned cluster

lusterInstances/write instance

Microsoft.HybridContainerService/provisionedC Deletes the Hybrid AKS provisioned cluster

lusterInstances/delete instance

Microsoft.HybridContainerService/provisionedC Gets the agent pools in the Hybrid AKS

lusterInstances/agentPools/read provisioned cluster instance

Microsoft.HybridContainerService/provisionedC Updates the agent pool in the Hybrid AKS

lusterInstances/agentPools/write provisioned cluster instance

Microsoft.HybridContainerService/provisionedC Deletes the agent pool in the Hybrid AKS

lusterInstances/agentPools/delete provisioned cluster instance

Microsoft.HybridContainerService/provisionedC read upgradeProfiles

lusterInstances/upgradeProfiles/read

Microsoft.HybridContainerService/skus/read Lists the supported VM SKUs from the

underlying custom location

Microsoft.HybridContainerService/skus/write Puts the VM SKUs resource type

Microsoft.HybridContainerService/skus/delete Deletes the Vm Sku resource type

Microsoft.HybridContainerService/virtualNetwo Lists the Hybrid AKS virtual networks by

rks/read subscription

Microsoft.HybridContainerService/virtualNetwo Patches the Hybrid AKS virtual network

rks/write

Microsoft.HybridContainerService/virtualNetwo Deletes the Hybrid AKS virtual network

rks/delete

Microsoft.ExtendedLocation/customLocations/d Deploy permissions to a Custom Location

eploy/action resource

Microsoft.ExtendedLocation/customLocations/r Gets an Custom Location resource

Actions Description

ead

Microsoft.Kubernetes/connectedClusters/Read Read connectedClusters

Microsoft.Kubernetes/connectedClusters/Write Writes connectedClusters

Microsoft.Kubernetes/connectedClusters/Delet Deletes connectedClusters

Microsoft.Kubernetes/connectedClusters/listClu List clusterUser credential

sterUserCredential/action

Microsoft.AzureStackHCI/clusters/read Gets clusters

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Services
hybrid clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d3f1697-4507-
4d08-bb4a-477695db5f82",
"name": "5d3f1697-4507-4d08-bb4a-477695db5f82",
"permissions": [
{
"actions": [
"Microsoft.HybridContainerService/Locations/operationStatuses/read",
"Microsoft.HybridContainerService/Operations/read",
"Microsoft.HybridContainerService/kubernetesVersions/read",
"Microsoft.HybridContainerService/kubernetesVersions/write",
"Microsoft.HybridContainerService/kubernetesVersions/delete",
"Microsoft.HybridContainerService/provisionedClusterInstances/read",

"Microsoft.HybridContainerService/provisionedClusterInstances/write",

"Microsoft.HybridContainerService/provisionedClusterInstances/delete",

"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/rea
d",

"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/wri
te",

"Microsoft.HybridContainerService/provisionedClusterInstances/agentPools/del
ete",

"Microsoft.HybridContainerService/provisionedClusterInstances/upgradeProfile
s/read",
"Microsoft.HybridContainerService/skus/read",
"Microsoft.HybridContainerService/skus/write",
"Microsoft.HybridContainerService/skus/delete",
"Microsoft.HybridContainerService/virtualNetworks/read",
"Microsoft.HybridContainerService/virtualNetworks/write",
"Microsoft.HybridContainerService/virtualNetworks/delete",
"Microsoft.ExtendedLocation/customLocations/deploy/action",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Kubernetes/connectedClusters/Read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/Delete",

"Microsoft.Kubernetes/connectedClusters/listClusterUserCredential/action",
"Microsoft.AzureStackHCI/clusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Arc Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster Admin Role

List cluster admin credential action.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ContainerService/managedClusters/li List the clusterAdmin credential of a managed

stClusterAdminCredential/action cluster

Microsoft.ContainerService/managedClusters/a Get a managed cluster access profile by role

ccessProfiles/listCredential/action name using list credential
Actions Description

Microsoft.ContainerService/managedClusters/r Get a managed cluster

ead

Microsoft.ContainerService/managedClusters/r Run user issued command against managed

uncommand/action kubernetes server.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "List cluster admin credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-
4efd-b8c2-3ee1fb270be8",
"name": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
"permissions": [
{
"actions": [

"Microsoft.ContainerService/managedClusters/listClusterAdminCredential/actio
n",

"Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/ac
tion",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.ContainerService/managedClusters/runcommand/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Admin Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Kubernetes Service Cluster Monitoring
User
List cluster monitoring user credential action.

ﾉ Expand table

Actions Description

Microsoft.ContainerService/managedClusters/li List the clusterMonitoringUser credential of a

stClusterMonitoringUserCredential/action managed cluster

Microsoft.ContainerService/managedClusters/r Get a managed cluster

ead

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "List cluster monitoring user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1afdec4b-e479-
420e-99e7-f82237c7c5e6",
"name": "1afdec4b-e479-420e-99e7-f82237c7c5e6",
"permissions": [
{
"actions": [

"Microsoft.ContainerService/managedClusters/listClusterMonitoringUserCredent
ial/action",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster Monitoring User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Cluster User Role

List cluster user credential action.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ContainerService/managedClusters/li List the clusterUser credential of a managed

stClusterUserCredential/action cluster

Microsoft.ContainerService/managedClusters/r Get a managed cluster

ead

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "List cluster user credential action.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-
43d8-92c5-2d3f1bd2253f",
"name": "4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
"permissions": [
{
"actions": [

"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
",
"Microsoft.ContainerService/managedClusters/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Cluster User Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service Contributor Role

Grants access to read and write Azure Kubernetes Service clusters

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.ContainerService/locations/* Read locations available to ContainerService

resources

Microsoft.ContainerService/managedClusters/* Create and manage a managed cluster

Microsoft.ContainerService/managedclustersna Create and manage a managed cluster

pshots/* snapshot

Microsoft.ContainerService/snapshots/* Create and manage a snapshot

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Grants access to read and write Azure Kubernetes Service
clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-
4dd4-9017-9adb7ce333f8",
"name": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerService/locations/*",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.ContainerService/managedclustersnapshots/*",
"Microsoft.ContainerService/snapshots/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Admin

Lets you manage all resources under cluster/namespace, except update or delete
resource quotas and namespaces.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read
Actions Description

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ContainerService/managedClusters/li List the clusterUser credential of a managed

stClusterUserCredential/action cluster

NotActions

none

DataActions

Microsoft.ContainerService/managedClusters/*

NotDataActions

Microsoft.ContainerService/managedClusters/r Writes resourcequotas

esourcequotas/write

Microsoft.ContainerService/managedClusters/r Deletes resourcequotas

esourcequotas/delete

Microsoft.ContainerService/managedClusters/n Writes namespaces

amespaces/write

Microsoft.ContainerService/managedClusters/n Deletes namespaces

amespaces/delete

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources under cluster/namespace,
except update or delete resource quotas and namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-
435e-9b2c-8d77e338d7f7",
"name": "3498e952-d568-435e-9b2c-8d77e338d7f7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",

"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": [
"Microsoft.ContainerService/managedClusters/resourcequotas/write",
"Microsoft.ContainerService/managedClusters/resourcequotas/delete",
"Microsoft.ContainerService/managedClusters/namespaces/write",
"Microsoft.ContainerService/managedClusters/namespaces/delete"
]
}
],
"roleName": "Azure Kubernetes Service RBAC Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Cluster Admin

Lets you manage all resources in the cluster.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.ContainerService/managedClusters/li List the clusterUser credential of a managed

stClusterUserCredential/action cluster

NotActions

none

DataActions

Microsoft.ContainerService/managedClusters/*

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage all resources in the cluster.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-
4dc4-8eb5-8693973ce19b",
"name": "b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",

"Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
"
],
"notActions": [],
"dataActions": [
"Microsoft.ContainerService/managedClusters/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Reader

Allows read-only access to see most objects in a namespace. It does not allow viewing
roles or role bindings. This role does not allow viewing Secrets, since reading the
contents of Secrets enables access to ServiceAccount credentials in the namespace,
which would allow API access as any ServiceAccount in the namespace (a form of
privilege escalation). Applying this role at cluster scope will give access across all
namespaces.

Learn more
ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

Microsoft.ContainerService/managedClusters/a Reads controllerrevisions

pps/controllerrevisions/read

Microsoft.ContainerService/managedClusters/a Reads daemonsets

pps/daemonsets/read

Microsoft.ContainerService/managedClusters/a Reads deployments

pps/deployments/read

Microsoft.ContainerService/managedClusters/a Reads replicasets

pps/replicasets/read

Microsoft.ContainerService/managedClusters/a Reads statefulsets

pps/statefulsets/read

Microsoft.ContainerService/managedClusters/a Reads horizontalpodautoscalers

utoscaling/horizontalpodautoscalers/read

Microsoft.ContainerService/managedClusters/b Reads cronjobs

atch/cronjobs/read

Microsoft.ContainerService/managedClusters/b Reads jobs

atch/jobs/read

Microsoft.ContainerService/managedClusters/c Reads configmaps

onfigmaps/read

Microsoft.ContainerService/managedClusters/di Reads endpointslices

scovery.k8s.io/endpointslices/read

Microsoft.ContainerService/managedClusters/e Reads endpoints

ndpoints/read
Actions Description

Microsoft.ContainerService/managedClusters/e Reads events

vents.k8s.io/events/read

Microsoft.ContainerService/managedClusters/e Reads events

vents/read

Microsoft.ContainerService/managedClusters/e Reads daemonsets

xtensions/daemonsets/read

Microsoft.ContainerService/managedClusters/e Reads deployments

xtensions/deployments/read

Microsoft.ContainerService/managedClusters/e Reads ingresses

xtensions/ingresses/read

Microsoft.ContainerService/managedClusters/e Reads networkpolicies

xtensions/networkpolicies/read

Microsoft.ContainerService/managedClusters/e Reads replicasets

xtensions/replicasets/read

Microsoft.ContainerService/managedClusters/li Reads limitranges

mitranges/read

Microsoft.ContainerService/managedClusters/ Reads pods

metrics.k8s.io/pods/read

Microsoft.ContainerService/managedClusters/ Reads nodes

metrics.k8s.io/nodes/read

Microsoft.ContainerService/managedClusters/n Reads namespaces

amespaces/read

Microsoft.ContainerService/managedClusters/n Reads ingresses

etworking.k8s.io/ingresses/read

Microsoft.ContainerService/managedClusters/n Reads networkpolicies

etworking.k8s.io/networkpolicies/read

Microsoft.ContainerService/managedClusters/p Reads persistentvolumeclaims

ersistentvolumeclaims/read

Microsoft.ContainerService/managedClusters/p Reads pods

ods/read

Microsoft.ContainerService/managedClusters/p Reads poddisruptionbudgets

olicy/poddisruptionbudgets/read

Microsoft.ContainerService/managedClusters/r Reads replicationcontrollers

eplicationcontrollers/read
Actions Description

Microsoft.ContainerService/managedClusters/r Reads resourcequotas

esourcequotas/read

Microsoft.ContainerService/managedClusters/s Reads serviceaccounts

erviceaccounts/read

Microsoft.ContainerService/managedClusters/s Reads services

ervices/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to see most objects in a
namespace. It does not allow viewing roles or role bindings. This role does
not allow viewing Secrets, since reading the contents of Secrets enables
access to ServiceAccount credentials in the namespace, which would allow API
access as any ServiceAccount in the namespace (a form of privilege
escalation). Applying this role at cluster scope will give access across all
namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-
42ba-9220-52d62157d7db",
"name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [

"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
"Microsoft.ContainerService/managedClusters/apps/deployments/read",
"Microsoft.ContainerService/managedClusters/apps/replicasets/read",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/read",

"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautosca
lers/read",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
"Microsoft.ContainerService/managedClusters/batch/jobs/read",
"Microsoft.ContainerService/managedClusters/configmaps/read",
"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/
read",
"Microsoft.ContainerService/managedClusters/endpoints/read",

"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/read",

"Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",

"Microsoft.ContainerService/managedClusters/extensions/deployments/read",

"Microsoft.ContainerService/managedClusters/extensions/ingresses/read",

"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read"
,

"Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
"Microsoft.ContainerService/managedClusters/limitranges/read",

"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",

"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",

"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read
",

"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicie
s/read",

"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
"Microsoft.ContainerService/managedClusters/pods/read",

"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read
",

"Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/serviceaccounts/read",
"Microsoft.ContainerService/managedClusters/services/read"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Kubernetes Service RBAC Writer

Allows read/write access to most objects in a namespace. This role does not allow
viewing or modifying roles or role bindings. However, this role allows accessing Secrets
and running Pods as any ServiceAccount in the namespace, so it can be used to gain the
API access levels of any ServiceAccount in the namespace. Applying this role at cluster
scope will give access across all namespaces.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

Microsoft.ContainerService/managedClusters/a Reads controllerrevisions

pps/controllerrevisions/read

Microsoft.ContainerService/managedClusters/a
pps/daemonsets/*

Microsoft.ContainerService/managedClusters/a
pps/deployments/*

Microsoft.ContainerService/managedClusters/a
pps/replicasets/*

Microsoft.ContainerService/managedClusters/a
pps/statefulsets/*

Microsoft.ContainerService/managedClusters/a
utoscaling/horizontalpodautoscalers/*

Microsoft.ContainerService/managedClusters/b
atch/cronjobs/*

Microsoft.ContainerService/managedClusters/c Reads leases

Actions Description

oordination.k8s.io/leases/read

Microsoft.ContainerService/managedClusters/c Writes leases

oordination.k8s.io/leases/write

Microsoft.ContainerService/managedClusters/c Deletes leases

oordination.k8s.io/leases/delete

Microsoft.ContainerService/managedClusters/di Reads endpointslices

scovery.k8s.io/endpointslices/read

Microsoft.ContainerService/managedClusters/b
atch/jobs/*

Microsoft.ContainerService/managedClusters/c
onfigmaps/*

Microsoft.ContainerService/managedClusters/e
ndpoints/*

Microsoft.ContainerService/managedClusters/e Reads events

vents.k8s.io/events/read

Microsoft.ContainerService/managedClusters/e
vents/*

Microsoft.ContainerService/managedClusters/e
xtensions/daemonsets/*

Microsoft.ContainerService/managedClusters/e
xtensions/deployments/*

Microsoft.ContainerService/managedClusters/e
xtensions/ingresses/*

Microsoft.ContainerService/managedClusters/e
xtensions/networkpolicies/*

Microsoft.ContainerService/managedClusters/e
xtensions/replicasets/*

Microsoft.ContainerService/managedClusters/li Reads limitranges

mitranges/read

Microsoft.ContainerService/managedClusters/ Reads pods

metrics.k8s.io/pods/read

Microsoft.ContainerService/managedClusters/ Reads nodes

metrics.k8s.io/nodes/read
Actions Description

Microsoft.ContainerService/managedClusters/n Reads namespaces

amespaces/read

Microsoft.ContainerService/managedClusters/n
etworking.k8s.io/ingresses/*

Microsoft.ContainerService/managedClusters/n
etworking.k8s.io/networkpolicies/*

Microsoft.ContainerService/managedClusters/p
ersistentvolumeclaims/*

Microsoft.ContainerService/managedClusters/p
ods/*

Microsoft.ContainerService/managedClusters/p
olicy/poddisruptionbudgets/*

Microsoft.ContainerService/managedClusters/r
eplicationcontrollers/*

Microsoft.ContainerService/managedClusters/r Reads resourcequotas

esourcequotas/read

Microsoft.ContainerService/managedClusters/s
ecrets/*

Microsoft.ContainerService/managedClusters/s
erviceaccounts/*

Microsoft.ContainerService/managedClusters/s
ervices/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows read/write access to most objects in a
namespace.This role does not allow viewing or modifying roles or role
bindings. However, this role allows accessing Secrets and running Pods as
any ServiceAccount in the namespace, so it can be used to gain the API
access levels of any ServiceAccount in the namespace. Applying this role at
cluster scope will give access across all namespaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-
4b5c-8bdf-e2c188b2c0eb",
"name": "a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [

"Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
"Microsoft.ContainerService/managedClusters/apps/daemonsets/*",
"Microsoft.ContainerService/managedClusters/apps/deployments/*",
"Microsoft.ContainerService/managedClusters/apps/replicasets/*",
"Microsoft.ContainerService/managedClusters/apps/statefulsets/*",

"Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautosca
lers/*",
"Microsoft.ContainerService/managedClusters/batch/cronjobs/*",

"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/read"
,

"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/write
",

"Microsoft.ContainerService/managedClusters/coordination.k8s.io/leases/delet
e",

"Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/
read",
"Microsoft.ContainerService/managedClusters/batch/jobs/*",
"Microsoft.ContainerService/managedClusters/configmaps/*",
"Microsoft.ContainerService/managedClusters/endpoints/*",

"Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
"Microsoft.ContainerService/managedClusters/events/*",

"Microsoft.ContainerService/managedClusters/extensions/daemonsets/*",

"Microsoft.ContainerService/managedClusters/extensions/deployments/*",
"Microsoft.ContainerService/managedClusters/extensions/ingresses/*",

"Microsoft.ContainerService/managedClusters/extensions/networkpolicies/*",

"Microsoft.ContainerService/managedClusters/extensions/replicasets/*",
"Microsoft.ContainerService/managedClusters/limitranges/read",

"Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",

"Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
"Microsoft.ContainerService/managedClusters/namespaces/read",
"Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/*",

"Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicie
s/*",

"Microsoft.ContainerService/managedClusters/persistentvolumeclaims/*",
"Microsoft.ContainerService/managedClusters/pods/*",

"Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/*",

"Microsoft.ContainerService/managedClusters/replicationcontrollers/*",
"Microsoft.ContainerService/managedClusters/resourcequotas/read",
"Microsoft.ContainerService/managedClusters/secrets/*",
"Microsoft.ContainerService/managedClusters/serviceaccounts/*",
"Microsoft.ContainerService/managedClusters/services/*"
],
"notDataActions": []
}
],
"roleName": "Azure Kubernetes Service RBAC Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Connected Cluster Managed Identity

CheckAccess Reader
Built-in role that allows a Connected Cluster managed identity to call the checkAccess
API

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Built-in role that allows a Connected Cluster managed
identity to call the checkAccess API",
"id": "/providers/Microsoft.Authorization/roleDefinitions/65a14201-8f6c-
4c28-bec4-12619c5a9aaa",
"name": "65a14201-8f6c-4c28-bec4-12619c5a9aaa",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Connected Cluster Managed Identity CheckAccess Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Agentless Operator

Grants Microsoft Defender for Cloud access to Azure Kubernetes Services

Learn more

ﾉ Expand table

Actions Description

Microsoft.ContainerService/managedClusters/tr Create or update trusted access role bindings

ustedAccessRoleBindings/write for managed cluster

Microsoft.ContainerService/managedClusters/tr Get trusted access role bindings for managed

ustedAccessRoleBindings/read cluster

Microsoft.ContainerService/managedClusters/tr Delete trusted access role bindings for

ustedAccessRoleBindings/delete managed cluster
Actions Description

Microsoft.ContainerService/managedClusters/r Get a managed cluster

ead

Microsoft.Features/features/read Gets the features of a subscription.

Microsoft.Features/providers/features/read Gets the feature of a subscription in a given

resource provider.

Microsoft.Features/providers/features/register/ Registers the feature for a subscription in a

action given resource provider.

Microsoft.Security/pricings/securityoperators/re Gets the security operators for the scope

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants Microsoft Defender for Cloud access to Azure
Kubernetes Services",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-
4500-93be-660a0c5f5ca6",
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
"permissions": [
{
"actions": [

"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write"
,

"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",

"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete
",
"Microsoft.ContainerService/managedClusters/read",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Security/pricings/securityoperators/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Agentless Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Cluster - Azure Arc Onboarding

Role definition to authorize any user/service to create connectedClusters resource

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Kubernetes/connectedClusters/Write Writes connectedClusters

Microsoft.Kubernetes/connectedClusters/read Read connectedClusters

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Role definition to authorize any user/service to create
connectedClusters resource",
"id": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-
4d01-b1a2-e0eac5743d41",
"name": "34e09817-6cbe-4d01-b1a2-e0eac5743d41",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Kubernetes/connectedClusters/Write",
"Microsoft.Kubernetes/connectedClusters/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Cluster - Azure Arc Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Kubernetes Extension Contributor

Can create, update, get, list and delete Kubernetes Extensions, and get extension async
operations

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.KubernetesConfiguration/extensions/ Creates or updates extension resource.

write

Microsoft.KubernetesConfiguration/extensions/ Gets extension instance resource.

read

Microsoft.KubernetesConfiguration/extensions/ Deletes extension instance resource.

delete

Microsoft.KubernetesConfiguration/extensions/ Gets Async Operation status.

operations/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can create, update, get, list and delete Kubernetes
Extensions, and get extension async operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-
4c9b-8136-154b5a04f717",
"name": "85cb6faf-e071-4c9b-8136-154b5a04f717",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.KubernetesConfiguration/extensions/write",
"Microsoft.KubernetesConfiguration/extensions/read",
"Microsoft.KubernetesConfiguration/extensions/delete",
"Microsoft.KubernetesConfiguration/extensions/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Kubernetes Extension Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Service Fabric Cluster Contributor

Manage your Service Fabric Cluster resources. Includes clusters, application types,
application type versions, applications, and services. You will need additional
permissions to deploy and manage the cluster's underlying resources such as virtual
machine scale sets, storage accounts, networks, etc.

ﾉ Expand table

Actions Description

Microsoft.ServiceFabric/clusters/*

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Manage your Service Fabric Cluster resources. Includes
clusters, application types, application type versions, applications, and
services. You will need additional permissions to deploy and manage the
cluster's underlying resources such as virtual machine scale sets, storage
accounts, networks, etc.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b6efc156-f0da-
4e90-a50a-8c000140b017",
"name": "b6efc156-f0da-4e90-a50a-8c000140b017",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/clusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Service Fabric Managed Cluster Contributor

Deploy and manage your Service Fabric Managed Cluster resources. Includes managed
clusters, node types, application types, application type versions, applications, and
services.

ﾉ Expand table

Actions Description

Microsoft.ServiceFabric/managedclusters/*

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Deploy and manage your Service Fabric Managed Cluster
resources. Includes managed clusters, node types, application types,
application type versions, applications, and services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/83f80186-3729-
438c-ad2d-39e94d718838",
"name": "83f80186-3729-438c-ad2d-39e94d718838",
"permissions": [
{
"actions": [
"Microsoft.ServiceFabric/managedclusters/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Service Fabric Managed Cluster Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Databases
Article • 09/20/2024

This article lists the Azure built-in roles in the Databases category.

Azure Connected SQL Server Onboarding

Allows for read and write access to Azure resources for SQL Server on Arc-enabled
servers.

Learn more

ﾉ Expand table

Actions Description

Microsoft.AzureArcData/sqlServerInstances/rea Retrieves a SQL Server Instance resource

Microsoft.AzureArcData/sqlServerInstances/writ Updates a SQL Server Instance resource

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description":
"Microsoft.AzureArcData service role to access the resources of Microsoft.Az
ureArcData stored with RPSAAS.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-
4d33-91fa-e9b972617508",
"name": "e8113dce-c529-4d33-91fa-e9b972617508",
"permissions": [
{
"actions": [
"Microsoft.AzureArcData/sqlServerInstances/read",
"Microsoft.AzureArcData/sqlServerInstances/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected SQL Server Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cosmos DB Account Reader Role

Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for
managing Azure Cosmos DB accounts.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.DocumentDB/*/read Read any collection

Microsoft.DocumentDB/databaseAccounts/rea Reads the database account readonly keys.

donlykeys/action

Microsoft.Insights/MetricDefinitions/read Read metric definitions

Microsoft.Insights/Metrics/read Read metrics

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can read Azure Cosmos DB Accounts data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-
467e-a4d2-9458aa1360c8",
"name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDB/*/read",
"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
"Microsoft.Insights/MetricDefinitions/read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Account Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cosmos DB Operator
Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents
access to account keys and connection strings.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DocumentDb/databaseAccounts/*

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Network/virtualNetworks/subnets/joi Joins resource such as storage account or SQL

nViaServiceEndpoint/action database to a subnet. Not alertable.

NotActions

Microsoft.DocumentDB/databaseAccounts/data
TransferJobs/*

Microsoft.DocumentDB/databaseAccounts/rea
donlyKeys/*

Microsoft.DocumentDB/databaseAccounts/reg
enerateKey/*

Microsoft.DocumentDB/databaseAccounts/listK
eys/*

Microsoft.DocumentDB/databaseAccounts/listC
onnectionStrings/*

Microsoft.DocumentDB/databaseAccounts/sqlR Create or update a SQL Role Definition

oleDefinitions/write

Microsoft.DocumentDB/databaseAccounts/sqlR Delete a SQL Role Definition

oleDefinitions/delete

Microsoft.DocumentDB/databaseAccounts/sqlR Create or update a SQL Role Assignment

oleAssignments/write

Microsoft.DocumentDB/databaseAccounts/sqlR Delete a SQL Role Assignment

oleAssignments/delete

Microsoft.DocumentDB/databaseAccounts/mo Create or update a Mongo Role Definition

ngodbRoleDefinitions/write

Microsoft.DocumentDB/databaseAccounts/mo Delete a MongoDB Role Definition

ngodbRoleDefinitions/delete
Actions Description

Microsoft.DocumentDB/databaseAccounts/mo Create or update a MongoDB User Definition

ngodbUserDefinitions/write

Microsoft.DocumentDB/databaseAccounts/mo Delete a MongoDB User Definition

ngodbUserDefinitions/delete

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Cosmos DB accounts, but not access
data in them. Prevents access to account keys and connection strings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-
4aae-9cb4-875f7bd000aa",
"name": "230815da-be43-4aae-9cb4-875f7bd000aa",
"permissions": [
{
"actions": [
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",

"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [
"Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/*",
"Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
"Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
"Microsoft.DocumentDB/databaseAccounts/listKeys/*",
"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete",

"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete",

"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write",

"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

CosmosBackupOperator
Can submit restore request for a Cosmos DB database or a container for an account

Learn more

ﾉ Expand table

Actions Description

Microsoft.DocumentDB/databaseAccounts/bac Submit a request to configure backup

kup/action

Microsoft.DocumentDB/databaseAccounts/rest Submit a restore request

ore/action

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can submit restore request for a Cosmos DB database or a
container for an account",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-
42da-9f96-f2ee17bab5cb",
"name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/databaseAccounts/backup/action",
"Microsoft.DocumentDB/databaseAccounts/restore/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosBackupOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

CosmosRestoreOperator
Can perform restore action for Cosmos DB database account with continuous backup
mode

ﾉ Expand table

Actions Description

Microsoft.DocumentDB/locations/restorableDat Submit a restore request

abaseAccounts/restore/action

Microsoft.DocumentDB/locations/restorableDat
abaseAccounts/*/read

Microsoft.DocumentDB/locations/restorableDat Read a restorable database account or List all

abaseAccounts/read the restorable database accounts

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Can perform restore action for Cosmos DB database account
with continuous backup mode",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-
444a-b7ba-57c5b0b5b34f",
"name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"permissions": [
{
"actions": [

"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosRestoreOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

DocumentDB Account Contributor

Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as
DocumentDB.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.DocumentDb/databaseAccounts/* Create and manage Azure Cosmos DB accounts

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Network/virtualNetworks/subnets/joi Joins resource such as storage account or SQL

nViaServiceEndpoint/action database to a subnet. Not alertable.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage DocumentDB accounts, but not access to
them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-
4216-938b-f97437e15450",
"name": "5bd9cd88-fe45-4216-938b-f97437e15450",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",

"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DocumentDB Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

PostgreSQL Flexible Server Long Term

Retention Backup Role
Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long
Term Retention Backup.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DBforPostgreSQL/flexibleServers/ltrB Returns the list of PostgreSQL server long term

ackupOperations/read backup operation tracking.

Microsoft.DBforPostgreSQL/flexibleServers/ltrPr Checks if a server is ready for a long term

eBackup/action backup

Microsoft.DBforPostgreSQL/flexibleServers/start Start long term backup for a server

LtrBackup/action

Microsoft.DBforPostgreSQL/locations/azureAsy Return PostgreSQL Server Operation Results

ncOperation/read

Microsoft.DBforPostgreSQL/locations/operation Return PostgreSQL Server Operation Results

Results/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Role to allow backup vault to access PostgreSQL Flexible
Server Resource APIs for Long Term Retention Backup.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c088a766-074b-
43ba-90d4-1fb21feae531",
"name": "c088a766-074b-43ba-90d4-1fb21feae531",
"permissions": [
{
"actions": [

"Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read",
"Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action",
"Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action",
"Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read",
"Microsoft.DBforPostgreSQL/locations/operationResults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "PostgreSQL Flexible Server Long Term Retention Backup Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Redis Cache Contributor

Lets you manage Redis caches, but not access to them.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Cache/register/action Registers the 'Microsoft.Cache' resource

provider with a subscription

Microsoft.Cache/redis/* Create and manage Redis caches

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

Actions Description

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage Redis caches, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-
48ed-b826-c38b57376e17",
"name": "e0f68234-74aa-48ed-b826-c38b57376e17",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/register/action",
"Microsoft.Cache/redis/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Redis Cache Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

SQL DB Contributor
Lets you manage SQL databases, but not access to them. Also, you can't manage their
security-related policies or their parent SQL servers.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Sql/locations/*/read

Microsoft.Sql/servers/databases/* Create and manage SQL databases

Microsoft.Sql/servers/read Return the list of servers or gets the properties

for the specified server.

Microsoft.Support/* Create and update a support ticket

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/metricDefinitions/read Read metric definitions

NotActions

Microsoft.Sql/servers/databases/ledgerDigestU Enable uploading ledger digests

ploads/write

Microsoft.Sql/servers/databases/ledgerDigestU Disable uploading ledger digests

ploads/disable/action

Microsoft.Sql/managedInstances/databases/cur
rentSensitivityLabels/*
Actions Description

Microsoft.Sql/managedInstances/databases/rec
ommendedSensitivityLabels/*

Microsoft.Sql/managedInstances/databases/sch
emas/tables/columns/sensitivityLabels/*

Microsoft.Sql/managedInstances/databases/sec
urityAlertPolicies/*

Microsoft.Sql/managedInstances/databases/se
nsitivityLabels/*

Microsoft.Sql/managedInstances/databases/vul
nerabilityAssessments/*

Microsoft.Sql/managedInstances/securityAlertP
olicies/*

Microsoft.Sql/managedInstances/vulnerabilityA
ssessments/*

Microsoft.Sql/servers/databases/auditingSettin Edit audit settings

gs/*

Microsoft.Sql/servers/databases/auditRecords/r Retrieve the database blob audit records

ead

Microsoft.Sql/servers/databases/currentSensitiv
ityLabels/*

Microsoft.Sql/servers/databases/dataMaskingP Edit data masking policies

olicies/*

Microsoft.Sql/servers/databases/extendedAudit
ingSettings/*

Microsoft.Sql/servers/databases/recommended
SensitivityLabels/*

Microsoft.Sql/servers/databases/schemas/table
s/columns/sensitivityLabels/*

Microsoft.Sql/servers/databases/securityAlertPo Edit security alert policies

licies/*

Microsoft.Sql/servers/databases/securityMetrics Edit security metrics

Microsoft.Sql/servers/databases/sensitivityLabel
s/*
Actions Description

Microsoft.Sql/servers/databases/vulnerabilityAs
sessments/*

Microsoft.Sql/servers/databases/vulnerabilityAs
sessmentScans/*

Microsoft.Sql/servers/databases/vulnerabilityAs
sessmentSettings/*

Microsoft.Sql/servers/vulnerabilityAssessments/
*

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL databases, but not access to them.
Also, you can't manage their security-related policies or their parent SQL
servers.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-
47b0-bb0a-15c516ac86ec",
"name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/databases/*",
"Microsoft.Sql/servers/read",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/servers/databases/ledgerDigestUploads/write",

"Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",

"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",

"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivity
Labels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",

"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",

SQL Managed Instance Contributor

Lets you manage SQL Managed Instances and required network configuration, but can't
give access to others.

ﾉ Expand table

Actions Description

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope
Actions Description

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Network/networkSecurityGroups/*

Microsoft.Network/routeTables/*

Microsoft.Sql/locations/*/read

Microsoft.Sql/locations/instanceFailoverGroups
/*

Microsoft.Sql/managedInstances/*

Microsoft.Support/* Create and update a support ticket

Microsoft.Network/virtualNetworks/subnets/*

Microsoft.Network/virtualNetworks/*

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/metricDefinitions/read Read metric definitions

NotActions

Microsoft.Sql/managedInstances/azureADOnly Deletes a specific managed server Azure Active

Authentications/delete Directory only authentication object

Microsoft.Sql/managedInstances/azureADOnly Adds or updates a specific managed server

Authentications/write Azure Active Directory only authentication
object

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL Managed Instances and required network
configuration, but can't give access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-
4e48-a1e0-f2cbe897382d",
"name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"permissions": [
{
"actions": [
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/routeTables/*",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/locations/instanceFailoverGroups/*",
"Microsoft.Sql/managedInstances/*",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Managed Instance Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

SQL Security Manager

Lets you manage the security-related policies of SQL servers and databases, but not
access to them.

Learn more

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Network/virtualNetworks/subnets/joi Joins resource such as storage account or SQL

nViaServiceEndpoint/action database to a subnet. Not alertable.

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Sql/locations/administratorAzureAsyn Gets the Managed instance azure async

cOperation/read administrator operations result.

Microsoft.Sql/managedInstances/advancedThre Retrieve a list of managed instance Advanced

atProtectionSettings/read Threat Protection settings configured for a
given instance

Microsoft.Sql/managedInstances/advancedThre Change the managed instance Advanced

atProtectionSettings/write Threat Protection settings for a given managed
instance

Microsoft.Sql/managedInstances/databases/ad Retrieve a list of the managed database

vancedThreatProtectionSettings/read Advanced Threat Protection settings configured
for a given managed database

Microsoft.Sql/managedInstances/databases/ad Change the database Advanced Threat

vancedThreatProtectionSettings/write Protection settings for a given managed
database

Microsoft.Sql/managedInstances/advancedThre Retrieve a list of managed instance Advanced

atProtectionSettings/read Threat Protection settings configured for a
given instance

Microsoft.Sql/managedInstances/advancedThre Change the managed instance Advanced

atProtectionSettings/write Threat Protection settings for a given managed
instance

Microsoft.Sql/managedInstances/databases/ad Retrieve a list of the managed database

vancedThreatProtectionSettings/read Advanced Threat Protection settings configured
for a given managed database

Microsoft.Sql/managedInstances/databases/ad Change the database Advanced Threat

vancedThreatProtectionSettings/write Protection settings for a given managed
database
Actions Description

Microsoft.Sql/managedInstances/databases/cur
rentSensitivityLabels/*

Microsoft.Sql/managedInstances/databases/rec
ommendedSensitivityLabels/*

Microsoft.Sql/managedInstances/databases/sch
emas/tables/columns/sensitivityLabels/*

Microsoft.Sql/managedInstances/databases/sec
urityAlertPolicies/*

Microsoft.Sql/managedInstances/databases/se
nsitivityLabels/*

Microsoft.Sql/managedInstances/databases/vul
nerabilityAssessments/*

Microsoft.Sql/servers/advancedThreatProtectio Retrieve a list of server Advanced Threat

nSettings/read Protection settings configured for a given
server

Microsoft.Sql/servers/advancedThreatProtectio Change the server Advanced Threat Protection

nSettings/write settings for a given server

Microsoft.Sql/managedInstances/securityAlertP
olicies/*

Microsoft.Sql/managedInstances/databases/tra
nsparentDataEncryption/*

Microsoft.Sql/managedInstances/vulnerabilityA
ssessments/*

Microsoft.Sql/managedInstances/serverConfigu Gets properties for the specified Azure SQL

rationOptions/read Managed Instance Server Configuration Option.

Microsoft.Sql/managedInstances/serverConfigu Updates Azure SQL Managed Instance's Server

rationOptions/write Configuration Option properties for the
specified instance.

Microsoft.Sql/locations/serverConfigurationOpt Gets the status of Azure SQL Managed Instance

ionAzureAsyncOperation/read Server Configuration Option Azure async
operation.

Microsoft.Sql/servers/advancedThreatProtectio Retrieve a list of server Advanced Threat

nSettings/read Protection settings configured for a given
server
Actions Description

Microsoft.Sql/servers/advancedThreatProtectio Change the server Advanced Threat Protection

nSettings/write settings for a given server

Microsoft.Sql/servers/auditingSettings/* Create and manage SQL server auditing setting

Microsoft.Sql/servers/extendedAuditingSettings Retrieve details of the extended server blob

/read auditing policy configured on a given server

Microsoft.Sql/servers/databases/advancedThre Retrieve a list of database Advanced Threat

atProtectionSettings/read Protection settings configured for a given
database

Microsoft.Sql/servers/databases/advancedThre Change the database Advanced Threat

atProtectionSettings/write Protection settings for a given database

Microsoft.Sql/servers/databases/advancedThre Retrieve a list of database Advanced Threat

atProtectionSettings/read Protection settings configured for a given
database

Microsoft.Sql/servers/databases/advancedThre Change the database Advanced Threat

atProtectionSettings/write Protection settings for a given database

Microsoft.Sql/servers/databases/auditingSettin Create and manage SQL server database

gs/* auditing settings

Microsoft.Sql/servers/databases/auditRecords/r Retrieve the database blob audit records

ead

Microsoft.Sql/servers/databases/currentSensitiv
ityLabels/*

Microsoft.Sql/servers/databases/dataMaskingP Create and manage SQL server database data

olicies/* masking policies

Microsoft.Sql/servers/databases/extendedAudit Retrieve details of the extended blob auditing

ingSettings/read policy configured on a given database

Microsoft.Sql/servers/databases/read Return the list of databases or gets the

properties for the specified database.

Microsoft.Sql/servers/databases/recommended
SensitivityLabels/*

Microsoft.Sql/servers/databases/schemas/read Get a database schema.

Microsoft.Sql/servers/databases/schemas/table Get a database column.

s/columns/read

Microsoft.Sql/servers/databases/schemas/table
s/columns/sensitivityLabels/*
Actions Description

Microsoft.Sql/servers/databases/schemas/table Get a database table.

s/read

Microsoft.Sql/servers/databases/securityAlertPo Create and manage SQL server database

licies/* security alert policies

Microsoft.Sql/servers/databases/securityMetrics Create and manage SQL server database

/* security metrics

Microsoft.Sql/servers/databases/sensitivityLabel
s/*

Microsoft.Sql/servers/databases/transparentDat
aEncryption/*

Microsoft.Sql/servers/databases/sqlvulnerability
Assessments/*

Microsoft.Sql/servers/databases/vulnerabilityAs
sessments/*

Microsoft.Sql/servers/databases/vulnerabilityAs
sessmentScans/*

Microsoft.Sql/servers/databases/vulnerabilityAs
sessmentSettings/*

Microsoft.Sql/servers/devOpsAuditingSettings/
*

Microsoft.Sql/servers/firewallRules/*

Microsoft.Sql/servers/read Return the list of servers or gets the properties

for the specified server.

Microsoft.Sql/servers/securityAlertPolicies/* Create and manage SQL server security alert

policies

Microsoft.Sql/servers/sqlvulnerabilityAssessmen
ts/*

Microsoft.Sql/servers/vulnerabilityAssessments/
*

Microsoft.Support/* Create and update a support ticket

Microsoft.Sql/servers/azureADOnlyAuthenticati
ons/*

Microsoft.Sql/managedInstances/read Return the list of managed instances or gets

the properties for the specified managed
Actions Description

instance.

Microsoft.Sql/managedInstances/azureADOnly
Authentications/*

Microsoft.Security/sqlVulnerabilityAssessments/
*

Microsoft.Sql/managedInstances/administrator Gets a list of managed instance administrators.

s/read

Microsoft.Sql/servers/administrators/read Gets a specific Azure Active Directory

administrator object

Microsoft.Sql/servers/databases/ledgerDigestU
ploads/*

Microsoft.Sql/locations/ledgerDigestUploadsAz Gets in-progress operations of ledger digest

ureAsyncOperation/read upload settings

Microsoft.Sql/locations/ledgerDigestUploadsO Gets in-progress operations of ledger digest

perationResults/read upload settings

Microsoft.Sql/servers/externalPolicyBasedAutho
rizations/*

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage the security-related policies of SQL
servers and databases, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-
42e1-933e-88ba6a50c9c3",
"name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",

"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",

"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",

"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/r
ead",

"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/w
rite",

"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",

"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",

"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/r
ead",

"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/w
rite",

"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",

"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",

"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",

"Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/read",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/write",

"Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",

"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",

"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",

"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/read",

"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*"
,
"Microsoft.Sql/servers/databases/schemas/tables/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/transparentDataEncryption/*",
"Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/firewallRules/*",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Support/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/*",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
"Microsoft.Security/sqlVulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/administrators/read",
"Microsoft.Sql/servers/administrators/read",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/*",

"Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read",
"Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Security Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

SQL Server Contributor

Lets you manage SQL servers and databases, but not access to them, and not their
security-related policies.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Sql/locations/*/read

Microsoft.Sql/servers/* Create and manage SQL servers

Microsoft.Support/* Create and update a support ticket

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/metricDefinitions/read Read metric definitions

NotActions

Microsoft.Sql/managedInstances/databases/cur
rentSensitivityLabels/*

Microsoft.Sql/managedInstances/databases/rec
ommendedSensitivityLabels/*

Microsoft.Sql/managedInstances/databases/sch
emas/tables/columns/sensitivityLabels/*

Microsoft.Sql/managedInstances/databases/sec
urityAlertPolicies/*
Actions Description

Microsoft.Sql/managedInstances/databases/se
nsitivityLabels/*

Microsoft.Sql/managedInstances/databases/vul
nerabilityAssessments/*

Microsoft.Sql/managedInstances/securityAlertP
olicies/*

Microsoft.Sql/managedInstances/vulnerabilityA
ssessments/*

Microsoft.Sql/servers/auditingSettings/* Edit SQL server auditing settings

Microsoft.Sql/servers/databases/auditingSettin Edit SQL server database auditing settings

gs/*

Microsoft.Sql/servers/databases/auditRecords/r Retrieve the database blob audit records

ead

Microsoft.Sql/servers/databases/currentSensitiv
ityLabels/*

Microsoft.Sql/servers/databases/dataMaskingP Edit SQL server database data masking policies

olicies/*

Microsoft.Sql/servers/databases/extendedAudit
ingSettings/*

Microsoft.Sql/servers/databases/recommended
SensitivityLabels/*

Microsoft.Sql/servers/databases/schemas/table
s/columns/sensitivityLabels/*

Microsoft.Sql/servers/databases/securityAlertPo Edit SQL server database security alert policies

licies/*

Microsoft.Sql/servers/databases/securityMetrics Edit SQL server database security metrics

Microsoft.Sql/servers/databases/sensitivityLabel
s/*

Microsoft.Sql/servers/databases/vulnerabilityAs
sessments/*

Microsoft.Sql/servers/databases/vulnerabilityAs
sessmentScans/*
Actions Description

Microsoft.Sql/servers/databases/vulnerabilityAs
sessmentSettings/*

Microsoft.Sql/servers/devOpsAuditingSettings/
*

Microsoft.Sql/servers/extendedAuditingSettings
/*

Microsoft.Sql/servers/securityAlertPolicies/* Edit SQL server security alert policies

Microsoft.Sql/servers/vulnerabilityAssessments/
*

Microsoft.Sql/servers/azureADOnlyAuthenticati Deletes a specific server Azure Active Directory

ons/delete only authentication object

Microsoft.Sql/servers/azureADOnlyAuthenticati Adds or updates a specific server Azure Active

ons/write Directory only authentication object

Microsoft.Sql/servers/externalPolicyBasedAutho Deletes a specific server external policy based

rizations/delete authorization property

Microsoft.Sql/servers/externalPolicyBasedAutho Adds or updates a specific server external

rizations/write policy based authorization property

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL servers and databases, but not access
to them, and not their security -related policies.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-
4a1d-8b00-a9b17e38b437",
"name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [

"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",

"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",

"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",

"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*"
,
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/*",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/write",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Analytics
Article • 09/23/2024

This article lists the Azure built-in roles in the Analytics category.

