| title | description | services | documentationcenter | author | manager | editor | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author | ms.reviewer | ms.custom |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Built-in roles for Azure resources | Microsoft Docs |
Describes the built-in roles for role-based access control (RBAC) and Azure resources. Lists the Actions, NotActions, DataActions, and NotDataActions. |
active-directory |
rolyon |
mtillman |
role-based-access-control |
reference |
identity |
12/05/2018 |
rolyon |
bagovind |
it-pro |
Role-based access control (RBAC) has several built-in role definitions that you can assign to users, groups, and service principals. Role assignments are the way you control access to resources in Azure. If the built-in roles don't meet the specific needs of your organization, you can create your own custom roles.
The built-in roles are always evolving. To get the latest role definitions, use Get-AzureRmRoleDefinition or az role definition list.
The following table provides brief descriptions of the built-in roles. Click the role name to see the list of Actions, NotActions, DataActions, and NotDataActions for each role.
| Built-in role | Description |
|---|---|
| Owner | Lets you manage everything, including access to resources. |
| Contributor | Lets you manage everything except access to resources. |
| Reader | Lets you view everything, but not make any changes. |
| AcrImageSigner | acr image signer |
| AcrQuarantineReader | acr quarantine data reader |
| AcrQuarantineWriter | acr quarantine data writer |
| API Management Service Contributor | Can manage service and the APIs |
| API Management Service Operator Role | Can manage service but not the APIs |
| API Management Service Reader Role | Read-only access to service and APIs |
| Application Insights Component Contributor | Can manage Application Insights components |
| Application Insights Snapshot Debugger | Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. |
| Automation Job Operator | Create and Manage Jobs using Automation Runbooks. |
| Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs |
| Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. |
| Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. |
| Azure Kubernetes Service Cluster User Role | List cluster user credential action. |
| Azure Stack Registration Owner | Lets you manage Azure Stack registrations. |
| Backup Contributor | Lets you manage backup service,but can't create vaults and give access to others |
| Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others |
| Backup Reader | Can view backup services, but can't make changes |
| Billing Reader | Allows read access to billing data |
| BizTalk Contributor | Lets you manage BizTalk services, but not access to them. |
| CDN Endpoint Contributor | Can manage CDN endpoints, but can’t grant access to other users. |
| CDN Endpoint Reader | Can view CDN endpoints, but can’t make changes. |
| CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can’t grant access to other users. |
| CDN Profile Reader | Can view CDN profiles and their endpoints, but can’t make changes. |
| Classic Network Contributor | Lets you manage classic networks, but not access to them. |
| Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. |
| Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts |
| Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to. |
| Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. |
| Cognitive Services User | Lets you read and list keys of Cognitive Services. |
| Cosmos DB Account Reader Role | Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. |
| Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) |
| Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) |
| Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. |
| Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. |
| Data Factory Contributor | Create and manage data factories, as well as child resources within them. |
| Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. |
| Data Purger | Can purge analytics data |
| DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. |
| DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. |
| DocumentDB Account Contributor | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. |
| EventGrid EventSubscription Contributor (Preview) | Lets you manage EventGrid event subscription operations. |
| EventGrid EventSubscription Reader (Preview) | Lets you read EventGrid event subscriptions. |
| HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package |
| Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. |
| Key Vault Contributor | Lets you manage key vaults, but not access to them. |
| Lab Creator | Lets you create, manage, delete your managed labs under your Azure Lab Accounts. |
| Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. |
| Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. |
| Logic App Contributor | Lets you manage logic app, but not access to them. |
| Logic App Operator | Lets you read, enable and disable logic app. |
| Managed Application Operator Role | Lets you read and perform actions on Managed Application resources |
| Managed Applications Reader | Lets you read resources in a managed app and request JIT access. |
| Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity |
| Managed Identity Operator | Read and Assign User Assigned Identity |
| Management Group Contributor | Management Group Contributor Role |
| Management Group Reader | Management Group Reader Role |
| Monitoring Contributor | Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. |
| Monitoring Metrics Publisher | Enables publishing metrics against Azure resources |
| Monitoring Reader | Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. |
| Network Contributor | Lets you manage networks, but not access to them. |
| New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. |
| Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. |
| Azure Cache for Redis Contributor | Lets you manage Azure Cache for Rediss, but not access to them. |
| Resource Policy Contributor (Preview) | (Preview) Backfilled users from EA, with rights to create/modify resource policy, create support ticket and read resources/hierarchy. |
| Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. |
| Search Service Contributor | Lets you manage Search services, but not access to them. |
| Security Admin | In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations |
| Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead |
| Security Reader | In Security Center only: Can view recommendations and alerts, view security policies, view security states, but cannot make changes |
| Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment |
| Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations |
| Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations |
| SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. |
| SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. |
| SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security -related policies. |
| Storage Account Contributor | Lets you manage storage accounts, but not access to them. |
| Storage Account Key Operator Service Role | Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts |
| Storage Blob Data Contributor (Preview) | Allows for read, write and delete access to Azure Storage blob containers and data |
| Storage Blob Data Owner (Preview) | Allows for read, write, delete, and POSIX superuser access to Azure Storage blob containers and data |
| Storage Blob Data Reader (Preview) | Allows for read access to Azure Storage blob containers and data |
| Storage Queue Data Contributor (Preview) | Allows for read, write, and delete access to Azure Storage queues and queue messages |
| Storage Queue Data Reader (Preview) | Allows for read access to Azure Storage queues and queue messages |
| Support Request Contributor | Lets you create and manage Support requests |
| Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. |
| User Access Administrator | Lets you manage user access to Azure resources. |
| Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator |
| Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. |
| Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. |
| Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. |
| Website Contributor | Lets you manage websites (not web plans), but not access to them. |
[!div class="mx-tableFixed"]
Description Lets you manage everything, including access to resources. Id 8e3af657-a8ff-443c-a75c-2fe8c4bcb635 Actions * Create and manage resources of all types
[!div class="mx-tableFixed"]
Description Lets you manage everything except access to resources. Id b24988ac-6180-42a0-ab88-20f7382dd24c Actions * Create and manage resources of all types NotActions Microsoft.Authorization/*/Delete Can't delete roles and role assignments Microsoft.Authorization/*/Write Can't create roles and role assignments Microsoft.Authorization/elevateAccess/Action Grants the caller User Access Administrator access at the tenant scope Microsoft.Blueprint/blueprintAssignments/write Create or update any blueprint artifacts Microsoft.Blueprint/blueprintAssignments/delete Delete any blueprint artifacts
[!div class="mx-tableFixed"]
Description Lets you view everything, but not make any changes. Id acdd72a7-3385-48ef-bd42-f606fba81ae7 Actions */read Read resources of all types, except secrets.
[!div class="mx-tableFixed"]
Description acr image signer Id 6cef56e8-d556-48e5-a04f-b8e64114680f Actions Microsoft.ContainerRegistry/registries/sign/write Push/Pull content trust metadata for a container registry.