Azure Event Hubs Data Owner

Allows for full access to Azure Event Hubs resources.

Learn more

ﾉ Expand table

Actions Description

Microsoft.EventHub/*

NotActions

none

DataActions

Microsoft.EventHub/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Event Hubs resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-
433a-b45c-95f59c4a2dec",
"name": "f526a384-b230-433a-b45c-95f59c4a2dec",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Event Hubs Data Receiver

Allows receive access to Azure Event Hubs resources.

Learn more

ﾉ Expand table

Actions Description

Microsoft.EventHub/*/eventhubs/consumergro
ups/read

NotActions

none

DataActions

Microsoft.EventHub/*/receive/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows receive access to Azure Event Hubs resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-
418d-83e6-5f17a39d4fde",
"name": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*/eventhubs/consumergroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*/receive/action"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Receiver",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Event Hubs Data Sender

Allows send access to Azure Event Hubs resources.

Learn more

ﾉ Expand table

Actions Description

Microsoft.EventHub/*/eventhubs/read

NotActions

none

DataActions

Microsoft.EventHub/*/send/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows send access to Azure Event Hubs resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-
4c01-ae53-ef4638d8f975",
"name": "2b629674-e913-4c01-ae53-ef4638d8f975",
"permissions": [
{
"actions": [
"Microsoft.EventHub/*/eventhubs/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Event Hubs Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Data Factory Contributor

Create and manage data factories, as well as child resources within them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.DataFactory/dataFactories/* Create and manage data factories, and child

resources within them.

Microsoft.DataFactory/factories/* Create and manage data factories, and child

resources within them.

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.EventGrid/eventSubscriptions/write Create or update an eventSubscription

NotActions

none

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Create and manage data factories, as well as child
resources within them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-
48a0-acc6-0f60742d39f5",
"name": "673868aa-7521-48a0-acc6-0f60742d39f5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DataFactory/dataFactories/*",
"Microsoft.DataFactory/factories/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.EventGrid/eventSubscriptions/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Factory Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Data Purger
Delete private data from a Log Analytics workspace.

Learn more

ﾉ Expand table
Actions Description

Microsoft.Insights/components/*/read

Microsoft.Insights/components/purge/action Purging data from Application Insights

Microsoft.OperationalInsights/workspaces/*/re View log analytics data

Microsoft.OperationalInsights/workspaces/purg Delete specified data by query from workspace.

e/action

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can purge analytics data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-
4f03-8c7f-cf70034c4e90",
"name": "150f5e0c-0603-4f03-8c7f-cf70034c4e90",
"permissions": [
{
"actions": [
"Microsoft.Insights/components/*/read",
"Microsoft.Insights/components/purge/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/purge/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Data Purger",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
HDInsight Cluster Operator
Lets you read and modify HDInsight cluster configurations.

Learn more

ﾉ Expand table

Actions Description

Microsoft.HDInsight/*/read

Microsoft.HDInsight/clusters/getGatewaySettin Get gateway settings for HDInsight Cluster

gs/action

Microsoft.HDInsight/clusters/updateGatewaySe Update gateway settings for HDInsight Cluster

ttings/action

Microsoft.HDInsight/clusters/configurations/*

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you read and modify HDInsight cluster
configurations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-
44fd-b111-e24485cc132a",
"name": "61ed4efc-fab3-44fd-b111-e24485cc132a",
"permissions": [
{
"actions": [
"Microsoft.HDInsight/*/read",
"Microsoft.HDInsight/clusters/getGatewaySettings/action",
"Microsoft.HDInsight/clusters/updateGatewaySettings/action",
"Microsoft.HDInsight/clusters/configurations/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight Cluster Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

HDInsight Domain Services Contributor

Can Read, Create, Modify and Delete Domain Services related operations needed for
HDInsight Enterprise Security Package

Learn more

ﾉ Expand table

Actions Description

Microsoft.AAD/*/read

Microsoft.AAD/domainServices/*/read

Microsoft.AAD/domainServices/oucontainer/*

NotActions

none

DataActions
Actions Description

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can Read, Create, Modify and Delete Domain Services
related operations needed for HDInsight Enterprise Security Package",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-
4bda-a417-a08778121c7c",
"name": "8d8d5a11-05d3-4bda-a417-a08778121c7c",
"permissions": [
{
"actions": [
"Microsoft.AAD/*/read",
"Microsoft.AAD/domainServices/*/read",
"Microsoft.AAD/domainServices/oucontainer/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight Domain Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

HDInsight on AKS Cluster Admin

Grants a user/group the ability to create, delete and manage clusters within a given
cluster pool. Cluster Admin can also run workloads, monitor, and manage all user
activity on these clusters.

Learn more

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.HDInsight/clusterPools/clusters/read Get details about HDInsight on AKS Cluster

Microsoft.HDInsight/clusterPools/clusters/write Create or Update HDInsight on AKS Cluster

Microsoft.HDInsight/clusterPools/clusters/delet Delete a HDInsight on AKS cluster

Microsoft.HDInsight/clusterPools/clusters/resiz Resize a HDInsight on AKS Cluster

e/action

Microsoft.HDInsight/clusterpools/clusters/insta Get details about HDInsight on AKS Cluster

nceviews/read Instance View

Microsoft.HDInsight/clusterPools/clusters/jobs/ List HDInsight on AKS Cluster Jobs

read

Microsoft.HDInsight/clusterPools/clusters/runjo Run HDInsight on AKS Cluster Job

b/action

Microsoft.HDInsight/clusterpools/clusters/servi Get details about HDInsight on AKS Cluster

ceconfigs/read Service Configurations

Microsoft.HDInsight/clusterPools/clusters/availa Get Avaliable Upgrades for HDInsight on AKS

bleupgrades/read Cluster

Microsoft.HDInsight/clusterPools/clusters/upgr Upgrade HDInsight on AKS Cluster

ade/action

Microsoft.HDInsight/clusterPools/clusters/rollb Rollback HDInsight on AKS Cluster Upgrade

ack/action

Microsoft.HDInsight/clusterPools/clusters/upgr Read HDInsight on AKS Cluster Upgrade

adehistories/read Histories

Microsoft.HDInsight/clusterPools/clusters/librar Read HDInsight on AKS Cluster Libaries

ies/read

Microsoft.HDInsight/clusterPools/clusters/mana Manage HDInsight on AKS Cluster Libaries

gelibraries/action

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/deployments/*/read
Actions Description

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Resources/deployments/validate/acti Validates an deployment.

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Resources/deployments/exportTempl Export template for a deployment

ate/action

Microsoft.Resources/subscriptions/resourcegro Gets or lists deployment operations.

ups/deployments/operations/read

Microsoft.Resources/subscriptions/resourcegro Gets or lists deployments.

ups/deployments/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Insights/AlertRules/Write Create or update a classic metric alert

Microsoft.Insights/AlertRules/Delete Delete a classic metric alert

Microsoft.Insights/AlertRules/Read Read a classic metric alert

Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated

Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved

Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled

Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/logs/read Reading data from all your logs

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Grants a user/group the ability to create, delete and
manage clusters within a given cluster pool. Cluster Admin can also run
workloads, monitor, and manage all user activity on these clusters.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fd036e6b-1266-
47a0-b0bb-a05d04831731",
"name": "fd036e6b-1266-47a0-b0bb-a05d04831731",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.HDInsight/clusterPools/clusters/read",
"Microsoft.HDInsight/clusterPools/clusters/write",
"Microsoft.HDInsight/clusterPools/clusters/delete",
"Microsoft.HDInsight/clusterPools/clusters/resize/action",
"Microsoft.HDInsight/clusterpools/clusters/instanceviews/read",
"Microsoft.HDInsight/clusterPools/clusters/jobs/read",
"Microsoft.HDInsight/clusterPools/clusters/runjob/action",
"Microsoft.HDInsight/clusterpools/clusters/serviceconfigs/read",
"Microsoft.HDInsight/clusterPools/clusters/availableupgrades/read",
"Microsoft.HDInsight/clusterPools/clusters/upgrade/action",
"Microsoft.HDInsight/clusterPools/clusters/rollback/action",
"Microsoft.HDInsight/clusterPools/clusters/upgradehistories/read",
"Microsoft.HDInsight/clusterPools/clusters/libraries/read",
"Microsoft.HDInsight/clusterPools/clusters/managelibraries/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/exportTemplate/action",

"Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/rea
d",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/logs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight on AKS Cluster Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

HDInsight on AKS Cluster Pool Admin

Can read, create, modify and delete HDInsight on AKS cluster pools and create clusters

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.HDInsight/clusterPools/clusters/read Get details about HDInsight on AKS Cluster

Microsoft.HDInsight/clusterPools/clusters/write Create or Update HDInsight on AKS Cluster

Microsoft.HDInsight/clusterPools/delete Delete a HDInsight on AKS Cluster Pool

Microsoft.HDInsight/clusterPools/read Get details about HDInsight on AKS Cluster

Pool

Microsoft.HDInsight/clusterPools/write Create or Update HDInsight on AKS Cluster

Pool

Microsoft.HDInsight/clusterpools/availableupgr Get Avaliable Upgrades for HDInsight on AKS

ades/read Cluster Pool

Microsoft.HDInsight/clusterpools/upgrade/acti Upgrade HDInsight on AKS Cluster Pool

Microsoft.HDInsight/clusterPools/upgradehisto Read HDInsight on AKS Cluster Pool Upgrade

ries/read Histories

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/deployments/validate/acti Validates an deployment.

on
Actions Description

Microsoft.Resources/deployments/*/read

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Resources/deployments/exportTempl Export template for a deployment

ate/action

Microsoft.Resources/deployments/validate/acti Validates an deployment.

Microsoft.Resources/subscriptions/resourcegro Gets or lists deployment operations.

ups/deployments/operations/read

Microsoft.Resources/subscriptions/resourcegro Gets or lists deployments.

ups/deployments/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Insights/AlertRules/Write Create or update a classic metric alert

Microsoft.Insights/AlertRules/Delete Delete a classic metric alert

Microsoft.Insights/AlertRules/Read Read a classic metric alert

Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated

Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved

Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled

Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/logs/read Reading data from all your logs

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can read, create, modify and delete HDInsight on AKS
cluster pools and create clusters",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7656b436-37d4-
490a-a4ab-d39f838f0042",
"name": "7656b436-37d4-490a-a4ab-d39f838f0042",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.HDInsight/clusterPools/clusters/read",
"Microsoft.HDInsight/clusterPools/clusters/write",
"Microsoft.HDInsight/clusterPools/delete",
"Microsoft.HDInsight/clusterPools/read",
"Microsoft.HDInsight/clusterPools/write",
"Microsoft.HDInsight/clusterpools/availableupgrades/read",
"Microsoft.HDInsight/clusterpools/upgrade/action",
"Microsoft.HDInsight/clusterPools/upgradehistories/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/validate/action",

"Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/rea
d",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/logs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "HDInsight on AKS Cluster Pool Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Log Analytics Contributor

Log Analytics Contributor can read all monitoring data and edit monitoring settings.
Editing monitoring settings includes adding the VM extension to VMs; reading storage
account keys to be able to configure collection of logs from Azure Storage; adding
solutions; and configuring Azure diagnostics on all Azure resources.

Learn more

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

Microsoft.ClassicCompute/virtualMachines/exte
nsions/*

Microsoft.ClassicStorage/storageAccounts/listK Lists the access keys for the storage accounts.

eys/action

Microsoft.Compute/virtualMachines/extensions
/*

Microsoft.HybridCompute/machines/extensions Installs or Updates an Azure Arc extensions

/write

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic

setting for Analysis Server

Microsoft.OperationalInsights/*

Microsoft.OperationsManagement/*

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourcegro
ups/deployments/*
Actions Description

Microsoft.Storage/storageAccounts/listKeys/act Returns the access keys for the specified

ion storage account.

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Log Analytics Contributor can read all monitoring data and
edit monitoring settings. Editing monitoring settings includes adding the VM
extension to VMs; reading storage account keys to be able to configure
collection of logs from Azure Storage; adding solutions; and configuring
Azure diagnostics on all Azure resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-
42b6-94a3-d43ce8d16293",
"name": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.ClassicCompute/virtualMachines/extensions/*",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.Compute/virtualMachines/extensions/*",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.OperationalInsights/*",
"Microsoft.OperationsManagement/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Log Analytics Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Log Analytics Reader

Log Analytics Reader can view and search all monitoring data as well as and view
monitoring settings, including viewing the configuration of Azure diagnostics on all
Azure resources.

Learn more

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

Microsoft.OperationalInsights/workspaces/anal Search using new engine.

ytics/query/action

Microsoft.OperationalInsights/workspaces/sear Executes a search query

ch/action

Microsoft.Support/* Create and update a support ticket

NotActions

Microsoft.OperationalInsights/workspaces/shar Retrieves the shared keys for the workspace.

edKeys/read These keys are used to connect Microsoft
Operational Insights agents to the workspace.

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Log Analytics Reader can view and search all monitoring
data as well as and view monitoring settings, including viewing the
configuration of Azure diagnostics on all Azure resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-
492b-b04d-ab87d138a893",
"name": "73c42c96-874c-492b-b04d-ab87d138a893",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.OperationalInsights/workspaces/sharedKeys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Log Analytics Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Schema Registry Contributor (Preview)

Read, write, and delete Schema Registry groups and schemas.

ﾉ Expand table

Actions Description

Microsoft.EventHub/namespaces/schemagroup
s/*

NotActions

none

DataActions

Microsoft.EventHub/namespaces/schemas/*

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Read, write, and delete Schema Registry groups and
schemas.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5dffeca3-4936-
4216-b2bc-10343a5abb25",
"name": "5dffeca3-4936-4216-b2bc-10343a5abb25",
"permissions": [
{
"actions": [
"Microsoft.EventHub/namespaces/schemagroups/*"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/namespaces/schemas/*"
],
"notDataActions": []
}
],
"roleName": "Schema Registry Contributor (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Schema Registry Reader (Preview)

Read and list Schema Registry groups and schemas.

ﾉ Expand table

Actions Description

Microsoft.EventHub/namespaces/schemagroup Get list of SchemaGroup Resource Descriptions

s/read

NotActions

none

DataActions

Microsoft.EventHub/namespaces/schemas/read Retrieve schemas

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Read and list Schema Registry groups and schemas.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2c56ea50-c6b3-
40a6-83c0-9d98858bc7d2",
"name": "2c56ea50-c6b3-40a6-83c0-9d98858bc7d2",
"permissions": [
{
"actions": [
"Microsoft.EventHub/namespaces/schemagroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventHub/namespaces/schemas/read"
],
"notDataActions": []
}
],
"roleName": "Schema Registry Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Stream Analytics Query Tester

Lets you perform query testing without creating a stream analytics job first

ﾉ Expand table

Actions Description

Microsoft.StreamAnalytics/locations/TestQuery/ Test Query for Stream Analytics Resource

action Provider

Microsoft.StreamAnalytics/locations/Operation Read Stream Analytics Operation Result

Results/read

Microsoft.StreamAnalytics/locations/SampleInp Sample Input for Stream Analytics Resource

ut/action Provider

Microsoft.StreamAnalytics/locations/CompileQ Compile Query for Stream Analytics Resource

uery/action Provider

NotActions

none
Actions Description

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you perform query testing without creating a stream
analytics job first",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-
4e25-8312-2acb3c3c5abf",
"name": "1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf",
"permissions": [
{
"actions": [
"Microsoft.StreamAnalytics/locations/TestQuery/action",
"Microsoft.StreamAnalytics/locations/OperationResults/read",
"Microsoft.StreamAnalytics/locations/SampleInput/action",
"Microsoft.StreamAnalytics/locations/CompileQuery/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Stream Analytics Query Tester",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No
Provide product feedback | Get help at Microsoft Q&A
Azure built-in roles for AI + machine
learning
Article • 10/28/2024

This article lists the Azure built-in roles in the AI + machine learning category.

AgFood Platform Sensor Partner Contributor

Provides contribute access to manage sensor related entities in AgFood Platform Service

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AgFoodPlatform/farmBeats/sensorPa
rtnerScope/*

NotDataActions

Microsoft.AgFoodPlatform/farmBeats/sensorPa Deletes an existing AgFoodPlatform sensors

rtnerScope/sensors/delete resource restricted to caller's sensor partner
scope.

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides contribute access to manage sensor related
entities in AgFood Platform Service",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6b77f0a0-0d89-
41cc-acd1-579c22c17a67",
"name": "6b77f0a0-0d89-41cc-acd1-579c22c17a67",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/*"
],
"notDataActions": [

"Microsoft.AgFoodPlatform/farmBeats/sensorPartnerScope/sensors/delete"
]
}
],
"roleName": "AgFood Platform Sensor Partner Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AgFood Platform Service Admin

Provides admin access to AgFood Platform Service

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AgFoodPlatform/* Create, update, read and delete any AgFood

Platform resources.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides admin access to AgFood Platform Service",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-
4747-ad80-a19b7f6079e3",
"name": "f8da80de-1ff9-4747-ad80-a19b7f6079e3",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AgFoodPlatform/*"
],
"notDataActions": []
}
],
"roleName": "AgFood Platform Service Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AgFood Platform Service Contributor

Provides contribute access to AgFood Platform Service

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AgFoodPlatform/*/action

Microsoft.AgFoodPlatform/*/read Read any AgFood Platform resources.

Microsoft.AgFoodPlatform/*/write Create and update any AgFood Platform

resources.

NotDataActions

Microsoft.AgFoodPlatform/farmBeats/farmers/ Creates or Updates AgFoodPlatform farmers.

write

Microsoft.AgFoodPlatform/farmBeats/deletionJ
obs/*/write

Microsoft.AgFoodPlatform/farmBeats/parties/w Creates or Updates AgFoodPlatform parties.

rite
Actions Description

Microsoft.AgFoodPlatform/farmBeats/datasets/ Creates or Updates AgFoodPlatform datasets.

write

Microsoft.AgFoodPlatform/farmBeats/datasetR Creates or Updates AgFoodPlatform Dataset

ecords/write Records.

Microsoft.AgFoodPlatform/farmBeats/datasets/
access/*/action

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides contribute access to AgFood Platform Service",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-
4e45-963b-2518ee0bb728",
"name": "8508508a-4469-4e45-963b-2518ee0bb728",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AgFoodPlatform/*/action",
"Microsoft.AgFoodPlatform/*/read",
"Microsoft.AgFoodPlatform/*/write"
],
"notDataActions": [
"Microsoft.AgFoodPlatform/farmBeats/farmers/write",
"Microsoft.AgFoodPlatform/farmBeats/deletionJobs/*/write",
"Microsoft.AgFoodPlatform/farmBeats/parties/write",
"Microsoft.AgFoodPlatform/farmBeats/datasets/write",
"Microsoft.AgFoodPlatform/farmBeats/datasetRecords/write",
"Microsoft.AgFoodPlatform/farmBeats/datasets/access/*/action"
]
}
],
"roleName": "AgFood Platform Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AgFood Platform Service Reader

Provides read access to AgFood Platform Service

Learn more
ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AgFoodPlatform/*/list/action

Microsoft.AgFoodPlatform/*/read Read any AgFood Platform resources.

Microsoft.AgFoodPlatform/*/search/action

Microsoft.AgFoodPlatform/*/download/action

Microsoft.AgFoodPlatform/*/overlap/action

Microsoft.AgFoodPlatform/*/checkConsent/acti
on

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides read access to AgFood Platform Service",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-
41fe-9aaf-980df0a44eba",
"name": "7ec7ccdc-f61e-41fe-9aaf-980df0a44eba",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AgFoodPlatform/*/list/action",
"Microsoft.AgFoodPlatform/*/read",
"Microsoft.AgFoodPlatform/*/search/action",
"Microsoft.AgFoodPlatform/*/download/action",
"Microsoft.AgFoodPlatform/*/overlap/action",
"Microsoft.AgFoodPlatform/*/checkConsent/action"
],
"notDataActions": []
}
],
"roleName": "AgFood Platform Service Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure AI Developer
Can perform all actions within an Azure AI resource besides managing the resource
itself.

Learn more

ﾉ Expand table

Actions Description

Microsoft.MachineLearningServices/workspaces
/*/read

Microsoft.MachineLearningServices/workspaces
/*/action

Microsoft.MachineLearningServices/workspaces
/*/delete

Microsoft.MachineLearningServices/workspaces
/*/write

Microsoft.MachineLearningServices/locations/*/
read

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

NotActions

Microsoft.MachineLearningServices/workspaces Deletes the Machine Learning Services

/delete Workspace(s)

Microsoft.MachineLearningServices/workspaces Creates or updates a Machine Learning Services

/write Workspace(s)

Microsoft.MachineLearningServices/workspaces List secrets for a Machine Learning Services

/listKeys/action Workspace

Microsoft.MachineLearningServices/workspaces Creates or updates a Machine Learning Services

/hubs/write Hub Workspace(s)
Actions Description

Microsoft.MachineLearningServices/workspaces Deletes the Machine Learning Services Hub

/hubs/delete Workspace(s)

Microsoft.MachineLearningServices/workspaces Creates or Updates the Machine Learning

/featurestores/write Services FeatureStore(s)

Microsoft.MachineLearningServices/workspaces Deletes the Machine Learning Services

/featurestores/delete FeatureStore(s)

DataActions

Microsoft.CognitiveServices/accounts/OpenAI/*

Microsoft.CognitiveServices/accounts/SpeechS
ervices/*

Microsoft.CognitiveServices/accounts/ContentS
afety/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can perform all actions within an Azure AI resource
besides managing the resource itself.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/64702f94-c441-
49e6-a78b-ef80e0188fee",
"name": "64702f94-c441-49e6-a78b-ef80e0188fee",
"permissions": [
{
"actions": [
"Microsoft.MachineLearningServices/workspaces/*/read",
"Microsoft.MachineLearningServices/workspaces/*/action",
"Microsoft.MachineLearningServices/workspaces/*/delete",
"Microsoft.MachineLearningServices/workspaces/*/write",
"Microsoft.MachineLearningServices/locations/*/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*"
],
"notActions": [
"Microsoft.MachineLearningServices/workspaces/delete",
"Microsoft.MachineLearningServices/workspaces/write",
"Microsoft.MachineLearningServices/workspaces/listKeys/action",
"Microsoft.MachineLearningServices/workspaces/hubs/write",
"Microsoft.MachineLearningServices/workspaces/hubs/delete",
"Microsoft.MachineLearningServices/workspaces/featurestores/write",
"Microsoft.MachineLearningServices/workspaces/featurestores/delete"
],
"dataActions": [
"Microsoft.CognitiveServices/accounts/OpenAI/*",
"Microsoft.CognitiveServices/accounts/SpeechServices/*",
"Microsoft.CognitiveServices/accounts/ContentSafety/*"
],
"notDataActions": []
}
],
"roleName": "Azure AI Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure AI Enterprise Network Connection

Approver
Can approve private endpoint connections to Azure AI common dependency resources

Learn more

ﾉ Expand table

Actions Description

Microsoft.ContainerRegistry/registries/privateE Auto Approves a Private Endpoint Connection

ndpointConnectionsApproval/action

Microsoft.ContainerRegistry/registries/privateE Gets the properties of private endpoint

ndpointConnections/read connection or list all the private endpoint
connections for the specified container registry

Microsoft.ContainerRegistry/registries/privateE Approves/Rejects the private endpoint

ndpointConnections/write connection

Microsoft.Cache/redis/read View the Redis Cache's settings and

configuration in the management portal

Microsoft.Cache/redis/privateEndpointConnecti Read a private endpoint connection

ons/read

Microsoft.Cache/redis/privateEndpointConnecti Write a private endpoint connection

ons/write

Microsoft.Cache/redis/privateLinkResources/rea Read 'groupId' of redis subresource that a

d private link can be connected to
Actions Description

Microsoft.Cache/redis/privateEndpointConnecti Approve Private Endpoint Connections

onsApproval/action

Microsoft.Cache/redisEnterprise/read View the Redis Enterprise cache's settings and

configuration in the management portal

Microsoft.Cache/redisEnterprise/privateEndpoi Read a private endpoint connection

ntConnections/read

Microsoft.Cache/redisEnterprise/privateEndpoi Write a private endpoint connection

ntConnections/write

Microsoft.Cache/redisEnterprise/privateLinkRes Read 'groupId' of redis subresource that a

ources/read private link can be connected to

Microsoft.Cache/redisEnterprise/privateEndpoi Approve Private Endpoint Connections

ntConnectionsApproval/action

Microsoft.CognitiveServices/accounts/read Reads API accounts.

Microsoft.CognitiveServices/accounts/privateEn Reads private endpoint connections.

dpointConnections/read

Microsoft.CognitiveServices/accounts/privateEn Writes a private endpoint connections.

dpointConnections/write

Microsoft.CognitiveServices/accounts/privateLi Reads private link resources for an account.

nkResources/read

Microsoft.DocumentDB/databaseAccounts/priv Manage a private endpoint connection of

ateEndpointConnectionsApproval/action Database Account

Microsoft.DocumentDB/databaseAccounts/priv Read a private endpoint connection or list all

ateEndpointConnections/read the private endpoint connections of a Database
Account

Microsoft.DocumentDB/databaseAccounts/priv Create or update a private endpoint connection

ateEndpointConnections/write of a Database Account

Microsoft.DocumentDB/databaseAccounts/priv Read a private link resource or list all the

ateLinkResources/read private link resources of a Database Account

Microsoft.DocumentDB/databaseAccounts/rea Reads a database account.

Microsoft.KeyVault/vaults/privateEndpointConn Approve or reject a connection to a Private

ectionsApproval/action Endpoint resource of Microsoft.Network
provider
Actions Description

Microsoft.KeyVault/vaults/privateEndpointConn View the state of a connection to a Private

ections/read Endpoint resource of Microsoft.Network
provider

Microsoft.KeyVault/vaults/privateEndpointConn Change the state of a connection to a Private

ections/write Endpoint resource of Microsoft.Network
provider

Microsoft.KeyVault/vaults/privateLinkResources Get the available private link resources for the

/read specified instance of Key Vault

Microsoft.KeyVault/vaults/read View the properties of a key vault

Microsoft.MachineLearningServices/workspaces Approve or reject a connection to a Private

/privateEndpointConnectionsApproval/action Endpoint resource of Microsoft.Network
provider

Microsoft.MachineLearningServices/workspaces View the state of a connection to a Private

/privateEndpointConnections/read Endpoint resource of Microsoft.Network
provider

Microsoft.MachineLearningServices/workspaces Change the state of a connection to a Private

/privateEndpointConnections/write Endpoint resource of Microsoft.Network
provider

Microsoft.MachineLearningServices/workspaces Gets the available private link resources for the

/privateLinkResources/read specified instance of the Machine Learning
Services Workspace(s)

Microsoft.MachineLearningServices/workspaces Gets the Machine Learning Services

/read Workspace(s)

Microsoft.Storage/storageAccounts/privateEnd Get Private Endpoint Connection

pointConnections/read

Microsoft.Storage/storageAccounts/privateEnd Put Private Endpoint Connection

pointConnections/write

Microsoft.Storage/storageAccounts/privateLink Get StorageAccount groupids

Resources/read

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.Sql/servers/privateEndpointConnecti Determines if user is allowed to approve a

onsApproval/action private endpoint connection

Microsoft.Sql/servers/privateEndpointConnecti Returns the list of private endpoint connections

ons/read or gets the properties for the specified private
endpoint connection.
Actions Description

Microsoft.Sql/servers/privateEndpointConnecti Approves or rejects an existing private

ons/write endpoint connection

Microsoft.Sql/servers/privateLinkResources/rea Get the private link resources for the

d corresponding sql server

Microsoft.Sql/servers/read Return the list of servers or gets the properties

for the specified server.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can approve private endpoint connections to Azure AI
common dependency resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b556d68e-0be0-
4f35-a333-ad7ee1ce17ea",
"name": "b556d68e-0be0-4f35-a333-ad7ee1ce17ea",
"permissions": [
{
"actions": [

"Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/a
ction",

"Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",

"Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
"Microsoft.Cache/redis/read",
"Microsoft.Cache/redis/privateEndpointConnections/read",
"Microsoft.Cache/redis/privateEndpointConnections/write",
"Microsoft.Cache/redis/privateLinkResources/read",
"Microsoft.Cache/redis/privateEndpointConnectionsApproval/action",
"Microsoft.Cache/redisEnterprise/read",
"Microsoft.Cache/redisEnterprise/privateEndpointConnections/read",
"Microsoft.Cache/redisEnterprise/privateEndpointConnections/write",
"Microsoft.Cache/redisEnterprise/privateLinkResources/read",
"Microsoft.Cache/redisEnterprise/privateEndpointConnectionsApproval/action",
"Microsoft.CognitiveServices/accounts/read",

"Microsoft.CognitiveServices/accounts/privateEndpointConnections/read",

"Microsoft.CognitiveServices/accounts/privateEndpointConnections/write",
"Microsoft.CognitiveServices/accounts/privateLinkResources/read",

"Microsoft.DocumentDB/databaseAccounts/privateEndpointConnectionsApproval/ac
tion",

"Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/read",

"Microsoft.DocumentDB/databaseAccounts/privateEndpointConnections/write",
"Microsoft.DocumentDB/databaseAccounts/privateLinkResources/read",
"Microsoft.DocumentDB/databaseAccounts/read",

"Microsoft.KeyVault/vaults/privateEndpointConnectionsApproval/action",
"Microsoft.KeyVault/vaults/privateEndpointConnections/read",
"Microsoft.KeyVault/vaults/privateEndpointConnections/write",
"Microsoft.KeyVault/vaults/privateLinkResources/read",
"Microsoft.KeyVault/vaults/read",

"Microsoft.MachineLearningServices/workspaces/privateEndpointConnectionsAppr
oval/action",

"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/rea
d",

"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/wri
te",

"Microsoft.MachineLearningServices/workspaces/privateLinkResources/read",
"Microsoft.MachineLearningServices/workspaces/read",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/read",

"Microsoft.Storage/storageAccounts/privateEndpointConnections/write",
"Microsoft.Storage/storageAccounts/privateLinkResources/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Sql/servers/privateEndpointConnectionsApproval/action",
"Microsoft.Sql/servers/privateEndpointConnections/read",
"Microsoft.Sql/servers/privateEndpointConnections/write",
"Microsoft.Sql/servers/privateLinkResources/read",
"Microsoft.Sql/servers/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure AI Enterprise Network Connection Approver",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure AI Inference Deployment Operator
Can perform all actions required to create a resource deployment within a resource
group.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Insights/AutoscaleSettings/write Create or update an autoscale setting

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can perform all actions required to create a resource
deployment within a resource group.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3afb7f49-54cb-
416e-8c09-6dc049efa503",
"name": "3afb7f49-54cb-416e-8c09-6dc049efa503",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Insights/AutoscaleSettings/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure AI Inference Deployment Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AzureML Compute Operator

Can access and perform CRUD operations on Machine Learning Services managed
compute resources (including Notebook VMs).

Learn more

ﾉ Expand table

Actions Description

Microsoft.MachineLearningServices/workspaces
/computes/*

Microsoft.MachineLearningServices/workspaces
/notebooks/vm/*

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can access and perform CRUD operations on Machine Learning
Services managed compute resources (including Notebook VMs).",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e503ece1-11d0-
4e8e-8e2c-7a6c3bf38815",
"name": "e503ece1-11d0-4e8e-8e2c-7a6c3bf38815",
"permissions": [
{
"actions": [
"Microsoft.MachineLearningServices/workspaces/computes/*",
"Microsoft.MachineLearningServices/workspaces/notebooks/vm/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AzureML Compute Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AzureML Data Scientist

Can perform all actions within an Azure Machine Learning workspace, except for
creating or deleting compute resources and modifying the workspace itself.

Learn more

ﾉ Expand table

Actions Description

Microsoft.MachineLearningServices/workspaces
/*/read

Microsoft.MachineLearningServices/workspaces
/*/action

Microsoft.MachineLearningServices/workspaces
/*/delete

Microsoft.MachineLearningServices/workspaces
/*/write

NotActions

Microsoft.MachineLearningServices/workspaces Deletes the Machine Learning Services

/delete Workspace(s)

Microsoft.MachineLearningServices/workspaces Creates or updates a Machine Learning Services

/write Workspace(s)

Microsoft.MachineLearningServices/workspaces
/computes/*/write
Actions Description

Microsoft.MachineLearningServices/workspaces
/computes/*/delete

Microsoft.MachineLearningServices/workspaces List secrets for compute resources in Machine

/computes/listKeys/action Learning Services Workspace

Microsoft.MachineLearningServices/workspaces List secrets for a Machine Learning Services

/listKeys/action Workspace

Microsoft.MachineLearningServices/workspaces Creates or updates a Machine Learning Services

/hubs/write Hub Workspace(s)

Microsoft.MachineLearningServices/workspaces Deletes the Machine Learning Services Hub

/hubs/delete Workspace(s)

Microsoft.MachineLearningServices/workspaces Creates or Updates the Machine Learning

/featurestores/write Services FeatureStore(s)

Microsoft.MachineLearningServices/workspaces Deletes the Machine Learning Services

/featurestores/delete FeatureStore(s)

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can perform all actions within an Azure Machine Learning
workspace, except for creating or deleting compute resources and modifying
the workspace itself.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-
469d-8ca1-694a8f32e121",
"name": "f6c7c914-8db3-469d-8ca1-694a8f32e121",
"permissions": [
{
"actions": [
"Microsoft.MachineLearningServices/workspaces/*/read",
"Microsoft.MachineLearningServices/workspaces/*/action",
"Microsoft.MachineLearningServices/workspaces/*/delete",
"Microsoft.MachineLearningServices/workspaces/*/write"
],
"notActions": [
"Microsoft.MachineLearningServices/workspaces/delete",
"Microsoft.MachineLearningServices/workspaces/write",
"Microsoft.MachineLearningServices/workspaces/computes/*/write",
"Microsoft.MachineLearningServices/workspaces/computes/*/delete",

"Microsoft.MachineLearningServices/workspaces/computes/listKeys/action",
"Microsoft.MachineLearningServices/workspaces/listKeys/action",
"Microsoft.MachineLearningServices/workspaces/hubs/write",
"Microsoft.MachineLearningServices/workspaces/hubs/delete",
"Microsoft.MachineLearningServices/workspaces/featurestores/write",
"Microsoft.MachineLearningServices/workspaces/featurestores/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AzureML Data Scientist",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AzureML Metrics Writer (preview)

Lets you write metrics to AzureML workspace

Learn more

ﾉ Expand table

Actions Description

Microsoft.MachineLearningServices/workspaces
/metrics/*/write

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you write metrics to AzureML workspace",
"id": "/providers/Microsoft.Authorization/roleDefinitions/635dd51f-9968-
44d3-b7fb-6d9a6bd613ae",
"name": "635dd51f-9968-44d3-b7fb-6d9a6bd613ae",
"permissions": [
{
"actions": [
"Microsoft.MachineLearningServices/workspaces/metrics/*/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AzureML Metrics Writer (preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

AzureML Registry User

Can perform all actions on Machine Learning Services Registry assets as well as get
Registry resources.

Learn more

ﾉ Expand table

Actions Description

Microsoft.MachineLearningServices/registries/r Gets the Machine Learning Services registry(ies)

ead

Microsoft.MachineLearningServices/registries/a
ssets/*

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Can perform all actions on Machine Learning Services
Registry assets as well as get Registry resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1823dd4f-9b8c-
4ab6-ab4e-7397a3684615",
"name": "1823dd4f-9b8c-4ab6-ab4e-7397a3684615",
"permissions": [
{
"actions": [
"Microsoft.MachineLearningServices/registries/read",
"Microsoft.MachineLearningServices/registries/assets/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "AzureML Registry User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Contributor

Lets you create, read, update, delete and manage keys of Cognitive Services.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.CognitiveServices/*

Microsoft.Features/features/read Gets the features of a subscription.

Microsoft.Features/providers/features/read Gets the feature of a subscription in a given

resource provider.

Microsoft.Features/providers/features/register/ Registers the feature for a subscription in a

action given resource provider.

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Actions Description

Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic

setting for Analysis Server

Microsoft.Insights/logDefinitions/read Read log definitions

Microsoft.Insights/metricdefinitions/read Read metric definitions

Microsoft.Insights/metrics/read Read metrics

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourcegro
ups/deployments/*

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you create, read, update, delete and manage keys of
Cognitive Services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-
42a3-aa1a-3b75d497ee68",
"name": "25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.CognitiveServices/*",
"Microsoft.Features/features/read",
"Microsoft.Features/providers/features/read",
"Microsoft.Features/providers/features/register/action",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Insights/logDefinitions/read",
"Microsoft.Insights/metricdefinitions/read",
"Microsoft.Insights/metrics/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cognitive Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Contributor

Full access to the project, including the ability to view, create, edit, or delete projects.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

NotActions

none
Actions Description

DataActions

Microsoft.CognitiveServices/accounts/CustomV
ision/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Full access to the project, including the ability to view,
create, edit, or delete projects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-
46fe-8896-e0ef812ad9f3",
"name": "c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Custom Vision Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Deployment

Publish, unpublish or export models. Deployment can view the project but can't update.

Learn more

ﾉ Expand table
Actions Description

Microsoft.CognitiveServices/*/read

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/CustomV
ision/*/read

Microsoft.CognitiveServices/accounts/CustomV
ision/projects/predictions/*

Microsoft.CognitiveServices/accounts/CustomV
ision/projects/iterations/publish/*

Microsoft.CognitiveServices/accounts/CustomV
ision/projects/iterations/export/*

Microsoft.CognitiveServices/accounts/CustomV
ision/projects/quicktest/*

Microsoft.CognitiveServices/accounts/CustomV
ision/classify/*

Microsoft.CognitiveServices/accounts/CustomV
ision/detect/*

NotDataActions

Microsoft.CognitiveServices/accounts/CustomV Exports a project.

ision/projects/export/read

JSON

{
"assignableScopes": [
"/"
],
"description": "Publish, unpublish or export models. Deployment can view
the project but can't update.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-
4d2f-b296-c1bc7137275f",
"name": "5c4089e1-6d96-4d2f-b296-c1bc7137275f",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/*",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/publi
sh/*",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/iterations/expor
t/*",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/quicktest/*",
"Microsoft.CognitiveServices/accounts/CustomVision/classify/*",
"Microsoft.CognitiveServices/accounts/CustomVision/detect/*"
],
"notDataActions": [

"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Deployment",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Labeler

View, edit training images and create, add, remove, or delete the image tags. Labelers
can view the project but can't update anything other than training images and tags.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/CustomV
ision/*/read
Actions Description

Microsoft.CognitiveServices/accounts/CustomV Get images that were sent to your prediction

ision/projects/predictions/query/action endpoint.

Microsoft.CognitiveServices/accounts/CustomV
ision/projects/images/*

Microsoft.CognitiveServices/accounts/CustomV
ision/projects/tags/*

Microsoft.CognitiveServices/accounts/CustomV
ision/projects/images/suggested/*

Microsoft.CognitiveServices/accounts/CustomV This API will get suggested tags and regions for
ision/projects/tagsandregions/suggestions/acti an array/batch of untagged images along with
on confidences for the tags. It returns an empty
array if no tags are found.

NotDataActions

Microsoft.CognitiveServices/accounts/CustomV Exports a project.

ision/projects/export/read

JSON

{
"assignableScopes": [
"/"
],
"description": "View, edit training images and create, add, remove, or
delete the image tags. Labelers can view the project but can't update
anything other than training images and tags.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-
446f-bc41-7fa16989e96c",
"name": "88424f51-ebe7-446f-bc41-7fa16989e96c",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/quer
y/action",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/images/*",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/tags/*",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/images/suggested
/*",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/tagsandregions/s
uggestions/action"
],
"notDataActions": [

"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Labeler",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Reader

Read-only actions in the project. Readers can't create or update the project.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/CustomV
ision/*/read

Microsoft.CognitiveServices/accounts/CustomV Get images that were sent to your prediction

ision/projects/predictions/query/action endpoint.

NotDataActions

Microsoft.CognitiveServices/accounts/CustomV Exports a project.

ision/projects/export/read

JSON

{
"assignableScopes": [
"/"
],
"description": "Read-only actions in the project. Readers can't create or
update the project.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-
4a6b-ba08-b9f0940c2d73",
"name": "93586559-c37d-4a6b-ba08-b9f0940c2d73",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*/read",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/predictions/quer
y/action"
],
"notDataActions": [

"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Custom Vision Trainer

View, edit projects and train the models, including the ability to publish, unpublish,
export the models. Trainers can't create or delete the project.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/CustomV
ision/*
Actions Description

NotDataActions

Microsoft.CognitiveServices/accounts/CustomV Create a project.

ision/projects/action

Microsoft.CognitiveServices/accounts/CustomV Delete a specific project.

ision/projects/delete

Microsoft.CognitiveServices/accounts/CustomV Imports a project.

ision/projects/import/action

Microsoft.CognitiveServices/accounts/CustomV Exports a project.

ision/projects/export/read

JSON

{
"assignableScopes": [
"/"
],
"description": "View, edit projects and train the models, including the
ability to publish, unpublish, export the models. Trainers can't create or
delete the project.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-
4eeb-be61-29fc9b54394b",
"name": "0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/CustomVision/projects/action",
"Microsoft.CognitiveServices/accounts/CustomVision/projects/delete",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/import/action",

"Microsoft.CognitiveServices/accounts/CustomVision/projects/export/read"
]
}
],
"roleName": "Cognitive Services Custom Vision Trainer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Data Reader
Lets you read Cognitive Services data.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.CognitiveServices/*/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you read Cognitive Services data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-
499b-be73-45a86b5b3e1c",
"name": "b59867f0-fa02-499b-be73-45a86b5b3e1c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/*/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Face Recognizer
Lets you perform detect, verify, identify, group, and find similar operations on Face API.
This role does not allow create or delete operations, which makes it well suited for
endpoints that only need inferencing capabilities, following 'least privilege' best
practices.