[!div class="mx-tableFixed"]
Description acr quarantine data reader Id cdda3590-29a3-44f6-95f2-9f980659eb04 Actions Microsoft.ContainerRegistry/registries/quarantineRead/read Pull or Get quarantined images from container registry
[!div class="mx-tableFixed"]
Description acr quarantine data writer Id c8d4ff99-41c3-41a8-9f60-21dfdad59608 Actions Microsoft.ContainerRegistry/registries/quarantineRead/read Pull or Get quarantined images from container registry Microsoft.ContainerRegistry/registries/quarantineWrite/write Write/Modify quarantine state of quarantined images
[!div class="mx-tableFixed"]
Description Can manage service and the APIs Id 312a565d-c81f-4fd8-895a-4e21e48d571c Actions Microsoft.ApiManagement/service/* Create and manage API Management service Microsoft.Authorization/*/read Read authorization Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Can manage service but not the APIs Id e022efe7-f5ba-4159-bbe4-b44f577e9b61 Actions Microsoft.ApiManagement/service/*/read Read API Management Service instances Microsoft.ApiManagement/service/backup/action Backup API Management Service to the specified container in a user provided storage account Microsoft.ApiManagement/service/delete Delete API Management Service instance Microsoft.ApiManagement/service/managedeployments/action Change SKU/units, add/remove regional deployments of API Management Service Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance Microsoft.ApiManagement/service/restore/action Restore API Management Service from the specified container in a user provided storage account Microsoft.ApiManagement/service/updatecertificate/action Upload SSL certificate for an API Management Service Microsoft.ApiManagement/service/updatehostname/action Setup, update or remove custom domain names for an API Management Service Microsoft.ApiManagement/service/write Create a new instance of API Management Service Microsoft.Authorization/*/read Read authorization Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets NotActions Microsoft.ApiManagement/service/users/keys/read Get list of user keys
[!div class="mx-tableFixed"]
Description Read-only access to service and APIs Id 71522526-b88f-4d52-b57f-d31fc3546d0d Actions Microsoft.ApiManagement/service/*/read Read API Management Service instances Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance Microsoft.Authorization/*/read Read authorization Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets NotActions Microsoft.ApiManagement/service/users/keys/read Get list of user keys
[!div class="mx-tableFixed"]
Description Can manage Application Insights components Id ae349356-3a1b-4a5e-921d-050484c6347e Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.Insights/components/* Create and manage Insights components Microsoft.Insights/webtests/* Create and manage web tests Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. Id 08954f03-6346-4c2e-81c0-ec3a5cfae23b Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Insights/components/*/read Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Create and Manage Jobs using Automation Runbooks. Id 4fe576fe-1146-4730-92eb-48519fa6bf9f Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read Reads Hybrid Runbook Worker Resources Microsoft.Automation/automationAccounts/jobs/read Gets an Azure Automation job Microsoft.Automation/automationAccounts/jobs/resume/action Resumes an Azure Automation job Microsoft.Automation/automationAccounts/jobs/stop/action Stops an Azure Automation job Microsoft.Automation/automationAccounts/jobs/streams/read Gets an Azure Automation job stream Microsoft.Automation/automationAccounts/jobs/suspend/action Suspends an Azure Automation job Microsoft.Automation/automationAccounts/jobs/write Creates an Azure Automation job Microsoft.Automation/automationAccounts/jobs/output/read Gets the output of a job Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Automation Operators are able to start, stop, suspend, and resume jobs Id d3881f73-407a-4167-8283-e981cbba0404 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Automation/automationAccounts/hybridRunbookWorkerGroups/read Reads Hybrid Runbook Worker Resources Microsoft.Automation/automationAccounts/jobs/read Gets an Azure Automation job Microsoft.Automation/automationAccounts/jobs/resume/action Resumes an Azure Automation job Microsoft.Automation/automationAccounts/jobs/stop/action Stops an Azure Automation job Microsoft.Automation/automationAccounts/jobs/streams/read Gets an Azure Automation job stream Microsoft.Automation/automationAccounts/jobs/suspend/action Suspends an Azure Automation job Microsoft.Automation/automationAccounts/jobs/write Creates an Azure Automation job Microsoft.Automation/automationAccounts/jobSchedules/read Gets an Azure Automation job schedule Microsoft.Automation/automationAccounts/jobSchedules/write Creates an Azure Automation job schedule Microsoft.Automation/automationAccounts/linkedWorkspace/read Gets the workspace linked to the automation account Microsoft.Automation/automationAccounts/read Gets an Azure Automation account Microsoft.Automation/automationAccounts/runbooks/read Gets an Azure Automation runbook Microsoft.Automation/automationAccounts/schedules/read Gets an Azure Automation schedule asset Microsoft.Automation/automationAccounts/schedules/write Creates or updates an Azure Automation schedule asset Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Automation/automationAccounts/jobs/output/read Gets the output of a job Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Read Runbook properties - to be able to create Jobs of the runbook. Id 5fb5aef8-1081-4b8e-bb16-9d5d0385bab5 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Automation/automationAccounts/runbooks/read Gets an Azure Automation runbook Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description List cluster admin credential action. Id 0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8 Actions Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action List the clusterAdmin credential of a managed cluster
[!div class="mx-tableFixed"]
Description List cluster user credential action. Id 4abbcc35-e782-43d8-92c5-2d3f1bd2253f Actions Microsoft.ContainerService/managedClusters/listClusterUserCredential/action List the clusterUser credential of a managed cluster
[!div class="mx-tableFixed"]
Description Lets you manage Azure Stack registrations. Id 6f12a6df-dd06-4f3e-bcb1-ce8be600526a Actions Microsoft.AzureStack/registrations/products/listDetails/action Retrieves extended details for an Azure Stack Marketplace product Microsoft.AzureStack/registrations/products/read Gets the properties of an Azure Stack Marketplace product Microsoft.AzureStack/registrations/read Gets the properties of an Azure Stack registration
[!div class="mx-tableFixed"]
Description Lets you manage backup service,but can't create vaults and give access to others Id 5e467623-bb1f-42f4-a55d-6e525e11384b Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Network/virtualNetworks/read Get the virtual network definition Microsoft.RecoveryServices/locations/* Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/* Manage results of operation on backup management Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/* Create and manage backup containers inside backup fabrics of Recovery Services vault Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Refreshes the container list Microsoft.RecoveryServices/Vaults/backupJobs/* Create and manage backup jobs Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export Jobs Microsoft.RecoveryServices/Vaults/backupJobsExport/operationResults/read Returns the Result of Export Job Operation. Microsoft.RecoveryServices/Vaults/backupManagementMetaData/* Create and manage meta data related to backup management Microsoft.RecoveryServices/Vaults/backupOperationResults/* Create and manage Results of backup management operations Microsoft.RecoveryServices/Vaults/backupPolicies/* Create and manage backup policies Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Create and manage items which can be backed up Microsoft.RecoveryServices/Vaults/backupProtectedItems/* Create and manage backed up items Microsoft.RecoveryServices/Vaults/backupProtectionContainers/* Create and manage containers holding backup items Microsoft.RecoveryServices/Vaults/backupSecurityPIN/* Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for Protected Items and Protected Servers for a Recovery Services . Microsoft.RecoveryServices/Vaults/certificates/* Create and manage certificates related to backup in Recovery Services vault Microsoft.RecoveryServices/Vaults/extendedInformation/* Create and manage extended info related to vault Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery services vault. Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault' Microsoft.RecoveryServices/Vaults/registeredIdentities/* Create and manage registered identities Microsoft.RecoveryServices/Vaults/usages/* Create and manage usage of Recovery Services vault Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account. Microsoft.RecoveryServices/Vaults/backupstorageconfig/* Microsoft.RecoveryServices/Vaults/backupconfig/* Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Validate Operation on Protected Item Microsoft.RecoveryServices/Vaults/write Create Vault operation creates an Azure resource of type 'vault' Microsoft.RecoveryServices/Vaults/backupOperations/read Returns Backup Operation Status for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with vault. Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/* Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Get all protectable containers Microsoft.RecoveryServices/locations/backupStatus/action Check Backup Status for Recovery Services Vaults Microsoft.RecoveryServices/locations/backupPreValidateProtection/action Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate Features Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert. Microsoft.RecoveryServices/operations/read Operation returns the list of Operations for a Resource Provider Microsoft.RecoveryServices/locations/operationStatus/read Gets Operation Status for a given Operation Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup Protection Intents Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage backup services, except removal of backup, vault creation and giving access to others Id 00c29273-979b-4161-815c-10b084fb9324 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Network/virtualNetworks/read Get the virtual network definition Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Returns status of the operation Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Gets result of Operation performed on Protection Container. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/backup/action Performs Backup for Protected Item. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Gets Result of Operation Performed on Protected Items. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Returns the status of Operation performed on Protected Items. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Returns object details of the Protected Item Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/provisionInstantItemRecovery/action Provision Instant Item Recovery for Protected Item Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Get Recovery Points for Protected Items. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/restore/action Restore Recovery Points for Protected Items. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/revokeInstantItemRecovery/action Revoke Instant Item Recovery for Protected Item Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Create a backup Protected Item Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Returns all registered containers Microsoft.RecoveryServices/Vaults/backupFabrics/refreshContainers/action Refreshes the container list Microsoft.RecoveryServices/Vaults/backupJobs/* Create and manage backup jobs Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export Jobs Microsoft.RecoveryServices/Vaults/backupJobsExport/operationResults/read Returns the Result of Export Job Operation. Microsoft.RecoveryServices/Vaults/backupManagementMetaData/read Returns Backup Management Metadata for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/backupOperationResults/* Create and manage Results of backup management operations Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Get Results of Policy Operation. Microsoft.RecoveryServices/Vaults/backupPolicies/read Returns all Protection Policies Microsoft.RecoveryServices/Vaults/backupProtectableItems/* Create and manage items which can be backed up Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Returns the list of all Protected Items. Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Returns all containers belonging to the subscription Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for Protected Items and Protected Servers for a Recovery Services . Microsoft.RecoveryServices/Vaults/certificates/write The Update Resource Certificate operation updates the resource/vault credential certificate. Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? Microsoft.RecoveryServices/Vaults/extendedInformation/write The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery services vault. Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault' Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used get the containers registered for a resource. Microsoft.RecoveryServices/Vaults/registeredIdentities/write The Register Service Container operation can be used to register a container with Recovery Service. Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services Vault. Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account. Microsoft.RecoveryServices/Vaults/backupstorageconfig/* Microsoft.RecoveryServices/Vaults/backupValidateOperation/action Validate Operation on Protected Item Microsoft.RecoveryServices/Vaults/backupOperations/read Returns Backup Operation Status for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Get Status of Policy Operation. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/write Creates a registered container Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/inquire/action Do inquiry for workloads within a container Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with vault. Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Create a backup Protection Intent Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Get a backup Protection Intent Microsoft.RecoveryServices/Vaults/backupFabrics/protectableContainers/read Get all protectable containers Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Get all items in a container Microsoft.RecoveryServices/locations/backupStatus/action Check Backup Status for Recovery Services Vaults Microsoft.RecoveryServices/locations/backupPreValidateProtection/action Microsoft.RecoveryServices/locations/backupValidateFeatures/action Validate Features Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert. Microsoft.RecoveryServices/operations/read Operation returns the list of Operations for a Resource Provider Microsoft.RecoveryServices/locations/operationStatus/read Gets Operation Status for a given Operation Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup Protection Intents Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Can view backup services, but can't make changes Id a795c7a0-d4a2-40c1-ae25-d81f01202912 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp is internal operation used by service Microsoft.RecoveryServices/Vaults/backupFabrics/operationResults/read Returns status of the operation Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/operationResults/read Gets result of Operation performed on Protection Container. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationResults/read Gets Result of Operation Performed on Protected Items. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/operationsStatus/read Returns the status of Operation performed on Protected Items. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Returns object details of the Protected Item Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/recoveryPoints/read Get Recovery Points for Protected Items. Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/read Returns all registered containers Microsoft.RecoveryServices/Vaults/backupJobs/operationResults/read Returns the Result of Job Operation. Microsoft.RecoveryServices/Vaults/backupJobs/read Returns all Job Objects Microsoft.RecoveryServices/Vaults/backupJobsExport/action Export Jobs Microsoft.RecoveryServices/Vaults/backupJobsExport/operationResults/read Returns the Result of Export Job Operation. Microsoft.RecoveryServices/Vaults/backupManagementMetaData/read Returns Backup Management Metadata for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/backupOperationResults/read Returns Backup Operation Result for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/backupPolicies/operationResults/read Get Results of Policy Operation. Microsoft.RecoveryServices/Vaults/backupPolicies/read Returns all Protection Policies Microsoft.RecoveryServices/Vaults/backupProtectedItems/read Returns the list of all Protected Items. Microsoft.RecoveryServices/Vaults/backupProtectionContainers/read Returns all containers belonging to the subscription Microsoft.RecoveryServices/Vaults/backupUsageSummaries/read Returns summaries for Protected Items and Protected Servers for a Recovery Services . Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery services vault. Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault' Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used get the containers registered for a resource. Microsoft.RecoveryServices/Vaults/backupstorageconfig/read Returns Storage Configuration for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/backupconfig/read Returns Configuration for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/backupOperations/read Returns Backup Operation Status for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/backupPolicies/operations/read Get Status of Policy Operation. Microsoft.RecoveryServices/Vaults/backupEngines/read Returns all the backup management servers registered with vault. Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/read Get a backup Protection Intent Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/items/read Get all items in a container Microsoft.RecoveryServices/locations/backupStatus/action Check Backup Status for Recovery Services Vaults Microsoft.RecoveryServices/Vaults/monitoringConfigurations/* Microsoft.RecoveryServices/Vaults/monitoringAlerts/write Resolves the alert. Microsoft.RecoveryServices/operations/read Operation returns the list of Operations for a Resource Provider Microsoft.RecoveryServices/locations/operationStatus/read Gets Operation Status for a given Operation Microsoft.RecoveryServices/Vaults/backupProtectionIntents/read List all backup Protection Intents Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services Vault.
[!div class="mx-tableFixed"]
Description Allows read access to billing data Id fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Billing/*/read Read Billing information Microsoft.Commerce/*/read Microsoft.Consumption/*/read Microsoft.Management/managementGroups/read List management groups for the authenticated user. Microsoft.CostManagement/*/read Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage BizTalk services, but not access to them. Id 5e3c6656-6cfa-4708-81fe-0de47ac73342 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.BizTalkServices/BizTalk/* Create and manage BizTalk services Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Can manage CDN endpoints, but can’t grant access to other users. Id 426e0c7f-0c7e-4658-b36f-ff54d6c29b45 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/endpoints/* Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Can view CDN endpoints, but can’t make changes. Id 871e35f6-b5c1-49cc-a043-bde969a0f2cd Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/endpoints/*/read Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Can manage CDN profiles and their endpoints, but can’t grant access to other users. Id ec156ff8-a8d1-4d15-830c-5b80698ca432 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/* Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Can view CDN profiles and their endpoints, but can’t make changes. Id 8f96442b-4075-438f-813d-ad51ab4019af Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Cdn/edgenodes/read Microsoft.Cdn/operationresults/* Microsoft.Cdn/profiles/*/read Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage classic networks, but not access to them. Id b34d265f-36f7-4a0d-a4d4-e158ca92e90f Actions Microsoft.Authorization/*/read Read authorization Microsoft.ClassicNetwork/* Create and manage classic networks Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage classic storage accounts, but not access to them. Id 86e8f5dc-a6e9-4c67-9d15-de283e8eac25 Actions Microsoft.Authorization/*/read Read authorization Microsoft.ClassicStorage/storageAccounts/* Create and manage storage accounts Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts Id 985d6b00-f706-48f5-a6fe-d0ca12fb668d Actions Microsoft.ClassicStorage/storageAccounts/listkeys/action Lists the access keys for the storage accounts. Microsoft.ClassicStorage/storageAccounts/regeneratekey/action Regenerates the existing access keys for the storage account.