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/Face/det Detect human faces in an image, return face

ect/action rectangles, and optionally with faceIds,
landmarks, and attributes.

Microsoft.CognitiveServices/accounts/Face/verif Verify whether two faces belong to a same

y/action person or whether one face belongs to a
person.

Microsoft.CognitiveServices/accounts/Face/ide 1-to-many identification to find the closest

ntify/action matches of the specific query person face from
a person group or large person group.

Microsoft.CognitiveServices/accounts/Face/gro Divide candidate faces into groups based on

up/action face similarity.

Microsoft.CognitiveServices/accounts/Face/find Given query face's faceId, to search the similar-

similars/action looking faces from a faceId array, a face list or a
large face list. faceId

Microsoft.CognitiveServices/accounts/Face/det Performs liveness detection on a target face in

ectliveness/multimodal/action a sequence of infrared, color and/or depth
images, and returns the liveness classification
of the target face as either ‘real face’, ‘spoof
face’, or ‘uncertain’ if a classification cannot be
made with the given inputs.

Microsoft.CognitiveServices/accounts/Face/det Performs liveness detection on a target face in

ectliveness/singlemodal/action a sequence of images of the same modality
(e.g. color or infrared), and returns the liveness
classification of the target face as either ‘real
face’, ‘spoof face’, or ‘uncertain’ if a
Actions Description

classification cannot be made with the given

inputs.

Microsoft.CognitiveServices/accounts/Face/det Detects liveness of a target face in a sequence

ectlivenesswithverify/singlemodal/action of images of the same stream type (e.g. color)
and then compares with VerifyImage to return
confidence score for identity scenarios.

Microsoft.CognitiveServices/accounts/Face/*/se
ssions/action

Microsoft.CognitiveServices/accounts/Face/*/se
ssions/delete

Microsoft.CognitiveServices/accounts/Face/*/se
ssions/read

Microsoft.CognitiveServices/accounts/Face/*/se
ssions/audit/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you perform detect, verify, identify, group, and find
similar operations on Face API. This role does not allow create or delete
operations, which makes it well suited for endpoints that only need
inferencing capabilities, following 'least privilege' best practices.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-
44aa-828b-cb588cd6f2d7",
"name": "9894cab4-e18a-44aa-828b-cb588cd6f2d7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/Face/detect/action",
"Microsoft.CognitiveServices/accounts/Face/verify/action",
"Microsoft.CognitiveServices/accounts/Face/identify/action",
"Microsoft.CognitiveServices/accounts/Face/group/action",
"Microsoft.CognitiveServices/accounts/Face/findsimilars/action",

"Microsoft.CognitiveServices/accounts/Face/detectliveness/multimodal/action"
,
"Microsoft.CognitiveServices/accounts/Face/detectliveness/singlemodal/action
",

"Microsoft.CognitiveServices/accounts/Face/detectlivenesswithverify/singlemo
dal/action",
"Microsoft.CognitiveServices/accounts/Face/*/sessions/action",
"Microsoft.CognitiveServices/accounts/Face/*/sessions/delete",
"Microsoft.CognitiveServices/accounts/Face/*/sessions/read",
"Microsoft.CognitiveServices/accounts/Face/*/sessions/audit/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Face Recognizer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Immersive Reader User

Provides access to create Immersive Reader sessions and call APIs

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/Immersiv Creates an Immersive Reader session

eReader/getcontentmodelforreader/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides access to create Immersive Reader sessions and
call APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b2de6794-95db-
4659-8781-7e080d3f2b9d",
"name": "b2de6794-95db-4659-8781-7e080d3f2b9d",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.CognitiveServices/accounts/ImmersiveReader/getcontentmodelforread
er/action"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Immersive Reader User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Language Owner

Has access to all Read, Test, Write, Deploy and Delete functions under Language portal

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.CognitiveServices/accounts/listkeys/a List keys

ction

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/Languag
eAuthoring/*

Microsoft.CognitiveServices/accounts/Conversa
Actions Description

tionalLanguageUnderstanding/*

Microsoft.CognitiveServices/accounts/Languag
e/*

Microsoft.CognitiveServices/accounts/TextAnaly
tics/*

NotDataActions

Microsoft.CognitiveServices/accounts/TextAnaly
tics/QnaMaker/*

JSON

{
"assignableScopes": [
"/"
],
"description": "Has access to all Read, Test, Write, Deploy and Delete
functions under Language portal",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f07febfe-79bc-
46b1-8b37-790e26e6e498",
"name": "f07febfe-79bc-46b1-8b37-790e26e6e498",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.CognitiveServices/accounts/listkeys/action",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/LanguageAuthoring/*",

"Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*"
,
"Microsoft.CognitiveServices/accounts/Language/*",
"Microsoft.CognitiveServices/accounts/TextAnalytics/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*"
]
}
],
"roleName": "Cognitive Services Language Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Language Reader
Has access to Read and Test functions under Language portal

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/Languag
eAuthoring/*/read

Microsoft.CognitiveServices/accounts/Conversa
tionalLanguageUnderstanding/*/read

Microsoft.CognitiveServices/accounts/Conversa Triggers a job to export project data in JSON

tionalLanguageUnderstanding/projects/export/ format.
action

Microsoft.CognitiveServices/accounts/Languag
e/*/read

Microsoft.CognitiveServices/accounts/Languag
e/*/projects/export/action

Microsoft.CognitiveServices/accounts/Languag Answer Text.

e/query-text/action

Microsoft.CognitiveServices/accounts/Languag Query Dataverse.

e/query-dataverse/action

Microsoft.CognitiveServices/accounts/Languag Submit a collection of text documents for

e/analyze-text/jobs/action analysis. Specify one or more unique tasks to
be executed.

Microsoft.CognitiveServices/accounts/Languag Submit a collection of text documents for

e/analyze-text/action analysis. Specify a single unique task to be
executed immediately.
Actions Description

Microsoft.CognitiveServices/accounts/Languag Cancel a long-running Text Analysis job.

e/analyze-text/jobscancel/action

Microsoft.CognitiveServices/accounts/Languag Analyzes the input conversation.

e/analyze-conversations/action

Microsoft.CognitiveServices/accounts/Languag Cancel a long-running analysis job on

e/analyze-conversations/jobscancel/action conversation.

Microsoft.CognitiveServices/accounts/Languag Submit a long conversation for analysis. Specify

e/analyze-conversations/jobs/action one or more unique tasks to be executed as a
long-running operation.

Microsoft.CognitiveServices/accounts/Languag Answer Knowledgebase.

e/query-knowledgebases/action

Microsoft.CognitiveServices/accounts/Languag Language generation.

e/generate/action

Microsoft.CognitiveServices/accounts/TextAnaly
tics/*

NotDataActions

Microsoft.CognitiveServices/accounts/TextAnaly
tics/QnaMaker/*

JSON

{
"assignableScopes": [
"/"
],
"description": "Has access to Read and Test functions under Language
portal",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7628b7b8-a8b2-
4cdc-b46f-e9b35248918e",
"name": "7628b7b8-a8b2-4cdc-b46f-e9b35248918e",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/LanguageAuthoring/*/read",

"Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/*/
read",

"Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/pr
ojects/export/action",
"Microsoft.CognitiveServices/accounts/Language/*/read",

"Microsoft.CognitiveServices/accounts/Language/*/projects/export/action",
"Microsoft.CognitiveServices/accounts/Language/query-text/action",
"Microsoft.CognitiveServices/accounts/Language/query-
dataverse/action",
"Microsoft.CognitiveServices/accounts/Language/analyze-
text/jobs/action",
"Microsoft.CognitiveServices/accounts/Language/analyze-text/action",
"Microsoft.CognitiveServices/accounts/Language/analyze-
text/jobscancel/action",
"Microsoft.CognitiveServices/accounts/Language/analyze-
conversations/action",
"Microsoft.CognitiveServices/accounts/Language/analyze-
conversations/jobscancel/action",
"Microsoft.CognitiveServices/accounts/Language/analyze-
conversations/jobs/action",
"Microsoft.CognitiveServices/accounts/Language/query-
knowledgebases/action",
"Microsoft.CognitiveServices/accounts/Language/generate/action",
"Microsoft.CognitiveServices/accounts/TextAnalytics/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*"
]
}
],
"roleName": "Cognitive Services Language Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Language Writer

Has access to all Read, Test, and Write functions under Language Portal

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Actions Description

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/Languag
eAuthoring/*

Microsoft.CognitiveServices/accounts/Conversa
tionalLanguageUnderstanding/*

Microsoft.CognitiveServices/accounts/Languag
e/*

Microsoft.CognitiveServices/accounts/TextAnaly
tics/*

NotDataActions

Microsoft.CognitiveServices/accounts/Languag Trigger publishing job.

eAuthoring/projects/publish/action

Microsoft.CognitiveServices/accounts/Conversa Trigger job to create new deployment or

tionalLanguageUnderstanding/projects/deploy replace an existing deployment.
ments/write

Microsoft.CognitiveServices/accounts/TextAnaly
tics/QnaMaker/*

Microsoft.CognitiveServices/accounts/Languag
e/*/projects/delete

Microsoft.CognitiveServices/accounts/Languag
e/*/projects/deployments/write

Microsoft.CognitiveServices/accounts/Languag
e/*/projects/deployments/delete

Microsoft.CognitiveServices/accounts/Languag
e/*/projects/deployments/swap/action

JSON

{
"assignableScopes": [
"/"
],
"description": " Has access to all Read, Test, and Write functions under
Language Portal",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f2310ca1-dc64-
4889-bb49-c8e0fa3d47a8",
"name": "f2310ca1-dc64-4889-bb49-c8e0fa3d47a8",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/LanguageAuthoring/*",

"Microsoft.CognitiveServices/accounts/LanguageAuthoring/projects/publish/act
ion",

"Microsoft.CognitiveServices/accounts/ConversationalLanguageUnderstanding/pr
ojects/deployments/write",
"Microsoft.CognitiveServices/accounts/TextAnalytics/QnaMaker/*",
"Microsoft.CognitiveServices/accounts/Language/*/projects/delete",

"Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/write"
,

"Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/delete
",

"Microsoft.CognitiveServices/accounts/Language/*/projects/deployments/swap/a
ction"
]
}
],
"roleName": "Cognitive Services Language Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services LUIS Owner

Has access to all Read, Test, Write, Deploy and Delete functions under LUIS

Learn more
ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.CognitiveServices/accounts/listkeys/a List keys

ction

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/LUIS/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": " Has access to all Read, Test, Write, Deploy and Delete
functions under LUIS",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f72c8140-2111-
481c-87ff-72b910f6e3f8",
"name": "f72c8140-2111-481c-87ff-72b910f6e3f8",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.CognitiveServices/accounts/listkeys/action",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/LUIS/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services LUIS Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services LUIS Reader

Has access to Read and Test functions under LUIS.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/LUIS/*/re
ad

Microsoft.CognitiveServices/accounts/LUIS/app Updates last test results of an exisiting batch

s/testdatasets/write test data set for a given application.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Has access to Read and Test functions under LUIS.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18e81cdc-4e98-
4e29-a639-e7d10c5a6226",
"name": "18e81cdc-4e98-4e29-a639-e7d10c5a6226",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/LUIS/*/read",
"Microsoft.CognitiveServices/accounts/LUIS/apps/testdatasets/write"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services LUIS Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services LUIS Writer

Has access to all Read, Test, and Write functions under LUIS

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/LUIS/*

NotDataActions

Microsoft.CognitiveServices/accounts/LUIS/app Deletes an application.

s/delete

Microsoft.CognitiveServices/accounts/LUIS/app Moves the app to a different LUIS authoring

s/move/action Azure resource.

Microsoft.CognitiveServices/accounts/LUIS/app Publishes a specific version of the application.

s/publish/action
Actions Description

Microsoft.CognitiveServices/accounts/LUIS/app Updates the application settings

s/settings/write

Microsoft.CognitiveServices/accounts/LUIS/app Assigns an Azure account to the application.

s/azureaccounts/action

Microsoft.CognitiveServices/accounts/LUIS/app Gets the LUIS Azure accounts for the user using
s/azureaccounts/delete his Azure Resource Manager token.

JSON

{
"assignableScopes": [
"/"
],
"description": "Has access to all Read, Test, and Write functions under
LUIS",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6322a993-d5c9-
4bed-b113-e49bbea25b27",
"name": "6322a993-d5c9-4bed-b113-e49bbea25b27",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/LUIS/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/LUIS/apps/delete",
"Microsoft.CognitiveServices/accounts/LUIS/apps/move/action",
"Microsoft.CognitiveServices/accounts/LUIS/apps/publish/action",
"Microsoft.CognitiveServices/accounts/LUIS/apps/settings/write",

"Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/action",

"Microsoft.CognitiveServices/accounts/LUIS/apps/azureaccounts/delete"
]
}
],
"roleName": "Cognitive Services LUIS Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cognitive Services Metrics Advisor
Administrator
Full access to the project, including the system level configuration.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/MetricsA
dvisor/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Full access to the project, including the system level
configuration.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-
4ec5-977c-e80c4affc34a",
"name": "cb43c632-a144-4ec5-977c-e80c4affc34a",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Metrics Advisor Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Metrics Advisor User

Access to the project.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/MetricsA
dvisor/*

NotDataActions

Microsoft.CognitiveServices/accounts/MetricsA
dvisor/stats/*

JSON

{
"assignableScopes": [
"/"
],
"description": "Access to the project.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-
43cb-8114-4bd2201156a8",
"name": "3b20f47b-3825-43cb-8114-4bd2201156a8",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/MetricsAdvisor/*"
],
"notDataActions": [
"Microsoft.CognitiveServices/accounts/MetricsAdvisor/stats/*"
]
}
],
"roleName": "Cognitive Services Metrics Advisor User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services OpenAI Contributor

Full access including the ability to fine-tune, deploy and generate text

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.CognitiveServices/accounts/deploym Writes deployments.

ents/write

Microsoft.CognitiveServices/accounts/deploym Deletes deployments.

ents/delete

Microsoft.CognitiveServices/accounts/raiPolicie Gets all applicable policies under the account

s/read including default policies.

Microsoft.CognitiveServices/accounts/raiPolicie Create or update a custom Responsible AI

s/write policy.

Microsoft.CognitiveServices/accounts/raiPolicie Deletes a custom Responsible AI policy that's

s/delete not referenced by an existing deployment.

Microsoft.CognitiveServices/accounts/commitm Reads commitment plans.

entplans/read

Microsoft.CognitiveServices/accounts/commitm Writes commitment plans.

entplans/write

Microsoft.CognitiveServices/accounts/commitm Deletes commitment plans.

entplans/delete

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions
Actions Description

none

DataActions

Microsoft.CognitiveServices/accounts/OpenAI/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Full access including the ability to fine-tune, deploy and
generate text",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a001fd3d-188f-
4b5d-821b-7da978bf7442",
"name": "a001fd3d-188f-4b5d-821b-7da978bf7442",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.CognitiveServices/accounts/deployments/write",
"Microsoft.CognitiveServices/accounts/deployments/delete",
"Microsoft.CognitiveServices/accounts/raiPolicies/read",
"Microsoft.CognitiveServices/accounts/raiPolicies/write",
"Microsoft.CognitiveServices/accounts/raiPolicies/delete",
"Microsoft.CognitiveServices/accounts/commitmentplans/read",
"Microsoft.CognitiveServices/accounts/commitmentplans/write",
"Microsoft.CognitiveServices/accounts/commitmentplans/delete",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/OpenAI/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services OpenAI Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services OpenAI User

Read access to view files, models, deployments. The ability to create completion and
embedding calls.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/OpenAI/*
/read

Microsoft.CognitiveServices/accounts/OpenAI/ Create a completion from a chosen model

engines/completions/action

Microsoft.CognitiveServices/accounts/OpenAI/ Search for the most relevant documents using

engines/search/action the current engine.

Microsoft.CognitiveServices/accounts/OpenAI/ (Intended for browsers only.) Stream generated

engines/generate/action text from the model via GET request. This
method is provided because the browser-native
EventSource method can only send GET
requests. It supports a more limited set of
configuration options than the POST variant.

Microsoft.CognitiveServices/accounts/OpenAI/ Return the transcript or translation for a given

deployments/audio/action audio file.

Microsoft.CognitiveServices/accounts/OpenAI/ Search for the most relevant documents using

deployments/search/action the current engine.

Microsoft.CognitiveServices/accounts/OpenAI/ Create a completion from a chosen model.

deployments/completions/action

Microsoft.CognitiveServices/accounts/OpenAI/ Creates a completion for the chat message

deployments/chat/completions/action

Microsoft.CognitiveServices/accounts/OpenAI/ Creates a completion for the chat message with

deployments/extensions/chat/completions/acti extensions
Actions Description

Microsoft.CognitiveServices/accounts/OpenAI/ Return the embeddings for a given prompt.

deployments/embeddings/action

Microsoft.CognitiveServices/accounts/OpenAI/i Create image generations.

mages/generations/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Ability to view files, models, deployments. Readers can't
make any changes They can inference and create images",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5e0bd9bd-7b93-
4f28-af87-19fc36ad61bd",
"name": "5e0bd9bd-7b93-4f28-af87-19fc36ad61bd",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/OpenAI/*/read",

"Microsoft.CognitiveServices/accounts/OpenAI/engines/completions/action",
"Microsoft.CognitiveServices/accounts/OpenAI/engines/search/action",

"Microsoft.CognitiveServices/accounts/OpenAI/engines/generate/action",

"Microsoft.CognitiveServices/accounts/OpenAI/deployments/audio/action",

"Microsoft.CognitiveServices/accounts/OpenAI/deployments/search/action",

"Microsoft.CognitiveServices/accounts/OpenAI/deployments/completions/action"
,

"Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/ac
tion",

"Microsoft.CognitiveServices/accounts/OpenAI/deployments/extensions/chat/com
pletions/action",
"Microsoft.CognitiveServices/accounts/OpenAI/deployments/embeddings/action",

"Microsoft.CognitiveServices/accounts/OpenAI/images/generations/action"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services OpenAI User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services QnA Maker Editor

Let's you create, edit, import and export a KB. You cannot publish or delete a KB.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/QnAMak Gets List of Knowledgebases or details of a

er/knowledgebases/read specific knowledgebaser.

Microsoft.CognitiveServices/accounts/QnAMak Download the knowledgebase.

er/knowledgebases/download/read

Microsoft.CognitiveServices/accounts/QnAMak Asynchronous operation to create a new

er/knowledgebases/create/write knowledgebase.

Microsoft.CognitiveServices/accounts/QnAMak Asynchronous operation to modify a

er/knowledgebases/write knowledgebase or Replace knowledgebase
contents.

Microsoft.CognitiveServices/accounts/QnAMak GenerateAnswer call to query the

er/knowledgebases/generateanswer/action knowledgebase.
Actions Description

Microsoft.CognitiveServices/accounts/QnAMak Train call to add suggestions to the

er/knowledgebases/train/action knowledgebase.

Microsoft.CognitiveServices/accounts/QnAMak Download alterations from runtime.

er/alterations/read

Microsoft.CognitiveServices/accounts/QnAMak Replace alterations data.

er/alterations/write

Microsoft.CognitiveServices/accounts/QnAMak Gets endpoint keys for an endpoint

er/endpointkeys/read

Microsoft.CognitiveServices/accounts/QnAMak Re-generates an endpoint key.

er/endpointkeys/refreshkeys/action

Microsoft.CognitiveServices/accounts/QnAMak Gets endpoint settings for an endpoint

er/endpointsettings/read

Microsoft.CognitiveServices/accounts/QnAMak Update endpoint seettings for an endpoint.

er/endpointsettings/write

Microsoft.CognitiveServices/accounts/QnAMak Gets details of a specific long running

er/operations/read operation.

Microsoft.CognitiveServices/accounts/QnAMak Gets List of Knowledgebases or details of a

er.v2/knowledgebases/read specific knowledgebaser.

Microsoft.CognitiveServices/accounts/QnAMak Download the knowledgebase.

er.v2/knowledgebases/download/read

Microsoft.CognitiveServices/accounts/QnAMak Asynchronous operation to create a new

er.v2/knowledgebases/create/write knowledgebase.

Microsoft.CognitiveServices/accounts/QnAMak Asynchronous operation to modify a

er.v2/knowledgebases/write knowledgebase or Replace knowledgebase
contents.

Microsoft.CognitiveServices/accounts/QnAMak GenerateAnswer call to query the

er.v2/knowledgebases/generateanswer/action knowledgebase.

Microsoft.CognitiveServices/accounts/QnAMak Train call to add suggestions to the

er.v2/knowledgebases/train/action knowledgebase.

Microsoft.CognitiveServices/accounts/QnAMak Download alterations from runtime.

er.v2/alterations/read

Microsoft.CognitiveServices/accounts/QnAMak Replace alterations data.

er.v2/alterations/write
Actions Description

Microsoft.CognitiveServices/accounts/QnAMak Gets endpoint keys for an endpoint

er.v2/endpointkeys/read

Microsoft.CognitiveServices/accounts/QnAMak Re-generates an endpoint key.

er.v2/endpointkeys/refreshkeys/action

Microsoft.CognitiveServices/accounts/QnAMak Gets endpoint settings for an endpoint

er.v2/endpointsettings/read

Microsoft.CognitiveServices/accounts/QnAMak Update endpoint seettings for an endpoint.

er.v2/endpointsettings/write

Microsoft.CognitiveServices/accounts/QnAMak Gets details of a specific long running

er.v2/operations/read operation.

Microsoft.CognitiveServices/accounts/TextAnaly Gets List of Knowledgebases or details of a

tics/QnAMaker/knowledgebases/read specific knowledgebaser.

Microsoft.CognitiveServices/accounts/TextAnaly Download the knowledgebase.

tics/QnAMaker/knowledgebases/download/rea
d

Microsoft.CognitiveServices/accounts/TextAnaly Asynchronous operation to create a new

tics/QnAMaker/knowledgebases/create/write knowledgebase.

Microsoft.CognitiveServices/accounts/TextAnaly Asynchronous operation to modify a

tics/QnAMaker/knowledgebases/write knowledgebase or Replace knowledgebase
contents.

Microsoft.CognitiveServices/accounts/TextAnaly GenerateAnswer call to query the

tics/QnAMaker/knowledgebases/generateansw knowledgebase.
er/action

Microsoft.CognitiveServices/accounts/TextAnaly Train call to add suggestions to the

tics/QnAMaker/knowledgebases/train/action knowledgebase.

Microsoft.CognitiveServices/accounts/TextAnaly Download alterations from runtime.

tics/QnAMaker/alterations/read

Microsoft.CognitiveServices/accounts/TextAnaly Replace alterations data.

tics/QnAMaker/alterations/write

Microsoft.CognitiveServices/accounts/TextAnaly Gets endpoint keys for an endpoint

tics/QnAMaker/endpointkeys/read

Microsoft.CognitiveServices/accounts/TextAnaly Re-generates an endpoint key.

tics/QnAMaker/endpointkeys/refreshkeys/actio
n
Actions Description

Microsoft.CognitiveServices/accounts/TextAnaly Gets endpoint settings for an endpoint

tics/QnAMaker/endpointsettings/read

Microsoft.CognitiveServices/accounts/TextAnaly Update endpoint seettings for an endpoint.

tics/QnAMaker/endpointsettings/write

Microsoft.CognitiveServices/accounts/TextAnaly Gets details of a specific long running

tics/QnAMaker/operations/read operation.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Let's you create, edit, import and export a KB. You cannot
publish or delete a KB.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-
47a1-bdf1-5c5804381025",
"name": "f4cc2bf9-21be-47a1-bdf1-5c5804381025",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",

"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read"
,

"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/create/write",

"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/write",

"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer
/action",

"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/train/action",
"Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/alterations/write",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",

"Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/refreshkeys/acti
on",

"Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",

"Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/write",
"Microsoft.CognitiveServices/accounts/QnAMaker/operations/read",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/re
ad",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/create/writ
e",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/write",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateans
wer/action",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/train/actio
n",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/write",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/refreshkeys/a
ction",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/write",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/operations/read",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/
read",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/
download/read",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/
create/write",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/
write",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/
generateanswer/action",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/
train/action",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/rea
d",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/wri
te",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/re
ad",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/re
freshkeys/action",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsetting
s/read",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsetting
s/write",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/operations/read
"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services QnA Maker Editor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services QnA Maker Reader

Let's you read and test a KB only.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none

DataActions
Actions Description

Microsoft.CognitiveServices/accounts/QnAMak Gets List of Knowledgebases or details of a

er/knowledgebases/read specific knowledgebaser.

Microsoft.CognitiveServices/accounts/QnAMak Download the knowledgebase.

er/knowledgebases/download/read

Microsoft.CognitiveServices/accounts/QnAMak GenerateAnswer call to query the

er/knowledgebases/generateanswer/action knowledgebase.

Microsoft.CognitiveServices/accounts/QnAMak Download alterations from runtime.

er/alterations/read

Microsoft.CognitiveServices/accounts/QnAMak Gets endpoint keys for an endpoint

er/endpointkeys/read

Microsoft.CognitiveServices/accounts/QnAMak Gets endpoint settings for an endpoint

er/endpointsettings/read

Microsoft.CognitiveServices/accounts/QnAMak Gets List of Knowledgebases or details of a

er.v2/knowledgebases/read specific knowledgebaser.

Microsoft.CognitiveServices/accounts/QnAMak Download the knowledgebase.

er.v2/knowledgebases/download/read

Microsoft.CognitiveServices/accounts/QnAMak GenerateAnswer call to query the

er.v2/knowledgebases/generateanswer/action knowledgebase.

Microsoft.CognitiveServices/accounts/QnAMak Download alterations from runtime.

er.v2/alterations/read

Microsoft.CognitiveServices/accounts/QnAMak Gets endpoint keys for an endpoint

er.v2/endpointkeys/read

Microsoft.CognitiveServices/accounts/QnAMak Gets endpoint settings for an endpoint

er.v2/endpointsettings/read

Microsoft.CognitiveServices/accounts/TextAnaly Gets List of Knowledgebases or details of a

tics/QnAMaker/knowledgebases/read specific knowledgebaser.

Microsoft.CognitiveServices/accounts/TextAnaly Download the knowledgebase.

tics/QnAMaker/knowledgebases/download/rea
d

Microsoft.CognitiveServices/accounts/TextAnaly GenerateAnswer call to query the

tics/QnAMaker/knowledgebases/generateansw knowledgebase.
er/action

Microsoft.CognitiveServices/accounts/TextAnaly Download alterations from runtime.

tics/QnAMaker/alterations/read
Actions Description

Microsoft.CognitiveServices/accounts/TextAnaly Gets endpoint keys for an endpoint

tics/QnAMaker/endpointkeys/read

Microsoft.CognitiveServices/accounts/TextAnaly Gets endpoint settings for an endpoint

tics/QnAMaker/endpointsettings/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Let's you read and test a KB only.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-
4a11-b098-b4849f024126",
"name": "466ccd10-b268-4a11-b098-b4849f024126",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/read",

"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/download/read"
,

"Microsoft.CognitiveServices/accounts/QnAMaker/knowledgebases/generateanswer
/action",
"Microsoft.CognitiveServices/accounts/QnAMaker/alterations/read",
"Microsoft.CognitiveServices/accounts/QnAMaker/endpointkeys/read",

"Microsoft.CognitiveServices/accounts/QnAMaker/endpointsettings/read",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/read",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/download/re
ad",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/knowledgebases/generateans
wer/action",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/alterations/read",

"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointkeys/read",
"Microsoft.CognitiveServices/accounts/QnAMaker.v2/endpointsettings/read",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/
read",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/
download/read",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/knowledgebases/
generateanswer/action",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/alterations/rea
d",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointkeys/re
ad",

"Microsoft.CognitiveServices/accounts/TextAnalytics/QnAMaker/endpointsetting
s/read"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services QnA Maker Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Speech Contributor

Full access to Speech projects, including read, write and delete all entities, for real-time
speech recognition and batch transcription tasks, real-time speech synthesis and long
audio tasks, custom speech and custom voice.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none
Actions Description

DataActions

Microsoft.CognitiveServices/accounts/SpeechS
ervices/*

Microsoft.CognitiveServices/accounts/CustomV
oice/*

Microsoft.CognitiveServices/accounts/AudioCo
ntentCreation/*

Microsoft.CognitiveServices/accounts/VideoTra
nslation/*

Microsoft.CognitiveServices/accounts/CustomA
vatar/*

Microsoft.CognitiveServices/accounts/BatchAva
tar/*

Microsoft.CognitiveServices/accounts/BatchText
ToSpeech/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Full access to Speech projects, including read, write and
delete all entities, for real-time speech recognition and batch
transcription tasks, real-time speech synthesis and long audio tasks, custom
speech and custom voice.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-
4b4d-8b93-68208a576181",
"name": "0e75ca1e-0464-4b4d-8b93-68208a576181",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/SpeechServices/*",
"Microsoft.CognitiveServices/accounts/CustomVoice/*",
"Microsoft.CognitiveServices/accounts/AudioContentCreation/*",
"Microsoft.CognitiveServices/accounts/VideoTranslation/*",
"Microsoft.CognitiveServices/accounts/CustomAvatar/*",
"Microsoft.CognitiveServices/accounts/BatchAvatar/*",
"Microsoft.CognitiveServices/accounts/BatchTextToSpeech/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services Speech Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Speech User

Access to the real-time speech recognition and batch transcription APIs, real-time
speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint
for custom models, but can't create, delete or modify the data/test/model/endpoint for
custom models.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Authorization/roleDefinitions/read Get information about a role definition.

NotActions

none

DataActions

Microsoft.CognitiveServices/accounts/SpeechS
ervices/*/read

Microsoft.CognitiveServices/accounts/SpeechS
ervices/*/transcriptions/read

Microsoft.CognitiveServices/accounts/SpeechS
ervices/*/transcriptions/write
Actions Description

Microsoft.CognitiveServices/accounts/SpeechS
ervices/*/transcriptions/delete

Microsoft.CognitiveServices/accounts/SpeechS
ervices/*/transcriptions/action

Microsoft.CognitiveServices/accounts/SpeechS
ervices/*/frontend/action

Microsoft.CognitiveServices/accounts/SpeechS
ervices/text-dependent/*/action

Microsoft.CognitiveServices/accounts/SpeechS
ervices/text-independent/*/action

Microsoft.CognitiveServices/accounts/CustomV
oice/*/read

Microsoft.CognitiveServices/accounts/CustomV
oice/evaluations/*

Microsoft.CognitiveServices/accounts/CustomV
oice/longaudiosynthesis/*

Microsoft.CognitiveServices/accounts/AudioCo
ntentCreation/*

Microsoft.CognitiveServices/accounts/VideoTra
nslation/*

Microsoft.CognitiveServices/accounts/CustomA
vatar/*/read

Microsoft.CognitiveServices/accounts/BatchAva
tar/*

Microsoft.CognitiveServices/accounts/BatchText
ToSpeech/*

NotDataActions

Microsoft.CognitiveServices/accounts/CustomV Gets the files of the dataset identified by the

oice/datasets/files/read given ID.

Microsoft.CognitiveServices/accounts/CustomV Gets utterances of the specified training set.

oice/datasets/utterances/read

JSON
{
"assignableScopes": [
"/"
],
"description": "Access to the real-time speech recognition and batch
transcription APIs, real-time speech synthesis and long audio APIs, as well
as to read the data/test/model/endpoint for custom models, but can't create,
delete or modify the data/test/model/endpoint for custom models.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-
4938-bd23-fe263f013447",
"name": "f2dc8367-1007-4938-bd23-fe263f013447",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Authorization/roleDefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/accounts/SpeechServices/*/read",

"Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/read",

"Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/write"
,

"Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/delete
",

"Microsoft.CognitiveServices/accounts/SpeechServices/*/transcriptions/action
",

"Microsoft.CognitiveServices/accounts/SpeechServices/*/frontend/action",
"Microsoft.CognitiveServices/accounts/SpeechServices/text-
dependent/*/action",
"Microsoft.CognitiveServices/accounts/SpeechServices/text-
independent/*/action",
"Microsoft.CognitiveServices/accounts/CustomVoice/*/read",
"Microsoft.CognitiveServices/accounts/CustomVoice/evaluations/*",

"Microsoft.CognitiveServices/accounts/CustomVoice/longaudiosynthesis/*",
"Microsoft.CognitiveServices/accounts/AudioContentCreation/*",
"Microsoft.CognitiveServices/accounts/VideoTranslation/*",
"Microsoft.CognitiveServices/accounts/CustomAvatar/*/read",
"Microsoft.CognitiveServices/accounts/BatchAvatar/*",
"Microsoft.CognitiveServices/accounts/BatchTextToSpeech/*"
],
"notDataActions": [

"Microsoft.CognitiveServices/accounts/CustomVoice/datasets/files/read",

"Microsoft.CognitiveServices/accounts/CustomVoice/datasets/utterances/read"
]
}
],
"roleName": "Cognitive Services Speech User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services Usages Reader

Minimal permission to view Cognitive Services usages.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/locations/usages/r Read all usages data

ead

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Minimal permission to view Cognitive Services usages.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bba48692-92b0-
4667-a9ad-c31c7b334ac2",
"name": "bba48692-92b0-4667-a9ad-c31c7b334ac2",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/locations/usages/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cognitive Services Usages Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cognitive Services User

Lets you read and list keys of Cognitive Services.

Learn more

ﾉ Expand table

Actions Description

Microsoft.CognitiveServices/*/read

Microsoft.CognitiveServices/accounts/listkeys/a List keys

ction

Microsoft.Insights/alertRules/read Read a classic metric alert

Microsoft.Insights/diagnosticSettings/read Read a resource diagnostic setting

Microsoft.Insights/logDefinitions/read Read log definitions

Microsoft.Insights/metricdefinitions/read Read metric definitions

Microsoft.Insights/metrics/read Read metrics

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions
Actions Description

none

DataActions

Microsoft.CognitiveServices/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you read and list keys of Cognitive Services.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-
4388-baec-2e87135dc908",
"name": "a97b65f3-24c7-4388-baec-2e87135dc908",
"permissions": [
{
"actions": [
"Microsoft.CognitiveServices/*/read",
"Microsoft.CognitiveServices/accounts/listkeys/action",
"Microsoft.Insights/alertRules/read",
"Microsoft.Insights/diagnosticSettings/read",
"Microsoft.Insights/logDefinitions/read",
"Microsoft.Insights/metricdefinitions/read",
"Microsoft.Insights/metrics/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.CognitiveServices/*"
],
"notDataActions": []
}
],
"roleName": "Cognitive Services User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Health Bot Admin
Users with admin access can sign in, view and edit all of the bot resources, scenarios and
configuration setting including the bot instance keys & secrets.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthBot/healthBots/Admin/Action Sign in to the management portal, view and

edit all of the bot resources, scenarios,
configuration settings, instance keys & secrets.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Users with admin access can sign in, view and edit all of
the bot resources, scenarios and configuration setting including the bot
instance keys & secrets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f1082fec-a70f-
419f-9230-885d2550fb38",
"name": "f1082fec-a70f-419f-9230-885d2550fb38",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthBot/healthBots/Admin/Action"
],
"notDataActions": []
}
],
"roleName": "Health Bot Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Health Bot Editor

Users with editor access can sign in, view and edit all the bot resources, scenarios and
configuration setting except for the bot instance keys & secrets and the end-user inputs
(including Feedback, Unrecognized utterances and Conversation logs). A read-only
access to the bot skills and channels.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthBot/healthBots/Editor/Action Sign in to the management portal, view and

edit all the bot resources, scenarios and
configuration settings except for the bot
instance keys & secrets and the end-user
inputs. Read-only access to the bot skills and
channels.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Users with editor access can sign in, view and edit all
the bot resources, scenarios and configuration setting except for the bot
instance keys & secrets and the end-user inputs (including Feedback,
Unrecognized utterances and Conversation logs). A read-only access to the
bot skills and channels.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/af854a69-80ce-
4ff7-8447-f1118a2e0ca8",
"name": "af854a69-80ce-4ff7-8447-f1118a2e0ca8",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthBot/healthBots/Editor/Action"
],
"notDataActions": []
}
],
"roleName": "Health Bot Editor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Health Bot Reader

Users with reader access can sign in, have read-only access to the bot resources,
scenarios and configuration setting except for the bot instance keys & secrets (including
Authentication, Data Connection and Channels keys) and the end-user inputs (including
Feedback, Unrecognized utterances and Conversation logs).

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthBot/healthBots/Reader/Action Sign in to the management portal, with read-

only access to resources, scenarios and
configuration settings except for the bot
instance keys & secrets and the end-user
inputs.

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Users with reader access can sign in, have read-only
access to the bot resources, scenarios and configuration setting except for
the bot instance keys & secrets (including Authentication, Data Connection
and Channels keys) and the end-user inputs (including Feedback, Unrecognized
utterances and Conversation logs).",
"id": "/providers/Microsoft.Authorization/roleDefinitions/eb5a76d5-50e7-
4c33-a449-070e7c9c4cf2",
"name": "eb5a76d5-50e7-4c33-a449-070e7c9c4cf2",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthBot/healthBots/Reader/Action"
],
"notDataActions": []
}
],
"roleName": "Health Bot Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Search Index Data Contributor

Grants full access to Azure Cognitive Search index data.

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Search/searchServices/indexes/docu
ments/*

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Grants full access to Azure Cognitive Search index data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-
43f5-93ac-243d3dce84a7",
"name": "8ebe5a00-799e-43f5-93ac-243d3dce84a7",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Search/searchServices/indexes/documents/*"
],
"notDataActions": []
}
],
"roleName": "Search Index Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Search Index Data Reader

Grants read access to Azure Cognitive Search index data.

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Search/searchServices/indexes/docu Read documents or suggested query terms

ments/read from an index.

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Grants read access to Azure Cognitive Search index data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-
4202-b7e9-c0e197c71c8f",
"name": "1407120a-92aa-4202-b7e9-c0e197c71c8f",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Search/searchServices/indexes/documents/read"
],
"notDataActions": []
}
],
"roleName": "Search Index Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Search Service Contributor

Lets you manage Search services, but not access to them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Search/searchServices/* Create and manage search services

Microsoft.Support/* Create and update a support ticket

Actions Description

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage Search services, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-
4471-8644-bb5ff32d4ba0",
"name": "7ca78c08-252a-4471-8644-bb5ff32d4ba0",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Search/searchServices/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Search Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal
Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Internet of
Things
Article • 09/23/2024

This article lists the Azure built-in roles in the Internet of Things category.