[!div class="mx-tableFixed"]
Description Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to. Id d73bb868-a0df-4d4d-bd69-98a00b01fccb Actions Microsoft.Authorization/*/read Read authorization Microsoft.ClassicCompute/domainNames/* Create and manage classic compute domain names Microsoft.ClassicCompute/virtualMachines/* Create and manage virtual machines Microsoft.ClassicNetwork/networkSecurityGroups/join/action Microsoft.ClassicNetwork/reservedIps/link/action Link a reserved Ip Microsoft.ClassicNetwork/reservedIps/read Gets the reserved Ips Microsoft.ClassicNetwork/virtualNetworks/join/action Joins the virtual network. Microsoft.ClassicNetwork/virtualNetworks/read Get the virtual network. Microsoft.ClassicStorage/storageAccounts/disks/read Returns the storage account disk. Microsoft.ClassicStorage/storageAccounts/images/read Returns the storage account image. (Deprecated. Use 'Microsoft.ClassicStorage/storageAccounts/vmImages') Microsoft.ClassicStorage/storageAccounts/listKeys/action Lists the access keys for the storage accounts. Microsoft.ClassicStorage/storageAccounts/read Return the storage account with the given account. Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you create, read, update, delete and manage keys of Cognitive Services. Id 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.CognitiveServices/* Microsoft.Features/features/read Gets the features of a subscription. Microsoft.Features/providers/features/read Gets the feature of a subscription in a given resource provider. Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server Microsoft.Insights/logDefinitions/read Read log definitions Microsoft.Insights/metricdefinitions/read Read metric definitions Microsoft.Insights/metrics/read Read metrics Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/deployments/operations/read Gets or lists deployment operations. Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results. Microsoft.Resources/subscriptions/read Gets the list of subscriptions. Microsoft.Resources/subscriptions/resourcegroups/deployments/* Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you read and list keys of Cognitive Services. Id a97b65f3-24c7-4388-baec-2e87135dc908 Actions Microsoft.CognitiveServices/*/read Microsoft.CognitiveServices/accounts/listkeys/action List Keys Microsoft.Insights/metricdefinitions/read Read metric definitions Microsoft.Insights/metrics/read Read metrics Microsoft.Insights/alertRules/read Read a classic metric alert Microsoft.Insights/diagnosticSettings/read Read a resource diagnostic setting Microsoft.Insights/logDefinitions/read Read log definitions Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/operations/read Gets or lists deployment operations. Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results. Microsoft.Resources/subscriptions/read Gets the list of subscriptions. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. Id fbdf93bf-df7d-467e-a4d2-9458aa1360c8 Actions Microsoft.Authorization/*/read Read roles and role assignments, can read permissions given to each user Microsoft.DocumentDB/*/read Read any collection Microsoft.DocumentDB/databaseAccounts/readonlykeys/action Reads the database account readonly keys. Microsoft.Insights/MetricDefinitions/read Read metric definitions Microsoft.Insights/Metrics/read Read metrics Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Can view costs and manage cost configuration (e.g. budgets, exports) Id 434105ed-43f6-45c7-a02f-909b2ba83430 Actions Microsoft.Consumption/* Microsoft.CostManagement/* Microsoft.Billing/billingPeriods/read Lists available billing periods Microsoft.Resources/subscriptions/read Gets the list of subscriptions. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Can view cost data and configuration (e.g. budgets, exports) Id 72fafb9e-0641-4937-9268-a91bfd8191a3 Actions Microsoft.Consumption/*/read Microsoft.CostManagement/*/read Microsoft.Billing/billingPeriods/read Lists available billing periods Microsoft.Resources/subscriptions/read Gets the list of subscriptions. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage everything under Data Box Service except giving access to others. Id add466c9-e687-43fc-8d98-dfcf8d720be5 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets Microsoft.Databox/*
[!div class="mx-tableFixed"]
Description Lets you manage Data Box Service except creating order or editing order details and giving access to others. Id 028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Databox/*/read Microsoft.Databox/jobs/listsecrets/action Microsoft.Databox/jobs/listcredentials/action Lists the unencrypted credentials related to the order. Microsoft.Databox/locations/availableSkus/action This method returns the list of available skus. Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Create and manage data factories, as well as child resources within them. Id 673868aa-7521-48a0-acc6-0f60742d39f5 Actions Microsoft.Authorization/*/read Read roles and role Assignments Microsoft.DataFactory/dataFactories/* Create and manage data factories, and child resources within them. Microsoft.DataFactory/factories/* Create and manage data factories, and child resources within them. Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. Id 47b7735b-770e-4598-a7da-8b91488b4c88 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.BigAnalytics/accounts/* Microsoft.DataLakeAnalytics/accounts/* Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets NotActions Microsoft.BigAnalytics/accounts/Delete Microsoft.BigAnalytics/accounts/TakeOwnership/action Microsoft.BigAnalytics/accounts/Write Microsoft.DataLakeAnalytics/accounts/Delete Delete a DataLakeAnalytics account. Microsoft.DataLakeAnalytics/accounts/TakeOwnership/action Grant permissions to cancel jobs submitted by other users. Microsoft.DataLakeAnalytics/accounts/Write Create or update a DataLakeAnalytics account. Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Write Create or update a linked DataLakeStore account of a DataLakeAnalytics account. Microsoft.DataLakeAnalytics/accounts/dataLakeStoreAccounts/Delete Unlink a DataLakeStore account from a DataLakeAnalytics account. Microsoft.DataLakeAnalytics/accounts/storageAccounts/Write Create or update a linked Storage account of a DataLakeAnalytics account. Microsoft.DataLakeAnalytics/accounts/storageAccounts/Delete Unlink a Storage account from a DataLakeAnalytics account. Microsoft.DataLakeAnalytics/accounts/firewallRules/Write Create or update a firewall rule. Microsoft.DataLakeAnalytics/accounts/firewallRules/Delete Delete a firewall rule. Microsoft.DataLakeAnalytics/accounts/computePolicies/Write Create or update a compute policy. Microsoft.DataLakeAnalytics/accounts/computePolicies/Delete Delete a compute policy.
[!div class="mx-tableFixed"]
Description Can purge analytics data Id 150f5e0c-0603-4f03-8c7f-cf70034c4e90 Actions Microsoft.Insights/components/*/read Microsoft.Insights/components/purge/action Purging data from Application Insights Microsoft.OperationalInsights/workspaces/*/read Microsoft.OperationalInsights/workspaces/purge/action Delete specified data from workspace
[!div class="mx-tableFixed"]
Description Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. Id 76283e04-6283-4c54-8f91-bcf1374a3c64 Actions Microsoft.Authorization/*/read Read roles and role Assignments Microsoft.Compute/availabilitySets/read Get the properties of an availability set Microsoft.Compute/virtualMachines/*/read Read the properties of a virtual machine (VM sizes, runtime status, VM extensions, etc.) Microsoft.Compute/virtualMachines/deallocate/action Powers off the virtual machine and releases the compute resources Microsoft.Compute/virtualMachines/read Get the properties of a virtual machine Microsoft.Compute/virtualMachines/restart/action Restarts the virtual machine Microsoft.Compute/virtualMachines/start/action Starts the virtual machine Microsoft.DevTestLab/*/read Read the properties of a lab Microsoft.DevTestLab/labs/claimAnyVm/action Claim a random claimable virtual machine in the lab. Microsoft.DevTestLab/labs/createEnvironment/action Create virtual machines in a lab. Microsoft.DevTestLab/labs/formulas/delete Delete formulas. Microsoft.DevTestLab/labs/formulas/read Read formulas. Microsoft.DevTestLab/labs/formulas/write Add or modify formulas. Microsoft.DevTestLab/labs/policySets/evaluatePolicies/action Evaluates lab policy. Microsoft.DevTestLab/labs/virtualMachines/claim/action Take ownership of an existing virtual machine Microsoft.DevTestLab/labs/virtualmachines/listApplicableSchedules/action Lists the applicable start/stop schedules, if any. Microsoft.Network/loadBalancers/backendAddressPools/join/action Joins a load balancer backend address pool Microsoft.Network/loadBalancers/inboundNatRules/join/action Joins a load balancer inbound nat rule Microsoft.Network/networkInterfaces/*/read Read the properties of a network interface (for example, all the load balancers that the network interface is a part of) Microsoft.Network/networkInterfaces/join/action Joins a Virtual Machine to a network interface Microsoft.Network/networkInterfaces/read Gets a network interface definition. Microsoft.Network/networkInterfaces/write Creates a network interface or updates an existing network interface. Microsoft.Network/publicIPAddresses/*/read Read the properties of a public IP address Microsoft.Network/publicIPAddresses/join/action Joins a public ip address Microsoft.Network/publicIPAddresses/read Gets a public ip address definition. Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network Microsoft.Resources/deployments/operations/read Gets or lists deployment operations. Microsoft.Resources/deployments/read Gets or lists deployments. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account. NotActions Microsoft.Compute/virtualMachines/vmSizes/read Lists available sizes the virtual machine can be updated to