Azure Digital Twins Data Owner

Full access role for Digital Twins data-plane

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.DigitalTwins/digitaltwins/* Read, create, update, or delete any Digital Twin

Microsoft.DigitalTwins/digitaltwins/commands/ Invoke any Command on a Digital Twin

Microsoft.DigitalTwins/digitaltwins/relationship Read, create, update, or delete any Digital Twin

s/* Relationship

Microsoft.DigitalTwins/eventroutes/* Read, delete, create, or update any Event Route

Microsoft.DigitalTwins/jobs/*

Microsoft.DigitalTwins/models/* Read, create, update, or delete any Model

Microsoft.DigitalTwins/query/* Query any Digital Twins Graph

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Full access role for Digital Twins data-plane",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-
457b-83e1-cceb9e632ffe",
"name": "bcd981a7-7f74-457b-83e1-cceb9e632ffe",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.DigitalTwins/digitaltwins/*",
"Microsoft.DigitalTwins/digitaltwins/commands/*",
"Microsoft.DigitalTwins/digitaltwins/relationships/*",
"Microsoft.DigitalTwins/eventroutes/*",
"Microsoft.DigitalTwins/jobs/*",
"Microsoft.DigitalTwins/models/*",
"Microsoft.DigitalTwins/query/*"
],
"notDataActions": []
}
],
"roleName": "Azure Digital Twins Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Digital Twins Data Reader

Read-only role for Digital Twins data-plane properties

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.DigitalTwins/digitaltwins/read Read any Digital Twin

Actions Description

Microsoft.DigitalTwins/digitaltwins/relationship Read any Digital Twin Relationship

s/read

Microsoft.DigitalTwins/eventroutes/read Read any Event Route

Microsoft.DigitalTwins/jobs/import/read Read any Bulk Import Job

Microsoft.DigitalTwins/jobs/imports/read Read any Bulk Import Job

Microsoft.DigitalTwins/jobs/deletions/read Read any Bulk Delete Job

Microsoft.DigitalTwins/models/read Read any Model

Microsoft.DigitalTwins/query/action Query any Digital Twins Graph

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read-only role for Digital Twins data-plane properties",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-
48b1-8587-93c323f6a5a3",
"name": "d57506d4-4c8d-48b1-8587-93c323f6a5a3",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.DigitalTwins/digitaltwins/read",
"Microsoft.DigitalTwins/digitaltwins/relationships/read",
"Microsoft.DigitalTwins/eventroutes/read",
"Microsoft.DigitalTwins/jobs/import/read",
"Microsoft.DigitalTwins/jobs/imports/read",
"Microsoft.DigitalTwins/jobs/deletions/read",
"Microsoft.DigitalTwins/models/read",
"Microsoft.DigitalTwins/query/action"
],
"notDataActions": []
}
],
"roleName": "Azure Digital Twins Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Provisioning Service Data Contributor
Allows for full access to Device Provisioning Service data-plane operations.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Devices/provisioningServices/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Device Provisioning Service
data-plane operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-
4bd1-a6d1-04996ec95633",
"name": "dfce44e4-17b7-4bd1-a6d1-04996ec95633",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/provisioningServices/*"
],
"notDataActions": []
}
],
"roleName": "Device Provisioning Service Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Provisioning Service Data Reader
Allows for full read access to Device Provisioning Service data-plane properties.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Devices/provisioningServices/*/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full read access to Device Provisioning Service
data-plane properties.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-
44a1-a5ce-3a4353c0bbd8",
"name": "10745317-c249-44a1-a5ce-3a4353c0bbd8",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/provisioningServices/*/read"
],
"notDataActions": []
}
],
"roleName": "Device Provisioning Service Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Administrator
Gives you full access to management and content operations

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

NotActions

none

DataActions

Microsoft.DeviceUpdate/accounts/instances/up Performs a read operation related to updates

dates/read

Microsoft.DeviceUpdate/accounts/instances/up Performs a write operation related to updates

dates/write

Microsoft.DeviceUpdate/accounts/instances/up Performs a delete operation related to updates

dates/delete

Microsoft.DeviceUpdate/accounts/instances/m Performs a read operation related to

anagement/read management

Microsoft.DeviceUpdate/accounts/instances/m Performs a write operation related to

anagement/write management

Microsoft.DeviceUpdate/accounts/instances/m Performs a delete operation related to

anagement/delete management

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Gives you full access to management and content
operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-
47a5-a61e-5c618b76e64a",
"name": "02ca0879-e8e4-47a5-a61e-5c618b76e64a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read",
"Microsoft.DeviceUpdate/accounts/instances/updates/write",
"Microsoft.DeviceUpdate/accounts/instances/updates/delete",
"Microsoft.DeviceUpdate/accounts/instances/management/read",
"Microsoft.DeviceUpdate/accounts/instances/management/write",
"Microsoft.DeviceUpdate/accounts/instances/management/delete"
],
"notDataActions": []
}
],
"roleName": "Device Update Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Content Administrator

Gives you full access to content operations

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

NotActions

none

DataActions

Microsoft.DeviceUpdate/accounts/instances/up Performs a read operation related to updates

dates/read

Microsoft.DeviceUpdate/accounts/instances/up Performs a write operation related to updates

dates/write

Microsoft.DeviceUpdate/accounts/instances/up Performs a delete operation related to updates

dates/delete

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Gives you full access to content operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-
44ab-8323-f5b22f9f3c98",
"name": "0378884a-3af5-44ab-8323-f5b22f9f3c98",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read",
"Microsoft.DeviceUpdate/accounts/instances/updates/write",
"Microsoft.DeviceUpdate/accounts/instances/updates/delete"
],
"notDataActions": []
}
],
"roleName": "Device Update Content Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Content Reader

Gives you read access to content operations, but does not allow making changes

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

NotActions

none

DataActions

Microsoft.DeviceUpdate/accounts/instances/up Performs a read operation related to updates

dates/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Gives you read access to content operations, but does not
allow making changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-
47f0-bdc2-f4a351625a7b",
"name": "d1ee9a80-8b14-47f0-bdc2-f4a351625a7b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Content Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Deployments Administrator

Gives you full access to management operations

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

NotActions

none

DataActions
Actions Description

Microsoft.DeviceUpdate/accounts/instances/m Performs a read operation related to

anagement/read management

Microsoft.DeviceUpdate/accounts/instances/m Performs a write operation related to

anagement/write management

Microsoft.DeviceUpdate/accounts/instances/m Performs a delete operation related to

anagement/delete management

Microsoft.DeviceUpdate/accounts/instances/up Performs a read operation related to updates

dates/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Gives you full access to management operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-
4a46-8fda-70bc94856432",
"name": "e4237640-0e3d-4a46-8fda-70bc94856432",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/management/read",
"Microsoft.DeviceUpdate/accounts/instances/management/write",
"Microsoft.DeviceUpdate/accounts/instances/management/delete",
"Microsoft.DeviceUpdate/accounts/instances/updates/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Deployments Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Device Update Deployments Reader
Gives you read access to management operations, but does not allow making changes

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

NotActions

none

DataActions

Microsoft.DeviceUpdate/accounts/instances/m Performs a read operation related to

anagement/read management

Microsoft.DeviceUpdate/accounts/instances/up Performs a read operation related to updates

dates/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Gives you read access to management operations, but does
not allow making changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-
4835-8efa-19e1fe35e47f",
"name": "49e2f5d2-7741-4835-8efa-19e1fe35e47f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/management/read",
"Microsoft.DeviceUpdate/accounts/instances/updates/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Deployments Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Device Update Reader

Gives you read access to management and content operations, but does not allow
making changes

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

NotActions

none

DataActions

Microsoft.DeviceUpdate/accounts/instances/up Performs a read operation related to updates

dates/read
Actions Description

Microsoft.DeviceUpdate/accounts/instances/m Performs a read operation related to

anagement/read management

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Gives you read access to management and content
operations, but does not allow making changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-
4cf0-bce3-f06ce71b9e0f",
"name": "e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.DeviceUpdate/accounts/instances/updates/read",
"Microsoft.DeviceUpdate/accounts/instances/management/read"
],
"notDataActions": []
}
],
"roleName": "Device Update Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Firmware Analysis Admin

Upload and analyze firmware images in Defender for IoT

Learn more

ﾉ Expand table
Actions Description

Microsoft.IoTFirmwareDefense/*

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Upload and analyze firmware images in Defender for IoT",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9c1607d1-791d-
4c68-885d-c7b7aaff7c8a",
"name": "9c1607d1-791d-4c68-885d-c7b7aaff7c8a",
"permissions": [
{
"actions": [
"Microsoft.IoTFirmwareDefense/*",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Firmware Analysis Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
IoT Hub Data Contributor
Allows for full access to IoT Hub data plane operations.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Devices/IotHubs/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full access to IoT Hub data plane operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-
4a07-842e-c321cc9d413f",
"name": "4fc6c259-987e-4a07-842e-c321cc9d413f",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/*"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
IoT Hub Data Reader
Allows for full read access to IoT Hub data-plane properties

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Devices/IotHubs/*/read

Microsoft.Devices/IotHubs/fileUpload/notificati Receive, complete, or abandon file upload

ons/action notifications

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full read access to IoT Hub data-plane
properties",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-
41ec-983d-d8bf3b1c77e3",
"name": "b447c946-2db7-41ec-983d-d8bf3b1c77e3",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/*/read",
"Microsoft.Devices/IotHubs/fileUpload/notifications/action"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Registry Contributor

Allows for full access to IoT Hub device registry.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Devices/IotHubs/devices/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full access to IoT Hub device registry.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-
4a8e-910b-273211f9ce47",
"name": "4ea46cd5-c1b2-4a8e-910b-273211f9ce47",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/devices/*"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Registry Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

IoT Hub Twin Contributor

Allows for read and write access to all IoT Hub device and module twins.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Devices/IotHubs/twins/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for read and write access to all IoT Hub device and
module twins.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-
4f31-a0a1-191d2f7c028c",
"name": "494bdba2-168f-4f31-a0a1-191d2f7c028c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Devices/IotHubs/twins/*"
],
"notDataActions": []
}
],
"roleName": "IoT Hub Twin Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Mixed reality
Article • 09/20/2024

This article lists the Azure built-in roles in the Mixed reality category.

Remote Rendering Administrator

Provides user with conversion, manage session, rendering and diagnostics capabilities
for Azure Remote Rendering

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.MixedReality/RemoteRenderingAccou Start asset conversion

nts/convert/action

Microsoft.MixedReality/RemoteRenderingAccou Get asset conversion properties

nts/convert/read

Microsoft.MixedReality/RemoteRenderingAccou Stop asset conversion

nts/convert/delete

Microsoft.MixedReality/RemoteRenderingAccou Get session properties

nts/managesessions/read

Microsoft.MixedReality/RemoteRenderingAccou Start sessions

nts/managesessions/action

Microsoft.MixedReality/RemoteRenderingAccou Stop sessions

nts/managesessions/delete

Microsoft.MixedReality/RemoteRenderingAccou Connect to a session

nts/render/read

Microsoft.MixedReality/RemoteRenderingAccou Connect to the Remote Rendering inspector

nts/diagnostic/read
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides user with conversion, manage session, rendering
and diagnostics capabilities for Azure Remote Rendering",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-
47c7-8cc5-360e9b272a7e",
"name": "3df8b902-2a6f-47c7-8cc5-360e9b272a7e",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/RemoteRenderingAccounts/convert/action",
"Microsoft.MixedReality/RemoteRenderingAccounts/convert/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/convert/delete",

"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",

"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",

"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
"Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
],
"notDataActions": []
}
],
"roleName": "Remote Rendering Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Remote Rendering Client

Provides user with manage session, rendering and diagnostics capabilities for Azure
Remote Rendering.

Learn more
ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.MixedReality/RemoteRenderingAccou Get session properties

nts/managesessions/read

Microsoft.MixedReality/RemoteRenderingAccou Start sessions

nts/managesessions/action

Microsoft.MixedReality/RemoteRenderingAccou Stop sessions

nts/managesessions/delete

Microsoft.MixedReality/RemoteRenderingAccou Connect to a session

nts/render/read

Microsoft.MixedReality/RemoteRenderingAccou Connect to the Remote Rendering inspector

nts/diagnostic/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides user with manage session, rendering and
diagnostics capabilities for Azure Remote Rendering.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-
43c9-ab0a-63eed9795f0a",
"name": "d39065c4-c120-43c9-ab0a-63eed9795f0a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/read",

"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/action",

"Microsoft.MixedReality/RemoteRenderingAccounts/managesessions/delete",
"Microsoft.MixedReality/RemoteRenderingAccounts/render/read",
"Microsoft.MixedReality/RemoteRenderingAccounts/diagnostic/read"
],
"notDataActions": []
}
],
"roleName": "Remote Rendering Client",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Contributor

Lets you manage spatial anchors in your account, but not delete them

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.MixedReality/SpatialAnchorsAccounts Create spatial anchors

/create/action

Microsoft.MixedReality/SpatialAnchorsAccounts Discover nearby spatial anchors

/discovery/read

Microsoft.MixedReality/SpatialAnchorsAccounts Get properties of spatial anchors

/properties/read

Microsoft.MixedReality/SpatialAnchorsAccounts Locate spatial anchors

/query/read

Microsoft.MixedReality/SpatialAnchorsAccounts Submit diagnostics data to help improve the

/submitdiag/read quality of the Azure Spatial Anchors service

Microsoft.MixedReality/SpatialAnchorsAccounts Update spatial anchors properties

/write

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage spatial anchors in your account, but not
delete them",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-
4df7-8cb4-4e04d4e5c827",
"name": "8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
"Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/write"
],
"notDataActions": []
}
],
"roleName": "Spatial Anchors Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Owner

Lets you manage spatial anchors in your account, including deleting them

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions
Actions Description

Microsoft.MixedReality/SpatialAnchorsAccounts Create spatial anchors

/create/action

Microsoft.MixedReality/SpatialAnchorsAccounts Delete spatial anchors

/delete

Microsoft.MixedReality/SpatialAnchorsAccounts Discover nearby spatial anchors

/discovery/read

Microsoft.MixedReality/SpatialAnchorsAccounts Get properties of spatial anchors

/properties/read

Microsoft.MixedReality/SpatialAnchorsAccounts Locate spatial anchors

/query/read

Microsoft.MixedReality/SpatialAnchorsAccounts Submit diagnostics data to help improve the

/submitdiag/read quality of the Azure Spatial Anchors service

Microsoft.MixedReality/SpatialAnchorsAccounts Update spatial anchors properties

/write

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage spatial anchors in your account, including
deleting them",
"id": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-
447d-afdd-19eb3167307c",
"name": "70bbe301-9835-447d-afdd-19eb3167307c",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/SpatialAnchorsAccounts/create/action",
"Microsoft.MixedReality/SpatialAnchorsAccounts/delete",
"Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/write"
],
"notDataActions": []
}
],
"roleName": "Spatial Anchors Account Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Spatial Anchors Account Reader

Lets you locate and read properties of spatial anchors in your account

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.MixedReality/SpatialAnchorsAccounts Discover nearby spatial anchors

/discovery/read

Microsoft.MixedReality/SpatialAnchorsAccounts Get properties of spatial anchors

/properties/read

Microsoft.MixedReality/SpatialAnchorsAccounts Locate spatial anchors

/query/read

Microsoft.MixedReality/SpatialAnchorsAccounts Submit diagnostics data to help improve the

/submitdiag/read quality of the Azure Spatial Anchors service

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you locate and read properties of spatial anchors in
your account",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-
4b1c-b86a-2ec626c49413",
"name": "5d51204f-eb77-4b1c-b86a-2ec626c49413",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.MixedReality/SpatialAnchorsAccounts/discovery/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/properties/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/query/read",
"Microsoft.MixedReality/SpatialAnchorsAccounts/submitdiag/read"
],
"notDataActions": []
}
],
"roleName": "Spatial Anchors Account Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Integration
Article • 09/23/2024

This article lists the Azure built-in roles in the Integration category.

API Management Developer Portal Content

Editor
Can customize the developer portal, edit its content, and publish it.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ApiManagement/service/portalRevisi Lists a collection of developer portal revision

ons/read entities. or Gets developer portal revision
specified by its identifier.

Microsoft.ApiManagement/service/portalRevisi Creates a new developer portal revision. or

ons/write Updates the description of specified portal
revision or makes it current.

Microsoft.ApiManagement/service/contentType Returns list of content types or Returns content

s/read type

Microsoft.ApiManagement/service/contentType Removes content type.

s/delete

Microsoft.ApiManagement/service/contentType Creates new content type

s/write

Microsoft.ApiManagement/service/contentType Returns list of content items or Returns content

s/contentItems/read item details

Microsoft.ApiManagement/service/contentType Creates new content item or Updates specified

s/contentItems/write content item

Microsoft.ApiManagement/service/contentType Removes specified content item.

s/contentItems/delete

NotActions

none

DataActions
Actions Description

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can customize the developer portal, edit its content, and
publish it.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-
4de0-8d69-4706a7ed3729",
"name": "c031e6a8-4391-4de0-8d69-4706a7ed3729",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/portalRevisions/read",
"Microsoft.ApiManagement/service/portalRevisions/write",
"Microsoft.ApiManagement/service/contentTypes/read",
"Microsoft.ApiManagement/service/contentTypes/delete",
"Microsoft.ApiManagement/service/contentTypes/write",
"Microsoft.ApiManagement/service/contentTypes/contentItems/read",
"Microsoft.ApiManagement/service/contentTypes/contentItems/write",
"Microsoft.ApiManagement/service/contentTypes/contentItems/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Developer Portal Content Editor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Contributor

Can manage service and the APIs

Learn more

ﾉ Expand table
Actions Description

Microsoft.ApiManagement/service/* Create and manage API Management service

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can manage service and the APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-
4fd8-895a-4e21e48d571c",
"name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Operator Role

Can manage service but not the APIs

Learn more

ﾉ Expand table

Actions Description

Microsoft.ApiManagement/service/*/read Read API Management Service instances

Microsoft.ApiManagement/service/backup/acti Backup API Management Service to the

on specified container in a user provided storage
account

Microsoft.ApiManagement/service/delete Delete API Management Service instance

Microsoft.ApiManagement/service/managedepl Change SKU/units, add/remove regional

oyments/action deployments of API Management Service

Microsoft.ApiManagement/service/read Read metadata for an API Management Service

instance

Microsoft.ApiManagement/service/restore/acti Restore API Management Service from the

on specified container in a user provided storage
account

Microsoft.ApiManagement/service/updatecertif Upload TLS/SSL certificate for an API

icate/action Management Service

Microsoft.ApiManagement/service/updatehost Setup, update or remove custom domain

name/action names for an API Management Service

Microsoft.ApiManagement/service/write Create or Update API Management Service

instance

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Actions Description

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

Microsoft.ApiManagement/service/users/keys/r Get keys associated with user

ead

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can manage service but not the APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-
4159-bbe4-b44f577e9b61",
"name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*/read",
"Microsoft.ApiManagement/service/backup/action",
"Microsoft.ApiManagement/service/delete",
"Microsoft.ApiManagement/service/managedeployments/action",
"Microsoft.ApiManagement/service/read",
"Microsoft.ApiManagement/service/restore/action",
"Microsoft.ApiManagement/service/updatecertificate/action",
"Microsoft.ApiManagement/service/updatehostname/action",
"Microsoft.ApiManagement/service/write",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.ApiManagement/service/users/keys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Operator Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Reader Role

Read-only access to service and APIs

Learn more

ﾉ Expand table

Actions Description

Microsoft.ApiManagement/service/*/read Read API Management Service instances

Microsoft.ApiManagement/service/read Read metadata for an API Management Service

instance

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

Microsoft.ApiManagement/service/users/keys/r Get keys associated with user

ead

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read-only access to service and APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-
4d52-b57f-d31fc3546d0d",
"name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*/read",
"Microsoft.ApiManagement/service/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.ApiManagement/service/users/keys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Workspace API

Developer
Has read access to tags and products and write access to allow: assigning APIs to
products, assigning tags to products and APIs. This role should be assigned on the
service scope.

Learn more
ﾉ Expand table

Actions Description

Microsoft.ApiManagement/service/tags/read Lists a collection of tags defined within a

service instance. or Gets the details of the tag
specified by its identifier.

Microsoft.ApiManagement/service/tags/apiLink
s/*

Microsoft.ApiManagement/service/tags/operati
onLinks/*

Microsoft.ApiManagement/service/tags/produc
tLinks/*

Microsoft.ApiManagement/service/products/re Lists a collection of products in the specified

ad service instance. or Gets the details of the
product specified by its identifier.

Microsoft.ApiManagement/service/products/ap
iLinks/*

Microsoft.ApiManagement/service/read Read metadata for an API Management Service

instance

Microsoft.ApiManagement/service/authorizatio Lists a collection of authorization servers

nServers/read defined within a service instance. or Gets the
details of the authorization server without
secrets.

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Has read access to tags and products and write access to
allow: assigning APIs to products, assigning tags to products and APIs. This
role should be assigned on the service scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9565a273-41b9-
4368-97d2-aeb0c976a9b3",
"name": "9565a273-41b9-4368-97d2-aeb0c976a9b3",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/tags/read",
"Microsoft.ApiManagement/service/tags/apiLinks/*",
"Microsoft.ApiManagement/service/tags/operationLinks/*",
"Microsoft.ApiManagement/service/tags/productLinks/*",
"Microsoft.ApiManagement/service/products/read",
"Microsoft.ApiManagement/service/products/apiLinks/*",
"Microsoft.ApiManagement/service/read",
"Microsoft.ApiManagement/service/authorizationServers/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Workspace API Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

API Management Service Workspace API

Product Manager
Has the same access as API Management Service Workspace API Developer as well as
read access to users and write access to allow assigning users to groups. This role
should be assigned on the service scope.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ApiManagement/service/users/read Lists a collection of registered users in the

specified service instance. or Gets the details of
the user specified by its identifier.

Microsoft.ApiManagement/service/tags/read Lists a collection of tags defined within a

service instance. or Gets the details of the tag
Actions Description

specified by its identifier.

Microsoft.ApiManagement/service/tags/apiLink
s/*

Microsoft.ApiManagement/service/tags/operati
onLinks/*

Microsoft.ApiManagement/service/tags/produc
tLinks/*

Microsoft.ApiManagement/service/products/re Lists a collection of products in the specified

ad service instance. or Gets the details of the
product specified by its identifier.

Microsoft.ApiManagement/service/products/ap
iLinks/*

Microsoft.ApiManagement/service/groups/read Lists a collection of groups defined within a

service instance. or Gets the details of the
group specified by its identifier.

Microsoft.ApiManagement/service/groups/user
s/*

Microsoft.ApiManagement/service/read Read metadata for an API Management Service

instance

Microsoft.ApiManagement/service/authorizatio Lists a collection of authorization servers

nServers/read defined within a service instance. or Gets the
details of the authorization server without
secrets.

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Has the same access as API Management Service Workspace
API Developer as well as read access to users and write access to allow
assigning users to groups. This role should be assigned on the service
scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d59a3e9c-6d52-
4a5a-aeed-6bf3cf0e31da",
"name": "d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/users/read",
"Microsoft.ApiManagement/service/tags/read",
"Microsoft.ApiManagement/service/tags/apiLinks/*",
"Microsoft.ApiManagement/service/tags/operationLinks/*",
"Microsoft.ApiManagement/service/tags/productLinks/*",
"Microsoft.ApiManagement/service/products/read",
"Microsoft.ApiManagement/service/products/apiLinks/*",
"Microsoft.ApiManagement/service/groups/read",
"Microsoft.ApiManagement/service/groups/users/*",
"Microsoft.ApiManagement/service/read",
"Microsoft.ApiManagement/service/authorizationServers/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Workspace API Product Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace API Developer

Has read access to entities in the workspace and read and write access to entities for
editing APIs. This role should be assigned on the workspace scope.

Learn more

ﾉ Expand table
Actions Description

Microsoft.ApiManagement/service/workspaces/
*/read

Microsoft.ApiManagement/service/workspaces/
apis/*

Microsoft.ApiManagement/service/workspaces/
apiVersionSets/*

Microsoft.ApiManagement/service/workspaces/
policies/*

Microsoft.ApiManagement/service/workspaces/
schemas/*

Microsoft.ApiManagement/service/workspaces/
products/*

Microsoft.ApiManagement/service/workspaces/
policyFragments/*

Microsoft.ApiManagement/service/workspaces/
namedValues/*

Microsoft.ApiManagement/service/workspaces/
tags/*

Microsoft.ApiManagement/service/workspaces/
backends/*

Microsoft.ApiManagement/service/workspaces/
certificates/*

Microsoft.ApiManagement/service/workspaces/
diagnostics/*

Microsoft.ApiManagement/service/workspaces/
loggers/*

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Has read access to entities in the workspace and read and
write access to entities for editing APIs. This role should be assigned on
the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/56328988-075d-
4c6a-8766-d93edd6725b6",
"name": "56328988-075d-4c6a-8766-d93edd6725b6",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*/read",
"Microsoft.ApiManagement/service/workspaces/apis/*",
"Microsoft.ApiManagement/service/workspaces/apiVersionSets/*",
"Microsoft.ApiManagement/service/workspaces/policies/*",
"Microsoft.ApiManagement/service/workspaces/schemas/*",
"Microsoft.ApiManagement/service/workspaces/products/*",
"Microsoft.ApiManagement/service/workspaces/policyFragments/*",
"Microsoft.ApiManagement/service/workspaces/namedValues/*",
"Microsoft.ApiManagement/service/workspaces/tags/*",
"Microsoft.ApiManagement/service/workspaces/backends/*",
"Microsoft.ApiManagement/service/workspaces/certificates/*",
"Microsoft.ApiManagement/service/workspaces/diagnostics/*",
"Microsoft.ApiManagement/service/workspaces/loggers/*",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace API Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace API Product

Manager
Has read access to entities in the workspace and read and write access to entities for
publishing APIs. This role should be assigned on the workspace scope.
Learn more

ﾉ Expand table

Actions Description

Microsoft.ApiManagement/service/workspaces/
*/read

Microsoft.ApiManagement/service/workspaces/
products/*

Microsoft.ApiManagement/service/workspaces/
subscriptions/*

Microsoft.ApiManagement/service/workspaces/
groups/*

Microsoft.ApiManagement/service/workspaces/
tags/*

Microsoft.ApiManagement/service/workspaces/
notifications/*

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Has read access to entities in the workspace and read and
write access to entities for publishing APIs. This role should be assigned
on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/73c2c328-d004-
4c5e-938c-35c6f5679a1f",
"name": "73c2c328-d004-4c5e-938c-35c6f5679a1f",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*/read",
"Microsoft.ApiManagement/service/workspaces/products/*",
"Microsoft.ApiManagement/service/workspaces/subscriptions/*",
"Microsoft.ApiManagement/service/workspaces/groups/*",
"Microsoft.ApiManagement/service/workspaces/tags/*",
"Microsoft.ApiManagement/service/workspaces/notifications/*",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace API Product Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace Contributor

Can manage the workspace and view, but not modify its members. This role should be
assigned on the workspace scope.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ApiManagement/service/workspaces/
*

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Can manage the workspace and view, but not modify its
members. This role should be assigned on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0c34c906-8d99-
4cb7-8bb7-33f5b0a1a799",
"name": "0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

API Management Workspace Reader

Has read-only access to entities in the workspace. This role should be assigned on the
workspace scope.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ApiManagement/service/workspaces/
*/read

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

none

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Has read-only access to entities in the workspace. This
role should be assigned on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ef1c2c96-4a77-
49e8-b9a4-6179fe1d2fd2",
"name": "ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Contributor

Grants permission for all management operations, except purge, for App Configuration
resources.

ﾉ Expand table

Actions Description

Microsoft.AppConfiguration/*

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

Microsoft.AppConfiguration/locations/deletedC Purge the specified deleted configuration store.

onfigurationStores/purge/action

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants permission for all management operations, except
purge, for App Configuration resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fe86443c-f201-
4fc4-9d2a-ac61149fbda0",
"name": "fe86443c-f201-4fc4-9d2a-ac61149fbda0",
"permissions": [
{
"actions": [
"Microsoft.AppConfiguration/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [

"Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/actio
n"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Configuration Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
App Configuration Data Owner
Allows full access to App Configuration data.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AppConfiguration/configurationStore
s/*/read

Microsoft.AppConfiguration/configurationStore
s/*/write

Microsoft.AppConfiguration/configurationStore
s/*/delete

Microsoft.AppConfiguration/configurationStore
s/*/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows full access to App Configuration data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-
40e7-96ff-dc2bfa4b606b",
"name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppConfiguration/configurationStores/*/read",
"Microsoft.AppConfiguration/configurationStores/*/write",
"Microsoft.AppConfiguration/configurationStores/*/delete",
"Microsoft.AppConfiguration/configurationStores/*/action"
],
"notDataActions": []
}
],
"roleName": "App Configuration Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Data Reader

Allows read access to App Configuration data.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.AppConfiguration/configurationStore
s/*/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows read access to App Configuration data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-
4d78-a4de-a74fb236a071",
"name": "516239f1-63e1-4d78-a4de-a74fb236a071",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppConfiguration/configurationStores/*/read"
],
"notDataActions": []
}
],
"roleName": "App Configuration Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

App Configuration Reader

Grants permission for read operations for App Configuration resources.

ﾉ Expand table

Actions Description

Microsoft.AppConfiguration/*/read

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/read Read a classic metric alert

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Grants permission for read operations for App
Configuration resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/175b81b9-6e0d-
490a-85e4-0d422273c10c",
"name": "175b81b9-6e0d-490a-85e4-0d422273c10c",
"permissions": [
{
"actions": [
"Microsoft.AppConfiguration/*/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Configuration Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure API Center Compliance Manager

Allows managing API compliance in Azure API Center service.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ApiCenter/services/*/read

Microsoft.ApiCenter/services/workspaces/apis/ Updates analysis results for specified API

versions/definitions/updateAnalysisState/action definition.

Microsoft.ApiCenter/services/workspaces/apis/ Exports API definition file.

versions/definitions/exportSpecification/action

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows managing API compliance in Azure API Center
service.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ede9aaa3-4627-
494e-be13-4aa7c256148d",
"name": "ede9aaa3-4627-494e-be13-4aa7c256148d",
"permissions": [
{
"actions": [
"Microsoft.ApiCenter/services/*/read",

"Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAna
lysisState/action",

"Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpe
cification/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure API Center Compliance Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure API Center Data Reader

Allows for access to Azure API Center data plane read operations.

Learn more

ﾉ Expand table

Actions Description

none

NotActions
Actions Description

none

DataActions

Microsoft.ApiCenter/services/*/read

Microsoft.ApiCenter/services/workspaces/apis/ Exports API definition file.

versions/definitions/exportSpecification/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for access to Azure API Center data plane read
operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c7244dfb-f447-
457d-b2ba-3999044d1706",
"name": "c7244dfb-f447-457d-b2ba-3999044d1706",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ApiCenter/services/*/read",

"Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpe
cification/action"
],
"notDataActions": []
}
],
"roleName": "Azure API Center Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure API Center Service Contributor

Allows managing Azure API Center service.

ﾉ Expand table
Actions Description

Microsoft.ApiCenter/services/*

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

Microsoft.ApiCenter/services/workspaces/apis/ Updates analysis results for specified API

versions/definitions/updateAnalysisState/action definition.

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows managing Azure API Center service.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dd24193f-ef65-
44e5-8a7e-6fa6e03f7713",
"name": "dd24193f-ef65-44e5-8a7e-6fa6e03f7713",
"permissions": [
{
"actions": [
"Microsoft.ApiCenter/services/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [

"Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAna
lysisState/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure API Center Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure API Center Service Reader

Allows read-only access to Azure API Center service.

ﾉ Expand table

Actions Description

Microsoft.ApiCenter/services/*/read

Microsoft.ApiCenter/services/workspaces/apis/ Exports API definition file.

versions/definitions/exportSpecification/action

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to Azure API Center service.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cba8790-29c5-
48e5-bab1-c7541b01cb04",
"name": "6cba8790-29c5-48e5-bab1-c7541b01cb04",
"permissions": [
{
"actions": [
"Microsoft.ApiCenter/services/*/read",

"Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpe
cification/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure API Center Service Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Listener

Allows for listen access to Azure Relay resources.

ﾉ Expand table

Actions Description

Microsoft.Relay/*/wcfRelays/read

Microsoft.Relay/*/hybridConnections/read

NotActions

none

DataActions

Microsoft.Relay/*/listen/action
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for listen access to Azure Relay resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-
4085-9386-aadae190014d",
"name": "26e0b698-aa6d-4085-9386-aadae190014d",
"permissions": [
{
"actions": [
"Microsoft.Relay/*/wcfRelays/read",
"Microsoft.Relay/*/hybridConnections/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*/listen/action"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Listener",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Owner

Allows for full access to Azure Relay resources.

ﾉ Expand table

Actions Description

Microsoft.Relay/*

NotActions

none

DataActions
Actions Description

Microsoft.Relay/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Relay resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-
4bfe-8383-c8a24483ee38",
"name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38",
"permissions": [
{
"actions": [
"Microsoft.Relay/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Relay Sender

Allows for send access to Azure Relay resources.

ﾉ Expand table

Actions Description

Microsoft.Relay/*/wcfRelays/read

Microsoft.Relay/*/hybridConnections/read

NotActions
Actions Description

none

DataActions

Microsoft.Relay/*/send/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for send access to Azure Relay resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-
41f1-98f4-1762cc7f685d",
"name": "26baccc8-eea7-41f1-98f4-1762cc7f685d",
"permissions": [
{
"actions": [
"Microsoft.Relay/*/wcfRelays/read",
"Microsoft.Relay/*/hybridConnections/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Resource Notifications System Topics

Subscriber
Lets you create system topics and event subscriptions on all system topics exposed
currently and in the future by Azure Resource Notifications

Learn more
ﾉ Expand table

Actions Description

Microsoft.ResourceNotifications/systemTopics/s Permission to perform creation and event

ubscribeToResources/action subscription creation on a Resources system
topic

Microsoft.ResourceNotifications/systemTopics/s Permission to perform creation and event

ubscribeToHealthResources/action subscription creation on a HealthResources
system topic

Microsoft.ResourceNotifications/systemTopics/s Permission to perform creation and event

ubscribeToMaintenanceResources/action subscription creation on a
MaintenanceResources system topic

Microsoft.ResourceNotifications/systemTopics/s Permission to perform creation and event

ubscribeToComputeResources/action subscription creation on a ComputeResources
system topic

Microsoft.ResourceNotifications/systemTopics/s Permission to perform creation and event

ubscribeToComputeScheduleResources/action subscription creation on a
ComputeScheduleResources system topic

Microsoft.EventGrid/eventSubscriptions/write Create or update an eventSubscription

Microsoft.EventGrid/systemTopics/eventSubscri Create or update a SystemTopic

ptions/write eventSubscription

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you create system topics and event subscriptions on
all system topics exposed currently and in the future by Azure Resource
Notifications",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0b962ed2-6d56-
471c-bd5f-3477d83a7ba4",
"name": "0b962ed2-6d56-471c-bd5f-3477d83a7ba4",
"permissions": [
{
"actions": [

"Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action",

"Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/act
ion",

"Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResource
s/action",

"Microsoft.ResourceNotifications/systemTopics/subscribeToComputeResources/ac
tion",

"Microsoft.ResourceNotifications/systemTopics/subscribeToComputeScheduleReso
urces/action",
"Microsoft.EventGrid/eventSubscriptions/write",
"Microsoft.EventGrid/systemTopics/eventSubscriptions/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Resource Notifications System Topics Subscriber",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Owner

Allows for full access to Azure Service Bus resources.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ServiceBus/*

NotActions

none

DataActions

Microsoft.ServiceBus/*
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Service Bus resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-
490a-894a-3ce6f1109419",
"name": "090c5cfd-751d-490a-894a-3ce6f1109419",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Receiver

Allows for receive access to Azure Service Bus resources.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ServiceBus/*/queues/read

Microsoft.ServiceBus/*/topics/read

Microsoft.ServiceBus/*/topics/subscriptions/rea
d
Actions Description

NotActions

none

DataActions

Microsoft.ServiceBus/*/receive/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for receive access to Azure Service Bus
resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-
4f4c-9142-0e5a2a2247e0",
"name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*/queues/read",
"Microsoft.ServiceBus/*/topics/read",
"Microsoft.ServiceBus/*/topics/subscriptions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*/receive/action"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Receiver",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Service Bus Data Sender

Allows for send access to Azure Service Bus resources.

Learn more
ﾉ Expand table

Actions Description

Microsoft.ServiceBus/*/queues/read

Microsoft.ServiceBus/*/topics/read

Microsoft.ServiceBus/*/topics/subscriptions/rea
d

NotActions

none

DataActions

Microsoft.ServiceBus/*/send/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for send access to Azure Service Bus resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-
44d8-bc22-1f3c2cd27a39",
"name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*/queues/read",
"Microsoft.ServiceBus/*/topics/read",
"Microsoft.ServiceBus/*/topics/subscriptions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
BizTalk Contributor
Lets you manage BizTalk services, but not access to them.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.BizTalkServices/BizTalk/* Create and manage BizTalk services

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage BizTalk services, but not access to
them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-
4708-81fe-0de47ac73342",
"name": "5e3c6656-6cfa-4708-81fe-0de47ac73342",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.BizTalkServices/BizTalk/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "BizTalk Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Chamber Admin
Lets you manage everything under your Modeling and Simulation Workbench chamber.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ModSimWorkbench/*/read

Microsoft.ModSimWorkbench/workbenches/ch
ambers/*

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

Microsoft.ModSimWorkbench/workbenches/ch manage fileRequests

ambers/fileRequests/manage/action

Microsoft.ModSimWorkbench/workbenches/ch
ambers/connector/setCopyPaste/action

DataActions

Microsoft.ModSimWorkbench/workbenches/ch
ambers/upload/action
Actions Description

Microsoft.ModSimWorkbench/workbenches/ch
ambers/files/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage everything under your Modeling and
Simulation Workbench chamber.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4e9b8407-af2e-
495b-ae54-bb60a55b1b5a",
"name": "4e9b8407-af2e-495b-ae54-bb60a55b1b5a",
"permissions": [
{
"actions": [
"Microsoft.ModSimWorkbench/*/read",
"Microsoft.ModSimWorkbench/workbenches/chambers/*",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [

"Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/manage/action",

"Microsoft.ModSimWorkbench/workbenches/chambers/connector/setCopyPaste/actio
n"
],
"dataActions": [
"Microsoft.ModSimWorkbench/workbenches/chambers/upload/action",
"Microsoft.ModSimWorkbench/workbenches/chambers/files/*"
],
"notDataActions": []
}
],
"roleName": "Chamber Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Chamber User
Lets you view everything under your Modeling and Simulation Workbench chamber, but
not make any changes.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ModSimWorkbench/workbenches/ch
ambers/*/read

Microsoft.ModSimWorkbench/workbenches/ch
ambers/workloads/*

Microsoft.ModSimWorkbench/workbenches/ch getUploadUri chambers

ambers/getUploadUri/action

Microsoft.ModSimWorkbench/workbenches/ch getDownloadUri fileRequests

ambers/fileRequests/getDownloadUri/action

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

Microsoft.ModSimWorkbench/workbenches/ch
ambers/upload/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you view everything under your Modeling and
Simulation Workbench chamber, but not make any changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4447db05-44ed-
4da3-ae60-6cbece780e32",
"name": "4447db05-44ed-4da3-ae60-6cbece780e32",
"permissions": [
{
"actions": [
"Microsoft.ModSimWorkbench/workbenches/chambers/*/read",
"Microsoft.ModSimWorkbench/workbenches/chambers/workloads/*",

"Microsoft.ModSimWorkbench/workbenches/chambers/getUploadUri/action",

"Microsoft.ModSimWorkbench/workbenches/chambers/fileRequests/getDownloadUri/
action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ModSimWorkbench/workbenches/chambers/upload/action"
],
"notDataActions": []
}
],
"roleName": "Chamber User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

DeID Batch Data Owner

Create and manage DeID batch jobs. This role is in preview and subject to change.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthDataAIServices/DeidServices/B Creates batches

atch/write

Microsoft.HealthDataAIServices/DeidServices/B Deletes a batch

atch/delete
Actions Description

Microsoft.HealthDataAIServices/DeidServices/B Reads a batch

atch/read

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Create and manage DeID batch jobs. This role is in preview
and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8a90fa6b-6997-
4a07-8a95-30633a7c97b9",
"name": "8a90fa6b-6997-4a07-8a95-30633a7c97b9",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthDataAIServices/DeidServices/Batch/write",
"Microsoft.HealthDataAIServices/DeidServices/Batch/delete",
"Microsoft.HealthDataAIServices/DeidServices/Batch/read"
],
"notDataActions": []
}
],
"roleName": "DeID Batch Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

DeID Batch Data Reader

Read DeID batch jobs. This role is in preview and subject to change.

Learn more

ﾉ Expand table

Actions Description

none
Actions Description

NotActions

none

DataActions

Microsoft.HealthDataAIServices/DeidServices/B Reads a batch

atch/read

NotDataActions

Microsoft.HealthDataAIServices/DeidServices/B Creates batches

atch/write

Microsoft.HealthDataAIServices/DeidServices/B Deletes a batch

atch/delete

JSON

{
"assignableScopes": [
"/"
],
"description": "Read DeID batch jobs. This role is in preview and subject
to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b73a14ee-91f5-
41b7-bd81-920e12466be9",
"name": "b73a14ee-91f5-41b7-bd81-920e12466be9",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthDataAIServices/DeidServices/Batch/read"
],
"notDataActions": [
"Microsoft.HealthDataAIServices/DeidServices/Batch/write",
"Microsoft.HealthDataAIServices/DeidServices/Batch/delete"
]
}
],
"roleName": "DeID Batch Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

DeID Data Owner

Full access to DeID data. This role is in preview and subject to change

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthDataAIServices/DeidServices/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Full access to DeID data. This role is in preview and
subject to change",
"id": "/providers/Microsoft.Authorization/roleDefinitions/78e4b983-1a0b-
472e-8b7d-8d770f7c5890",
"name": "78e4b983-1a0b-472e-8b7d-8d770f7c5890",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthDataAIServices/DeidServices/*"
],
"notDataActions": []
}
],
"roleName": "DeID Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

DeID Realtime Data User

Execute requests against DeID realtime endpoint. This role is in preview and subject to
change.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthDataAIServices/DeidServices/R Allows access to the realtime endpoint

ealtime/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Execute requests against DeID realtime endpoint. This role
is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bb6577c4-ea0a-
40b2-8962-ea18cb8ecd4e",
"name": "bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthDataAIServices/DeidServices/Realtime/action"
],
"notDataActions": []
}
],
"roleName": "DeID Realtime Data User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DICOM Data Owner
Full access to DICOM data.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthcareApis/workspaces/dicomser
vices/resources/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Full access to DICOM data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-
4c20-983a-32417c86fbc8",
"name": "58a3b984-7adf-4c20-983a-32417c86fbc8",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/workspaces/dicomservices/resources/*"
],
"notDataActions": []
}
],
"roleName": "DICOM Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DICOM Data Reader
Read and search DICOM data.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthcareApis/workspaces/dicomser Read DICOM resources (includes searching and

vices/resources/read change feed).

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read and search DICOM data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-
4fa1-a847-3e4c9ba4283a",
"name": "e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/workspaces/dicomservices/resources/read"
],
"notDataActions": []
}
],
"roleName": "DICOM Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
EventGrid Contributor
Lets you manage EventGrid operations.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.EventGrid/* Create and manage Event Grid resources

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage EventGrid operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-
49ea-94dc-649edcd759de",
"name": "1e241071-0855-49ea-94dc-649edcd759de",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid Data Sender

Allows send access to event grid events.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.EventGrid/topics/read Read a topic

Microsoft.EventGrid/domains/read Read a domain

Microsoft.EventGrid/partnerNamespaces/read Read a partner namespace

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.EventGrid/namespaces/read Read a namespace

NotActions

none

DataActions

Microsoft.EventGrid/events/send/action Send events to topics

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows send access to event grid events.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-
47e2-a06b-3470a27159e7",
"name": "d5a91429-5739-47e2-a06b-3470a27159e7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/topics/read",
"Microsoft.EventGrid/domains/read",
"Microsoft.EventGrid/partnerNamespaces/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.EventGrid/namespaces/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventGrid/events/send/action"
],
"notDataActions": []
}
],
"roleName": "EventGrid Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription Contributor

Lets you manage EventGrid event subscription operations.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.EventGrid/eventSubscriptions/* Create and manage regional event

subscriptions

Microsoft.EventGrid/topicTypes/eventSubscripti List global event subscriptions by topic type

ons/read

Microsoft.EventGrid/locations/eventSubscriptio List regional event subscriptions

ns/read

Microsoft.EventGrid/locations/topicTypes/event List regional event subscriptions by topictype

Subscriptions/read
Actions Description

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage EventGrid event subscription operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-
4d9c-a221-2c70d0e0a443",
"name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/eventSubscriptions/*",
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
"Microsoft.EventGrid/locations/eventSubscriptions/read",
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid EventSubscription Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid EventSubscription Reader

Lets you read EventGrid event subscriptions.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.EventGrid/eventSubscriptions/read Read an eventSubscription

Microsoft.EventGrid/topicTypes/eventSubscripti List global event subscriptions by topic type

ons/read

Microsoft.EventGrid/locations/eventSubscriptio List regional event subscriptions

ns/read

Microsoft.EventGrid/locations/topicTypes/event List regional event subscriptions by topictype

Subscriptions/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you read EventGrid event subscriptions.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-
4faf-8c65-045460748405",
"name": "2414bbcf-6497-4faf-8c65-045460748405",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/eventSubscriptions/read",
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
"Microsoft.EventGrid/locations/eventSubscriptions/read",
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid EventSubscription Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid TopicSpaces Publisher

Lets you publish messages on topicspaces.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.EventGrid/*/read

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

Microsoft.EventGrid/topicSpaces/publish/action Publish to a topic space

Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you publish messages on topicspaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a12b0b94-b317-
4dcd-84a8-502ce99884c6",
"name": "a12b0b94-b317-4dcd-84a8-502ce99884c6",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventGrid/topicSpaces/publish/action"
],
"notDataActions": []
}
],
"roleName": "EventGrid TopicSpaces Publisher",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

EventGrid TopicSpaces Subscriber

Lets you subscribe messages on topicspaces.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Actions Description

Microsoft.EventGrid/*/read

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

Microsoft.EventGrid/topicSpaces/subscribe/acti Subscribe to a topic space

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you subscribe messages on topicspaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4b0f2fd7-60b4-
4eca-896f-4435034f8bf5",
"name": "4b0f2fd7-60b4-4eca-896f-4435034f8bf5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventGrid/topicSpaces/subscribe/action"
],
"notDataActions": []
}
],
"roleName": "EventGrid TopicSpaces Subscriber",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Contributor

Role allows user or principal full access to FHIR Data

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthcareApis/services/fhir/resource
s/*

Microsoft.HealthcareApis/workspaces/fhirservic
es/resources/*

NotDataActions

Microsoft.HealthcareApis/services/fhir/resource Allows user to access FHIR Service according to

s/smart/action SMART on FHIR specification.