[!div class="mx-tableFixed"]
Description Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. Id befefa01-2a29-4197-83a8-272ff33ce314 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.Network/dnsZones/* Create and manage DNS zones and records Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage Support tickets
[!div class="mx-tableFixed"]
Description Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. Id 5bd9cd88-fe45-4216-938b-f97437e15450 Actions Microsoft.Authorization/*/read Read roles and role Assignments Microsoft.DocumentDb/databaseAccounts/* Create and manage Azure Cosmos DB accounts Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage EventGrid event subscription operations. Id 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.EventGrid/eventSubscriptions/* Microsoft.EventGrid/topicTypes/eventSubscriptions/read List global event subscriptions by topic type Microsoft.EventGrid/locations/eventSubscriptions/read List regional event subscriptions Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read List regional event subscriptions by topictype Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you read EventGrid event subscriptions. Id 2414bbcf-6497-4faf-8c65-045460748405 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.EventGrid/eventSubscriptions/read Read a eventSubscription Microsoft.EventGrid/topicTypes/eventSubscriptions/read List global event subscriptions by topic type Microsoft.EventGrid/locations/eventSubscriptions/read List regional event subscriptions Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read List regional event subscriptions by topictype Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
[!div class="mx-tableFixed"]
Description Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package Id 8d8d5a11-05d3-4bda-a417-a08778121c7c Actions Microsoft.AAD/*/read Microsoft.AAD/domainServices/*/read Microsoft.AAD/domainServices/oucontainer/*
[!div class="mx-tableFixed"]
Description Lets you manage Intelligent Systems accounts, but not access to them. Id 03a6d094-3444-4b3d-88af-7477090a9e5e Actions Microsoft.Authorization/*/read Read roles and role Assignments Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.IntelligentSystems/accounts/* Create and manage intelligent systems accounts Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage key vaults, but not access to them. Id f25e0fa2-a7c8-4377-a976-54943a77a395 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.KeyVault/* Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets NotActions Microsoft.KeyVault/locations/deletedVaults/purge/action Purge a soft deleted key vault Microsoft.KeyVault/hsmPools/*
[!div class="mx-tableFixed"]
Description Lets you create, manage, delete your managed labs under your Azure Lab Accounts. Id b97fb8bc-a8b2-4522-a38b-dd33c7e65ead Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.LabServices/labAccounts/*/read Microsoft.LabServices/labAccounts/createLab/action Create a lab in a lab account. Microsoft.LabServices/labAccounts/sizes/getRegionalAvailability/action Microsoft.LabServices/labAccounts/getRegionalAvailability/action Get regional availability information for each size category configured under a lab account Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. Id 92aaf0da-9dab-42b6-94a3-d43ce8d16293 Actions */read Read resources of all types, except secrets. Microsoft.Automation/automationAccounts/* Microsoft.ClassicCompute/virtualMachines/extensions/* Microsoft.ClassicStorage/storageAccounts/listKeys/action Lists the access keys for the storage accounts. Microsoft.Compute/virtualMachines/extensions/* Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server Microsoft.OperationalInsights/* Microsoft.OperationsManagement/* Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourcegroups/deployments/* Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. Id 73c42c96-874c-492b-b04d-ab87d138a893 Actions */read Read resources of all types, except secrets. Microsoft.OperationalInsights/workspaces/analytics/query/action Search using new engine. Microsoft.OperationalInsights/workspaces/search/action Executes a search query Microsoft.Support/* Create and manage support tickets NotActions Microsoft.OperationalInsights/workspaces/sharedKeys/read Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace.
[!div class="mx-tableFixed"]
Description Lets you manage logic app, but not access to them. Id 87a39d53-fc1b-424a-814c-f7e04687dc9e Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.ClassicStorage/storageAccounts/listKeys/action Lists the access keys for the storage accounts. Microsoft.ClassicStorage/storageAccounts/read Return the storage account with the given account. Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server Microsoft.Insights/logdefinitions/* This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. Microsoft.Insights/metricDefinitions/* Read metric definitions (list of available metric types for a resource). Microsoft.Logic/* Manages Logic Apps resources. Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account. Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account. Microsoft.Support/* Create and manage support tickets Microsoft.Web/connectionGateways/* Create and manages a Connection Gateway. Microsoft.Web/connections/* Create and manages a Connection. Microsoft.Web/customApis/* Creates and manages a Custom API. Microsoft.Web/serverFarms/join/action Microsoft.Web/serverFarms/read Get the properties on an App Service Plan Microsoft.Web/sites/functions/listSecrets/action List Secrets Web Apps Functions.
[!div class="mx-tableFixed"]
Description Lets you read, enable and disable logic app. Id 515c2055-d9d4-4321-b1b9-bd0c9a0f79fe Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/*/read Read Insights alert rules Microsoft.Insights/diagnosticSettings/*/read Gets diagnostic settings for Logic Apps Microsoft.Insights/metricDefinitions/*/read Gets the available metrics for Logic Apps. Microsoft.Logic/*/read Reads Logic Apps resources. Microsoft.Logic/workflows/disable/action Disables the workflow. Microsoft.Logic/workflows/enable/action Enables the workflow. Microsoft.Logic/workflows/validate/action Validates the workflow. Microsoft.Resources/deployments/operations/read Gets or lists deployment operations. Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets Microsoft.Web/connectionGateways/*/read Read Connection Gateways. Microsoft.Web/connections/*/read Read Connections. Microsoft.Web/customApis/*/read Read Custom API. Microsoft.Web/serverFarms/read Get the properties on an App Service Plan
[!div class="mx-tableFixed"]
Description Lets you read and perform actions on Managed Application resources Id c7393b34-138c-406f-901b-d8cf2b17e6ae Actions */read Read resources of all types, except secrets. Microsoft.Solutions/applications/read Retrieves a list of applications.
[!div class="mx-tableFixed"]
Description Lets you read resources in a managed app and request JIT access. Id b9331d33-8a36-4f8c-b097-4f54124fdb44 Actions */read Read resources of all types, except secrets. Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Solutions/jitRequests/*
[!div class="mx-tableFixed"]
Description Create, Read, Update, and Delete User Assigned Identity Id e40ec5ca-96e0-45a2-b4ff-59039f2c2b59 Actions Microsoft.ManagedIdentity/userAssignedIdentities/*/read Microsoft.ManagedIdentity/userAssignedIdentities/*/write Microsoft.ManagedIdentity/userAssignedIdentities/*/delete Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Read and Assign User Assigned Identity Id f1a07417-d97a-45cb-824c-7a7467783830 Actions Microsoft.ManagedIdentity/userAssignedIdentities/*/read Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Management Group Contributor Role Id 5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c Actions Microsoft.Management/managementGroups/delete Delete management group. Microsoft.Management/managementGroups/read List management groups for the authenticated user. Microsoft.Management/managementGroups/subscriptions/delete De-associates subscription from the management group. Microsoft.Management/managementGroups/subscriptions/write Associates existing subscription with the management group. Microsoft.Management/managementGroups/write Create or update a management group.
[!div class="mx-tableFixed"]
Description Management Group Reader Role Id ac63b705-f282-497d-ac71-919bf39d939d Actions Microsoft.Management/managementGroups/read List management groups for the authenticated user.
[!div class="mx-tableFixed"]
Description Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. Id 749f88d5-cbae-40b8-bcfc-e573ddc772fa Actions */read Read resources of all types, except secrets. Microsoft.AlertsManagement/alerts/* Microsoft.AlertsManagement/alertsSummary/* Microsoft.Insights/actiongroups/* Microsoft.Insights/AlertRules/* Read/write/delete alert rules. Microsoft.Insights/components/* Read/write/delete Application Insights components. Microsoft.Insights/DiagnosticSettings/* Read/write/delete diagnostic settings. Microsoft.Insights/eventtypes/* List Activity Log events (management events) in a subscription. This permission is applicable to both programmatic and portal access to the Activity Log. Microsoft.Insights/LogDefinitions/* This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. Microsoft.Insights/metricalerts/* Microsoft.Insights/MetricDefinitions/* Read metric definitions (list of available metric types for a resource). Microsoft.Insights/Metrics/* Read metrics for a resource. Microsoft.Insights/Register/Action Register the Microsoft Insights provider Microsoft.Insights/scheduledqueryrules/* Microsoft.Insights/webtests/* Read/write/delete Application Insights web tests. Microsoft.OperationalInsights/workspaces/intelligencepacks/* Read/write/delete Log Analytics solution packs. Microsoft.OperationalInsights/workspaces/savedSearches/* Read/write/delete Log Analytics saved searches. Microsoft.OperationalInsights/workspaces/search/action Executes a search query Microsoft.OperationalInsights/workspaces/sharedKeys/action Retrieves the shared keys for the workspace. These keys are used to connect Microsoft Operational Insights agents to the workspace. Microsoft.OperationalInsights/workspaces/storageinsightconfigs/* Read/write/delete Log Analytics storage insight configurations. Microsoft.Support/* Create and manage support tickets Microsoft.WorkloadMonitor/monitors/* Microsoft.WorkloadMonitor/notificationSettings/*
[!div class="mx-tableFixed"]
Description Enables publishing metrics against Azure resources Id 3913510d-42f4-4e42-8a64-420c390055eb Actions Microsoft.Insights/Register/Action Register the Microsoft Insights provider Microsoft.Support/* Create and manage support tickets Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. DataActions Microsoft.Insights/Metrics/Write Write metrics
[!div class="mx-tableFixed"]
Description Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. Id 43d0d8ad-25c7-4714-9337-8ba259a9fe05 Actions */read Read resources of all types, except secrets. Microsoft.OperationalInsights/workspaces/search/action Executes a search query Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage networks, but not access to them. Id 4d97b98b-1d4f-4787-a291-c67834d212e7 Actions Microsoft.Authorization/*/read Read roles and role Assignments Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.Network/* Create and manage networks Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. Id 5d28c62d-5b37-4476-8438-e587778df237 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets NewRelic.APM/accounts/*
[!div class="mx-tableFixed"]
Description Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. Id c12c1c16-33a1-487b-954d-41c89c60f349 Actions Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account. Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account.
[!div class="mx-tableFixed"]
Description Lets you manage Azure Cache for Rediss, but not access to them. Id e0f68234-74aa-48ed-b826-c38b57376e17 Actions Microsoft.Authorization/*/read Read roles and role Assignments Microsoft.Cache/redis/* Create and manage Azure Cache for Rediss Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description (Preview) Backfilled users from EA, with rights to create/modify resource policy, create support ticket and read resources/hierarchy. Id 36243c78-bf99-498c-9df9-86d9f8d28608 Actions */read Read resources of all types, except secrets. Microsoft.Authorization/policyassignments/* Create and manage policy assignments Microsoft.Authorization/policydefinitions/* Create and manage policy definitions Microsoft.Authorization/policysetdefinitions/* Create and manage policy sets Microsoft.PolicyInsights/* Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage Scheduler job collections, but not access to them. Id 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 Actions Microsoft.Authorization/*/read Read roles and role Assignments Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Scheduler/jobcollections/* Create and manage job collections Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage Search services, but not access to them. Id 7ca78c08-252a-4471-8644-bb5ff32d4ba0 Actions Microsoft.Authorization/*/read Read roles and role Assignments Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Search/searchServices/* Create and manage search services Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations Id fb1c8493-542b-48eb-b624-b4c8fea62acd Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Authorization/policyAssignments/* Create and manage policy assignments Microsoft.Authorization/policyDefinitions/* Create and manage policy definitions Microsoft.Authorization/policySetDefinitions/* Create and manage policy sets Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.Management/managementGroups/read List management groups for the authenticated user. Microsoft.operationalInsights/workspaces/*/read View Log Analytics data Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Security/*/read Read security components and policies Microsoft.Security/locations/alerts/activate/action Activate a security alert Microsoft.Security/locations/alerts/dismiss/action Dismiss a security alert Microsoft.Security/locations/tasks/activate/action Activate a security recommendation Microsoft.Security/locations/tasks/dismiss/action Dismiss a security recommendation Microsoft.Security/policies/write Updates the security policy Microsoft.Security/pricings/write Updates the pricing settings for the scope Microsoft.Security/pricings/delete Deletes the pricing settings for the scope Microsoft.Security/securityContacts/delete Deletes the security contact Microsoft.Security/securityContacts/write Updates the security contact Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description This is a legacy role. Please use Security Administrator instead Id e3d13bf0-dd5a-482e-ba6b-9b8433878d10 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.ClassicCompute/*/read Read configuration information classic virtual machines Microsoft.ClassicCompute/virtualMachines/*/write Write configuration for classic virtual machines Microsoft.ClassicNetwork/*/read Read configuration information about classic network Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Security/* Create and manage security components and policies Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description In Security Center only: Can view recommendations and alerts, view security policies, view security states, but cannot make changes Id 39bc4728-0917-49c7-9d2c-d95423bc2eb4 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.operationalInsights/workspaces/*/read View Log Analytics data Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Security/*/read Read security components and policies Microsoft.Support/* Create and manage support tickets Microsoft.Management/managementGroups/read List management groups for the authenticated user.
[!div class="mx-tableFixed"]
Description Lets you manage Site Recovery service except vault creation and role assignment Id 6670b86e-a3f7-4917-ac9b-5d6ab1be4567 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.Network/virtualNetworks/read Get the virtual network definition Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp is internal operation used by service Microsoft.RecoveryServices/locations/allocateStamp/action AllocateStamp is internal operation used by service Microsoft.RecoveryServices/Vaults/certificates/write The Update Resource Certificate operation updates the resource/vault credential certificate. Microsoft.RecoveryServices/Vaults/extendedInformation/* Create and manage extended info related to vault Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault' Microsoft.RecoveryServices/Vaults/refreshContainers/read Microsoft.RecoveryServices/Vaults/registeredIdentities/* Create and manage registered identities Microsoft.RecoveryServices/vaults/replicationAlertSettings/* Create or Update replication alert settings Microsoft.RecoveryServices/vaults/replicationEvents/read Read any Events Microsoft.RecoveryServices/vaults/replicationFabrics/* Create and manage replication fabrics Microsoft.RecoveryServices/vaults/replicationJobs/* Create and manage replication jobs Microsoft.RecoveryServices/vaults/replicationPolicies/* Create and manage replication policies Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/* Create and manage recovery plans Microsoft.RecoveryServices/Vaults/storageConfig/* Create and manage storage configuration of Recovery Services vault Microsoft.RecoveryServices/Vaults/tokenInfo/read Returns token information for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services Vault. Microsoft.RecoveryServices/Vaults/vaultTokens/read The Vault Token operation can be used to get Vault Token for vault level backend operations. Microsoft.RecoveryServices/Vaults/monitoringAlerts/* Read alerts for the Recovery services vault Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you failover and failback but not perform other Site Recovery management operations Id 494ae006-db33-4328-bf46-533a6560a3ca Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.Network/virtualNetworks/read Get the virtual network definition Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp is internal operation used by service Microsoft.RecoveryServices/locations/allocateStamp/action AllocateStamp is internal operation used by service Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault' Microsoft.RecoveryServices/Vaults/refreshContainers/read Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used get the containers registered for a resource. Microsoft.RecoveryServices/vaults/replicationAlertSettings/read Read any Alerts Settings Microsoft.RecoveryServices/vaults/replicationEvents/read Read any Events Microsoft.RecoveryServices/vaults/replicationFabrics/checkConsistency/action Checks Consistency of the Fabric Microsoft.RecoveryServices/vaults/replicationFabrics/read Read any Fabrics Microsoft.RecoveryServices/vaults/replicationFabrics/reassociateGateway/action Reassociate Gateway Microsoft.RecoveryServices/vaults/replicationFabrics/renewcertificate/action Renew Certificate for Fabric Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read Read any Networks Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read Read any Network Mappings Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read Read any Protection Containers Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read Read any Protectable Items Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/applyRecoveryPoint/action Apply Recovery Point Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/failoverCommit/action Failover Commit Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/plannedFailover/action Planned Failover Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read Read any Protected Items Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read Read any Replication Recovery Points Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/repairReplication/action Repair replication Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/reProtect/action