Microsoft.HealthcareApis/workspaces/fhirservic Allows user to access FHIR Service according to

es/resources/smart/action SMART on FHIR specification.

JSON

{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal full access to FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-
4951-a576-89034ee01acd",
"name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/*",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
],
"notDataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/smart/action",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action"
]
}
],
"roleName": "FHIR Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Converter

Role allows user or principal to convert data from legacy format to FHIR

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthcareApis/services/fhir/resource Data convert operation ($convert-data)

s/convertData/action

Microsoft.HealthcareApis/workspaces/fhirservic Data convert operation ($convert-data)

es/resources/convertData/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to convert data from legacy
format to FHIR",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-
45a5-8683-466fcfd5cc24",
"name": "a1705bd2-3a8f-45a5-8683-466fcfd5cc24",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [

"Microsoft.HealthcareApis/services/fhir/resources/convertData/action",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/acti
on"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Converter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Exporter

Role allows user or principal to read and export FHIR Data

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthcareApis/services/fhir/resource Read FHIR resources (includes searching and

s/read versioned history).

Microsoft.HealthcareApis/services/fhir/resource Export operation ($export).

s/export/action

Microsoft.HealthcareApis/workspaces/fhirservic Read FHIR resources (includes searching and

es/resources/read versioned history).
Actions Description

Microsoft.HealthcareApis/workspaces/fhirservic Export operation ($export).

es/resources/export/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and export FHIR
Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-
4567-8da5-1501d4e7e843",
"name": "3db33094-8700-4567-8da5-1501d4e7e843",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/services/fhir/resources/export/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Exporter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Importer

Role allows user or principal to read and import FHIR Data

Learn more

ﾉ Expand table
Actions Description

none

NotActions

none

DataActions

Microsoft.HealthcareApis/workspaces/fhirservic Read FHIR resources (includes searching and

es/resources/read versioned history).

Microsoft.HealthcareApis/workspaces/fhirservic Import FHIR resources in batch.

es/resources/import/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and import FHIR
Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-
4406-a58e-0f6e3f3b530b",
"name": "4465e953-8ced-4406-a58e-0f6e3f3b530b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Importer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

FHIR Data Reader

Role allows user or principal to read FHIR Data

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthcareApis/services/fhir/resource Read FHIR resources (includes searching and

s/read versioned history).

Microsoft.HealthcareApis/workspaces/fhirservic Read FHIR resources (includes searching and

es/resources/read versioned history).

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-
4935-991f-5f3c56d81508",
"name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
FHIR Data Writer
Role allows user or principal to read and write FHIR Data

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.HealthcareApis/services/fhir/resource Read FHIR resources (includes searching and

s/read versioned history).

Microsoft.HealthcareApis/services/fhir/resource Write FHIR resources (includes create and

s/write update).

Microsoft.HealthcareApis/services/fhir/resource Delete FHIR resources (soft delete).

s/delete

Microsoft.HealthcareApis/services/fhir/resource Export operation ($export).

s/export/action

Microsoft.HealthcareApis/services/fhir/resource Validate operation ($validate).

s/resourceValidate/action

Microsoft.HealthcareApis/services/fhir/resource Allows user to run Reindex job to index any

s/reindex/action search parameters that haven't yet been
indexed.

Microsoft.HealthcareApis/services/fhir/resource Data convert operation ($convert-data)

s/convertData/action

Microsoft.HealthcareApis/services/fhir/resource Allows user to perform Create Update Delete

s/editProfileDefinitions/action operations on profile resources.

Microsoft.HealthcareApis/services/fhir/resource Import FHIR resources in batch.

s/import/action

Microsoft.HealthcareApis/workspaces/fhirservic Read FHIR resources (includes searching and

es/resources/read versioned history).

Microsoft.HealthcareApis/workspaces/fhirservic Write FHIR resources (includes create and

es/resources/write update).
Actions Description

Microsoft.HealthcareApis/workspaces/fhirservic Delete FHIR resources (soft delete).

es/resources/delete

Microsoft.HealthcareApis/workspaces/fhirservic Export operation ($export).

es/resources/export/action

Microsoft.HealthcareApis/workspaces/fhirservic Validate operation ($validate).

es/resources/resourceValidate/action

Microsoft.HealthcareApis/workspaces/fhirservic Allows user to run Reindex job to index any

es/resources/reindex/action search parameters that haven't yet been
indexed.

Microsoft.HealthcareApis/workspaces/fhirservic Data convert operation ($convert-data)

es/resources/convertData/action

Microsoft.HealthcareApis/workspaces/fhirservic Allows user to perform Create Update Delete

es/resources/editProfileDefinitions/action operations on profile resources.

Microsoft.HealthcareApis/workspaces/fhirservic Import FHIR resources in batch.

es/resources/import/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and write FHIR
Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-
4214-ae73-ba5294559913",
"name": "3f88fce4-5892-4214-ae73-ba5294559913",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/services/fhir/resources/write",
"Microsoft.HealthcareApis/services/fhir/resources/delete",
"Microsoft.HealthcareApis/services/fhir/resources/export/action",

"Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action",
"Microsoft.HealthcareApis/services/fhir/resources/reindex/action",
"Microsoft.HealthcareApis/services/fhir/resources/convertData/action",

"Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/act
ion",
"Microsoft.HealthcareApis/services/fhir/resources/import/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/write",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate
/action",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/acti
on",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefin
itions/action",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

FHIR SMART User

Role allows user to access FHIR Service according to SMART on FHIR specification

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions
Actions Description

Microsoft.HealthcareApis/services/fhir/resource Read FHIR resources (includes searching and

s/read versioned history).

Microsoft.HealthcareApis/workspaces/fhirservic Read FHIR resources (includes searching and

es/resources/read versioned history).

Microsoft.HealthcareApis/services/fhir/resource Allows user to access FHIR Service according to

s/smart/action SMART on FHIR specification.

Microsoft.HealthcareApis/workspaces/fhirservic Allows user to access FHIR Service according to

es/resources/smart/action SMART on FHIR specification.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Role allows user to access FHIR Service according to SMART
on FHIR specification",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-
485c-a643-ff00808643f0",
"name": "4ba50f17-9666-485c-a643-ff00808643f0",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/services/fhir/resources/smart/action",

"Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action"
],
"notDataActions": []
}
],
"roleName": "FHIR SMART User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Integration Service Environment Contributor

Lets you manage integration service environments, but not access to them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Support/* Create and update a support ticket

Microsoft.Logic/integrationServiceEnvironment
s/*

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage integration service environments, but not
access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-
4a07-88f4-9bf657a760b8",
"name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Support/*",
"Microsoft.Logic/integrationServiceEnvironments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Integration Service Environment Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Integration Service Environment Developer

Allows developers to create and update workflows, integration accounts and API
connections in integration service environments.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Support/* Create and update a support ticket

Microsoft.Logic/integrationServiceEnvironment Reads the integration service environment.

s/read

Microsoft.Logic/integrationServiceEnvironment
s/*/join/action

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows developers to create and update workflows,
integration accounts and API connections in integration service
environments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-
444a-a5ca-5e51e485d6ec",
"name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Support/*",
"Microsoft.Logic/integrationServiceEnvironments/read",
"Microsoft.Logic/integrationServiceEnvironments/*/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Integration Service Environment Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Intelligent Systems Account Contributor

Lets you manage Intelligent Systems accounts, but not access to them.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.IntelligentSystems/accounts/* Create and manage intelligent systems

accounts

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage Intelligent Systems accounts, but not
access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-
4b3d-88af-7477090a9e5e",
"name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.IntelligentSystems/accounts/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Intelligent Systems Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Logic App Contributor

Lets you manage logic apps, but not change access to them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Actions Description

Microsoft.ClassicStorage/storageAccounts/listK Lists the access keys for the storage accounts.

eys/action

Microsoft.ClassicStorage/storageAccounts/read Return the storage account with the given

account.

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/metricAlerts/*

Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic

setting for Analysis Server

Microsoft.Insights/logdefinitions/* This permission is necessary for users who need

access to Activity Logs via the portal. List log
categories in Activity Log.

Microsoft.Insights/metricDefinitions/* Read metric definitions (list of available metric

types for a resource).

Microsoft.Logic/* Manages Logic Apps resources.

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Storage/storageAccounts/listkeys/acti Returns the access keys for the specified

on storage account.

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.Support/* Create and update a support ticket

Microsoft.Web/connectionGateways/* Create and manages a Connection Gateway.

Microsoft.Web/connections/* Create and manages a Connection.

Microsoft.Web/customApis/* Creates and manages a Custom API.

Microsoft.Web/serverFarms/join/action Joins an App Service Plan

Microsoft.Web/serverFarms/read Get the properties on an App Service Plan

Microsoft.Web/sites/functions/listSecrets/actio List Function secrets.

n
Actions Description

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage logic app, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-
424a-814c-f7e04687dc9e",
"name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metricAlerts/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Insights/logdefinitions/*",
"Microsoft.Insights/metricDefinitions/*",
"Microsoft.Logic/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*",
"Microsoft.Web/connectionGateways/*",
"Microsoft.Web/connections/*",
"Microsoft.Web/customApis/*",
"Microsoft.Web/serverFarms/join/action",
"Microsoft.Web/serverFarms/read",
"Microsoft.Web/sites/functions/listSecrets/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic App Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Logic App Operator

Lets you read, enable, and disable logic apps, but not edit or update them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/*/read Read Insights alert rules

Microsoft.Insights/metricAlerts/*/read

Microsoft.Insights/diagnosticSettings/*/read Gets diagnostic settings for Logic Apps

Microsoft.Insights/metricDefinitions/*/read Gets the available metrics for Logic Apps.

Microsoft.Logic/*/read Reads Logic Apps resources.

Microsoft.Logic/workflows/disable/action Disables the workflow.

Microsoft.Logic/workflows/enable/action Enables the workflow.

Microsoft.Logic/workflows/validate/action Validates the workflow.

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Web/connectionGateways/*/read Read Connection Gateways.

Microsoft.Web/connections/*/read Read Connections.

Microsoft.Web/customApis/*/read Read Custom API.

Actions Description

Microsoft.Web/serverFarms/read Get the properties on an App Service Plan

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you read, enable and disable logic app.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-
4321-b1b9-bd0c9a0f79fe",
"name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*/read",
"Microsoft.Insights/metricAlerts/*/read",
"Microsoft.Insights/diagnosticSettings/*/read",
"Microsoft.Insights/metricDefinitions/*/read",
"Microsoft.Logic/*/read",
"Microsoft.Logic/workflows/disable/action",
"Microsoft.Logic/workflows/enable/action",
"Microsoft.Logic/workflows/validate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/connectionGateways/*/read",
"Microsoft.Web/connections/*/read",
"Microsoft.Web/customApis/*/read",
"Microsoft.Web/serverFarms/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic App Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Logic Apps Standard Contributor (Preview)

You can manage all aspects of a Standard logic app and workflows. You can't change
access or ownership.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Web/*/read

Microsoft.Web/certificates/* Create and manage a certificate.

Microsoft.Web/connectionGateways/* Create and manages a Connection Gateway.

Microsoft.Web/connections/* Create and manages a Connection.

Microsoft.Web/customApis/* Creates and manages a Custom API.

Microsoft.Web/serverFarms/* Create and manage an App Service Plan.

Microsoft.Web/sites/* Create and manage a web app.

NotActions

none

DataActions
Actions Description

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "You can manage all aspects of a Standard logic app and
workflows. You can't change access or ownership.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ad710c24-b039-
4e85-a019-deb4a06e8570",
"name": "ad710c24-b039-4e85-a019-deb4a06e8570",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/*/read",
"Microsoft.Web/certificates/*",
"Microsoft.Web/connectionGateways/*",
"Microsoft.Web/connections/*",
"Microsoft.Web/customApis/*",
"Microsoft.Web/serverFarms/*",
"Microsoft.Web/sites/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic Apps Standard Contributor (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Logic Apps Standard Developer (Preview)

You can create and edit workflows, connections, and settings for a Standard logic app.
You can't make changes outside the workflow scope.
Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Web/*/read

Microsoft.Web/connections/* Create and manages a Connection.

Microsoft.Web/customApis/* Creates and manages a Custom API.

Microsoft.Web/sites/config/list/Action List Web App's security sensitive settings, such

as publishing credentials, app settings and
connection strings

microsoft.web/sites/config/Write Update Web App's configuration settings

microsoft.web/sites/config/web/appsettings/de Delete Web Apps App Setting

lete

microsoft.web/sites/config/web/appsettings/wr Create or Update Web App Single App setting

ite

microsoft.web/sites/deployWorkflowArtifacts/a Create the artifacts in a Logic App.

ction

microsoft.web/sites/hostruntime/* Get or list hostruntime artifacts for the web app

or function app.

microsoft.web/sites/listworkflowsconnections/a List logic app's connections by its ID in a Logic

ction App.

Microsoft.Web/sites/publish/Action Publish a Web App

microsoft.web/sites/slots/config/appsettings/w Create or Update Web App Slot's Single App

rite setting
Actions Description

Microsoft.Web/sites/slots/config/list/Action List Web App Slot's security sensitive settings,

such as publishing credentials, app settings and
connection strings

microsoft.web/sites/slots/config/web/appsettin Delete Web App Slot's App Setting

gs/delete

microsoft.web/sites/slots/deployWorkflowArtifa Create the artifacts in a deployment slot in a

cts/action Logic App.

microsoft.web/sites/slots/listworkflowsconnecti List logic app's connections by its ID in a

ons/action deployment slot in a Logic App.

Microsoft.Web/sites/slots/publish/Action Publish a Web App Slot

microsoft.web/sites/workflows/*

microsoft.web/sites/workflowsconfiguration/*

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "You can create and edit workflows, connections, and
settings for a Standard logic app. You can't make changes outside the
workflow scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/523776ba-4eb2-
4600-a3c8-f2dc93da4bdb",
"name": "523776ba-4eb2-4600-a3c8-f2dc93da4bdb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/*/read",
"Microsoft.Web/connections/*",
"Microsoft.Web/customApis/*",
"Microsoft.Web/sites/config/list/Action",
"microsoft.web/sites/config/Write",
"microsoft.web/sites/config/web/appsettings/delete",
"microsoft.web/sites/config/web/appsettings/write",
"microsoft.web/sites/deployWorkflowArtifacts/action",
"microsoft.web/sites/hostruntime/*",
"microsoft.web/sites/listworkflowsconnections/action",
"Microsoft.Web/sites/publish/Action",
"microsoft.web/sites/slots/config/appsettings/write",
"Microsoft.Web/sites/slots/config/list/Action",
"microsoft.web/sites/slots/config/web/appsettings/delete",
"microsoft.web/sites/slots/deployWorkflowArtifacts/action",
"microsoft.web/sites/slots/listworkflowsconnections/action",
"Microsoft.Web/sites/slots/publish/Action",
"microsoft.web/sites/workflows/*",
"microsoft.web/sites/workflowsconfiguration/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic Apps Standard Developer (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Logic Apps Standard Operator (Preview)

You can enable and disable the logic app, resubmit workflow runs, as well as create
connections. You can't edit workflows or settings.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead
Actions Description

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Web/*/read

Microsoft.Web/sites/applySlotConfig/Action Apply web app slot configuration from target

slot to the current web app

microsoft.web/sites/hostruntime/* Get or list hostruntime artifacts for the web app

or function app.

Microsoft.Web/sites/restart/Action Restart a Web App

Microsoft.Web/sites/slots/restart/Action Restart a Web App Slot

Microsoft.Web/sites/slots/slotsswap/Action Swap Web App deployment slots

Microsoft.Web/sites/slots/start/Action Start a Web App Slot

Microsoft.Web/sites/slots/stop/Action Stop a Web App Slot

Microsoft.Web/sites/slotsdiffs/Action Get differences in configuration between web

app and slots

Microsoft.Web/sites/slotsswap/Action Swap Web App deployment slots

Microsoft.Web/sites/start/Action Start a Web App

Microsoft.Web/sites/stop/Action Stop a Web App

Microsoft.Web/sites/write Create a new Web App or update an existing

one

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "You can enable and disable the logic app, resubmit
workflow runs, as well as create connections. You can't edit workflows or
settings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b70c96e9-66fe-
4c09-b6e7-c98e69c98555",
"name": "b70c96e9-66fe-4c09-b6e7-c98e69c98555",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/*/read",
"Microsoft.Web/sites/applySlotConfig/Action",
"microsoft.web/sites/hostruntime/*",
"Microsoft.Web/sites/restart/Action",
"Microsoft.Web/sites/slots/restart/Action",
"Microsoft.Web/sites/slots/slotsswap/Action",
"Microsoft.Web/sites/slots/start/Action",
"Microsoft.Web/sites/slots/stop/Action",
"Microsoft.Web/sites/slotsdiffs/Action",
"Microsoft.Web/sites/slotsswap/Action",
"Microsoft.Web/sites/start/Action",
"Microsoft.Web/sites/stop/Action",
"Microsoft.Web/sites/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic Apps Standard Operator (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Logic Apps Standard Reader (Preview)

You have read-only access to all resources in a Standard logic app and workflows,
including the workflow runs and their history.

Learn more
ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/subscriptions/operationres Get the subscription operation results.

ults/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Web/*/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "You have read-only access to all resources in a Standard
logic app and workflows, including the workflow runs and their history.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4accf36b-2c05-
432f-91c8-5c532dff4c73",
"name": "4accf36b-2c05-432f-91c8-5c532dff4c73",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic Apps Standard Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Scheduler Job Collections Contributor

Lets you manage Scheduler job collections, but not access to them.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Scheduler/jobcollections/* Create and manage job collections

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Scheduler job collections, but not access
to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-
469b-ae67-2aa5ce574b94",
"name": "188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Scheduler/jobcollections/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Scheduler Job Collections Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Services Hub Operator

Services Hub Operator allows you to perform all read, write, and deletion operations
related to Services Hub Connectors.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.ServicesHub/connectors/write Create or update a Services Hub Connector

Actions Description

Microsoft.ServicesHub/connectors/read View or List Services Hub Connectors

Microsoft.ServicesHub/connectors/delete Delete Services Hub Connectors

Microsoft.ServicesHub/connectors/checkAssess Lists the Assessment Entitlements for a given

mentEntitlement/action Services Hub Workspace

Microsoft.ServicesHub/supportOfferingEntitlem View the Support Offering Entitlements for a

ent/read given Services Hub Workspace

Microsoft.ServicesHub/workspaces/read List the Services Hub Workspaces for a given

User

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Services Hub Operator allows you to perform all read,
write, and deletion operations related to Services Hub Connectors.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-
47a5-b665-6d8765ee745b",
"name": "82200a5b-e217-47a5-b665-6d8765ee745b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.ServicesHub/connectors/write",
"Microsoft.ServicesHub/connectors/read",
"Microsoft.ServicesHub/connectors/delete",

"Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action",
"Microsoft.ServicesHub/supportOfferingEntitlement/read",
"Microsoft.ServicesHub/workspaces/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Services Hub Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Identity
Article • 09/20/2024

This article lists the Azure built-in roles in the Identity category.

Domain Services Contributor

Can manage Azure AD Domain Services and related network configurations

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Resources/deployments/delete Deletes a deployment.

Microsoft.Resources/deployments/cancel/actio Cancels a deployment.

Microsoft.Resources/deployments/validate/acti Validates an deployment.

Microsoft.Resources/deployments/whatIf/actio Predicts template deployment changes.

Microsoft.Resources/deployments/exportTempl Export template for a deployment

ate/action

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/deployments/operationsta Gets or lists deployment operation statuses.

tuses/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Insights/AlertRules/Write Create or update a classic metric alert

Microsoft.Insights/AlertRules/Delete Delete a classic metric alert

Actions Description

Microsoft.Insights/AlertRules/Read Read a classic metric alert

Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated

Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved

Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled

Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident

Microsoft.Insights/Logs/Read Reading data from all your logs

Microsoft.Insights/Metrics/Read Read metrics

Microsoft.Insights/DiagnosticSettings/* Creates, updates, or reads the diagnostic

setting for Analysis Server

Microsoft.Insights/DiagnosticSettingsCategorie Read diagnostic settings categories

s/Read

Microsoft.AAD/register/action Register Domain Service

Microsoft.AAD/unregister/action Unregister Domain Service

Microsoft.AAD/domainServices/*

Microsoft.Network/register/action Registers the subscription

Microsoft.Network/unregister/action Unregisters the subscription

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/virtualNetworks/write Creates a virtual network or updates an existing

virtual network

Microsoft.Network/virtualNetworks/delete Deletes a virtual network

Microsoft.Network/virtualNetworks/peer/action Peers a virtual network with another virtual

network

Microsoft.Network/virtualNetworks/join/action Joins a virtual network. Not Alertable.

Microsoft.Network/virtualNetworks/subnets/rea Gets a virtual network subnet definition

Microsoft.Network/virtualNetworks/subnets/wri Creates a virtual network subnet or updates an

te existing virtual network subnet

Microsoft.Network/virtualNetworks/subnets/del Deletes a virtual network subnet

ete
Actions Description

Microsoft.Network/virtualNetworks/subnets/joi Joins a virtual network. Not Alertable.

n/action

Microsoft.Network/virtualNetworks/virtualNetw Gets a virtual network peering definition

orkPeerings/read

Microsoft.Network/virtualNetworks/virtualNetw Creates a virtual network peering or updates an

orkPeerings/write existing virtual network peering

Microsoft.Network/virtualNetworks/virtualNetw Deletes a virtual network peering

orkPeerings/delete

Microsoft.Network/virtualNetworks/providers/ Get the diagnostic settings of Virtual Network

Microsoft.Insights/diagnosticSettings/read

Microsoft.Network/virtualNetworks/providers/ Gets available metrics for the PingMesh

Microsoft.Insights/metricDefinitions/read

Microsoft.Network/azureFirewalls/read Get Azure Firewall

Microsoft.Network/ddosProtectionPlans/read Gets a DDoS Protection Plan

Microsoft.Network/ddosProtectionPlans/join/ac Joins a DDoS Protection Plan. Not alertable.

tion

Microsoft.Network/loadBalancers/read Gets a load balancer definition

Microsoft.Network/loadBalancers/delete Deletes a load balancer

Microsoft.Network/loadBalancers/*/read

Microsoft.Network/loadBalancers/backendAddr Joins a load balancer backend address pool.

essPools/join/action Not Alertable.

Microsoft.Network/loadBalancers/inboundNatR Joins a load balancer inbound nat rule. Not

ules/join/action Alertable.

Microsoft.Network/natGateways/join/action Joins a NAT Gateway

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Network/networkInterfaces/write Creates a network interface or updates an

existing network interface.

Microsoft.Network/networkInterfaces/delete Deletes a network interface

Microsoft.Network/networkInterfaces/join/actio Joins a Virtual Machine to a network interface.

n Not Alertable.

Microsoft.Network/networkSecurityGroups/def Gets a default security rule definition

Actions Description

aultSecurityRules/read

Microsoft.Network/networkSecurityGroups/rea Gets a network security group definition

Microsoft.Network/networkSecurityGroups/writ Creates a network security group or updates an

e existing network security group

Microsoft.Network/networkSecurityGroups/del Deletes a network security group

ete

Microsoft.Network/networkSecurityGroups/join Joins a network security group. Not Alertable.

/action

Microsoft.Network/networkSecurityGroups/sec Gets a security rule definition

urityRules/read

Microsoft.Network/networkSecurityGroups/sec Creates a security rule or updates an existing

urityRules/write security rule

Microsoft.Network/networkSecurityGroups/sec Deletes a security rule

urityRules/delete

Microsoft.Network/routeTables/read Gets a route table definition

Microsoft.Network/routeTables/write Creates a route table or Updates an existing

route table

Microsoft.Network/routeTables/delete Deletes a route table definition

Microsoft.Network/routeTables/join/action Joins a route table. Not Alertable.

Microsoft.Network/routeTables/routes/read Gets a route definition

Microsoft.Network/routeTables/routes/write Creates a route or Updates an existing route

Microsoft.Network/routeTables/routes/delete Deletes a route definition

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Can manage Azure AD Domain Services and related network
configurations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/eeaeda52-9324-
47f6-8069-5d5bade478b2",
"name": "eeaeda52-9324-47f6-8069-5d5bade478b2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/whatIf/action",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Insights/Logs/Read",
"Microsoft.Insights/Metrics/Read",
"Microsoft.Insights/DiagnosticSettings/*",
"Microsoft.Insights/DiagnosticSettingsCategories/Read",
"Microsoft.AAD/register/action",
"Microsoft.AAD/unregister/action",
"Microsoft.AAD/domainServices/*",
"Microsoft.Network/register/action",
"Microsoft.Network/unregister/action",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/write",
"Microsoft.Network/virtualNetworks/delete",
"Microsoft.Network/virtualNetworks/peer/action",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/delete",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",

"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSe
ttings/read",
"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefini
tions/read",
"Microsoft.Network/azureFirewalls/read",
"Microsoft.Network/ddosProtectionPlans/read",
"Microsoft.Network/ddosProtectionPlans/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/delete",
"Microsoft.Network/loadBalancers/*/read",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/natGateways/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/networkSecurityGroups/securityRules/delete",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/write",
"Microsoft.Network/routeTables/delete",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/routes/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Domain Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Domain Services Reader

Can view Azure AD Domain Services and related network configurations

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Actions Description

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/deployments/operationsta Gets or lists deployment operation statuses.

tuses/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Insights/AlertRules/Read Read a classic metric alert

Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident

Microsoft.Insights/Logs/Read Reading data from all your logs

Microsoft.Insights/Metrics/read Read metrics

Microsoft.Insights/DiagnosticSettings/read Read a resource diagnostic setting

Microsoft.Insights/DiagnosticSettingsCategorie Read diagnostic settings categories

s/Read

Microsoft.AAD/domainServices/*/read

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/virtualNetworks/subnets/rea Gets a virtual network subnet definition

Microsoft.Network/virtualNetworks/virtualNetw Gets a virtual network peering definition

orkPeerings/read

Microsoft.Network/virtualNetworks/providers/ Get the diagnostic settings of Virtual Network

Microsoft.Insights/diagnosticSettings/read

Microsoft.Network/virtualNetworks/providers/ Gets available metrics for the PingMesh

Microsoft.Insights/metricDefinitions/read

Microsoft.Network/azureFirewalls/read Get Azure Firewall

Microsoft.Network/ddosProtectionPlans/read Gets a DDoS Protection Plan

Microsoft.Network/loadBalancers/read Gets a load balancer definition

Microsoft.Network/loadBalancers/*/read

Microsoft.Network/natGateways/read Gets a Nat Gateway Definition

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Actions Description

Microsoft.Network/networkSecurityGroups/def Gets a default security rule definition

aultSecurityRules/read

Microsoft.Network/networkSecurityGroups/rea Gets a network security group definition

Microsoft.Network/networkSecurityGroups/sec Gets a security rule definition

urityRules/read

Microsoft.Network/routeTables/read Gets a route table definition

Microsoft.Network/routeTables/routes/read Gets a route definition

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can view Azure AD Domain Services and related network
configurations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/361898ef-9ed1-
48c2-849c-a832951106bb",
"name": "361898ef-9ed1-48c2-849c-a832951106bb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Insights/Logs/Read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Insights/DiagnosticSettings/read",
"Microsoft.Insights/DiagnosticSettingsCategories/Read",
"Microsoft.AAD/domainServices/*/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",

"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/diagnosticSe
ttings/read",

"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefini
tions/read",
"Microsoft.Network/azureFirewalls/read",
"Microsoft.Network/ddosProtectionPlans/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/*/read",
"Microsoft.Network/natGateways/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/routes/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Domain Services Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Managed Identity Contributor

Create, Read, Update, and Delete User Assigned Identity

Learn more

ﾉ Expand table

Actions Description

Microsoft.ManagedIdentity/userAssignedIdentit Gets an existing user assigned identity

ies/read

Microsoft.ManagedIdentity/userAssignedIdentit Creates a new user assigned identity or updates

ies/write the tags associated with an existing user
assigned identity

Microsoft.ManagedIdentity/userAssignedIdentit Deletes an existing user assigned identity

ies/delete
Actions Description

Microsoft.ManagedIdentity/userAssignedIdentit Get or list Federated Identity Credentials

ies/federatedIdentityCredentials/read

Microsoft.ManagedIdentity/userAssignedIdentit Add or update a Federated Identity Credential

ies/federatedIdentityCredentials/write

Microsoft.ManagedIdentity/userAssignedIdentit Delete a Federated Identity Credential

ies/federatedIdentityCredentials/delete

Microsoft.ManagedIdentity/userAssignedIdentit Revoked all the existing tokens on a user

ies/revokeTokens/action assigned identity

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Create, Read, Update, and Delete User Assigned Identity",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-
45a2-b4ff-59039f2c2b59",
"name": "e40ec5ca-96e0-45a2-b4ff-59039f2c2b59",
"permissions": [
{
"actions": [
"Microsoft.ManagedIdentity/userAssignedIdentities/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/write",
"Microsoft.ManagedIdentity/userAssignedIdentities/delete",
"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentia
ls/read",

"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentia
ls/write",

"Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentia
ls/delete",

"Microsoft.ManagedIdentity/userAssignedIdentities/revokeTokens/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Identity Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Managed Identity Operator

Read and Assign User Assigned Identity

Learn more

ﾉ Expand table

Actions Description

Microsoft.ManagedIdentity/userAssignedIdentit
ies/*/read

Microsoft.ManagedIdentity/userAssignedIdentit
ies/*/assign/action

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read
Actions Description

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read and Assign User Assigned Identity",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-
45cb-824c-7a7467783830",
"name": "f1a07417-d97a-45cb-824c-7a7467783830",
"permissions": [
{
"actions": [
"Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Identity Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Security
Article • 09/20/2024

This article lists the Azure built-in roles in the Security category.

App Compliance Automation Administrator

Create, read, download, modify and delete reports objects and related other resource
objects.

Learn more

ﾉ Expand table

Actions Description

Microsoft.AppComplianceAutomation/*

Microsoft.Storage/storageAccounts/blobService Returns the result of put blob service properties

s/write

Microsoft.Storage/storageAccounts/fileservices Put file service properties

/write

Microsoft.Storage/storageAccounts/listKeys/act Returns the access keys for the specified

ion storage account.

Microsoft.Storage/storageAccounts/write Creates a storage account with the specified

parameters or update the properties or tags or
adds custom domain for the specified storage
account.

Microsoft.Storage/storageAccounts/blobService Returns a user delegation key for the blob

s/generateUserDelegationKey/action service

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.Storage/storageAccounts/blobService Returns list of containers

s/containers/read

Microsoft.Storage/storageAccounts/blobService Returns the result of put blob container

s/containers/write

Microsoft.Storage/storageAccounts/blobService Returns blob service properties or statistics

s/read
Actions Description

Microsoft.PolicyInsights/policyStates/queryResu Query information about policy states.

lts/action

Microsoft.PolicyInsights/policyStates/triggerEva Triggers a new compliance evaluation for the

luation/action selected scope.

Microsoft.Resources/resources/read Get the list of resources based upon filters.

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/subscriptions/resourceGro Gets the resources for the resource group.

ups/resources/read

Microsoft.Resources/subscriptions/resources/re Gets resources of a subscription.

Microsoft.Resources/subscriptions/resourceGro Deletes a resource group and all its resources.

ups/delete

Microsoft.Resources/subscriptions/resourceGro Creates or updates a resource group.

ups/write

Microsoft.Resources/tags/read Gets all the tags on a resource.

Microsoft.Resources/deployments/validate/acti Validates an deployment.

Microsoft.Security/automations/read Gets the automations for the scope

Microsoft.Resources/deployments/write Creates or updates an deployment.

Microsoft.Security/automations/delete Deletes the automation for the scope

Microsoft.Security/automations/write Creates or updates the automation for the

scope

Microsoft.Security/register/action Registers the subscription for Azure Security

Center

Microsoft.Security/unregister/action Unregisters the subscription from Azure

Security Center

*/read Read resources of all types, except secrets.

NotActions

none
Actions Description

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Create, read, download, modify and delete reports objects
and related other resource objects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0f37683f-2463-
46b6-9ce7-9b788b988ba2",
"name": "0f37683f-2463-46b6-9ce7-9b788b988ba2",
"permissions": [
{
"actions": [
"Microsoft.AppComplianceAutomation/*",
"Microsoft.Storage/storageAccounts/blobServices/write",
"Microsoft.Storage/storageAccounts/fileservices/write",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/write",

"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/ac
tion",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.PolicyInsights/policyStates/queryResults/action",
"Microsoft.PolicyInsights/policyStates/triggerEvaluation/action",
"Microsoft.Resources/resources/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/resources/read",
"Microsoft.Resources/subscriptions/resources/read",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/tags/read",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Security/automations/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Security/automations/delete",
"Microsoft.Security/automations/write",
"Microsoft.Security/register/action",
"Microsoft.Security/unregister/action",
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Compliance Automation Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

App Compliance Automation Reader

Read, download the reports objects and related other resource objects.

Learn more

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read, download the reports objects and related other
resource objects.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ffc6bbe0-e443-
4c3b-bf54-26581bb2f78e",
"name": "ffc6bbe0-e443-4c3b-bf54-26581bb2f78e",
"permissions": [
{
"actions": [
"*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Compliance Automation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Attestation Contributor
Can read write or delete the attestation provider instance

Learn more

ﾉ Expand table

Actions Description

Microsoft.Attestation/attestationProviders/attes Gets the attestation service status.

tation/read

Microsoft.Attestation/attestationProviders/attes Adds attestation service.

tation/write

Microsoft.Attestation/attestationProviders/attes Removes attestation service.

tation/delete

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can read write or delete the attestation provider
instance",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-
4cce-96e4-18cddf81d86e",
"name": "bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read",
"Microsoft.Attestation/attestationProviders/attestation/write",
"Microsoft.Attestation/attestationProviders/attestation/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Attestation Reader
Can read the attestation provider properties

Learn more

ﾉ Expand table

Actions Description

Microsoft.Attestation/attestationProviders/attes Gets the attestation service status.

tation/read

Microsoft.Attestation/attestationProviders/read Gets the attestation service status.

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Can read the attestation provider properties",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-
40bc-a0bc-69b95687b9f3",
"name": "fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
"permissions": [
{
"actions": [
"Microsoft.Attestation/attestationProviders/attestation/read",
"Microsoft.Attestation/attestationProviders/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Attestation Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Administrator

Perform all data plane operations on a key vault and all objects in it, including
certificates, keys, and secrets. Cannot manage key vault resources or manage role
assignments. Only works for key vaults that use the 'Azure role-based access control'
permission model.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Actions Description

Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not

in use

Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults

Microsoft.KeyVault/locations/*/read

Microsoft.KeyVault/vaults/*/read

Microsoft.KeyVault/operations/read Lists operations available on Microsoft.KeyVault

resource provider

NotActions

none

DataActions

Microsoft.KeyVault/vaults/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Perform all data plane operations on a key vault and all
objects in it, including certificates, keys, and secrets. Cannot manage key
vault resources or manage role assignments. Only works for key vaults that
use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-
4fb3-b363-3b7fe8e74483",
"name": "00482a5a-887f-4fb3-b363-3b7fe8e74483",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Certificate User

Read certificate contents. Only works for key vaults that use the 'Azure role-based access
control' permission model.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.KeyVault/vaults/certificates/read List certificates in a specified key vault, or get

information about a certificate.

Microsoft.KeyVault/vaults/secrets/getSecret/act Gets the value of a secret.

ion

Microsoft.KeyVault/vaults/secrets/readMetadat List or view the properties of a secret, but not

a/action its value.

Microsoft.KeyVault/vaults/keys/read List keys in the specified vault, or read

properties and public material of a key. For
asymmetric keys, this operation exposes public
key and includes ability to perform public key
algorithms such as encrypt and verify signature.
Private keys and symmetric keys are never
exposed.

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read certificate contents. Only works for key vaults that
use the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-
4b58-9aeb-b90e7c24fcba",
"name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/certificates/read",
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action",
"Microsoft.KeyVault/vaults/keys/read"
],
"notDataActions": []
}
],
"roleName": "Key Vault Certificate User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Certificates Officer

Perform any action on the certificates of a key vault, except manage permissions. Only
works for key vaults that use the 'Azure role-based access control' permission model.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not

in use

Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults

Microsoft.KeyVault/locations/*/read

Microsoft.KeyVault/vaults/*/read

Microsoft.KeyVault/operations/read Lists operations available on Microsoft.KeyVault

resource provider

NotActions

none

DataActions

Microsoft.KeyVault/vaults/certificatecas/*

Microsoft.KeyVault/vaults/certificates/*

Microsoft.KeyVault/vaults/certificatecontacts/wr Manage Certificate Contact

ite

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Perform any action on the certificates of a key vault,
except manage permissions. Only works for key vaults that use the 'Azure
role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-
4de8-b567-7b0420556985",
"name": "a4417e6f-fecd-4de8-b567-7b0420556985",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/certificatecas/*",
"Microsoft.KeyVault/vaults/certificates/*",
"Microsoft.KeyVault/vaults/certificatecontacts/write"
],
"notDataActions": []
}
],
"roleName": "Key Vault Certificates Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Contributor

Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not
allow you to access secrets, keys, or certificates.

Learn more

） Important

When using the Access Policy permission model, a user with the Contributor , Key
Vault Contributor , or any other role that includes
Microsoft.KeyVault/vaults/write permissions for the key vault management plane

can grant themselves data plane access by setting a Key Vault access policy. To
prevent unauthorized access and management of your key vaults, keys, secrets, and
certificates, it's essential to limit Contributor role access to key vaults under the
Access Policy permission model. To mitigate this risk, we recommend you use the
Role-Based Access Control (RBAC) permission model, which restricts permission
management to the 'Owner' and 'User Access Administrator' roles, allowing a clear
separation between security operations and administrative duties. See the Key
Vault RBAC Guide and What is Azure RBAC? for more information.
ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.KeyVault/*

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

Microsoft.KeyVault/locations/deletedVaults/pur Purge a soft deleted key vault

ge/action

Microsoft.KeyVault/hsmPools/*

Microsoft.KeyVault/managedHsms/*

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage key vaults, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-
4377-a976-54943a77a395",
"name": "f25e0fa2-a7c8-4377-a976-54943a77a395",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.KeyVault/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.KeyVault/locations/deletedVaults/purge/action",
"Microsoft.KeyVault/hsmPools/*",
"Microsoft.KeyVault/managedHsms/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Key Vault Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto Officer

Perform any action on the keys of a key vault, except manage permissions. Only works
for key vaults that use the 'Azure role-based access control' permission model.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not

in use

Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults

Microsoft.KeyVault/locations/*/read

Microsoft.KeyVault/vaults/*/read

Microsoft.KeyVault/operations/read Lists operations available on Microsoft.KeyVault

resource provider

NotActions
Actions Description

none

DataActions

Microsoft.KeyVault/vaults/keys/*

Microsoft.KeyVault/vaults/keyrotationpolicies/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Perform any action on the keys of a key vault, except
manage permissions. Only works for key vaults that use the 'Azure role-based
access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-
41b4-b07b-48a6ebf60603",
"name": "14b46e9e-c2b7-41b4-b07b-48a6ebf60603",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/*",
"Microsoft.KeyVault/vaults/keyrotationpolicies/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Crypto Service Encryption User
Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults
that use the 'Azure role-based access control' permission model.

Learn more

ﾉ Expand table

Actions Description

Microsoft.EventGrid/eventSubscriptions/write Create or update an eventSubscription

Microsoft.EventGrid/eventSubscriptions/read Read an eventSubscription

Microsoft.EventGrid/eventSubscriptions/delete Delete an eventSubscription

NotActions

none

DataActions

Microsoft.KeyVault/vaults/keys/read List keys in the specified vault, or read

Microsoft.KeyVault/vaults/keys/wrap/action Wraps a symmetric key with a Key Vault key.

Note that if the Key Vault key is asymmetric,
this operation can be performed by principals
with read access.

Microsoft.KeyVault/vaults/keys/unwrap/action Unwraps a symmetric key with a Key Vault key.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Read metadata of keys and perform wrap/unwrap operations.
Only works for key vaults that use the 'Azure role-based access control'
permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-
4113-8e2d-b22465e65bf6",
"name": "e147488a-f6f5-4113-8e2d-b22465e65bf6",
"permissions": [
{
"actions": [
"Microsoft.EventGrid/eventSubscriptions/write",
"Microsoft.EventGrid/eventSubscriptions/read",
"Microsoft.EventGrid/eventSubscriptions/delete"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Service Encryption User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto Service Release User

Release keys. Only works for key vaults that use the 'Azure role-based access control'
permission model.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.KeyVault/vaults/keys/release/action Release a key using public part of KEK from

attestation token.

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Release keys. Only works for key vaults that use the
'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08bbd89e-9f13-
488c-ac41-acfcb10c90ab",
"name": "08bbd89e-9f13-488c-ac41-acfcb10c90ab",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/release/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto Service Release User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Crypto User

Perform cryptographic operations using keys. Only works for key vaults that use the
'Azure role-based access control' permission model.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.KeyVault/vaults/keys/read List keys in the specified vault, or read

Private keys and symmetric keys are never

exposed.

Microsoft.KeyVault/vaults/keys/update/action Updates the specified attributes associated with

the given key.

Microsoft.KeyVault/vaults/keys/backup/action Creates the backup file of a key. The file can

used to restore the key in a Key Vault of same
subscription. Restrictions may apply.

Microsoft.KeyVault/vaults/keys/encrypt/action Encrypts plaintext with a key. Note that if the

key is asymmetric, this operation can be
performed by principals with read access.

Microsoft.KeyVault/vaults/keys/decrypt/action Decrypts ciphertext with a key.

Microsoft.KeyVault/vaults/keys/wrap/action Wraps a symmetric key with a Key Vault key.

Note that if the Key Vault key is asymmetric,
this operation can be performed by principals
with read access.

Microsoft.KeyVault/vaults/keys/unwrap/action Unwraps a symmetric key with a Key Vault key.

Microsoft.KeyVault/vaults/keys/sign/action Signs a message digest (hash) with a key.