ReProtect Protected Item Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailover/action Test Failover Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/testFailoverCleanup/action Test Failover Cleanup Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/unplannedFailover/action Failover Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/updateMobilityService/action Update Mobility Service Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read Read any Protection Container Mappings Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read Read any Recovery Services Providers Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/refreshProvider/action Refresh Provider Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read Read any Storage Classifications Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read Read any Storage Classification Mappings Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read Read any vCenters Microsoft.RecoveryServices/vaults/replicationJobs/* Create and manage replication jobs Microsoft.RecoveryServices/vaults/replicationPolicies/read Read any Policies Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/failoverCommit/action Failover Commit Recovery Plan Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/plannedFailover/action Planned Failover Recovery Plan Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read Read any Recovery Plans Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/reProtect/action ReProtect Recovery Plan Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailover/action Test Failover Recovery Plan Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/testFailoverCleanup/action Test Failover Cleanup Recovery Plan Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action Failover Recovery Plan Microsoft.RecoveryServices/Vaults/monitoringAlerts/* Read alerts for the Recovery services vault Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read Microsoft.RecoveryServices/Vaults/storageConfig/read Microsoft.RecoveryServices/Vaults/tokenInfo/read Returns token information for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services Vault. Microsoft.RecoveryServices/Vaults/vaultTokens/read The Vault Token operation can be used to get Vault Token for vault level backend operations. Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you view Site Recovery status but not perform other management operations Id dbaa88c4-0c30-4179-9fb3-46319faa6149 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.RecoveryServices/locations/allocatedStamp/read GetAllocatedStamp is internal operation used by service Microsoft.RecoveryServices/Vaults/extendedInformation/read The Get Extended Info operation gets an object's Extended Info representing the Azure resource of type ?vault? Microsoft.RecoveryServices/Vaults/monitoringAlerts/read Gets the alerts for the Recovery services vault. Microsoft.RecoveryServices/Vaults/monitoringConfigurations/notificationConfiguration/read Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault' Microsoft.RecoveryServices/Vaults/refreshContainers/read Microsoft.RecoveryServices/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used get the operation status and result for the asynchronously submitted operation Microsoft.RecoveryServices/Vaults/registeredIdentities/read The Get Containers operation can be used get the containers registered for a resource. Microsoft.RecoveryServices/vaults/replicationAlertSettings/read Read any Alerts Settings Microsoft.RecoveryServices/vaults/replicationEvents/read Read any Events Microsoft.RecoveryServices/vaults/replicationFabrics/read Read any Fabrics Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/read Read any Networks Microsoft.RecoveryServices/vaults/replicationFabrics/replicationNetworks/replicationNetworkMappings/read Read any Network Mappings Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/read Read any Protection Containers Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectableItems/read Read any Protectable Items Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/read Read any Protected Items Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectedItems/recoveryPoints/read Read any Replication Recovery Points Microsoft.RecoveryServices/vaults/replicationFabrics/replicationProtectionContainers/replicationProtectionContainerMappings/read Read any Protection Container Mappings Microsoft.RecoveryServices/vaults/replicationFabrics/replicationRecoveryServicesProviders/read Read any Recovery Services Providers Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/read Read any Storage Classifications Microsoft.RecoveryServices/vaults/replicationFabrics/replicationStorageClassifications/replicationStorageClassificationMappings/read Read any Storage Classification Mappings Microsoft.RecoveryServices/vaults/replicationFabrics/replicationvCenters/read Read any vCenters Microsoft.RecoveryServices/vaults/replicationJobs/read Read any Jobs Microsoft.RecoveryServices/vaults/replicationPolicies/read Read any Policies Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/read Read any Recovery Plans Microsoft.RecoveryServices/Vaults/storageConfig/read Microsoft.RecoveryServices/Vaults/tokenInfo/read Returns token information for Recovery Services Vault. Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services Vault. Microsoft.RecoveryServices/Vaults/vaultTokens/read The Vault Token operation can be used to get Vault Token for vault level backend operations. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. Id 9b7fa17d-e63e-47b0-bb0a-15c516ac86ec Actions Microsoft.Authorization/*/read Read roles and role Assignments Microsoft.Insights/alertRules/* Create and manage alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Sql/locations/*/read Microsoft.Sql/servers/databases/* Create and manage SQL databases Microsoft.Sql/servers/read Return the list of servers or gets the properties for the specified server. Microsoft.Support/* Create and manage support tickets Microsoft.Insights/metrics/read Read metrics Microsoft.Insights/metricDefinitions/read Read metric definitions NotActions Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/auditingPolicies/* Can't edit audit policies Microsoft.Sql/servers/databases/auditingSettings/* Can't edit audit settings Microsoft.Sql/servers/databases/auditRecords/read Retrieve the database blob audit records Microsoft.Sql/servers/databases/connectionPolicies/* Can't edit connection policies Microsoft.Sql/servers/databases/dataMaskingPolicies/* Can't edit data masking policies Microsoft.Sql/servers/databases/extendedAuditingSettings/* Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/securityAlertPolicies/* Can't edit security alert policies Microsoft.Sql/servers/databases/securityMetrics/* Can't edit security metrics Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*
[!div class="mx-tableFixed"]
Description Lets you manage the security-related policies of SQL servers and databases, but not access to them. Id 056cd41c-7e88-42e1-933e-88ba6a50c9c3 Actions Microsoft.Authorization/*/read Read Microsoft authorization Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins resource such as storage account or SQL database to a subnet. Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/auditingPolicies/* Create and manage SQL server auditing policies Microsoft.Sql/servers/auditingSettings/* Create and manage SQL server auditing setting Microsoft.Sql/servers/extendedAuditingSettings/read Retrieve details of the extended server blob auditing policy configured on a given server Microsoft.Sql/servers/databases/auditingPolicies/* Create and manage SQL server database auditing policies Microsoft.Sql/servers/databases/auditingSettings/* Create and manage SQL server database auditing settings Microsoft.Sql/servers/databases/auditRecords/read Read audit records Microsoft.Sql/servers/databases/connectionPolicies/* Create and manage SQL server database connection policies Microsoft.Sql/servers/databases/dataMaskingPolicies/* Create and manage SQL server database data masking policies Microsoft.Sql/servers/databases/extendedAuditingSettings/read Retrieve details of the extended blob auditing policy configured on a given database Microsoft.Sql/servers/databases/read Return the list of databases or gets the properties for the specified database. Microsoft.Sql/servers/databases/schemas/read Retrieve list of schemas of a database Microsoft.Sql/servers/databases/schemas/tables/columns/read Retrieve list of columns of a table Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/schemas/tables/read Retrieve list of tables of a database Microsoft.Sql/servers/databases/securityAlertPolicies/* Create and manage SQL server database security alert policies Microsoft.Sql/servers/databases/securityMetrics/* Create and manage SQL server database security metrics Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/firewallRules/* Microsoft.Sql/servers/read Return the list of servers or gets the properties for the specified server. Microsoft.Sql/servers/securityAlertPolicies/* Create and manage SQL server security alert policies Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage SQL servers and databases, but not access to them, and not their security -related policies. Id 6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Sql/locations/*/read Microsoft.Sql/servers/* Create and manage SQL servers Microsoft.Support/* Create and manage support tickets Microsoft.Insights/metrics/read Read metrics Microsoft.Insights/metricDefinitions/read Read metric definitions NotActions Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/auditingPolicies/* Can't edit SQL server auditing policies Microsoft.Sql/servers/auditingSettings/* Can't edit SQL server auditing settings Microsoft.Sql/servers/databases/auditingPolicies/* Can't edit SQL server database auditing policies Microsoft.Sql/servers/databases/auditingSettings/* Can't edit SQL server database auditing settings Microsoft.Sql/servers/databases/auditRecords/read Can't read audit records Microsoft.Sql/servers/databases/connectionPolicies/* Can't edit SQL server database connection policies Microsoft.Sql/servers/databases/dataMaskingPolicies/* Can't edit SQL server database data masking policies Microsoft.Sql/servers/databases/extendedAuditingSettings/* Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/securityAlertPolicies/* Can't edit SQL server database security alert policies Microsoft.Sql/servers/databases/securityMetrics/* Can't edit SQL server database security metrics Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/extendedAuditingSettings/* Microsoft.Sql/servers/securityAlertPolicies/* Can't edit SQL server security alert policies
[!div class="mx-tableFixed"]
Description Lets you manage storage accounts, but not access to them. Id 17d1049b-9a84-46fb-8f53-869881c3d3ab Actions Microsoft.Authorization/*/read Read all authorization Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Insights/diagnosticSettings/* Manage diagnostic settings Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins resource such as storage account or SQL database to a subnet. Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Storage/storageAccounts/* Create and manage storage accounts Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Storage Account Key Operators are allowed to list and regenerate keys on Storage Accounts Id 81a9662b-bebf-436f-a333-f67b29880f12 Actions Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account. Microsoft.Storage/storageAccounts/regeneratekey/action Regenerates the access keys for the specified storage account.