Microsoft.KeyVault/vaults/keys/verify/action Verifies the signature of a message digest

(hash) with a key. Note that if the key is
asymmetric, this operation can be performed
by principals with read access.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Perform cryptographic operations using keys. Only works
for key vaults that use the 'Azure role-based access control' permission
model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-
4776-bea7-57ae8d297424",
"name": "12338af0-0e69-4776-bea7-57ae8d297424",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/keys/read",
"Microsoft.KeyVault/vaults/keys/update/action",
"Microsoft.KeyVault/vaults/keys/backup/action",
"Microsoft.KeyVault/vaults/keys/encrypt/action",
"Microsoft.KeyVault/vaults/keys/decrypt/action",
"Microsoft.KeyVault/vaults/keys/wrap/action",
"Microsoft.KeyVault/vaults/keys/unwrap/action",
"Microsoft.KeyVault/vaults/keys/sign/action",
"Microsoft.KeyVault/vaults/keys/verify/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Crypto User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Data Access Administrator

Manage access to Azure Key Vault by adding or removing role assignments for the Key
Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault
Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault
Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain
role assignments.

ﾉ Expand table

Actions Description

Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.

Microsoft.Authorization/roleAssignments/delet Delete a role assignment at the specified scope.

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

Microsoft.Resources/deployments/* Create and manage a deployment

Actions Description

Microsoft.Support/* Create and update a support ticket

Microsoft.KeyVault/vaults/*/read

NotActions

none

DataActions

none

NotDataActions

none

Condition

((! Add or remove role assignments for the

(ActionMatches{'Microsoft.Authorization/roleAs following roles:
signments/write'})) OR Key Vault Administrator
(@Request[Microsoft.Authorization/roleAssign Key Vault Certificates Officer
ments:RoleDefinitionId] Key Vault Crypto Officer
ForAnyOfAnyValues:GuidEquals{00482a5a- Key Vault Crypto Service Encryption User
887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd- Key Vault Crypto User
4de8-b567-7b0420556985, 14b46e9e-c2b7- Key Vault Reader
41b4-b07b-48a6ebf60603, e147488a-f6f5- Key Vault Secrets Officer
4113-8e2d-b22465e65bf6, 12338af0-0e69- Key Vault Secrets User
4776-bea7-57ae8d297424, 21090545-7ca7-
4776-b22c-e363652d74d2, b86a8fe4-44ce-
4948-aee5-eccb2c155cd7, 4633458b-17de-
408a-b874-0445c86b69e6})) AND ((!
(ActionMatches{'Microsoft.Authorization/roleAs
signments/delete'})) OR
(@Resource[Microsoft.Authorization/roleAssign
ments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{00482a5a-
887f-4fb3-b363-3b7fe8e74483, a4417e6f-fecd-
4de8-b567-7b0420556985, 14b46e9e-c2b7-
41b4-b07b-48a6ebf60603, e147488a-f6f5-
4113-8e2d-b22465e65bf6, 12338af0-0e69-
4776-bea7-57ae8d297424, 21090545-7ca7-
4776-b22c-e363652d74d2, b86a8fe4-44ce-
4948-aee5-eccb2c155cd7, 4633458b-17de-
408a-b874-0445c86b69e6}))

JSON
{
"assignableScopes": [
"/"
],
"description": "Manage access to Azure Key Vault by adding or removing
role assignments for the Key Vault Administrator, Key Vault Certificates
Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User,
Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key
Vault Secrets User roles. Includes an ABAC condition to constrain role
assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8b54135c-b56d-
4d72-a534-26097cfdc8d8",
"name": "8b54135c-b56d-4d72-a534-26097cfdc8d8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*",
"Microsoft.KeyVault/vaults/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!
(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR
(@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-
fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-
f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-
7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-
17de-408a-b874-0445c86b69e6})) AND ((!
(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR
(@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId]
ForAnyOfAnyValues:GuidEquals{00482a5a-887f-4fb3-b363-3b7fe8e74483, a4417e6f-
fecd-4de8-b567-7b0420556985, 14b46e9e-c2b7-41b4-b07b-48a6ebf60603, e147488a-
f6f5-4113-8e2d-b22465e65bf6, 12338af0-0e69-4776-bea7-57ae8d297424, 21090545-
7ca7-4776-b22c-e363652d74d2, b86a8fe4-44ce-4948-aee5-eccb2c155cd7, 4633458b-
17de-408a-b874-0445c86b69e6}))"
}
],
"roleName": "Key Vault Data Access Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Key Vault Reader
Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive
values such as secret contents or key material. Only works for key vaults that use the
'Azure role-based access control' permission model.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not

in use

Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults

Microsoft.KeyVault/locations/*/read

Microsoft.KeyVault/vaults/*/read

Microsoft.KeyVault/operations/read Lists operations available on Microsoft.KeyVault

resource provider

NotActions

none

DataActions

Microsoft.KeyVault/vaults/*/read

Microsoft.KeyVault/vaults/secrets/readMetadat List or view the properties of a secret, but not

a/action its value.

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Read metadata of key vaults and its certificates, keys,
and secrets. Cannot read sensitive values such as secret contents or key
material. Only works for key vaults that use the 'Azure role-based access
control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-
4776-b22c-e363652d74d2",
"name": "21090545-7ca7-4776-b22c-e363652d74d2",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Secrets Officer

Perform any action on the secrets of a key vault, except manage permissions. Only
works for key vaults that use the 'Azure role-based access control' permission model.

Learn more

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.KeyVault/checkNameAvailability/read Checks that a key vault name is valid and is not

in use

Microsoft.KeyVault/deletedVaults/read View the properties of soft deleted key vaults

Microsoft.KeyVault/locations/*/read

Microsoft.KeyVault/vaults/*/read

Microsoft.KeyVault/operations/read Lists operations available on Microsoft.KeyVault

resource provider

NotActions

none

DataActions

Microsoft.KeyVault/vaults/secrets/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Perform any action on the secrets of a key vault, except
manage permissions. Only works for key vaults that use the 'Azure role-based
access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-
4948-aee5-eccb2c155cd7",
"name": "b86a8fe4-44ce-4948-aee5-eccb2c155cd7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.KeyVault/checkNameAvailability/read",
"Microsoft.KeyVault/deletedVaults/read",
"Microsoft.KeyVault/locations/*/read",
"Microsoft.KeyVault/vaults/*/read",
"Microsoft.KeyVault/operations/read"
],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/*"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets Officer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Key Vault Secrets User

Read secret contents. Only works for key vaults that use the 'Azure role-based access
control' permission model.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.KeyVault/vaults/secrets/getSecret/act Gets the value of a secret.

ion

Microsoft.KeyVault/vaults/secrets/readMetadat List or view the properties of a secret, but not

a/action its value.

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Read secret contents. Only works for key vaults that use
the 'Azure role-based access control' permission model.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-
408a-b874-0445c86b69e6",
"name": "4633458b-17de-408a-b874-0445c86b69e6",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
"Microsoft.KeyVault/vaults/secrets/readMetadata/action"
],
"notDataActions": []
}
],
"roleName": "Key Vault Secrets User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Managed HSM contributor

Lets you manage managed HSM pools, but not access to them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.KeyVault/managedHSMs/*

Microsoft.KeyVault/deletedManagedHsms/read View the properties of a deleted managed hsm

Microsoft.KeyVault/locations/deletedManaged View the properties of a deleted managed hsm

Hsms/read

Microsoft.KeyVault/locations/deletedManaged Purge a soft deleted managed hsm

Hsms/purge/action

Microsoft.KeyVault/locations/managedHsmOpe Check the result of a long run operation

rationResults/read
Actions Description

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage managed HSM pools, but not access to
them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-
46b2-a342-b16a415e101d",
"name": "18500a29-7fe2-46b2-a342-b16a415e101d",
"permissions": [
{
"actions": [
"Microsoft.KeyVault/managedHSMs/*",
"Microsoft.KeyVault/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/read",
"Microsoft.KeyVault/locations/deletedManagedHsms/purge/action",
"Microsoft.KeyVault/locations/managedHsmOperationResults/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed HSM contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Automation Contributor

Learn more
ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Logic/workflows/triggers/read Reads the trigger.

Microsoft.Logic/workflows/triggers/listCallback Gets the callback URL for trigger.

Url/action

Microsoft.Logic/workflows/runs/read Reads the workflow run.

Microsoft.Web/sites/hostruntime/webhooks/ap List Web Apps Hostruntime Workflow Triggers.

i/workflows/triggers/read

Microsoft.Web/sites/hostruntime/webhooks/ap Get Web Apps Hostruntime Workflow Trigger

i/workflows/triggers/listCallbackUrl/action Uri.

Microsoft.Web/sites/hostruntime/webhooks/ap List Web Apps Hostruntime Workflow Runs.

i/workflows/runs/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Automation Contributor",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-
4d62-a7ee-b3f1f648599a",
"name": "f4c81013-99ee-4d62-a7ee-b3f1f648599a",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Logic/workflows/triggers/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",
"Microsoft.Logic/workflows/runs/read",

"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/read",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbac
kUrl/action",
"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/runs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Automation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Contributor

Learn more

ﾉ Expand table

Actions Description

Microsoft.SecurityInsights/*

Microsoft.OperationalInsights/workspaces/anal Search using new engine.

ytics/query/action

Microsoft.OperationalInsights/workspaces/*/re View log analytics data

Microsoft.OperationalInsights/workspaces/save
dSearches/*

Microsoft.OperationsManagement/solutions/re Get existing OMS solution

Microsoft.OperationalInsights/workspaces/quer Run queries over the data in the workspace

y/read

Microsoft.OperationalInsights/workspaces/quer
y/*/read

Microsoft.OperationalInsights/workspaces/data Get data source under a workspace.

Sources/read

Microsoft.OperationalInsights/querypacks/*/rea
d
Actions Description

Microsoft.Insights/workbooks/*

Microsoft.Insights/myworkbooks/read

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

Microsoft.SecurityInsights/ConfidentialWatchlist
s/*

Microsoft.OperationalInsights/workspaces/quer
y/ConfidentialWatchlist/*

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Contributor",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-
4a29-9ba8-549422addade",
"name": "ab8e14d6-4a74-4a29-9ba8-549422addade",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/*",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/*",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",

"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Playbook Operator

Learn more

ﾉ Expand table

Actions Description

Microsoft.Logic/workflows/read Reads the workflow.

Microsoft.Logic/workflows/triggers/listCallback Gets the callback URL for trigger.

Url/action

Microsoft.Web/sites/hostruntime/webhooks/ap Get Web Apps Hostruntime Workflow Trigger

i/workflows/triggers/listCallbackUrl/action Uri.

Microsoft.Web/sites/read Get the properties of a Web App

NotActions

none

DataActions
Actions Description

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Playbook Operator",
"id": "/providers/Microsoft.Authorization/roleDefinitions/51d6186e-6489-
4900-b93f-92e23144cca5",
"name": "51d6186e-6489-4900-b93f-92e23144cca5",
"permissions": [
{
"actions": [
"Microsoft.Logic/workflows/read",
"Microsoft.Logic/workflows/triggers/listCallbackUrl/action",

"Microsoft.Web/sites/hostruntime/webhooks/api/workflows/triggers/listCallbac
kUrl/action",
"Microsoft.Web/sites/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Playbook Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Reader

Learn more

ﾉ Expand table

Actions Description

Microsoft.SecurityInsights/*/read
Actions Description

Microsoft.SecurityInsights/dataConnectorsChec Check user authorization and license

kRequirements/action

Microsoft.SecurityInsights/threatIntelligence/in Query Threat Intelligence Indicators

dicators/query/action

Microsoft.SecurityInsights/threatIntelligence/qu Query Threat Intelligence Indicators

eryIndicators/action

Microsoft.OperationalInsights/workspaces/anal Search using new engine.

ytics/query/action

Microsoft.OperationalInsights/workspaces/*/re View log analytics data

Microsoft.OperationalInsights/workspaces/Link Get linked services under given workspace.

edServices/read

Microsoft.OperationalInsights/workspaces/save Gets a saved search query.

dSearches/read

Microsoft.OperationsManagement/solutions/re Get existing OMS solution

Microsoft.OperationalInsights/workspaces/quer Run queries over the data in the workspace

y/read

Microsoft.OperationalInsights/workspaces/quer
y/*/read

Microsoft.OperationalInsights/querypacks/*/rea
d

Microsoft.OperationalInsights/workspaces/data Get data source under a workspace.

Sources/read

Microsoft.Insights/workbooks/read Read a workbook

Microsoft.Insights/myworkbooks/read

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/templateSpecs/*/read Get or list template specs and template spec

Actions Description

versions

Microsoft.Support/* Create and update a support ticket

NotActions

Microsoft.SecurityInsights/ConfidentialWatchlist
s/*

Microsoft.OperationalInsights/workspaces/quer
y/ConfidentialWatchlist/*

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Reader",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-
46d4-8554-54e1e3d8b5cb",
"name": "8d289c81-5878-46d4-8554-54e1e3d8b5cb",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",

"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",

"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/LinkedServices/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/templateSpecs/*/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",

"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Microsoft Sentinel Responder

Learn more

ﾉ Expand table

Actions Description

Microsoft.SecurityInsights/*/read

Microsoft.SecurityInsights/dataConnectorsChec Check user authorization and license

kRequirements/action

Microsoft.SecurityInsights/automationRules/*

Microsoft.SecurityInsights/cases/*

Microsoft.SecurityInsights/incidents/*

Microsoft.SecurityInsights/entities/runPlaybook Run playbook on entity

/action

Microsoft.SecurityInsights/threatIntelligence/in Append tags to Threat Intelligence Indicator

dicators/appendTags/action

Microsoft.SecurityInsights/threatIntelligence/in Query Threat Intelligence Indicators

dicators/query/action
Actions Description

Microsoft.SecurityInsights/threatIntelligence/bu Bulk Tags Threat Intelligence

lkTag/action

Microsoft.SecurityInsights/threatIntelligence/in Append tags to Threat Intelligence Indicator

dicators/appendTags/action

Microsoft.SecurityInsights/threatIntelligence/in Replace Tags of Threat Intelligence Indicator

dicators/replaceTags/action

Microsoft.SecurityInsights/threatIntelligence/qu Query Threat Intelligence Indicators

eryIndicators/action

Microsoft.SecurityInsights/businessApplication Undoes an action

Agents/systems/undoAction/action

Microsoft.OperationalInsights/workspaces/anal Search using new engine.

ytics/query/action

Microsoft.OperationalInsights/workspaces/*/re View log analytics data

Microsoft.OperationalInsights/workspaces/data Get data source under a workspace.

Sources/read

Microsoft.OperationalInsights/workspaces/save Gets a saved search query.

dSearches/read

Microsoft.OperationsManagement/solutions/re Get existing OMS solution

Microsoft.OperationalInsights/workspaces/quer Run queries over the data in the workspace

y/read

Microsoft.OperationalInsights/workspaces/quer
y/*/read

Microsoft.OperationalInsights/workspaces/data Get data source under a workspace.

Sources/read

Microsoft.OperationalInsights/querypacks/*/rea
d

Microsoft.Insights/workbooks/read Read a workbook

Microsoft.Insights/myworkbooks/read

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Actions Description

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

Microsoft.SecurityInsights/cases/*/Delete

Microsoft.SecurityInsights/incidents/*/Delete

Microsoft.SecurityInsights/ConfidentialWatchlist
s/*

Microsoft.OperationalInsights/workspaces/quer
y/ConfidentialWatchlist/*

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Microsoft Sentinel Responder",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-
4cfb-8069-0eaf05ecd056",
"name": "3e150937-b8fe-4cfb-8069-0eaf05ecd056",
"permissions": [
{
"actions": [
"Microsoft.SecurityInsights/*/read",
"Microsoft.SecurityInsights/dataConnectorsCheckRequirements/action",
"Microsoft.SecurityInsights/automationRules/*",
"Microsoft.SecurityInsights/cases/*",
"Microsoft.SecurityInsights/incidents/*",
"Microsoft.SecurityInsights/entities/runPlaybook/action",

"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action"
,

"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
"Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",

"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action"
,

"Microsoft.SecurityInsights/threatIntelligence/indicators/replaceTags/action
",

"Microsoft.SecurityInsights/threatIntelligence/queryIndicators/action",

"Microsoft.SecurityInsights/businessApplicationAgents/systems/undoAction/act
ion",
"Microsoft.OperationalInsights/workspaces/analytics/query/action",
"Microsoft.OperationalInsights/workspaces/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/workspaces/savedSearches/read",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.OperationalInsights/workspaces/query/read",
"Microsoft.OperationalInsights/workspaces/query/*/read",
"Microsoft.OperationalInsights/workspaces/dataSources/read",
"Microsoft.OperationalInsights/querypacks/*/read",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/myworkbooks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.SecurityInsights/cases/*/Delete",
"Microsoft.SecurityInsights/incidents/*/Delete",
"Microsoft.SecurityInsights/ConfidentialWatchlists/*",

"Microsoft.OperationalInsights/workspaces/query/ConfidentialWatchlist/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Microsoft Sentinel Responder",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Security Admin
View and update permissions for Microsoft Defender for Cloud. Same permissions as
the Security Reader role and can also update the security policy and dismiss alerts and
recommendations.
For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT
monitoring.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Authorization/policyAssignments/* Create and manage policy assignments

Microsoft.Authorization/policyDefinitions/* Create and manage policy definitions

Microsoft.Authorization/policyExemptions/* Create and manage policy exemptions

Microsoft.Authorization/policySetDefinitions/* Create and manage policy sets

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

Microsoft.operationalInsights/workspaces/*/rea View log analytics data

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Security/* Create and manage security components and

policies

Microsoft.IoTSecurity/*

Microsoft.IoTFirmwareDefense/*

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Security Admin Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-
48eb-b624-b4c8fea62acd",
"name": "fb1c8493-542b-48eb-b624-b4c8fea62acd",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Authorization/policyAssignments/*",
"Microsoft.Authorization/policyDefinitions/*",
"Microsoft.Authorization/policyExemptions/*",
"Microsoft.Authorization/policySetDefinitions/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Management/managementGroups/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.IoTSecurity/*",
"Microsoft.IoTFirmwareDefense/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Security Assessment Contributor

Lets you push assessments to Microsoft Defender for Cloud

ﾉ Expand table

Actions Description

Microsoft.Security/assessments/write Create or update security assessments on your

subscription

NotActions
Actions Description

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you push assessments to Security Center",
"id": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-
443b-ac28-3ab7272de6f5",
"name": "612c2aa1-cb24-443b-ac28-3ab7272de6f5",
"permissions": [
{
"actions": [
"Microsoft.Security/assessments/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Assessment Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Security Manager (Legacy)

This is a legacy role. Please use Security Admin instead.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.ClassicCompute/*/read Read configuration information classic virtual

machines
Actions Description

Microsoft.ClassicCompute/virtualMachines/*/wr Write configuration for classic virtual machines

ite

Microsoft.ClassicNetwork/*/read Read configuration information about classic

network

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Security/* Create and manage security components and

policies

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "This is a legacy role. Please use Security Administrator
instead",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-
482e-ba6b-9b8433878d10",
"name": "e3d13bf0-dd5a-482e-ba6b-9b8433878d10",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/*/read",
"Microsoft.ClassicCompute/virtualMachines/*/write",
"Microsoft.ClassicNetwork/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Manager (Legacy)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Security Reader
View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a
security policy, and security states, but cannot make changes.

For Microsoft Defender for IoT, see Azure user roles for OT and Enterprise IoT
monitoring.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/read Read a classic metric alert

Microsoft.operationalInsights/workspaces/*/rea View log analytics data

Microsoft.Resources/deployments/*/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Security/*/read Read security components and policies

Microsoft.IoTSecurity/*/read

Microsoft.Support/*/read
Actions Description

Microsoft.Security/iotDefenderSettings/packag Gets downloadable IoT Defender packages

eDownloads/action information

Microsoft.Security/iotDefenderSettings/downlo Download manager activation file with

adManagerActivation/action subscription quota data

Microsoft.Security/iotSensors/downloadResetPa Downloads reset password file for IoT Sensors

ssword/action

Microsoft.IoTSecurity/defenderSettings/packag Gets downloadable IoT Defender packages

eDownloads/action information

Microsoft.IoTSecurity/defenderSettings/downlo Download manager activation file

adManagerActivation/action

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Security Reader Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-
49c7-9d2c-d95423bc2eb4",
"name": "39bc4728-0917-49c7-9d2c-d95423bc2eb4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.operationalInsights/workspaces/*/read",
"Microsoft.Resources/deployments/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Security/*/read",
"Microsoft.IoTSecurity/*/read",
"Microsoft.Support/*/read",
"Microsoft.Security/iotDefenderSettings/packageDownloads/action",

"Microsoft.Security/iotDefenderSettings/downloadManagerActivation/action",
"Microsoft.Security/iotSensors/downloadResetPassword/action",
"Microsoft.IoTSecurity/defenderSettings/packageDownloads/action",

"Microsoft.IoTSecurity/defenderSettings/downloadManagerActivation/action",
"Microsoft.Management/managementGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Security Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for DevOps
Article • 09/23/2024

This article lists the Azure built-in roles in the DevOps category.

Deployment Environments Reader

Provides read access to environment resources.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DevCenter/projects/read Gets a specific project.

Microsoft.DevCenter/projects/*/read

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

Microsoft.DevCenter/projects/pools/read Gets a machine pool

Microsoft.DevCenter/projects/pools/schedules/ Gets a schedule resource.

read

DataActions

Microsoft.DevCenter/projects/users/environme Allows a project administrator to read all of the

nts/adminRead/action environments in a project.

Microsoft.DevCenter/projects/users/environme Allows an admin to read environment actions.

nts/adminActionRead/action

Microsoft.DevCenter/projects/users/environme Allows an admin to read Output values from

nts/adminOutputsRead/action environment deployment.

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Provides read access to environment resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/eb960402-bf75-
4cc3-8d68-35b34f960f72",
"name": "eb960402-bf75-4cc3-8d68-35b34f960f72",
"permissions": [
{
"actions": [
"Microsoft.DevCenter/projects/read",
"Microsoft.DevCenter/projects/*/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
"Microsoft.DevCenter/projects/pools/read",
"Microsoft.DevCenter/projects/pools/schedules/read"
],
"dataActions": [
"Microsoft.DevCenter/projects/users/environments/adminRead/action",

"Microsoft.DevCenter/projects/users/environments/adminActionRead/action",

"Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action"
],
"notDataActions": []
}
],
"roleName": "Deployment Environments Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Deployment Environments User

Provides access to manage environment resources.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DevCenter/projects/read Gets a specific project.

Microsoft.DevCenter/projects/*/read
Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

Microsoft.DevCenter/projects/pools/read Gets a machine pool

Microsoft.DevCenter/projects/pools/schedules/ Gets a schedule resource.

read

DataActions

Microsoft.DevCenter/projects/users/environme Allows a user to read the environments they

nts/userRead/action have access to in a project.

Microsoft.DevCenter/projects/users/environme Allows a user to write the environments they

nts/userWrite/action have access to in a project.

Microsoft.DevCenter/projects/users/environme Allows a user to delete the environments they

nts/userDelete/action have access to in a project.

Microsoft.DevCenter/projects/users/environme Allows a user to skip, delay etc. environment

nts/userActionManage/action actions.

Microsoft.DevCenter/projects/users/environme Allows a user to read Output values from

nts/userOutputsRead/action environment deployment.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides access to manage environment resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/18e40d4e-8d2e-
438d-97e1-9528336e149c",
"name": "18e40d4e-8d2e-438d-97e1-9528336e149c",
"permissions": [
{
"actions": [
"Microsoft.DevCenter/projects/read",
"Microsoft.DevCenter/projects/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Authorization/*/read"
],
"notActions": [
"Microsoft.DevCenter/projects/pools/read",
"Microsoft.DevCenter/projects/pools/schedules/read"
],
"dataActions": [
"Microsoft.DevCenter/projects/users/environments/userRead/action",
"Microsoft.DevCenter/projects/users/environments/userWrite/action",
"Microsoft.DevCenter/projects/users/environments/userDelete/action",

"Microsoft.DevCenter/projects/users/environments/userActionManage/action",

"Microsoft.DevCenter/projects/users/environments/userOutputsRead/action"
],
"notDataActions": []
}
],
"roleName": "Deployment Environments User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

DevCenter Dev Box User

Provides access to create and manage dev boxes.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DevCenter/projects/read Gets a specific project.

Microsoft.DevCenter/projects/*/read

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to stop their own Dev Box

userStop/action resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to start their own Dev Box

Actions Description

userStart/action resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to get the RDP connection

userGetRemoteConnection/action information for their own Dev Box resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to read their own Dev Box

userRead/action resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to create and update their own

userWrite/action Dev Box resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to delete their own Dev Box

userDelete/action resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to read upcoming actions.

userUpcomingActionRead/action

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to skip or delay upcoming

userUpcomingActionManage/action actions.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to read dev box actions.

userActionRead/action

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to skip or delay dev box actions.

userActionManage/action

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to customize their own Dev Box

userCustomize/action resources.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides access to create and manage dev boxes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/45d50f46-0b78-
4001-a660-4198cbe8cd05",
"name": "45d50f46-0b78-4001-a660-4198cbe8cd05",
"permissions": [
{
"actions": [
"Microsoft.DevCenter/projects/read",
"Microsoft.DevCenter/projects/*/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.DevCenter/projects/users/devboxes/userStop/action",
"Microsoft.DevCenter/projects/users/devboxes/userStart/action",

"Microsoft.DevCenter/projects/users/devboxes/userGetRemoteConnection/action"
,
"Microsoft.DevCenter/projects/users/devboxes/userRead/action",
"Microsoft.DevCenter/projects/users/devboxes/userWrite/action",
"Microsoft.DevCenter/projects/users/devboxes/userDelete/action",

"Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionRead/action",

"Microsoft.DevCenter/projects/users/devboxes/userUpcomingActionManage/action
",
"Microsoft.DevCenter/projects/users/devboxes/userActionRead/action",

"Microsoft.DevCenter/projects/users/devboxes/userActionManage/action",
"Microsoft.DevCenter/projects/users/devboxes/userCustomize/action"
],
"notDataActions": []
}
],
"roleName": "DevCenter Dev Box User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

DevCenter Project Admin

Provides access to manage project resources.

Learn more

ﾉ Expand table

Actions Description

Microsoft.DevCenter/projects/*

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

Microsoft.DevCenter/projects/write Partially updates a project.

Actions Description

Microsoft.DevCenter/projects/delete Deletes a project resource.

DataActions

Microsoft.DevCenter/projects/users/devboxes/a Allows a user to start any Dev Box resource.

dminStart/action

Microsoft.DevCenter/projects/users/devboxes/a Allows a user to stop any Dev Box resource.

dminStop/action

Microsoft.DevCenter/projects/users/devboxes/a Allows a user read access to any Dev Box

dminRead/action resource.

Microsoft.DevCenter/projects/users/devboxes/a Allows a user write access to any Dev Box

dminWrite/action resource.

Microsoft.DevCenter/projects/users/devboxes/a Allows a user to delete any Dev Box resource.

dminDelete/action

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to stop their own Dev Box

userStop/action resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to start their own Dev Box

userStart/action resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to get the RDP connection

userGetRemoteConnection/action information for their own Dev Box resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to read their own Dev Box

userRead/action resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to create and update their own

userWrite/action Dev Box resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to delete their own Dev Box

userDelete/action resources.

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to read dev box actions.

userActionRead/action

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to skip or delay dev box actions.

userActionManage/action

Microsoft.DevCenter/projects/users/devboxes/ Allows a user to customize their own Dev Box

userCustomize/action resources.

Microsoft.DevCenter/projects/users/environme Allows a project administrator to read all of the

nts/adminRead/action environments in a project.

Microsoft.DevCenter/projects/users/environme Allows a user to write the environments they

Actions Description

nts/userWrite/action have access to in a project.

Microsoft.DevCenter/projects/users/environme Allows a project administrator to write all of the

nts/adminWrite/action environments in a project.

Microsoft.DevCenter/projects/users/environme Allows a user to delete the environments they

nts/userDelete/action have access to in a project.

Microsoft.DevCenter/projects/users/environme Allows a project administrator to delete all of

nts/adminDelete/action the environments in a project.

Microsoft.DevCenter/projects/users/environme Allows a project administrator to perform an

nts/adminAction/action action on all of the environments in a project.

Microsoft.DevCenter/projects/users/environme Allows an admin to read environment actions.

nts/adminActionRead/action

Microsoft.DevCenter/projects/users/environme Allows an admin to skip, delay etc. environment

nts/adminActionManage/action actions.

Microsoft.DevCenter/projects/users/environme Allows an admin to read Output values from

nts/adminOutputsRead/action environment deployment.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides access to manage project resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/331c37c6-af14-
46d9-b9f4-e1909e1b95a0",
"name": "331c37c6-af14-46d9-b9f4-e1909e1b95a0",
"permissions": [
{
"actions": [
"Microsoft.DevCenter/projects/*",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
"Microsoft.DevCenter/projects/write",
"Microsoft.DevCenter/projects/delete"
],
"dataActions": [
"Microsoft.DevCenter/projects/users/devboxes/adminStart/action",
"Microsoft.DevCenter/projects/users/devboxes/adminStop/action",
"Microsoft.DevCenter/projects/users/devboxes/adminRead/action",
"Microsoft.DevCenter/projects/users/devboxes/adminWrite/action",
"Microsoft.DevCenter/projects/users/devboxes/adminDelete/action",
"Microsoft.DevCenter/projects/users/devboxes/userStop/action",
"Microsoft.DevCenter/projects/users/devboxes/userStart/action",

"Microsoft.DevCenter/projects/users/devboxes/userActionManage/action",
"Microsoft.DevCenter/projects/users/devboxes/userCustomize/action",
"Microsoft.DevCenter/projects/users/environments/adminRead/action",
"Microsoft.DevCenter/projects/users/environments/userWrite/action",
"Microsoft.DevCenter/projects/users/environments/adminWrite/action",
"Microsoft.DevCenter/projects/users/environments/userDelete/action",

"Microsoft.DevCenter/projects/users/environments/adminDelete/action",

"Microsoft.DevCenter/projects/users/environments/adminAction/action",

"Microsoft.DevCenter/projects/users/environments/adminActionRead/action",

"Microsoft.DevCenter/projects/users/environments/adminActionManage/action",

"Microsoft.DevCenter/projects/users/environments/adminOutputsRead/action"
],
"notDataActions": []
}
],
"roleName": "DevCenter Project Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

DevTest Labs User

Lets you connect, start, restart, and shutdown your virtual machines in your Azure
DevTest Labs.

Learn more

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Compute/availabilitySets/read Get the properties of an availability set

Microsoft.Compute/virtualMachines/*/read Read the properties of a virtual machine (VM

sizes, runtime status, VM extensions, etc.)

Microsoft.Compute/virtualMachines/deallocate Powers off the virtual machine and releases the

/action compute resources

Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine

Microsoft.Compute/virtualMachines/restart/acti Restarts the virtual machine

Microsoft.Compute/virtualMachines/start/actio Starts the virtual machine

Microsoft.DevTestLab/*/read Read the properties of a lab

Microsoft.DevTestLab/labs/claimAnyVm/action Claim a random claimable virtual machine in

the lab.

Microsoft.DevTestLab/labs/createEnvironment/ Create virtual machines in a lab.

action

Microsoft.DevTestLab/labs/ensureCurrentUserP Ensure the current user has a valid profile in the

rofile/action lab.

Microsoft.DevTestLab/labs/formulas/delete Delete formulas.

Microsoft.DevTestLab/labs/formulas/read Read formulas.

Microsoft.DevTestLab/labs/formulas/write Add or modify formulas.

Microsoft.DevTestLab/labs/policySets/evaluateP Evaluates lab policy.

olicies/action

Microsoft.DevTestLab/labs/virtualMachines/clai Take ownership of an existing virtual machine

m/action

Microsoft.DevTestLab/labs/virtualmachines/list Lists the applicable start/stop schedules, if any.

ApplicableSchedules/action

Microsoft.DevTestLab/labs/virtualMachines/get Gets a string that represents the contents of

RdpFileContents/action the RDP file for the virtual machine

Microsoft.Network/loadBalancers/backendAddr Joins a load balancer backend address pool.

essPools/join/action Not Alertable.
Actions Description

Microsoft.Network/loadBalancers/inboundNatR Joins a load balancer inbound nat rule. Not

ules/join/action Alertable.

Microsoft.Network/networkInterfaces/*/read Read the properties of a network interface (for

example, all the load balancers that the
network interface is a part of)

Microsoft.Network/networkInterfaces/join/actio Joins a Virtual Machine to a network interface.

n Not Alertable.

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Network/networkInterfaces/write Creates a network interface or updates an

existing network interface.

Microsoft.Network/publicIPAddresses/*/read Read the properties of a public IP address

Microsoft.Network/publicIPAddresses/join/actio Joins a public IP address. Not Alertable.

Microsoft.Network/publicIPAddresses/read Gets a public IP address definition.

Microsoft.Network/virtualNetworks/subnets/joi Joins a virtual network. Not Alertable.

n/action

Microsoft.Resources/deployments/operations/r Gets or lists deployment operations.

ead

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Storage/storageAccounts/listKeys/act Returns the access keys for the specified

ion storage account.

NotActions

Microsoft.Compute/virtualMachines/vmSizes/re Lists available sizes the virtual machine can be

ad updated to

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Lets you connect, start, restart, and shutdown your
virtual machines in your Azure DevTest Labs.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-
4c54-8f91-bcf1374a3c64",
"name": "76283e04-6283-4c54-8f91-bcf1374a3c64",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.DevTestLab/*/read",
"Microsoft.DevTestLab/labs/claimAnyVm/action",
"Microsoft.DevTestLab/labs/createEnvironment/action",
"Microsoft.DevTestLab/labs/ensureCurrentUserProfile/action",
"Microsoft.DevTestLab/labs/formulas/delete",
"Microsoft.DevTestLab/labs/formulas/read",
"Microsoft.DevTestLab/labs/formulas/write",
"Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action",
"Microsoft.DevTestLab/labs/virtualMachines/claim/action",

"Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action",

"Microsoft.DevTestLab/labs/virtualMachines/getRdpFileContents/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/networkInterfaces/*/read",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/publicIPAddresses/*/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listKeys/action"
],
"notActions": [
"Microsoft.Compute/virtualMachines/vmSizes/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DevTest Labs User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Lab Assistant
Enables you to view an existing lab, perform actions on the lab VMs and send invitations
to the lab.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.LabServices/labPlans/images/read Get the properties of an image.

Microsoft.LabServices/labPlans/read Get the properties of a lab plan.

Microsoft.LabServices/labs/read Get the properties of a lab.

Microsoft.LabServices/labs/schedules/read Get the properties of a schedule.

Microsoft.LabServices/labs/users/read Get the properties of a user.

Microsoft.LabServices/labs/users/invite/action Send email invitation to a user to join the lab.

Microsoft.LabServices/labs/virtualMachines/rea Get the properties of a virtual machine.

Microsoft.LabServices/labs/virtualMachines/star Start a virtual machine.

t/action

Microsoft.LabServices/labs/virtualMachines/sto Stop and deallocate a virtual machine.

p/action

Microsoft.LabServices/labs/virtualMachines/rei Reimage a virtual machine to the last published

mage/action image.

Microsoft.LabServices/labs/virtualMachines/red Redeploy a virtual machine to a different

eploy/action compute node.

Microsoft.LabServices/locations/usages/read Get Usage in a location

Microsoft.LabServices/skus/read Get the properties of a Lab Services SKU.

Actions Description

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "The lab assistant role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ce40b423-cede-
4313-a93f-9b28290b72e1",
"name": "ce40b423-cede-4313-a93f-9b28290b72e1",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.LabServices/labPlans/images/read",
"Microsoft.LabServices/labPlans/read",
"Microsoft.LabServices/labs/read",
"Microsoft.LabServices/labs/schedules/read",
"Microsoft.LabServices/labs/users/read",
"Microsoft.LabServices/labs/users/invite/action",
"Microsoft.LabServices/labs/virtualMachines/read",
"Microsoft.LabServices/labs/virtualMachines/start/action",
"Microsoft.LabServices/labs/virtualMachines/stop/action",
"Microsoft.LabServices/labs/virtualMachines/reimage/action",
"Microsoft.LabServices/labs/virtualMachines/redeploy/action",
"Microsoft.LabServices/locations/usages/read",
"Microsoft.LabServices/skus/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Lab Assistant",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Lab Contributor
Applied at lab level, enables you to manage the lab. Applied at a resource group,
enables you to create and manage labs.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.LabServices/labPlans/images/read Get the properties of an image.

Microsoft.LabServices/labPlans/read Get the properties of a lab plan.

Microsoft.LabServices/labPlans/saveImage/acti Create an image from a virtual machine in the

on gallery attached to the lab plan.

Microsoft.LabServices/labs/read Get the properties of a lab.

Microsoft.LabServices/labs/write Create new or update an existing lab.

Microsoft.LabServices/labs/delete Delete the lab and all its users, schedules and
virtual machines.

Microsoft.LabServices/labs/publish/action Publish a lab by propagating image of the

template virtual machine to all virtual machines
in the lab.

Microsoft.LabServices/labs/syncGroup/action Updates the list of users from the Active

Directory group assigned to the lab.

Microsoft.LabServices/labs/schedules/read Get the properties of a schedule.

Microsoft.LabServices/labs/schedules/write Create new or update an existing schedule.

Microsoft.LabServices/labs/schedules/delete Delete the schedule.

Microsoft.LabServices/labs/users/read Get the properties of a user.

Actions Description

Microsoft.LabServices/labs/users/write Create new or update an existing user.

Microsoft.LabServices/labs/users/delete Delete the user.

Microsoft.LabServices/labs/users/invite/action Send email invitation to a user to join the lab.

Microsoft.LabServices/labs/virtualMachines/rea Get the properties of a virtual machine.

Microsoft.LabServices/labs/virtualMachines/star Start a virtual machine.

t/action

Microsoft.LabServices/labs/virtualMachines/sto Stop and deallocate a virtual machine.

p/action

Microsoft.LabServices/labs/virtualMachines/rei Reimage a virtual machine to the last published

mage/action image.

Microsoft.LabServices/labs/virtualMachines/red Redeploy a virtual machine to a different

eploy/action compute node.

Microsoft.LabServices/labs/virtualMachines/res Reset local user's password on a virtual

etPassword/action machine.

Microsoft.LabServices/locations/usages/read Get Usage in a location

Microsoft.LabServices/skus/read Get the properties of a Lab Services SKU.

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

Microsoft.LabServices/labPlans/createLab/actio Create a new lab from a lab plan.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "The lab contributor role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5daaa2af-1fe8-
407c-9122-bba179798270",
"name": "5daaa2af-1fe8-407c-9122-bba179798270",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.LabServices/labPlans/images/read",
"Microsoft.LabServices/labPlans/read",
"Microsoft.LabServices/labPlans/saveImage/action",
"Microsoft.LabServices/labs/read",
"Microsoft.LabServices/labs/write",
"Microsoft.LabServices/labs/delete",
"Microsoft.LabServices/labs/publish/action",
"Microsoft.LabServices/labs/syncGroup/action",
"Microsoft.LabServices/labs/schedules/read",
"Microsoft.LabServices/labs/schedules/write",
"Microsoft.LabServices/labs/schedules/delete",
"Microsoft.LabServices/labs/users/read",
"Microsoft.LabServices/labs/users/write",
"Microsoft.LabServices/labs/users/delete",
"Microsoft.LabServices/labs/users/invite/action",
"Microsoft.LabServices/labs/virtualMachines/read",
"Microsoft.LabServices/labs/virtualMachines/start/action",
"Microsoft.LabServices/labs/virtualMachines/stop/action",
"Microsoft.LabServices/labs/virtualMachines/reimage/action",
"Microsoft.LabServices/labs/virtualMachines/redeploy/action",
"Microsoft.LabServices/labs/virtualMachines/resetPassword/action",
"Microsoft.LabServices/locations/usages/read",
"Microsoft.LabServices/skus/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.LabServices/labPlans/createLab/action"
],
"notDataActions": []
}
],
"roleName": "Lab Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Lab Creator
Lets you create new labs under your Azure Lab Accounts.
Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.LabServices/labAccounts/*/read

Microsoft.LabServices/labAccounts/createLab/a Create a lab in a lab account.

ction

Microsoft.LabServices/labAccounts/getPricingA Get the pricing and availability of combinations

ndAvailability/action of sizes, geographies, and operating systems
for the lab account.

Microsoft.LabServices/labAccounts/getRestricti Get core restrictions and usage for this

onsAndUsage/action subscription

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.LabServices/labPlans/images/read Get the properties of an image.

Microsoft.LabServices/labPlans/read Get the properties of a lab plan.

Microsoft.LabServices/labPlans/saveImage/acti Create an image from a virtual machine in the

on gallery attached to the lab plan.

Microsoft.LabServices/labs/read Get the properties of a lab.

Microsoft.LabServices/labs/schedules/read Get the properties of a schedule.

Microsoft.LabServices/labs/users/read Get the properties of a user.

Microsoft.LabServices/labs/virtualMachines/rea Get the properties of a virtual machine.

Microsoft.LabServices/locations/usages/read Get Usage in a location

Microsoft.LabServices/skus/read Get the properties of a Lab Services SKU.

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none
Actions Description

DataActions

Microsoft.LabServices/labPlans/createLab/actio Create a new lab from a lab plan.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you create new labs under your Azure Lab Accounts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-
4522-a38b-dd33c7e65ead",
"name": "b97fb8bc-a8b2-4522-a38b-dd33c7e65ead",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.LabServices/labAccounts/*/read",
"Microsoft.LabServices/labAccounts/createLab/action",

"Microsoft.LabServices/labAccounts/getPricingAndAvailability/action",
"Microsoft.LabServices/labAccounts/getRestrictionsAndUsage/action",
"Microsoft.Insights/alertRules/*",
"Microsoft.LabServices/labPlans/images/read",
"Microsoft.LabServices/labPlans/read",
"Microsoft.LabServices/labPlans/saveImage/action",
"Microsoft.LabServices/labs/read",
"Microsoft.LabServices/labs/schedules/read",
"Microsoft.LabServices/labs/users/read",
"Microsoft.LabServices/labs/virtualMachines/read",
"Microsoft.LabServices/locations/usages/read",
"Microsoft.LabServices/skus/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [
"Microsoft.LabServices/labPlans/createLab/action"
],
"notDataActions": []
}
],
"roleName": "Lab Creator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Lab Operator
Gives you limited ability to manage existing labs.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.LabServices/labPlans/images/read Get the properties of an image.

Microsoft.LabServices/labPlans/read Get the properties of a lab plan.

Microsoft.LabServices/labPlans/saveImage/acti Create an image from a virtual machine in the

on gallery attached to the lab plan.

Microsoft.LabServices/labs/publish/action Publish a lab by propagating image of the

template virtual machine to all virtual machines
in the lab.

Microsoft.LabServices/labs/read Get the properties of a lab.

Microsoft.LabServices/labs/schedules/read Get the properties of a schedule.

Microsoft.LabServices/labs/schedules/write Create new or update an existing schedule.

Microsoft.LabServices/labs/schedules/delete Delete the schedule.

Microsoft.LabServices/labs/users/read Get the properties of a user.

Microsoft.LabServices/labs/users/write Create new or update an existing user.

Microsoft.LabServices/labs/users/delete Delete the user.

Microsoft.LabServices/labs/users/invite/action Send email invitation to a user to join the lab.

Microsoft.LabServices/labs/virtualMachines/rea Get the properties of a virtual machine.

Microsoft.LabServices/labs/virtualMachines/star Start a virtual machine.

t/action
Actions Description

Microsoft.LabServices/labs/virtualMachines/sto Stop and deallocate a virtual machine.

p/action

Microsoft.LabServices/labs/virtualMachines/rei Reimage a virtual machine to the last published

mage/action image.

Microsoft.LabServices/labs/virtualMachines/red Redeploy a virtual machine to a different

eploy/action compute node.

Microsoft.LabServices/labs/virtualMachines/res Reset local user's password on a virtual

etPassword/action machine.

Microsoft.LabServices/locations/usages/read Get Usage in a location

Microsoft.LabServices/skus/read Get the properties of a Lab Services SKU.

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "The lab operator role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a36e6959-b6be-
4b12-8e9f-ef4b474d304d",
"name": "a36e6959-b6be-4b12-8e9f-ef4b474d304d",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.LabServices/labPlans/images/read",
"Microsoft.LabServices/labPlans/read",
"Microsoft.LabServices/labPlans/saveImage/action",
"Microsoft.LabServices/labs/publish/action",
"Microsoft.LabServices/labs/read",
"Microsoft.LabServices/labs/schedules/read",
"Microsoft.LabServices/labs/schedules/write",
"Microsoft.LabServices/labs/schedules/delete",
"Microsoft.LabServices/labs/users/read",
"Microsoft.LabServices/labs/users/write",
"Microsoft.LabServices/labs/users/delete",
"Microsoft.LabServices/labs/users/invite/action",
"Microsoft.LabServices/labs/virtualMachines/read",
"Microsoft.LabServices/labs/virtualMachines/start/action",
"Microsoft.LabServices/labs/virtualMachines/stop/action",
"Microsoft.LabServices/labs/virtualMachines/reimage/action",
"Microsoft.LabServices/labs/virtualMachines/redeploy/action",
"Microsoft.LabServices/labs/virtualMachines/resetPassword/action",
"Microsoft.LabServices/locations/usages/read",
"Microsoft.LabServices/skus/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Lab Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Lab Services Contributor

Enables you to fully control all Lab Services scenarios in the resource group.

Learn more

ﾉ Expand table

Actions Description

Microsoft.LabServices/* Create and manage lab services components

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read
Actions Description

NotActions

none

DataActions

Microsoft.LabServices/labPlans/createLab/actio Create a new lab from a lab plan.

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "The lab services contributor role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f69b8690-cc87-
41d6-b77a-a4bc3c0a966f",
"name": "f69b8690-cc87-41d6-b77a-a4bc3c0a966f",
"permissions": [
{
"actions": [
"Microsoft.LabServices/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.LabServices/labPlans/createLab/action"
],
"notDataActions": []
}
],
"roleName": "Lab Services Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Lab Services Reader

Enables you to view, but not change, all lab plans and lab resources.
Learn more

ﾉ Expand table

Actions Description

Microsoft.LabServices/*/read Read lab services properties

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "The lab services reader role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2a5c394f-5eb7-
4d4f-9c8e-e8eae39faebc",
"name": "2a5c394f-5eb7-4d4f-9c8e-e8eae39faebc",
"permissions": [
{
"actions": [
"Microsoft.LabServices/*/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Lab Services Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Load Test Contributor

View, create, update, delete and execute load tests. View and list load test resources but
can not make any changes.

Learn more

ﾉ Expand table

Actions Description

Microsoft.LoadTestService/*/read Read load testing resources

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

NotActions

none

DataActions

Microsoft.LoadTestService/loadtests/* Create and manage load tests

Microsoft.LoadTestService/testProfiles/*

Microsoft.LoadTestService/testProfileRuns/*

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "View, create, update, delete and execute load tests. View
and list load test resources but can not make any changes.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/749a398d-560b-
491b-bb21-08924219302e",
"name": "749a398d-560b-491b-bb21-08924219302e",
"permissions": [
{
"actions": [
"Microsoft.LoadTestService/*/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.LoadTestService/loadtests/*",
"Microsoft.LoadTestService/testProfiles/*",
"Microsoft.LoadTestService/testProfileRuns/*"
],
"notDataActions": []
}
],
"roleName": "Load Test Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Load Test Owner

Execute all operations on load test resources and load tests

Learn more

ﾉ Expand table

Actions Description

Microsoft.LoadTestService/* Create and manage load testing resources

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

NotActions

none
Actions Description

DataActions

Microsoft.LoadTestService/* Create and manage load testing resources

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Execute all operations on load test resources and load
tests",
"id": "/providers/Microsoft.Authorization/roleDefinitions/45bb0b16-2f0c-
4e78-afaa-a07599b003f6",
"name": "45bb0b16-2f0c-4e78-afaa-a07599b003f6",
"permissions": [
{
"actions": [
"Microsoft.LoadTestService/*",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.LoadTestService/*"
],
"notDataActions": []
}
],
"roleName": "Load Test Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Load Test Reader

View and list all load tests and load test resources but can not make any changes

Learn more

ﾉ Expand table
Actions Description

Microsoft.LoadTestService/*/read Read load testing resources

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

NotActions

none

DataActions

Microsoft.LoadTestService/loadtests/readTest/a Read Load Tests

ction

Microsoft.LoadTestService/testProfiles/read Read Test Profiles

Microsoft.LoadTestService/testProfileRuns/read Read Test Profile Runs

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "View and list all load tests and load test resources but
can not make any changes",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3ae3fb29-0000-
4ccd-bf80-542e7b26e081",
"name": "3ae3fb29-0000-4ccd-bf80-542e7b26e081",
"permissions": [
{
"actions": [
"Microsoft.LoadTestService/*/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*"
],
"notActions": [],
"dataActions": [
"Microsoft.LoadTestService/loadtests/readTest/action",
"Microsoft.LoadTestService/testProfiles/read",
"Microsoft.LoadTestService/testProfileRuns/read"
],
"notDataActions": []
}
],
"roleName": "Load Test Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Monitor
Article • 09/22/2024

This article lists the Azure built-in roles in the Monitor category.

Application Insights Component Contributor

Can manage Application Insights components

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage classic alert rules

Microsoft.Insights/generateLiveToken/read Live Metrics get token

Microsoft.Insights/metricAlerts/* Create and manage new alert rules

Microsoft.Insights/components/* Create and manage Insights components

Microsoft.Insights/scheduledqueryrules/*

Microsoft.Insights/topology/read Read Topology

Microsoft.Insights/transactions/read Read Transactions

Microsoft.Insights/webtests/* Create and manage Insights web tests

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions
Actions Description

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can manage Application Insights components",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-
4a5e-921d-050484c6347e",
"name": "ae349356-3a1b-4a5e-921d-050484c6347e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/generateLiveToken/read",
"Microsoft.Insights/metricAlerts/*",
"Microsoft.Insights/components/*",
"Microsoft.Insights/scheduledqueryrules/*",
"Microsoft.Insights/topology/read",
"Microsoft.Insights/transactions/read",
"Microsoft.Insights/webtests/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Application Insights Component Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Application Insights Snapshot Debugger

Gives user permission to view and download debug snapshots collected with the
Application Insights Snapshot Debugger. Note that these permissions are not included
in the Owner or Contributor roles. When giving users the Application Insights Snapshot
Debugger role, you must grant the role directly to the user. The role is not recognized
when it is added to a custom role.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/components/*/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Gives user permission to use Application Insights Snapshot
Debugger features",
"id": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-
4c2e-81c0-ec3a5cfae23b",
"name": "08954f03-6346-4c2e-81c0-ec3a5cfae23b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/components/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Application Insights Snapshot Debugger",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Grafana Admin
Manage server-wide settings and manage access to resources such as organizations,
users, and licenses.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Dashboard/grafana/ActAsGrafanaAd Act as Grafana Admin role

min/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Manage server-wide settings and manage access to resources
such as organizations, users, and licenses.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-
42b3-bc55-97df8dab3e41",
"name": "22926164-76b3-42b3-bc55-97df8dab3e41",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Dashboard/grafana/ActAsGrafanaAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Grafana Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Grafana Editor
Create, edit, delete, or view dashboards; create, edit, or delete folders; and edit or view
playlists.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Dashboard/grafana/ActAsGrafanaEdit Act as Grafana Editor role

or/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Create, edit, delete, or view dashboards; create, edit, or
delete folders; and edit or view playlists.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-
4973-a920-486035ffd60f",
"name": "a79a5197-3a5c-4973-a920-486035ffd60f",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Dashboard/grafana/ActAsGrafanaEditor/action"
],
"notDataActions": []
}
],
"roleName": "Grafana Editor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Grafana Limited Viewer

View home page.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Dashboard/grafana/ActAsGrafanaLim Act as Grafana Limited Viewer role

itedViewer/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "View home page.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/41e04612-9dac-
4699-a02b-c82ff2cc3fb5",
"name": "41e04612-9dac-4699-a02b-c82ff2cc3fb5",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Dashboard/grafana/ActAsGrafanaLimitedViewer/action"
],
"notDataActions": []
}
],
"roleName": "Grafana Limited Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Grafana Viewer
View dashboards, playlists, and query data sources.

Learn more

ﾉ Expand table

Actions Description

none

NotActions

none

DataActions

Microsoft.Dashboard/grafana/ActAsGrafanaVie Act as Grafana Viewer role

wer/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "View dashboards, playlists, and query data sources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-
4a43-9b16-a26c52ad4769",
"name": "60921a7e-fef1-4a43-9b16-a26c52ad4769",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Dashboard/grafana/ActAsGrafanaViewer/action"
],
"notDataActions": []
}
],
"roleName": "Grafana Viewer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Monitoring Contributor
Can read all monitoring data and edit monitoring settings. See also Get started with
roles, permissions, and security with Azure Monitor.

Learn more

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

Microsoft.AlertsManagement/alerts/*

Microsoft.AlertsManagement/alertsSummary/*

Microsoft.Insights/actiongroups/*

Microsoft.Insights/activityLogAlerts/*

Microsoft.Insights/AlertRules/* Create and manage a classic metric alert

Microsoft.Insights/components/* Create and manage Insights components

Microsoft.Insights/createNotifications/*

Microsoft.Insights/dataCollectionEndpoints/*

Microsoft.Insights/dataCollectionRules/*

Microsoft.Insights/dataCollectionRuleAssociatio
ns/*
Actions Description

Microsoft.Insights/DiagnosticSettings/* Creates, updates, or reads the diagnostic

setting for Analysis Server

Microsoft.Insights/eventtypes/* List Activity Log events (management events) in

a subscription. This permission is applicable to
both programmatic and portal access to the
Activity Log.

Microsoft.Insights/LogDefinitions/* This permission is necessary for users who need

access to Activity Logs via the portal. List log
categories in Activity Log.

Microsoft.Insights/metricalerts/*

Microsoft.Insights/MetricDefinitions/* Read metric definitions (list of available metric

types for a resource).

Microsoft.Insights/Metrics/* Read metrics for a resource.

Microsoft.Insights/notificationStatus/*

Microsoft.Insights/Register/Action Register the Microsoft Insights provider

Microsoft.Insights/scheduledqueryrules/*

Microsoft.Insights/webtests/* Create and manage Insights web tests

Microsoft.Insights/workbooks/*

Microsoft.Insights/workbooktemplates/*

Microsoft.Insights/privateLinkScopes/*

Microsoft.Insights/privateLinkScopeOperationSt
atuses/*

Microsoft.Monitor/accounts/*

Microsoft.OperationalInsights/workspaces/writ Creates a new workspace or links to an existing

e workspace by providing the customer id from
the existing workspace.

Microsoft.OperationalInsights/workspaces/intell Read/write/delete log analytics solution packs.

igencepacks/*

Microsoft.OperationalInsights/workspaces/save Read/write/delete log analytics saved searches.

dSearches/*

Microsoft.OperationalInsights/workspaces/sear Executes a search query

ch/action
Actions Description

Microsoft.OperationalInsights/workspaces/shar Retrieves the shared keys for the workspace.

edKeys/action These keys are used to connect Microsoft
Operational Insights agents to the workspace.

Microsoft.OperationalInsights/workspaces/stor Read/write/delete log analytics storage insight

ageinsightconfigs/* configurations.

Microsoft.Support/* Create and update a support ticket

Microsoft.AlertsManagement/smartDetectorAle
rtRules/*

Microsoft.AlertsManagement/actionRules/*

Microsoft.AlertsManagement/smartGroups/*

Microsoft.AlertsManagement/migrateFromSma
rtDetection/*

Microsoft.AlertsManagement/investigations/*

Microsoft.AlertsManagement/prometheusRule
Groups/*

Microsoft.Monitor/investigations/*

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can read all monitoring data and update monitoring
settings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-
40b8-bcfc-e573ddc772fa",
"name": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.AlertsManagement/alerts/*",
"Microsoft.AlertsManagement/alertsSummary/*",
"Microsoft.Insights/actiongroups/*",
"Microsoft.Insights/activityLogAlerts/*",
"Microsoft.Insights/AlertRules/*",
"Microsoft.Insights/components/*",
"Microsoft.Insights/createNotifications/*",
"Microsoft.Insights/dataCollectionEndpoints/*",
"Microsoft.Insights/dataCollectionRules/*",
"Microsoft.Insights/dataCollectionRuleAssociations/*",
"Microsoft.Insights/DiagnosticSettings/*",
"Microsoft.Insights/eventtypes/*",
"Microsoft.Insights/LogDefinitions/*",
"Microsoft.Insights/metricalerts/*",
"Microsoft.Insights/MetricDefinitions/*",
"Microsoft.Insights/Metrics/*",
"Microsoft.Insights/notificationStatus/*",
"Microsoft.Insights/Register/Action",
"Microsoft.Insights/scheduledqueryrules/*",
"Microsoft.Insights/webtests/*",
"Microsoft.Insights/workbooks/*",
"Microsoft.Insights/workbooktemplates/*",
"Microsoft.Insights/privateLinkScopes/*",
"Microsoft.Insights/privateLinkScopeOperationStatuses/*",
"Microsoft.Monitor/accounts/*",
"Microsoft.OperationalInsights/workspaces/write",
"Microsoft.OperationalInsights/workspaces/intelligencepacks/*",
"Microsoft.OperationalInsights/workspaces/savedSearches/*",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.OperationalInsights/workspaces/sharedKeys/action",
"Microsoft.OperationalInsights/workspaces/storageinsightconfigs/*",
"Microsoft.Support/*",
"Microsoft.AlertsManagement/smartDetectorAlertRules/*",
"Microsoft.AlertsManagement/actionRules/*",
"Microsoft.AlertsManagement/smartGroups/*",
"Microsoft.AlertsManagement/migrateFromSmartDetection/*",
"Microsoft.AlertsManagement/investigations/*",
"Microsoft.AlertsManagement/prometheusRuleGroups/*",
"Microsoft.Monitor/investigations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Monitoring Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Monitoring Metrics Publisher
Enables publishing metrics against Azure resources

Learn more

ﾉ Expand table

Actions Description

Microsoft.Insights/Register/Action Register the Microsoft Insights provider

Microsoft.Support/* Create and update a support ticket

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

Microsoft.Insights/Metrics/Write Write metrics

Microsoft.Insights/Telemetry/Write Write telemetry

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Enables publishing metrics against Azure resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-
4e42-8a64-420c390055eb",
"name": "3913510d-42f4-4e42-8a64-420c390055eb",
"permissions": [
{
"actions": [
"Microsoft.Insights/Register/Action",
"Microsoft.Support/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Insights/Metrics/Write",
"Microsoft.Insights/Telemetry/Write"
],
"notDataActions": []
}
],
"roleName": "Monitoring Metrics Publisher",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Monitoring Reader
Can read all monitoring data (metrics, logs, etc.). See also Get started with roles,
permissions, and security with Azure Monitor.

Learn more

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

Microsoft.OperationalInsights/workspaces/sear Executes a search query

ch/action

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can read all monitoring data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-
4714-9337-8ba259a9fe05",
"name": "43d0d8ad-25c7-4714-9337-8ba259a9fe05",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.OperationalInsights/workspaces/search/action",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Monitoring Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Workbook Contributor
Can save shared workbooks.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Insights/workbooks/write Create or update a workbook

Microsoft.Insights/workbooks/delete Delete a workbook

Microsoft.Insights/workbooks/read Read a workbook

Microsoft.Insights/workbooks/revisions/read Get the workbook revisions

Microsoft.Insights/workbooktemplates/write Create or update a workbook template

Microsoft.Insights/workbooktemplates/delete Delete a workbook template

Microsoft.Insights/workbooktemplates/read Read a workbook template

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can save shared workbooks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-
4f9f-9844-4100522f16ad",
"name": "e8ddcd69-c73f-4f9f-9844-4100522f16ad",
"permissions": [
{
"actions": [
"Microsoft.Insights/workbooks/write",
"Microsoft.Insights/workbooks/delete",
"Microsoft.Insights/workbooks/read",
"Microsoft.Insights/workbooks/revisions/read",
"Microsoft.Insights/workbooktemplates/write",
"Microsoft.Insights/workbooktemplates/delete",
"Microsoft.Insights/workbooktemplates/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Workbook Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Workbook Reader
Can read workbooks.

Learn more

ﾉ Expand table

Actions Description

microsoft.insights/workbooks/read Read a workbook

microsoft.insights/workbooks/revisions/read Get the workbook revisions

Actions Description

microsoft.insights/workbooktemplates/read Read a workbook template

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can read workbooks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-
42a0-92ae-8b3cf002ec4d",
"name": "b279062a-9be3-42a0-92ae-8b3cf002ec4d",
"permissions": [
{
"actions": [
"microsoft.insights/workbooks/read",
"microsoft.insights/workbooks/revisions/read",
"microsoft.insights/workbooktemplates/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Workbook Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Next steps
Assign Azure roles using the Azure portal

Feedback
Was this page helpful?  Yes  No

Provide product feedback | Get help at Microsoft Q&A

Azure built-in roles for Management
and governance
Article • 09/23/2024

This article lists the Azure built-in roles in the Management and governance category.

Advisor Recommendations Contributor

(Assessments and Reviews)
View assessment recommendations, accepted review recommendations, and manage
the recommendations lifecycle (mark recommendations as completed, postponed or
dismissed, in progress, or not started).

Learn more

ﾉ Expand table

Actions Description

Microsoft.Advisor/recommendations/read Reads recommendations

Microsoft.Advisor/recommendations/write Writes recommendations

Microsoft.Advisor/recommendations/available/ New recommendation is available in Microsoft

action Advisor

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "View assessment recommendations, accepted review
recommendations, and manage the recommendations lifecycle (mark
recommendations as completed, postponed or dismissed, in progress, or not
started).",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6b534d80-e337-
47c4-864f-140f5c7f593d",
"name": "6b534d80-e337-47c4-864f-140f5c7f593d",
"permissions": [
{
"actions": [
"Microsoft.Advisor/recommendations/read",
"Microsoft.Advisor/recommendations/write",
"Microsoft.Advisor/recommendations/available/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Advisor Recommendations Contributor (Assessments and
Reviews)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Advisor Reviews Contributor

View reviews for a workload and triage recommendations linked to them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Advisor/resiliencyReviews/read Read resiliencyReviews

Microsoft.Advisor/triageRecommendations/rea Read triageRecommendations

Microsoft.Advisor/triageRecommendations/app Approve triageRecommendations

rove/action

Microsoft.Advisor/triageRecommendations/reje Reject triageRecommendations

ct/action

Microsoft.Advisor/triageRecommendations/res Reset triageRecommendations

et/action

Microsoft.Authorization/*/read Read roles and role assignments

Actions Description

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "View reviews for a workload and triage recommendations
linked to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8aac15f0-d885-
4138-8afa-bfb5872f7d13",
"name": "8aac15f0-d885-4138-8afa-bfb5872f7d13",
"permissions": [
{
"actions": [
"Microsoft.Advisor/resiliencyReviews/read",
"Microsoft.Advisor/triageRecommendations/read",
"Microsoft.Advisor/triageRecommendations/approve/action",
"Microsoft.Advisor/triageRecommendations/reject/action",
"Microsoft.Advisor/triageRecommendations/reset/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Advisor Reviews Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Advisor Reviews Reader

View reviews for a workload and recommendations linked to them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Advisor/resiliencyReviews/read Read resiliencyReviews

Microsoft.Advisor/triageRecommendations/rea Read triageRecommendations

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "View reviews for a workload and recommendations linked to
them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c64499e0-74c3-
47ad-921c-13865957895c",
"name": "c64499e0-74c3-47ad-921c-13865957895c",
"permissions": [
{
"actions": [
"Microsoft.Advisor/resiliencyReviews/read",
"Microsoft.Advisor/triageRecommendations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Advisor Reviews Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Automation Contributor
Manage Azure Automation resources and other resources using Azure Automation.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Automation/automationAccounts/*

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Insights/ActionGroups/*

Microsoft.Insights/ActivityLogAlerts/*

Microsoft.Insights/MetricAlerts/*

Microsoft.Insights/ScheduledQueryRules/*

Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic

setting for Analysis Server

Microsoft.OperationalInsights/workspaces/shar Retrieves the shared keys for the workspace.

edKeys/action These keys are used to connect Microsoft
Operational Insights agents to the workspace.

NotActions

none

DataActions

none
Actions Description

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Manage azure automation resources and other resources
using azure automation.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-
484e-a77a-8050b599b867",
"name": "f353d9bd-d4a6-484e-a77a-8050b599b867",
"permissions": [
{
"actions": [
"Microsoft.Automation/automationAccounts/*",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Insights/ActionGroups/*",
"Microsoft.Insights/ActivityLogAlerts/*",
"Microsoft.Insights/MetricAlerts/*",
"Microsoft.Insights/ScheduledQueryRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.OperationalInsights/workspaces/sharedKeys/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Automation Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Automation Job Operator

Create and Manage Jobs using Automation Runbooks.

Learn more

ﾉ Expand table
Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Automation/automationAccounts/hy Reads a Hybrid Runbook Worker Group

bridRunbookWorkerGroups/read

Microsoft.Automation/automationAccounts/job Gets an Azure Automation job

s/read

Microsoft.Automation/automationAccounts/job Resumes an Azure Automation job

s/resume/action

Microsoft.Automation/automationAccounts/job Stops an Azure Automation job

s/stop/action

Microsoft.Automation/automationAccounts/job Gets an Azure Automation job stream

s/streams/read

Microsoft.Automation/automationAccounts/job Suspends an Azure Automation job

s/suspend/action

Microsoft.Automation/automationAccounts/job Creates an Azure Automation job

s/write

Microsoft.Automation/automationAccounts/job Gets the output of a job

s/output/read

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Create and Manage Jobs using Automation Runbooks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-
4730-92eb-48519fa6bf9f",
"name": "4fe576fe-1146-4730-92eb-48519fa6bf9f",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",

Automation Operator
Automation Operators are able to start, stop, suspend, and resume jobs

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Automation/automationAccounts/hy Reads a Hybrid Runbook Worker Group

Actions Description

bridRunbookWorkerGroups/read

Microsoft.Automation/automationAccounts/job Gets an Azure Automation job

s/read

Microsoft.Automation/automationAccounts/job Resumes an Azure Automation job

s/resume/action

Microsoft.Automation/automationAccounts/job Stops an Azure Automation job

s/stop/action

Microsoft.Automation/automationAccounts/job Gets an Azure Automation job stream

s/streams/read

Microsoft.Automation/automationAccounts/job Suspends an Azure Automation job

s/suspend/action

Microsoft.Automation/automationAccounts/job Creates an Azure Automation job

s/write

Microsoft.Automation/automationAccounts/job Gets an Azure Automation job schedule

Schedules/read

Microsoft.Automation/automationAccounts/job Creates an Azure Automation job schedule

Schedules/write

Microsoft.Automation/automationAccounts/lin Gets the workspace linked to the automation

kedWorkspace/read account

Microsoft.Automation/automationAccounts/rea Gets an Azure Automation account

Microsoft.Automation/automationAccounts/run Gets an Azure Automation runbook

books/read

Microsoft.Automation/automationAccounts/sch Gets an Azure Automation schedule asset

edules/read

Microsoft.Automation/automationAccounts/sch Creates or updates an Azure Automation

edules/write schedule asset

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Automation/automationAccounts/job Gets the output of a job

s/output/read
Actions Description

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Automation Operators are able to start, stop, suspend, and
resume jobs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-
4167-8283-e981cbba0404",
"name": "d3881f73-407a-4167-8283-e981cbba0404",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",

"Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read",
"Microsoft.Automation/automationAccounts/jobs/read",
"Microsoft.Automation/automationAccounts/jobs/resume/action",
"Microsoft.Automation/automationAccounts/jobs/stop/action",
"Microsoft.Automation/automationAccounts/jobs/streams/read",
"Microsoft.Automation/automationAccounts/jobs/suspend/action",
"Microsoft.Automation/automationAccounts/jobs/write",
"Microsoft.Automation/automationAccounts/jobSchedules/read",
"Microsoft.Automation/automationAccounts/jobSchedules/write",
"Microsoft.Automation/automationAccounts/linkedWorkspace/read",
"Microsoft.Automation/automationAccounts/read",
"Microsoft.Automation/automationAccounts/runbooks/read",
"Microsoft.Automation/automationAccounts/schedules/read",
"Microsoft.Automation/automationAccounts/schedules/write",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Automation/automationAccounts/jobs/output/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Automation Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Automation Runbook Operator

Read Runbook properties - to be able to create Jobs of the runbook.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Automation/automationAccounts/run Gets an Azure Automation runbook

books/read

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON
{
"assignableScopes": [
"/"
],
"description": "Read Runbook properties - to be able to create Jobs of the
runbook.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-
4b8e-bb16-9d5d0385bab5",
"name": "5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Automation/automationAccounts/runbooks/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Automation Runbook Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Center for SAP solutions administrator

This role provides read and write access to all capabilities of Azure Center for SAP
solutions.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Advisor/configurations/read Get configurations

Microsoft.Advisor/recommendations/read Reads recommendations

Microsoft.Workloads/sapvirtualInstances/*/read

Microsoft.Workloads/sapVirtualInstances/*/writ
e
Actions Description

Microsoft.Workloads/sapVirtualInstances/*/dele
te

Microsoft.Workloads/Locations/*/action

Microsoft.Workloads/Locations/*/read

Microsoft.Workloads/sapVirtualInstances/*/star
t/action

Microsoft.Workloads/sapVirtualInstances/*/sto
p/action

Microsoft.Workloads/connectors/*/read

Microsoft.Workloads/connectors/*/write

Microsoft.Workloads/connectors/*/delete

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/metricDefinitions/read Read metric definitions

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Creates or updates a resource group.

ups/write

Microsoft.Resources/subscriptions/resourcegro
ups/deployments/*

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/virtualNetworks/providers/ Gets available metrics for the PingMesh

Microsoft.Insights/metricDefinitions/read

Microsoft.Network/virtualNetworks/subnets/rea Gets a virtual network subnet definition

d
Actions Description

Microsoft.Network/virtualNetworks/subnets/wri Creates a virtual network subnet or updates an

te existing virtual network subnet

Microsoft.Network/virtualNetworks/subnets/vir Gets references to all the virtual machines in a

tualMachines/read virtual network subnet

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Network/networkInterfaces/ipconfigu Gets a network interface ip configuration

rations/read definition.

Microsoft.Network/networkInterfaces/loadBala Gets all the load balancers that the network

ncers/read interface is part of

Microsoft.Network/networkInterfaces/providers Gets available metrics for the Network Interface

/Microsoft.Insights/metricDefinitions/read

Microsoft.Network/loadBalancers/read Gets a load balancer definition

Microsoft.Network/loadBalancers/backendAddr Gets a load balancer backend address pool

essPools/read definition

Microsoft.Network/loadBalancers/frontendIPCo Gets a load balancer frontend IP configuration

nfigurations/read definition

Microsoft.Network/loadBalancers/loadBalancin Gets a load balancer load balancing rule

gRules/read definition

Microsoft.Network/loadBalancers/inboundNatR Gets a load balancer inbound nat rule

ules/read definition

Microsoft.Network/loadBalancers/providers/Mi Gets the events for Load Balancer

crosoft.Insights/logDefinitions/read

Microsoft.Network/loadBalancers/networkInterf Gets references to all the network interfaces

aces/read under a load balancer

Microsoft.Network/loadBalancers/outboundRul Gets a load balancer outbound rule definition

es/read

Microsoft.Network/loadBalancers/virtualMachin Gets references to all the virtual machines

es/read under a load balancer

Microsoft.Network/loadBalancers/providers/Mi Gets the available metrics for Load Balancer

crosoft.Insights/metricDefinitions/read

Microsoft.Network/privateEndpoints/read Gets an private endpoint resource.

Microsoft.Network/networkSecurityGroups/join Joins a network security group. Not Alertable.

/action
Actions Description

Microsoft.Network/routeTables/join/action Joins a route table. Not Alertable.

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.Storage/storageAccounts/blobService Returns blob service properties or statistics

s/read

Microsoft.Storage/storageAccounts/blobService Returns list of containers

s/containers/read

Microsoft.Storage/storageAccounts/fileServices Get file service properties

/read

Microsoft.Storage/storageAccounts/fileServices List file shares

/shares/read

Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine

Microsoft.Compute/availabilitySets/read Get the properties of an availability set

Microsoft.Compute/sshPublicKeys/read Get the properties of an SSH public key

Microsoft.Compute/sshPublicKeys/write Creates a new SSH public key or updates an

existing SSH public key

Microsoft.Compute/sshPublicKeys/*/generateK
eyPair/action

Microsoft.Compute/virtualMachines/extensions Get the properties of a virtual machine

/read extension

Microsoft.Compute/virtualMachines/extensions Deletes the virtual machine extension

/delete

Microsoft.Compute/disks/read Get the properties of a Disk

NotActions

none

DataActions

Microsoft.Storage/storageAccounts/blobService Returns a blob or a list of blobs

s/containers/blobs/read

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "This role provides read and write access to all
capabilities of Azure Center for SAP solutions.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7b0c7e81-271f-
4c71-90bf-e30bdfdbc2f7",
"name": "7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7",
"permissions": [
{
"actions": [
"Microsoft.Advisor/configurations/read",
"Microsoft.Advisor/recommendations/read",
"Microsoft.Workloads/sapvirtualInstances/*/read",
"Microsoft.Workloads/sapVirtualInstances/*/write",
"Microsoft.Workloads/sapVirtualInstances/*/delete",
"Microsoft.Workloads/Locations/*/action",
"Microsoft.Workloads/Locations/*/read",
"Microsoft.Workloads/sapVirtualInstances/*/start/action",
"Microsoft.Workloads/sapVirtualInstances/*/stop/action",
"Microsoft.Workloads/connectors/*/read",
"Microsoft.Workloads/connectors/*/write",
"Microsoft.Workloads/connectors/*/delete",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Network/virtualNetworks/read",

"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefini
tions/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/ipconfigurations/read",
"Microsoft.Network/networkInterfaces/loadBalancers/read",

"Microsoft.Network/networkInterfaces/providers/Microsoft.Insights/metricDefi
nitions/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/backendAddressPools/read",
"Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
"Microsoft.Network/loadBalancers/loadBalancingRules/read",
"Microsoft.Network/loadBalancers/inboundNatRules/read",
"Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions
/read",
"Microsoft.Network/loadBalancers/networkInterfaces/read",
"Microsoft.Network/loadBalancers/outboundRules/read",
"Microsoft.Network/loadBalancers/virtualMachines/read",

"Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefiniti
ons/read",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/routeTables/join/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/fileServices/read",
"Microsoft.Storage/storageAccounts/fileServices/shares/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/sshPublicKeys/read",
"Microsoft.Compute/sshPublicKeys/write",
"Microsoft.Compute/sshPublicKeys/*/generateKeyPair/action",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/extensions/delete",
"Microsoft.Compute/disks/read"
],
"notActions": [],
"dataActions": [

"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
],
"notDataActions": []
}
],
"roleName": "Azure Center for SAP solutions administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Center for SAP solutions reader

This role provides read access to all capabilities of Azure Center for SAP solutions.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Advisor/configurations/read Get configurations

Actions Description

Microsoft.Advisor/recommendations/read Reads recommendations

Microsoft.Workloads/sapvirtualInstances/*/read

Microsoft.Workloads/Locations/*/read

Microsoft.Workloads/Operations/read read Operations

Microsoft.Workloads/Locations/OperationStatu read OperationStatuses

ses/read

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Insights/alertRules/read Read a classic metric alert

Microsoft.Insights/metrics/read Read metrics

Microsoft.Insights/metricDefinitions/read Read metric definitions

Microsoft.Resources/deployments/read Gets or lists deployments.

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourcegro Gets or lists deployments.

ups/deployments/read

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/virtualNetworks/providers/ Gets available metrics for the PingMesh

Microsoft.Insights/metricDefinitions/read

Microsoft.Network/virtualNetworks/subnets/rea Gets a virtual network subnet definition

Microsoft.Network/virtualNetworks/subnets/vir Gets references to all the virtual machines in a

tualMachines/read virtual network subnet

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Network/networkInterfaces/ipconfigu Gets a network interface ip configuration

rations/read definition.

Microsoft.Network/networkInterfaces/loadBala Gets all the load balancers that the network

ncers/read interface is part of
Actions Description

Microsoft.Network/networkInterfaces/providers Gets available metrics for the Network Interface

/Microsoft.Insights/metricDefinitions/read

Microsoft.Network/loadBalancers/read Gets a load balancer definition

Microsoft.Network/loadBalancers/backendAddr Gets a load balancer backend address pool

essPools/read definition

Microsoft.Network/loadBalancers/frontendIPCo Gets a load balancer frontend IP configuration

nfigurations/read definition

Microsoft.Network/loadBalancers/loadBalancin Gets a load balancer load balancing rule

gRules/read definition

Microsoft.Network/loadBalancers/inboundNatR Gets a load balancer inbound nat rule

ules/read definition

Microsoft.Network/loadBalancers/providers/Mi Gets the events for Load Balancer

crosoft.Insights/logDefinitions/read

Microsoft.Network/loadBalancers/networkInterf Gets references to all the network interfaces

aces/read under a load balancer

Microsoft.Network/loadBalancers/outboundRul Gets a load balancer outbound rule definition

es/read

Microsoft.Network/loadBalancers/virtualMachin Gets references to all the virtual machines

es/read under a load balancer

Microsoft.Network/loadBalancers/providers/Mi Gets the available metrics for Load Balancer

crosoft.Insights/metricDefinitions/read

Microsoft.Network/privateEndpoints/read Gets an private endpoint resource.

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.Storage/storageAccounts/blobService Returns blob service properties or statistics

s/read

Microsoft.Storage/storageAccounts/blobService Returns list of containers

s/containers/read

Microsoft.Storage/storageAccounts/fileServices Get file service properties

/read

Microsoft.Storage/storageAccounts/fileServices List file shares

/shares/read

Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine

Actions Description

Microsoft.Compute/availabilitySets/read Get the properties of an availability set

Microsoft.Compute/virtualMachines/extensions Get the properties of a virtual machine

/read extension

Microsoft.Compute/disks/read Get the properties of a Disk

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "This role provides read access to all capabilities of
Azure Center for SAP solutions.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/05352d14-a920-
4328-a0de-4cbe7430e26b",
"name": "05352d14-a920-4328-a0de-4cbe7430e26b",
"permissions": [
{
"actions": [
"Microsoft.Advisor/configurations/read",
"Microsoft.Advisor/recommendations/read",
"Microsoft.Workloads/sapvirtualInstances/*/read",
"Microsoft.Workloads/Locations/*/read",
"Microsoft.Workloads/Operations/read",
"Microsoft.Workloads/Locations/OperationStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Network/virtualNetworks/read",

"Microsoft.Network/virtualNetworks/providers/Microsoft.Insights/metricDefini
tions/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/ipconfigurations/read",
"Microsoft.Network/networkInterfaces/loadBalancers/read",

"Microsoft.Network/loadBalancers/providers/Microsoft.Insights/logDefinitions
/read",
"Microsoft.Network/loadBalancers/networkInterfaces/read",
"Microsoft.Network/loadBalancers/outboundRules/read",
"Microsoft.Network/loadBalancers/virtualMachines/read",

"Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefiniti
ons/read",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/fileServices/read",
"Microsoft.Storage/storageAccounts/fileServices/shares/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/disks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Center for SAP solutions reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Center for SAP solutions service role

Azure Center for SAP solutions service role - This role is intended to be used for
providing the permissions to user assigned managed identity. Azure Center for SAP
solutions will use this identity to deploy and manage SAP systems.

Learn more
ﾉ Expand table

Actions Description

Microsoft.Resources/subscriptions/resourceGro Creates or updates a resource group.

ups/write

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourcegro
ups/deployments/*

Microsoft.Network/loadBalancers/read Gets a load balancer definition

Microsoft.Network/loadBalancers/write Creates a load balancer or updates an existing

load balancer

Microsoft.Network/loadBalancers/backendAddr Gets a load balancer backend address pool

essPools/read definition

Microsoft.Network/loadBalancers/backendAddr Creates a load balancer backend address pool

essPools/write or updates an existing load balancer backend
address pool

Microsoft.Network/loadBalancers/frontendIPCo Gets a load balancer frontend IP configuration

nfigurations/read definition

Microsoft.Network/loadBalancers/loadBalancin Gets a load balancer load balancing rule

gRules/read definition

Microsoft.Network/loadBalancers/inboundNatR Gets a load balancer inbound nat rule

ules/read definition

Microsoft.Network/loadBalancers/providers/Mi Gets the events for Load Balancer

crosoft.Insights/logDefinitions/read

Microsoft.Network/loadBalancers/networkInterf Gets references to all the network interfaces

aces/read under a load balancer

Microsoft.Network/loadBalancers/outboundRul Gets a load balancer outbound rule definition

es/read

Microsoft.Network/loadBalancers/virtualMachin Gets references to all the virtual machines

es/read under a load balancer

Microsoft.Network/loadBalancers/providers/Mi Gets the available metrics for Load Balancer

crosoft.Insights/metricDefinitions/read
Actions Description

Microsoft.Network/networkInterfaces/read Gets a network interface definition.

Microsoft.Network/networkInterfaces/write Creates a network interface or updates an

existing network interface.

Microsoft.Network/networkInterfaces/ipconfigu Gets a network interface ip configuration

rations/read definition.

Microsoft.Network/networkInterfaces/loadBala Gets all the load balancers that the network

ncers/read interface is part of

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.Network/virtualNetworks/checkIpAdd Check if IP Address is available at the specified

ressAvailability/read virtual network

Microsoft.Network/virtualNetworks/subnets/rea Gets a virtual network subnet definition

Microsoft.Network/virtualNetworks/subnets/vir Gets references to all the virtual machines in a

tualMachines/read virtual network subnet

Microsoft.Network/virtualNetworks/virtualMach Gets references to all the virtual machines in a

ines/read virtual network

Microsoft.Network/networkInterfaces/ipconfigu Joins a Network Interface IP Configuration. Not

rations/join/action alertable.

Microsoft.Network/privateEndpoints/read Gets an private endpoint resource.

Microsoft.Network/privateEndpoints/write Creates a new private endpoint, or updates an

existing private endpoint.

Microsoft.Network/networkInterfaces/join/actio Joins a Virtual Machine to a network interface.

n Not Alertable.

Microsoft.Network/loadBalancers/backendAddr Joins a load balancer backend address pool.

essPools/join/action Not Alertable.

Microsoft.Network/loadBalancers/frontendIPCo Joins a Load Balancer Frontend IP

nfigurations/join/action Configuration. Not alertable.

Microsoft.Network/virtualNetworks/subnets/joi Joins a virtual network. Not Alertable.

n/action

Microsoft.Network/virtualNetworks/subnets/joi Joins a load balancer to virtual network subnets

nLoadBalancer/action

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.
Actions Description

Microsoft.Storage/storageAccounts/write Creates a storage account with the specified

parameters or update the properties or tags or
adds custom domain for the specified storage
account.

Microsoft.Storage/storageAccounts/PrivateEnd Approve Private Endpoint Connections

pointConnectionsApproval/action

Microsoft.Storage/storageAccounts/blobService Returns blob service properties or statistics

s/read

Microsoft.Storage/storageAccounts/blobService Returns list of containers

s/containers/read

Microsoft.Storage/storageAccounts/fileServices Get file service properties

/read

Microsoft.Storage/storageAccounts/fileServices Put file service properties

/write

Microsoft.Storage/storageAccounts/fileServices List file shares

/shares/read

Microsoft.Storage/storageAccounts/fileServices Create or update file share

/shares/write

Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine

Microsoft.Compute/virtualMachines/write Creates a new virtual machine or updates an

existing virtual machine

Microsoft.Compute/virtualMachines/instanceVi Gets the detailed runtime status of the virtual

ew/read machine and its resources

Microsoft.Compute/availabilitySets/read Get the properties of an availability set

Microsoft.Compute/availabilitySets/write Creates a new availability set or updates an

existing one

Microsoft.Compute/skus/read Gets the list of Microsoft.Compute SKUs

available for your Subscription

Microsoft.Compute/sshPublicKeys/read Get the properties of an SSH public key

Microsoft.Compute/virtualMachines/extensions Get the properties of a virtual machine

/read extension

Microsoft.Compute/virtualMachines/extensions Creates a new virtual machine extension or

/write updates an existing one
Actions Description

Microsoft.Compute/virtualMachines/extensions Deletes the virtual machine extension

/delete

Microsoft.Compute/disks/read Get the properties of a Disk

Microsoft.Compute/disks/write Creates a new Disk or updates an existing one

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Azure Center for SAP solutions service role - This role is
intended to be used for providing the permissions to user assigned managed
identity. Azure Center for SAP solutions will use this identity to deploy
and manage SAP systems.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/aabbc5dd-1af0-
458b-a942-81af88f9c138",
"name": "aabbc5dd-1af0-458b-a942-81af88f9c138",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourceGroups/write",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/*",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/write",
"Microsoft.Network/loadBalancers/backendAddressPools/read",
"Microsoft.Network/loadBalancers/backendAddressPools/write",
"Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
"Microsoft.Network/loadBalancers/loadBalancingRules/read",
"Microsoft.Network/loadBalancers/inboundNatRules/read",

"Microsoft.Network/loadBalancers/providers/Microsoft.Insights/metricDefiniti
ons/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/ipconfigurations/read",
"Microsoft.Network/networkInterfaces/loadBalancers/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
"Microsoft.Network/virtualNetworks/virtualMachines/read",
"Microsoft.Network/networkInterfaces/ipconfigurations/join/action",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/privateEndpoints/write",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",

"Microsoft.Network/loadBalancers/frontendIPConfigurations/join/action",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/joinLoadBalancer/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",

"Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action
",
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/fileServices/read",
"Microsoft.Storage/storageAccounts/fileServices/write",
"Microsoft.Storage/storageAccounts/fileServices/shares/read",
"Microsoft.Storage/storageAccounts/fileServices/shares/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/write",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/sshPublicKeys/read",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/extensions/write",
"Microsoft.Compute/virtualMachines/extensions/delete",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Center for SAP solutions service role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine Onboarding

Can onboard Azure Connected Machines.