[!div class="mx-tableFixed"]
Description Allows for read, write and delete access to Azure Storage blob containers and data Id ba92f5b4-2d11-453d-a403-e96b0029c9fe Actions Microsoft.Storage/storageAccounts/blobServices/containers/delete Returns the result of deleting a container Microsoft.Storage/storageAccounts/blobServices/containers/read Returns a container or a list of containers Microsoft.Storage/storageAccounts/blobServices/containers/write Returns the result of put or lease blob container DataActions Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Returns the result of deleting a blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Returns the result of writing a blob
[!div class="mx-tableFixed"]
Description Allows for read, write, delete, and POSIX superuser access to Azure Storage blob containers and data Id b7e6dc6d-f1e8-4753-8033-0f276bb0955b Actions Microsoft.Storage/storageAccounts/blobServices/containers/delete Returns the result of deleting a container Microsoft.Storage/storageAccounts/blobServices/containers/read Returns a container or a list of containers Microsoft.Storage/storageAccounts/blobServices/containers/write Returns the result of put or lease blob container DataActions Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Returns the result of deleting a blob Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Returns the result of writing a blob
[!div class="mx-tableFixed"]
Description Allows for read access to Azure Storage blob containers and data Id 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1 Actions Microsoft.Storage/storageAccounts/blobServices/containers/read Returns a container or a list of containers DataActions Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Returns a blob or a list of blobs
[!div class="mx-tableFixed"]
Description Allows for read, write, and delete access to Azure Storage queues and queue messages Id 974c5e8b-45b9-4653-ba55-5f855dd0fb88 Actions Microsoft.Storage/storageAccounts/queueServices/queues/delete Returns the result of deleting a queue Microsoft.Storage/storageAccounts/queueServices/queues/read Returns a queue or a list of queues. Microsoft.Storage/storageAccounts/queueServices/queues/write Returns the result of writing a queue DataActions Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete Returns the result of deleting a message Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Returns a message Microsoft.Storage/storageAccounts/queueServices/queues/messages/write Returns the result of writing a message
[!div class="mx-tableFixed"]
Description Allows for read access to Azure Storage queues and queue messages Id 19e7f393-937e-4f77-808e-94535e297925 Actions Microsoft.Storage/storageAccounts/queueServices/queues/read Returns a queue or a list of queues. DataActions Microsoft.Storage/storageAccounts/queueServices/queues/messages/read Returns a message
[!div class="mx-tableFixed"]
Description Lets you create and manage Support requests Id cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e Actions Microsoft.Authorization/*/read Read authorization Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage Traffic Manager profiles, but does not let you control who has access to them. Id a4b10055-b0c7-44c2-b00f-c7b5b3550cf7 Actions Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Network/trafficManagerProfiles/* Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description Lets you manage user access to Azure resources. Id 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9 Actions */read Read resources of all Types, except secrets. Microsoft.Authorization/* Manage authorization Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description View Virtual Machines in the portal and login as administrator Id 1c0163c0-47e6-4577-8991-ea5c82e286e4 Actions Microsoft.Network/publicIPAddresses/read Gets a public ip address definition. Microsoft.Network/virtualNetworks/read Get the virtual network definition Microsoft.Network/loadBalancers/read Gets a load balancer definition Microsoft.Network/networkInterfaces/read Gets a network interface definition. Microsoft.Compute/virtualMachines/*/read DataActions Microsoft.Compute/virtualMachines/login/action Log in to a virtual machine as a regular user Microsoft.Compute/virtualMachines/loginAsAdmin/action Log in to a virtual machine with Windows administrator or Linux root user privileges
[!div class="mx-tableFixed"]
Description Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. Id 9980e02c-c2be-4d73-94e8-173b1dc7cf3c Actions Microsoft.Authorization/*/read Read authorization Microsoft.Compute/availabilitySets/* Create and manage compute availability sets Microsoft.Compute/locations/* Create and manage compute locations Microsoft.Compute/virtualMachines/* Create and manage virtual machines Microsoft.Compute/virtualMachineScaleSets/* Create and manage virtual machine scale sets Microsoft.DevTestLab/schedules/* Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Network/applicationGateways/backendAddressPools/join/action Joins an application gateway backend address pool Microsoft.Network/loadBalancers/backendAddressPools/join/action Joins a load balancer backend address pool Microsoft.Network/loadBalancers/inboundNatPools/join/action Joins a load balancer inbound nat pool Microsoft.Network/loadBalancers/inboundNatRules/join/action Joins a load balancer inbound nat rule Microsoft.Network/loadBalancers/probes/join/action Allows using probes of a load balancer. For example, with this permission healthProbe property of VM scale set can reference the probe. Microsoft.Network/loadBalancers/read Gets a load balancer definition Microsoft.Network/locations/* Create and manage network locations Microsoft.Network/networkInterfaces/* Create and manage network interfaces Microsoft.Network/networkSecurityGroups/join/action Joins a network security group Microsoft.Network/networkSecurityGroups/read Gets a network security group definition Microsoft.Network/publicIPAddresses/join/action Joins a public ip address Microsoft.Network/publicIPAddresses/read Gets a public ip address definition. Microsoft.Network/virtualNetworks/read Get the virtual network definition Microsoft.Network/virtualNetworks/subnets/join/action Joins a virtual network Microsoft.RecoveryServices/locations/* Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write Create a backup Protection Intent Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read Returns object details of the Protected Item Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write Create a backup Protected Item Microsoft.RecoveryServices/Vaults/backupPolicies/read Returns all Protection Policies Microsoft.RecoveryServices/Vaults/backupPolicies/write Creates Protection Policy Microsoft.RecoveryServices/Vaults/read The Get Vault operation gets an object representing the Azure resource of type 'vault' Microsoft.RecoveryServices/Vaults/usages/read Returns usage details for a Recovery Services Vault. Microsoft.RecoveryServices/Vaults/write Create Vault operation creates an Azure resource of type 'vault' Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.SqlVirtualMachine/* Microsoft.Storage/storageAccounts/listKeys/action Returns the access keys for the specified storage account. Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account. Microsoft.Support/* Create and manage support tickets
[!div class="mx-tableFixed"]
Description View Virtual Machines in the portal and login as a regular user. Id fb879df8-f326-4884-b1cf-06f3ad86be52 Actions Microsoft.Network/publicIPAddresses/read Gets a public ip address definition. Microsoft.Network/virtualNetworks/read Get the virtual network definition Microsoft.Network/loadBalancers/read Gets a load balancer definition Microsoft.Network/networkInterfaces/read Gets a network interface definition. Microsoft.Compute/virtualMachines/*/read DataActions Microsoft.Compute/virtualMachines/login/action Log in to a virtual machine as a regular user
[!div class="mx-tableFixed"]
Description Lets you manage the web plans for websites, but not access to them. Id 2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b Actions Microsoft.Authorization/*/read Read authorization Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets Microsoft.Web/serverFarms/* Create and manage server farms
[!div class="mx-tableFixed"]
Description Lets you manage websites (not web plans), but not access to them. Id de139f84-1756-47ae-9be6-808fbbe84772 Actions Microsoft.Authorization/*/read Read authorization Microsoft.Insights/alertRules/* Create and manage Insights alert rules Microsoft.Insights/components/* Create and manage Insights components Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage resource group deployments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and manage support tickets Microsoft.Web/certificates/* Create and manage website certificates Microsoft.Web/listSitesAssignedToHostName/read Get names of sites assigned to hostname. Microsoft.Web/serverFarms/join/action Microsoft.Web/serverFarms/read Get the properties on an App Service Plan Microsoft.Web/sites/* Create and manage websites (site creation also requires write permissions to the associated App Service Plan)