Learn more

ﾉ Expand table

Actions Description

Microsoft.HybridCompute/machines/read Read any Azure Arc machines

Microsoft.HybridCompute/machines/write Writes an Azure Arc machines

Microsoft.HybridCompute/privateLinkScopes/re Read any Azure Arc privateLinkScopes

Microsoft.GuestConfiguration/guestConfigurati Get guest configuration assignment.

onAssignments/read

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can onboard Azure Connected Machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-
4cdf-9dc9-5b892992bee7",
"name": "b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/privateLinkScopes/read",
"Microsoft.GuestConfiguration/guestConfigurationAssignments/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected Machine Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine Resource

Administrator
Can read, write, delete and re-onboard Azure Connected Machines.

Learn more

ﾉ Expand table

Actions Description

Microsoft.HybridCompute/machines/*

Microsoft.HybridCompute/machines/extensions
/*

Microsoft.HybridCompute/machines/licensePro
files/*

Microsoft.HybridCompute/machines/runComm
ands/*

Microsoft.HybridCompute/machines/UpgradeE Upgrades Extensions on Azure Arc machines

xtensions/action

Microsoft.HybridCompute/privateLinkScopes/*

Microsoft.HybridCompute/licenses/*

Microsoft.HybridCompute/locations/*

Microsoft.HybridCompute/*/read

Microsoft.Resources/deployments/* Create and manage a deployment

NotActions
Actions Description

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can read, write, delete and re-onboard Azure Connected
Machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-
42ad-bac8-bafd67325302",
"name": "cd570a14-e51a-42ad-bac8-bafd67325302",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/*",
"Microsoft.HybridCompute/machines/extensions/*",
"Microsoft.HybridCompute/machines/licenseProfiles/*",
"Microsoft.HybridCompute/machines/runCommands/*",
"Microsoft.HybridCompute/machines/UpgradeExtensions/action",
"Microsoft.HybridCompute/privateLinkScopes/*",
"Microsoft.HybridCompute/licenses/*",
"Microsoft.HybridCompute/locations/*",
"Microsoft.HybridCompute/*/read",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected Machine Resource Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Connected Machine Resource Manager

Custom Role for AzureStackHCI RP to manage hybrid compute machines and hybrid
connectivity endpoints in a resource group

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.GuestConfiguration/guestConfigurati
onAssignments/*/read

Microsoft.GuestConfiguration/guestConfigurati Get guest configuration assignment.

onAssignments/read

Microsoft.GuestConfiguration/guestConfigurati Create new guest configuration assignment.

onAssignments/write

Microsoft.HybridCompute/machines/read Read any Azure Arc machines

Microsoft.HybridCompute/machines/extensions Reads any Azure Arc extensions

/read

Microsoft.HybridCompute/*/read

Microsoft.HybridCompute/machines/delete Deletes an Azure Arc machines

Microsoft.HybridCompute/machines/extensions Deletes an Azure Arc extensions

/delete

Microsoft.HybridCompute/machines/extensions Installs or Updates an Azure Arc extensions

/write

Microsoft.HybridCompute/machines/licensePro Deletes an Azure Arc licenseProfiles

files/delete

Microsoft.HybridCompute/machines/licensePro Reads any Azure Arc licenseProfiles

files/read

Microsoft.HybridCompute/machines/licensePro Installs or Updates an Azure Arc licenseProfiles

files/write

Microsoft.HybridCompute/machines/UpgradeE Upgrades Extensions on Azure Arc machines

xtensions/action

Microsoft.HybridCompute/machines/write Writes an Azure Arc machines

Microsoft.HybridConnectivity/endpoints/read Get or list of endpoints to the target resource.

Actions Description

Microsoft.HybridConnectivity/endpoints/service Get or list of serviceConfigurations to the

Configurations/read endpoints resource.

Microsoft.HybridConnectivity/endpoints/service Create or update the serviceConfigurations to

Configurations/write the endpoints resource.

Microsoft.HybridConnectivity/endpoints/write Create or update the endpoint to the target

resource.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.EdgeMarketplace/locations/operatio read operationStatuses

nStatuses/read

Microsoft.EdgeMarketPlace/offers/getAccessTo get access token.

ken/action

Microsoft.EdgeMarketPlace/offers/generateAcc A long-running resource action.

essToken/action

Microsoft.EdgeMarketplace/publishers/read Get a Publisher

Microsoft.EdgeMarketplace/offers/read Get a Offer

Microsoft.ExtendedLocation/customLocations/r Gets an Custom Location resource

ead

Microsoft.Attestation/attestationProviders/write Adds attestation service.

Microsoft.Attestation/attestationProviders/read Gets the attestation service status.

Microsoft.Attestation/attestationProviders/dele Removes attestation service.

Microsoft.Attestation/attestationProviders/attes Gets the attestation service status.

tation/read

Microsoft.Attestation/attestationProviders/attes Adds attestation service.

tation/write

Microsoft.Attestation/attestationProviders/attes Removes attestation service.

tation/delete

NotActions

none

DataActions
Actions Description

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Custom Role for AzureStackHCI RP to manage hybrid compute
machines and hybrid connectivity endpoints in a resource group",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f5819b54-e033-
4d82-ac66-4fec3cbf3f4c",
"name": "f5819b54-e033-4d82-ac66-4fec3cbf3f4c",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.GuestConfiguration/guestConfigurationAssignments/*/read",
"Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
"Microsoft.GuestConfiguration/guestConfigurationAssignments/write",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/extensions/read",
"Microsoft.HybridCompute/*/read",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/machines/extensions/delete",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.HybridCompute/machines/licenseProfiles/delete",
"Microsoft.HybridCompute/machines/licenseProfiles/read",
"Microsoft.HybridCompute/machines/licenseProfiles/write",
"Microsoft.HybridCompute/machines/UpgradeExtensions/action",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridConnectivity/endpoints/read",
"Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read",

"Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write",
"Microsoft.HybridConnectivity/endpoints/write",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.EdgeMarketplace/locations/operationStatuses/read",
"Microsoft.EdgeMarketPlace/offers/getAccessToken/action",
"Microsoft.EdgeMarketPlace/offers/generateAccessToken/action",
"Microsoft.EdgeMarketplace/publishers/read",
"Microsoft.EdgeMarketplace/offers/read",
"Microsoft.ExtendedLocation/customLocations/read",
"Microsoft.Attestation/attestationProviders/write",
"Microsoft.Attestation/attestationProviders/read",
"Microsoft.Attestation/attestationProviders/delete",
"Microsoft.Attestation/attestationProviders/attestation/read",
"Microsoft.Attestation/attestationProviders/attestation/write",
"Microsoft.Attestation/attestationProviders/attestation/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected Machine Resource Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Azure Customer Lockbox Approver for

Subscription
Can approve Microsoft support requests to access specific resources contained within a
subscription, or the subscription itself, when Customer Lockbox for Microsoft Azure is
enabled on the tenant where the subscription resides.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.CustomerLockbox/requests/UpdateA Update Approval Microsoft.CustomerLockbox

pproval/action

Microsoft.CustomerLockbox/requests/read Read Lockbox Request

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Insights/eventtypes/values/read Read Activity Log events

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can approve Microsoft support requests to access specific
resources contained within a subscription, or the subscription itself, when
Customer Lockbox for Microsoft Azure is enabled on the tenant where the
subscription resides.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4dae6930-7baf-
46f5-909e-0383bc931c46",
"name": "4dae6930-7baf-46f5-909e-0383bc931c46",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/read",
"Microsoft.CustomerLockbox/requests/UpdateApproval/action",
"Microsoft.CustomerLockbox/requests/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/eventtypes/values/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Customer Lockbox Approver for Subscription",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Billing Reader
Allows read access to billing data

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Actions Description

Microsoft.Billing/*/read Read Billing information

Microsoft.Commerce/*/read

Microsoft.Consumption/*/read

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

Microsoft.CostManagement/*/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows read access to billing data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-
40d8-ac0c-ce449e1d2c64",
"name": "fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Billing/*/read",
"Microsoft.Commerce/*/read",
"Microsoft.Consumption/*/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.CostManagement/*/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Billing Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Blueprint Contributor
Can manage blueprint definitions, but not assign them.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Blueprint/blueprints/* Create and manage blueprint definitions or

blueprint artifacts.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can manage blueprint definitions, but not assign them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-
4205-871c-5a86e6a753b4",
"name": "41077137-e803-4205-871c-5a86e6a753b4",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Blueprint/blueprints/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Blueprint Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Blueprint Operator
Can assign existing published blueprints, but cannot create new blueprints. Note that
this only works if the assignment is done with a user-assigned managed identity.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Blueprint/blueprintAssignments/* Create and manage blueprint assignments.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions
Actions Description

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can assign existing published blueprints, but cannot
create new blueprints. NOTE: this only works if the assignment is done with
a user-assigned managed identity.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-
4302-8479-ed2bcb43d090",
"name": "437d2ced-4a38-4302-8479-ed2bcb43d090",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Blueprint/blueprintAssignments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Blueprint Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Carbon Optimization Reader

Allow read access to Azure Carbon Optimization data

Learn more

ﾉ Expand table

Actions Description

Microsoft.Carbon/carbonEmissionReports/actio API for Carbon Emissions Reports

NotActions
Actions Description

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allow read access to Azure Carbon Optimization data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fa0d39e6-28e5-
40cf-8521-1eb320653a4c",
"name": "fa0d39e6-28e5-40cf-8521-1eb320653a4c",
"permissions": [
{
"actions": [
"Microsoft.Carbon/carbonEmissionReports/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Carbon Optimization Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cost Management Contributor

Can view costs and manage cost configuration (e.g. budgets, exports)

Learn more

ﾉ Expand table

Actions Description

Microsoft.Consumption/*
Actions Description

Microsoft.CostManagement/*

Microsoft.Billing/billingPeriods/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Advisor/configurations/read Get configurations

Microsoft.Advisor/recommendations/read Reads recommendations

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

Microsoft.Billing/billingProperty/read Gets the billing properties for a subscription

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can view costs and manage cost configuration (e.g.
budgets, exports)",
"id": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-
45c7-a02f-909b2ba83430",
"name": "434105ed-43f6-45c7-a02f-909b2ba83430",
"permissions": [
{
"actions": [
"Microsoft.Consumption/*",
"Microsoft.CostManagement/*",
"Microsoft.Billing/billingPeriods/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Advisor/configurations/read",
"Microsoft.Advisor/recommendations/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Billing/billingProperty/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cost Management Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Cost Management Reader

Can view cost data and configuration (e.g. budgets, exports)

Learn more

ﾉ Expand table

Actions Description

Microsoft.Consumption/*/read

Microsoft.CostManagement/*/read

Microsoft.Billing/billingPeriods/read

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

Microsoft.Advisor/configurations/read Get configurations

Microsoft.Advisor/recommendations/read Reads recommendations

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

Microsoft.Billing/billingProperty/read Gets the billing properties for a subscription

NotActions
Actions Description

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Can view cost data and configuration (e.g. budgets,
exports)",
"id": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-
4937-9268-a91bfd8191a3",
"name": "72fafb9e-0641-4937-9268-a91bfd8191a3",
"permissions": [
{
"actions": [
"Microsoft.Consumption/*/read",
"Microsoft.CostManagement/*/read",
"Microsoft.Billing/billingPeriods/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Advisor/configurations/read",
"Microsoft.Advisor/recommendations/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Billing/billingProperty/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cost Management Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Hierarchy Settings Administrator

Allows users to edit and delete Hierarchy Settings
ﾉ Expand table

Actions Description

Microsoft.Management/managementGroups/se Creates or updates management group

ttings/write hierarchy settings.

Microsoft.Management/managementGroups/se Deletes management group hierarchy settings.

ttings/delete

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows users to edit and delete Hierarchy Settings",
"id": "/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-
4448-8ae1-157740a3936d",
"name": "350f8d15-c687-4448-8ae1-157740a3936d",
"permissions": [
{
"actions": [
"Microsoft.Management/managementGroups/settings/write",
"Microsoft.Management/managementGroups/settings/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Hierarchy Settings Administrator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Managed Application Contributor Role

Allows for creating managed application resources.

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

Microsoft.Solutions/applications/*

Microsoft.Solutions/register/action Register the subscription for

Microsoft.Solutions

Microsoft.Resources/subscriptions/resourceGro
ups/*

Microsoft.Resources/deployments/* Create and manage a deployment

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows for creating managed application resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-
45b9-a033-47bc880bb21e",
"name": "641177b8-a67a-45b9-a033-47bc880bb21e",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Solutions/applications/*",
"Microsoft.Solutions/register/action",
"Microsoft.Resources/subscriptions/resourceGroups/*",
"Microsoft.Resources/deployments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Application Contributor Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Managed Application Operator Role

Lets you read and perform actions on Managed Application resources

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

Microsoft.Solutions/applications/read Lists all the applications within a subscription.

Microsoft.Solutions/*/action

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you read and perform actions on Managed Application
resources",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-
406f-901b-d8cf2b17e6ae",
"name": "c7393b34-138c-406f-901b-d8cf2b17e6ae",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Solutions/applications/read",
"Microsoft.Solutions/*/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Application Operator Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Managed Applications Reader

Lets you read resources in a managed app and request JIT access.

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Solutions/jitRequests/*

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you read resources in a managed app and request JIT
access.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-
4f8c-b097-4f54124fdb44",
"name": "b9331d33-8a36-4f8c-b097-4f54124fdb44",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Solutions/jitRequests/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Applications Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Managed Services Registration assignment

Delete Role
Managed Services Registration Assignment Delete Role allows the managing tenant
users to delete the registration assignment assigned to their tenant.

Learn more

ﾉ Expand table

Actions Description

Microsoft.ManagedServices/registrationAssign Retrieves a list of Managed Services registration

ments/read assignments.

Microsoft.ManagedServices/registrationAssign Removes Managed Services registration

ments/delete assignment.

Microsoft.ManagedServices/operationStatuses/ Reads the operation status for the resource.

read

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Managed Services Registration Assignment Delete Role
allows the managing tenant users to delete the registration assignment
assigned to their tenant.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-
4fae-b103-61d183457e46",
"name": "91c1777a-f3dc-4fae-b103-61d183457e46",
"permissions": [
{
"actions": [
"Microsoft.ManagedServices/registrationAssignments/read",
"Microsoft.ManagedServices/registrationAssignments/delete",
"Microsoft.ManagedServices/operationStatuses/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Managed Services Registration assignment Delete Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Management Group Contributor

Management Group Contributor Role

Learn more

ﾉ Expand table

Actions Description

Microsoft.Management/managementGroups/d Delete management group.

elete

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

Microsoft.Management/managementGroups/s De-associates subscription from the

ubscriptions/delete management group.

Microsoft.Management/managementGroups/s Associates existing subscription with the

ubscriptions/write management group.
Actions Description

Microsoft.Management/managementGroups/w Create or update a management group.

rite

Microsoft.Management/managementGroups/s Lists subscription under the given management

ubscriptions/read group.

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Management Group Contributor Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-
4b20-bdb6-eed9f69fbe4c",
"name": "5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c",
"permissions": [
{
"actions": [
"Microsoft.Management/managementGroups/delete",
"Microsoft.Management/managementGroups/read",
"Microsoft.Management/managementGroups/subscriptions/delete",
"Microsoft.Management/managementGroups/subscriptions/write",
"Microsoft.Management/managementGroups/write",
"Microsoft.Management/managementGroups/subscriptions/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Management Group Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Management Group Reader
Management Group Reader Role

ﾉ Expand table

Actions Description

Microsoft.Management/managementGroups/re List management groups for the authenticated

ad user.

Microsoft.Management/managementGroups/s Lists subscription under the given management

ubscriptions/read group.

Microsoft.Authorization/*/read Read roles and role assignments

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Management Group Reader Role",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-
497d-ac71-919bf39d939d",
"name": "ac63b705-f282-497d-ac71-919bf39d939d",
"permissions": [
{
"actions": [
"Microsoft.Management/managementGroups/read",
"Microsoft.Management/managementGroups/subscriptions/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Management Group Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

New Relic APM Account Contributor

Lets you manage New Relic Application Performance Management accounts and
applications, but not access to them.

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NewRelic.APM/accounts/*

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage New Relic Application Performance
Management accounts and applications, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-
4476-8438-e587778df237",
"name": "5d28c62d-5b37-4476-8438-e587778df237",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"NewRelic.APM/accounts/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "New Relic APM Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Policy Insights Data Writer (Preview)

Allows read access to resource policies and write access to resource component policy
events.

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/policyassignments/rea Get information about a policy assignment.

Microsoft.Authorization/policydefinitions/read Get information about a policy definition.

Microsoft.Authorization/policyexemptions/read Get information about a policy exemption.

Microsoft.Authorization/policysetdefinitions/re Get information about a policy set definition.

NotActions

none

DataActions
Actions Description

Microsoft.PolicyInsights/checkDataPolicyCompli Check the compliance status of a given

ance/action component against data policies.

Microsoft.PolicyInsights/policyEvents/logDataEv Log the resource component policy events.

ents/action

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Allows read access to resource policies and write access
to resource component policy events.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-
4a94-8249-4c0511c2be84",
"name": "66bb4e9e-b016-4a94-8249-4c0511c2be84",
"permissions": [
{
"actions": [
"Microsoft.Authorization/policyassignments/read",
"Microsoft.Authorization/policydefinitions/read",
"Microsoft.Authorization/policyexemptions/read",
"Microsoft.Authorization/policysetdefinitions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.PolicyInsights/checkDataPolicyCompliance/action",
"Microsoft.PolicyInsights/policyEvents/logDataEvents/action"
],
"notDataActions": []
}
],
"roleName": "Policy Insights Data Writer (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Quota Request Operator

Read and create quota requests, get quota request status, and create support tickets.

Learn more
ﾉ Expand table

Actions Description

Microsoft.Capacity/resourceProviders/locations Get the current service limit or quota of the

/serviceLimits/read specified resource and location

Microsoft.Capacity/resourceProviders/locations Create service limit or quota for the specified

/serviceLimits/write resource and location

Microsoft.Capacity/resourceProviders/locations Get any service limit request for the specified

/serviceLimitsRequests/read resource and location

Microsoft.Capacity/register/action Registers the Capacity resource provider and

enables the creation of Capacity resources.

Microsoft.Quota/usages/read Get the usages for resource providers

Microsoft.Quota/quotas/read Get the current Service limit or quota of the

specified resource

Microsoft.Quota/quotas/write Creates the service limit or quota request for

the specified resource

Microsoft.Quota/quotaRequests/read Get any service limit request for the specified

resource

Microsoft.Quota/register/action Register the subscription with Microsoft.Quota

Resource Provider

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/"
],
"description": "Read and create quota requests, get quota request status,
and create support tickets.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-
446b-b98d-1e2157c94125",
"name": "0e5f05e5-9ab9-446b-b98d-1e2157c94125",
"permissions": [
{
"actions": [
"Microsoft.Capacity/resourceProviders/locations/serviceLimits/read",

"Microsoft.Capacity/resourceProviders/locations/serviceLimits/write",

"Microsoft.Capacity/resourceProviders/locations/serviceLimitsRequests/read",
"Microsoft.Capacity/register/action",
"Microsoft.Quota/usages/read",
"Microsoft.Quota/quotas/read",
"Microsoft.Quota/quotas/write",
"Microsoft.Quota/quotaRequests/read",
"Microsoft.Quota/register/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Quota Request Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Reservation Purchaser
Lets you purchase reservations

Learn more

ﾉ Expand table
Actions Description

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.Capacity/catalogs/read Read catalog of Reservation

Microsoft.Capacity/register/action Registers the Capacity resource provider and

enables the creation of Capacity resources.

Microsoft.Compute/register/action Registers Subscription with Microsoft.Compute

resource provider

Microsoft.Consumption/register/action Register to Consumption RP

Microsoft.Consumption/reservationRecommen List Reservation Recommendation Details

dationDetails/read

Microsoft.Consumption/reservationRecommen List single or shared recommendations for

dations/read Reserved instances for a subscription.

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.SQL/register/action Registers the subscription for the Microsoft SQL

Database resource provider and enables the
creation of Microsoft SQL Databases.

Microsoft.Support/supporttickets/write Allows creating and updating a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you purchase reservations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-
4b75-91c3-6b41c27c1689",
"name": "f7b75c60-3036-4b75-91c3-6b41c27c1689",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.Capacity/catalogs/read",
"Microsoft.Capacity/register/action",
"Microsoft.Compute/register/action",
"Microsoft.Consumption/register/action",
"Microsoft.Consumption/reservationRecommendationDetails/read",
"Microsoft.Consumption/reservationRecommendations/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.SQL/register/action",
"Microsoft.Support/supporttickets/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reservation Purchaser",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Reservations Reader
Lets one read all the reservations in a tenant

Learn more

ﾉ Expand table

Actions Description

Microsoft.Capacity/*/read

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

NotActions

none

DataActions

none

NotDataActions

none
JSON

{
"assignableScopes": [
"/providers/Microsoft.Capacity"
],
"description": "Lets one read all the reservations in a tenant",
"id": "/providers/Microsoft.Authorization/roleDefinitions/582fc458-8989-
419f-a480-75249bc5db7e",
"name": "582fc458-8989-419f-a480-75249bc5db7e",
"permissions": [
{
"actions": [
"Microsoft.Capacity/*/read",
"Microsoft.Authorization/roleAssignments/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Reservations Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Resource Policy Contributor

Users with rights to create/modify resource policy, create support ticket and read
resources/hierarchy.

Learn more

ﾉ Expand table

Actions Description

*/read Read resources of all types, except secrets.

Microsoft.Authorization/policyassignments/* Create and manage policy assignments

Microsoft.Authorization/policydefinitions/* Create and manage policy definitions

Microsoft.Authorization/policyexemptions/* Create and manage policy exemptions

Microsoft.Authorization/policysetdefinitions/* Create and manage policy sets

Microsoft.PolicyInsights/*

Microsoft.Resources/deployments/* Create and manage a deployment

Actions Description

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Users with rights to create/modify resource policy, create
support ticket and read resources/hierarchy.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-
498c-9df9-86d9f8d28608",
"name": "36243c78-bf99-498c-9df9-86d9f8d28608",
"permissions": [
{
"actions": [
"*/read",
"Microsoft.Authorization/policyassignments/*",
"Microsoft.Authorization/policydefinitions/*",
"Microsoft.Authorization/policyexemptions/*",
"Microsoft.Authorization/policysetdefinitions/*",
"Microsoft.PolicyInsights/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Resource Policy Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Savings plan Purchaser

Lets you purchase savings plans

Learn more

ﾉ Expand table

Actions Description

Microsoft.Resources/subscriptions/read Gets the list of subscriptions.

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Capacity/register/action Registers the Capacity resource provider and

enables the creation of Capacity resources.

Microsoft.Capacity/catalogs/read Read catalog of Reservation

Microsoft.Authorization/roleAssignments/read Get information about a role assignment.

Microsoft.BillingBenefits/savingsPlanOrders/wri Create a savings plan orders

Microsoft.BIllingBenefits/register/action Registers the BillingBenefits resource provider

and enables the creation of BillingBenefits
resources.

Microsoft.Support/supporttickets/write Allows creating and updating a support ticket

Microsoft.Billing/billingProperty/read Gets the billing properties for a subscription

Microsoft.CostManagement/benefitRecommen List single or shared recommendations for

dations/read Microsoft benefits.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you purchase savings plans",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3d24a3a0-c154-
4f6f-a5ed-adc8e01ddb74",
"name": "3d24a3a0-c154-4f6f-a5ed-adc8e01ddb74",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Capacity/register/action",
"Microsoft.Capacity/catalogs/read",
"Microsoft.Authorization/roleAssignments/read",
"Microsoft.BillingBenefits/savingsPlanOrders/write",
"Microsoft.BIllingBenefits/register/action",
"Microsoft.Support/supporttickets/write",
"Microsoft.Billing/billingProperty/read",
"Microsoft.CostManagement/benefitRecommendations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Savings plan Purchaser",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Scheduled Patching Contributor

Provides access to manage maintenance configurations with maintenance scope
InGuestPatch and corresponding configuration assignments

Learn more

ﾉ Expand table

Actions Description

Microsoft.Maintenance/maintenanceConfigurat Read maintenance configuration.

ions/read

Microsoft.Maintenance/maintenanceConfigurat Create or update maintenance configuration.

ions/write

Microsoft.Maintenance/maintenanceConfigurat Delete maintenance configuration.

ions/delete

Microsoft.Maintenance/configurationAssignme Read maintenance configuration assignment.

nts/read
Actions Description

Microsoft.Maintenance/configurationAssignme Create or update maintenance configuration

nts/write assignment.

Microsoft.Maintenance/configurationAssignme Delete maintenance configuration assignment.

nts/delete

Microsoft.Maintenance/configurationAssignme Read maintenance configuration assignment

nts/maintenanceScope/InGuestPatch/read for InGuestPatch maintenance scope.

Microsoft.Maintenance/configurationAssignme Create or update a maintenance configuration

nts/maintenanceScope/InGuestPatch/write assignment for InGuestPatch maintenance
scope.

Microsoft.Maintenance/configurationAssignme Delete maintenance configuration assignment

nts/maintenanceScope/InGuestPatch/delete for InGuestPatch maintenance scope.

Microsoft.Maintenance/maintenanceConfigurat Read maintenance configuration for

ions/maintenanceScope/InGuestPatch/read InGuestPatch maintenance scope.

Microsoft.Maintenance/maintenanceConfigurat Create or update a maintenance configuration

ions/maintenanceScope/InGuestPatch/write for InGuestPatch maintenance scope.

Microsoft.Maintenance/maintenanceConfigurat Delete maintenance configuration for

ions/maintenanceScope/InGuestPatch/delete InGuestPatch maintenance scope.

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Provides access to manage maintenance configurations with
maintenance scope InGuestPatch and corresponding configuration assignments",
"id": "/providers/Microsoft.Authorization/roleDefinitions/cd08ab90-6b14-
449c-ad9a-8f8e549482c6",
"name": "cd08ab90-6b14-449c-ad9a-8f8e549482c6",
"permissions": [
{
"actions": [
"Microsoft.Maintenance/maintenanceConfigurations/read",
"Microsoft.Maintenance/maintenanceConfigurations/write",
"Microsoft.Maintenance/maintenanceConfigurations/delete",
"Microsoft.Maintenance/configurationAssignments/read",
"Microsoft.Maintenance/configurationAssignments/write",
"Microsoft.Maintenance/configurationAssignments/delete",

"Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatc
h/read",

"Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatc
h/write",

"Microsoft.Maintenance/configurationAssignments/maintenanceScope/InGuestPatc
h/delete",

"Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPat
ch/read",

"Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPat
ch/write",

"Microsoft.Maintenance/maintenanceConfigurations/maintenanceScope/InGuestPat
ch/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Scheduled Patching Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery Contributor

Lets you manage Site Recovery service except vault creation and role assignment

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Actions Description

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.RecoveryServices/locations/allocated GetAllocatedStamp is internal operation used

Stamp/read by service

Microsoft.RecoveryServices/locations/allocateSt AllocateStamp is internal operation used by

amp/action service

Microsoft.RecoveryServices/Vaults/certificates/ The Update Resource Certificate operation

write updates the resource/vault credential
certificate.

Microsoft.RecoveryServices/Vaults/extendedInf Create and manage extended info related to

ormation/* vault

Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object

representing the Azure resource of type 'vault'

Microsoft.RecoveryServices/Vaults/refreshConta
iners/read

Microsoft.RecoveryServices/Vaults/registeredId Create and manage registered identities

entities/*

Microsoft.RecoveryServices/vaults/replicationAl Create or Update replication alert settings

ertSettings/*

Microsoft.RecoveryServices/vaults/replicationEv Read any Events

ents/read

Microsoft.RecoveryServices/vaults/replicationFa Create and manage replication fabrics

brics/*

Microsoft.RecoveryServices/vaults/replicationJo Create and manage replication jobs

bs/*

Microsoft.RecoveryServices/vaults/replicationPo Create and manage replication policies

licies/*

Microsoft.RecoveryServices/vaults/replicationRe Create and manage recovery plans

coveryPlans/*

Microsoft.RecoveryServices/vaults/replicationVa
ultSettings/*

Microsoft.RecoveryServices/Vaults/storageConfi Create and manage storage configuration of

g/* Recovery Services vault

Microsoft.RecoveryServices/Vaults/tokenInfo/re
ad
Actions Description

Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services

Vault.

Microsoft.RecoveryServices/Vaults/vaultTokens/ The Vault Token operation can be used to get

read Vault Token for vault level backend operations.

Microsoft.RecoveryServices/Vaults/monitoringA Read alerts for the Recovery services vault

lerts/*

Microsoft.RecoveryServices/Vaults/monitoringC
onfigurations/notificationConfiguration/read

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.RecoveryServices/vaults/replicationO Read any Vault Replication Operation Status

perationStatus/read

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you manage Site Recovery service except vault
creation and role assignment",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-
4917-ac9b-5d6ab1be4567",
"name": "6670b86e-a3f7-4917-ac9b-5d6ab1be4567",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/locations/allocateStamp/action",
"Microsoft.RecoveryServices/Vaults/certificates/write",
"Microsoft.RecoveryServices/Vaults/extendedInformation/*",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/refreshContainers/read",
"Microsoft.RecoveryServices/Vaults/registeredIdentities/*",
"Microsoft.RecoveryServices/vaults/replicationAlertSettings/*",
"Microsoft.RecoveryServices/vaults/replicationEvents/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/*",
"Microsoft.RecoveryServices/vaults/replicationJobs/*",
"Microsoft.RecoveryServices/vaults/replicationPolicies/*",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/*",
"Microsoft.RecoveryServices/vaults/replicationVaultSettings/*",
"Microsoft.RecoveryServices/Vaults/storageConfig/*",
"Microsoft.RecoveryServices/Vaults/tokenInfo/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/vaultTokens/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",

"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConf
iguration/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.RecoveryServices/vaults/replicationOperationStatus/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Site Recovery Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}

Site Recovery Operator

Lets you failover and failback but not perform other Site Recovery management
operations
Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.Insights/alertRules/* Create and manage a classic metric alert

Microsoft.Network/virtualNetworks/read Get the virtual network definition

Microsoft.RecoveryServices/locations/allocated GetAllocatedStamp is internal operation used

Stamp/read by service

Microsoft.RecoveryServices/locations/allocateSt AllocateStamp is internal operation used by

amp/action service

Microsoft.RecoveryServices/Vaults/extendedInf The Get Extended Info operation gets an

ormation/read object's Extended Info representing the Azure
resource of type ?vault?

Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object

representing the Azure resource of type 'vault'

Microsoft.RecoveryServices/Vaults/refreshConta
iners/read

Microsoft.RecoveryServices/Vaults/registeredId The Get Operation Results operation can be

entities/operationResults/read used get the operation status and result for the
asynchronously submitted operation

Microsoft.RecoveryServices/Vaults/registeredId The Get Containers operation can be used get

entities/read the containers registered for a resource.

Microsoft.RecoveryServices/vaults/replicationAl Read any Alerts Settings

ertSettings/read

Microsoft.RecoveryServices/vaults/replicationEv Read any Events

ents/read

Microsoft.RecoveryServices/vaults/replicationFa Checks Consistency of the Fabric

brics/checkConsistency/action

Microsoft.RecoveryServices/vaults/replicationFa Read any Fabrics

brics/read

Microsoft.RecoveryServices/vaults/replicationFa Reassociate Gateway

brics/reassociateGateway/action

Microsoft.RecoveryServices/vaults/replicationFa Renew Certificate for Fabric

Actions Description

brics/renewcertificate/action

Microsoft.RecoveryServices/vaults/replicationFa Read any Networks

brics/replicationNetworks/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Network Mappings

brics/replicationNetworks/replicationNetworkM
appings/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Protection Containers

brics/replicationProtectionContainers/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Protectable Items

brics/replicationProtectionContainers/replicatio
nProtectableItems/read

Microsoft.RecoveryServices/vaults/replicationFa Apply Recovery Point

brics/replicationProtectionContainers/replicatio
nProtectedItems/applyRecoveryPoint/action

Microsoft.RecoveryServices/vaults/replicationFa Failover Commit

brics/replicationProtectionContainers/replicatio
nProtectedItems/failoverCommit/action

Microsoft.RecoveryServices/vaults/replicationFa Planned Failover

brics/replicationProtectionContainers/replicatio
nProtectedItems/plannedFailover/action

Microsoft.RecoveryServices/vaults/replicationFa Read any Protected Items

brics/replicationProtectionContainers/replicatio
nProtectedItems/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Replication Recovery Points

brics/replicationProtectionContainers/replicatio
nProtectedItems/recoveryPoints/read

Microsoft.RecoveryServices/vaults/replicationFa Repair replication

brics/replicationProtectionContainers/replicatio
nProtectedItems/repairReplication/action

Microsoft.RecoveryServices/vaults/replicationFa ReProtect Protected Item

brics/replicationProtectionContainers/replicatio
nProtectedItems/reProtect/action

Microsoft.RecoveryServices/vaults/replicationFa Switch Protection Container

brics/replicationProtectionContainers/switchpro
tection/action

Microsoft.RecoveryServices/vaults/replicationFa Test Failover

brics/replicationProtectionContainers/replicatio
Actions Description

nProtectedItems/testFailover/action

Microsoft.RecoveryServices/vaults/replicationFa Test Failover Cleanup

brics/replicationProtectionContainers/replicatio
nProtectedItems/testFailoverCleanup/action

Microsoft.RecoveryServices/vaults/replicationFa Failover
brics/replicationProtectionContainers/replicatio
nProtectedItems/unplannedFailover/action

Microsoft.RecoveryServices/vaults/replicationFa Update Mobility Service

brics/replicationProtectionContainers/replicatio
nProtectedItems/updateMobilityService/action

Microsoft.RecoveryServices/vaults/replicationFa Read any Protection Container Mappings

brics/replicationProtectionContainers/replicatio
nProtectionContainerMappings/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Recovery Services Providers

brics/replicationRecoveryServicesProviders/read

Microsoft.RecoveryServices/vaults/replicationFa Refresh Provider

brics/replicationRecoveryServicesProviders/refr
eshProvider/action

Microsoft.RecoveryServices/vaults/replicationFa Read any Storage Classifications

brics/replicationStorageClassifications/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Storage Classification Mappings

brics/replicationStorageClassifications/replicati
onStorageClassificationMappings/read

Microsoft.RecoveryServices/vaults/replicationFa Read any vCenters

brics/replicationvCenters/read

Microsoft.RecoveryServices/vaults/replicationJo Create and manage replication jobs

bs/*

Microsoft.RecoveryServices/vaults/replicationPo Read any Policies

licies/read

Microsoft.RecoveryServices/vaults/replicationRe Failover Commit Recovery Plan

coveryPlans/failoverCommit/action

Microsoft.RecoveryServices/vaults/replicationRe Planned Failover Recovery Plan

coveryPlans/plannedFailover/action

Microsoft.RecoveryServices/vaults/replicationRe Read any Recovery Plans

coveryPlans/read
Actions Description

Microsoft.RecoveryServices/vaults/replicationRe ReProtect Recovery Plan

coveryPlans/reProtect/action

Microsoft.RecoveryServices/vaults/replicationRe Test Failover Recovery Plan

coveryPlans/testFailover/action

Microsoft.RecoveryServices/vaults/replicationRe Test Failover Cleanup Recovery Plan

coveryPlans/testFailoverCleanup/action

Microsoft.RecoveryServices/vaults/replicationRe Failover Recovery Plan

coveryPlans/unplannedFailover/action

Microsoft.RecoveryServices/vaults/replicationVa Read any

ultSettings/read

Microsoft.RecoveryServices/Vaults/monitoringA Read alerts for the Recovery services vault

lerts/*

Microsoft.RecoveryServices/Vaults/monitoringC
onfigurations/notificationConfiguration/read

Microsoft.RecoveryServices/Vaults/storageConfi
g/read

Microsoft.RecoveryServices/Vaults/tokenInfo/re
ad

Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services

Vault.

Microsoft.RecoveryServices/Vaults/vaultTokens/ The Vault Token operation can be used to get

read Vault Token for vault level backend operations.

Microsoft.ResourceHealth/availabilityStatuses/r Gets the availability statuses for all resources in

ead the specified scope

Microsoft.Resources/deployments/* Create and manage a deployment

Microsoft.Resources/subscriptions/resourceGro Gets or lists resource groups.

ups/read

Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the

properties for the specified storage account.

Microsoft.Support/* Create and update a support ticket

NotActions

none
Actions Description

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you failover and failback but not perform other Site
Recovery management operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-
4328-bf46-533a6560a3ca",
"name": "494ae006-db33-4328-bf46-533a6560a3ca",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/locations/allocateStamp/action",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/refreshContainers/read",

"Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/actio
n",
"Microsoft.RecoveryServices/vaults/replicationFabrics/read",

"Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/act
ion",

"Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/actio
n",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/re
ad",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/re
plicationNetworkMappings/read",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/read",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectableItems/read",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/applyRecoveryPoint/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/failoverCommit/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/plannedFailover/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/read",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/recoveryPoints/read",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/repairReplication/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/reProtect/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/switchprotection/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/testFailover/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/testFailoverCleanup/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/unplannedFailover/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectedItems/updateMobilityService/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionC
ontainers/replicationProtectionContainerMappings/read",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoverySer
vicesProviders/read",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoverySer
vicesProviders/refreshProvider/action",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClas
sifications/read",
"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClas
sifications/replicationStorageClassificationMappings/read",

"Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/re
ad",
"Microsoft.RecoveryServices/vaults/replicationJobs/*",
"Microsoft.RecoveryServices/vaults/replicationPolicies/read",

"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/a
ction",

"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/
action",
"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read",

"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action
",

"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/act
ion",

"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverClea
nup/action",

"Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailove
r/action",
"Microsoft.RecoveryServices/vaults/replicationVaultSettings/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/*",

"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConf
iguration/read",
"Microsoft.RecoveryServices/Vaults/storageConfig/read",
"Microsoft.RecoveryServices/Vaults/tokenInfo/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/vaultTokens/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Site Recovery Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Site Recovery Reader
Lets you view Site Recovery status but not perform other management operations

Learn more

ﾉ Expand table

Actions Description

Microsoft.Authorization/*/read Read roles and role assignments

Microsoft.RecoveryServices/locations/allocated GetAllocatedStamp is internal operation used

Stamp/read by service

Microsoft.RecoveryServices/Vaults/extendedInf The Get Extended Info operation gets an

ormation/read object's Extended Info representing the Azure
resource of type ?vault?

Microsoft.RecoveryServices/Vaults/monitoringA Gets the alerts for the Recovery services vault.

lerts/read

Microsoft.RecoveryServices/Vaults/monitoringC
onfigurations/notificationConfiguration/read

Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object

representing the Azure resource of type 'vault'

Microsoft.RecoveryServices/Vaults/refreshConta
iners/read

Microsoft.RecoveryServices/Vaults/registeredId The Get Operation Results operation can be

entities/operationResults/read used get the operation status and result for the
asynchronously submitted operation

Microsoft.RecoveryServices/Vaults/registeredId The Get Containers operation can be used get

entities/read the containers registered for a resource.

Microsoft.RecoveryServices/vaults/replicationAl Read any Alerts Settings

ertSettings/read

Microsoft.RecoveryServices/vaults/replicationEv Read any Events

ents/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Fabrics

brics/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Networks

brics/replicationNetworks/read
Actions Description

Microsoft.RecoveryServices/vaults/replicationFa Read any Network Mappings

brics/replicationNetworks/replicationNetworkM
appings/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Protection Containers

brics/replicationProtectionContainers/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Protectable Items

brics/replicationProtectionContainers/replicatio
nProtectableItems/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Protected Items

brics/replicationProtectionContainers/replicatio
nProtectedItems/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Replication Recovery Points

brics/replicationProtectionContainers/replicatio
nProtectedItems/recoveryPoints/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Protection Container Mappings

brics/replicationProtectionContainers/replicatio
nProtectionContainerMappings/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Recovery Services Providers

brics/replicationRecoveryServicesProviders/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Storage Classifications

brics/replicationStorageClassifications/read

Microsoft.RecoveryServices/vaults/replicationFa Read any Storage Classification Mappings

brics/replicationStorageClassifications/replicati
onStorageClassificationMappings/read

Microsoft.RecoveryServices/vaults/replicationFa Read any vCenters

brics/replicationvCenters/read

Microsoft.RecoveryServices/vaults/replicationJo Read any Jobs

bs/read

Microsoft.RecoveryServices/vaults/replicationPo Read any Policies

licies/read

Microsoft.RecoveryServices/vaults/replicationRe Read any Recovery Plans

coveryPlans/read

Microsoft.RecoveryServices/vaults/replicationVa Read any

ultSettings/read

Microsoft.RecoveryServices/Vaults/storageConfi
g/read
Actions Description

Microsoft.RecoveryServices/Vaults/tokenInfo/re
ad

Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services

Vault.

Microsoft.RecoveryServices/Vaults/vaultTokens/ The Vault Token operation can be used to get

read Vault Token for vault level backend operations.

Microsoft.Support/* Create and update a support ticket

NotActions

none

DataActions

none

NotDataActions

none

JSON

{
"assignableScopes": [
"/"
],
"description": "Lets you view Site Recovery status but not perform other
management operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-
4179-9fb3-46319faa6149",
"name": "dbaa88c4-0c30-4179-9fb3-46319faa6149",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.RecoveryServices/locations/allocatedStamp/read",
"Microsoft.RecoveryServices/Vaults/extendedInformation/read",
"Microsoft.RecoveryServices/Vaults/monitoringAlerts/read",

"Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConf
iguration/read",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/refreshContainers/read",